Changing Local Group Memberships
As administrator, I added a certain user as a member to a Local Group. I used my admin tools to see that he was in fact in the group. The user checked that he was in the group by the command "net user xxxxxx" which showed
he was in the group. But the user did not have the privileges of the group. The user had to log out then log back in, then he had the new privileges.
Is there a way to make the new privileges take effect without the user logging out and logging in?
Am running Windows XP Pro.
Yes, log out and log in is required for these changes. Or you may reboot.
Arnav Sharma | http://arnavsharma.net/ Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading
the thread.
Similar Messages
-
Local Groups Membership on All Servers in the Network
Hi,
I have about 150 servers running Windows Server 2008 R2. Most of them are domain members but some are standalone (workgroup). There is only one Forest and one Domain.
I need to generate a list/report with users names and group names that are member of local "Administrators" and "Remote Desktop Users" groups on every server in the network.
I certainly don't want to log into each server one-by-one to generate reports. I might have to do that on Standalone servers, but at least I want to generate this remotely on all domain joined servers.
Any ideas how it can be done? Windows PowerShell (I would need the script), some other built-in tool, or third-party tool.You can use net localgroup <group> command to get local group membership. To run this remotely, you can use
psexec. You can mainly create a script that gets the list of domain-joined servers from AD and then runs
psexec against them for data extraction.
This posting is provided AS IS with no warranties or guarantees , and confers no rights.
Ahmed MALEK
My Website Link
My Linkedin Profile
My MVP Profile -
Sonicwall E5500 Local Group Membership Question
In Users > Local Groups open any group and click on the members tab. In the non-member users and groups list box there is an entry that looks like this: ------
Example membership list:
Sonicwall Admins
Sonicwall read only admins
All LDAP Users
Does anyone know what the ------ entry means? We are using integrated LDAP security. Thanks.I recently acquired a SuperMicro chassis that has a SAS2 expander backplane. It has SFF-8087 ports on it.http://www.supermicro.com/manuals/other/BPN-SAS2-846EL.pdfI made a post on another forum and someone mentioned that the card couldn't be used with that backplane since it's a SATA controller, however, the backplane is both SAS and SATA device compliant, it's only the RAID controller, as far as I know, that is a "SATA II" controller, and not a SAS controller.So, I couldn't find anything in the official documentation of this controller on whether or not it was able to control SAS devices. The card itself has a 3 SFF-8087 ports though, couldn't this theoretically still be used with a SFF-8087 to SFF-8087 cable(seen below)since the backplane is a SAS/SATA backplane?...
-
OIM: Issue with changing AD group membership
I'm trying to add/remove groups in the AD child form and I get the error below.
- I can successfully change properties on the main form, such as last name, etc...
- I don't get why the errors come up from the schedule task API..ex: com.thortech.xl.schedule.tasks.ADITRes ??
- I've tried tracing this all the way to the .jar file using a decompiler... I think it has somethign to do with either the Group DN or the IT resource, but can't tell which.
- I've successfully Reconed all Groups/OUs.
- I don't see how it can be the ITResource since I can change attribs, unless it's looking at the IT resource of the Schedule task.
EDIT: I'm using OIM 9102BP11 with latest version of the ADconnector (9.1.x)
I should also note that this was working perfectly fine until I tried to move to GCADITResource. Even when I move back to regular ADITresource, provision a new user, i keep getting this error.
DEBUG,20 Sep 2010 10:28:56,377,[OIMCP.ADCS],com.thortech.xl.schedule.tasks.ADITRes : initialize:: STARTED
ERROR,20 Sep 2010 10:28:56,377,[OIMCP.ADCS],====================================================
ERROR,20 Sep 2010 10:28:56,377,[OIMCP.ADCS],*com.thortech.xl.schedule.tasks.ADITRes : initialize : null*
ERROR,20 Sep 2010 10:28:56,377,[OIMCP.ADCS],====================================================
ERROR,20 Sep 2010 10:28:56,377,[OIMCP.ADCS],================= Start Stack Trace =======================
ERROR,20 Sep 2010 10:28:56,378,[OIMCP.ADCS],com.thortech.xl.schedule.tasks.ADITRes : initialize
ERROR,20 Sep 2010 10:28:56,378,[OIMCP.ADCS],
ERROR,20 Sep 2010 10:28:56,378,[OIMCP.ADCS],*Description : null*
ERROR,20 Sep 2010 10:28:56,378,[OIMCP.ADCS],*java.lang.NullPointerException*
at java.util.Hashtable.put(Hashtable.java:396)
at com.thortech.xl.schedule.tasks.ADITRes.initialize(Unknown Source)
DEBUG,20 Sep 2010 10:28:56,378,[OIMCP.ADCS],com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController : hashTableEnvForDirContext:: STARTED
ERROR,20 Sep 2010 10:28:56,378,[OIMCP.ADCS],====================================================
ERROR,20 Sep 2010 10:28:56,378,[OIMCP.ADCS],*com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController : hashTableEnvForDirContext : null*
ERROR,20 Sep 2010 10:28:56,378,[OIMCP.ADCS],====================================================
ERROR,20 Sep 2010 10:28:56,379,[OIMCP.ADCS],================= Start Stack Trace =======================
ERROR,20 Sep 2010 10:28:56,379,[OIMCP.ADCS],com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController : hashTableEnvForDirContext
ERROR,20 Sep 2010 10:28:56,379,[OIMCP.ADCS],
ERROR,20 Sep 2010 10:28:56,379,[OIMCP.ADCS],Description : null
ERROR,20 Sep 2010 10:28:56,379,[OIMCP.ADCS],java.lang.NullPointerException
at java.util.Hashtable.put(Hashtable.java:396)
at com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController.hashTableEnvForDirContext(Unknown Source)
at com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController.connectToAvailableAD(Unknown Source)
at com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController.getAttributeValues(Unknown Source)
at com.thortech.xl.integration.ActiveDirectory.tcUtilADTasks.addUserToGroup(Unknown Source)
ERROR,20 Sep 2010 10:28:56,379,[OIMCP.ADCS],================= End Stack Trace =======================
ERROR,20 Sep 2010 10:28:56,380,[OIMCP.ADCS],====================================================
ERROR,20 Sep 2010 10:28:56,380,[OIMCP.ADCS],*com.thortech.xl.integration.ActiveDirectory.tcUtilADTasks : addUserToGroup : ADD User to Group Operation Failed:null*
ERROR,20 Sep 2010 10:28:56,380,[OIMCP.ADCS],====================================================
ERROR,20 Sep 2010 10:28:56,380,[OIMCP.ADCS],================= Start Stack Trace =======================
ERROR,20 Sep 2010 10:28:56,380,[OIMCP.ADCS],com.thortech.xl.integration.ActiveDirectory.tcUtilADTasks : addUserToGroup
ERROR,20 Sep 2010 10:28:56,380,[OIMCP.ADCS],
ERROR,20 Sep 2010 10:28:56,380,[OIMCP.ADCS],Description : null
ERROR,20 Sep 2010 10:28:56,380,[OIMCP.ADCS],java.lang.Exception
at com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController.hashTableEnvForDirContext(Unknown Source)
at com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController.connectToAvailableAD(Unknown Source)
at com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController.getAttributeValues(Unknown Source)
at com.thortech.xl.integration.ActiveDirectory.tcUtilADTasks.addUserToGroup(Unknown Source)
ERROR,20 Sep 2010 10:28:56,381,[OIMCP.ADCS],================= End Stack Trace =======================
DEBUG,20 Sep 2010 10:28:56,381,[OIMCP.ADCS],com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController : disconnect:: STARTED
DEBUG,20 Sep 2010 10:28:56,381,[OIMCP.ADCS],com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController : disconnect:: FINISHED
DEBUG,20 Sep 2010 10:28:56,381,[OIMCP.ADCS],com.thortech.xl.integration.ActiveDirectory.tcUtilADTasks : addUserToGroup:: FINISHED
INFO,20 Sep 2010 10:28:56,563,[XELLERATE.ADAPTERS],Adapter: adpADCSADDUSERTOGROUP has completed for the task: Add User To Group.
Edited by: Alex S on Sep 20, 2010 10:45 AMThe individual rows in the AD user group object child table contains references to which IT resource this group refers to so if you switch ADITresource back and forth it is very easy to get things out of synch.
The exact structure of references between the rows in the child table, the IT resources and the DN of the groups is a bit complex so I can't tell you by heart exactly how it should be but take a look into this and hopefully you will be able to spot the issue.
Best regards
/Martin -
Com.apple.alf.plist file keeps changing group membership
Hey All, I've read several discussions about this issue. The com.apple.alf.plist file keeps changing group membership from admin to wheel. Disk Utility repair changes the group membership to admin but it will change back to wheel during normal use of the computer, it seems that accessing systempreferences.app and security preferences will change the group to wheel.
I don't really want to get into a discussion about the wheel account, unless necessary, but since this is a very important system settings file I'd like it to work correctly. I have noticed several issues with the firewall not responding as expected such as turning off by itself, and app settings changing or disappearing from the security preference pane. So, I have deleted the plist file and restarted as recommended on other discussions but the issue always returns during normal use. I think it might be the application owning the plist file causing the issue, but I am not sure which one owns the plist file. I assume it would be systempreference.app since I think it is a firewall plist file. The permissions for systempreferences.app is strange also;
- everyone - custom
- system - read/write
- wheel - read/write
- everyone -read
This may be the culprit but I tried to make a minor change, so as not to mess up the operating system, and disk utility repair permissions just puts it back the way it was. Any ideas about this would be very appreciated.
Note: I have done a complete system reinstall and the issue still returns.OK, Since I haven't gotten any responses about this it must be a complicated issue. Just as a quick check could some of you good people out there look at the "Get Info" window for the systempreferences.app and see if your permissions look like mine? I'm still having trouble with the firewall settings not acting as expected such as apps and processes that I have approved/denid connection access not showing up in the firewall pane of system preferences and having to reapprove each startup. Thank you in advance for any help on this.
-
A member was added or deleted to a security-enabled local group. (4732 and 4733)
Hi Team,
We are getting below alerts continuously. it is specifying that user is adding and removing from security group. But it is happening automatically and we've checked no one is performing such operation. And we read on some site it happened on domain controller
but also our share point farm server is not on domain controller. Please find the alert below and suggest what we should do so that we'll not get this alert again. Thanks in advance.
A member was added to a security-enabled local group.
Subject:
Security ID:
POSTEN\s-sharep_farm
Account Name:
S-ShareP_Farm
Account Domain:
POSTEN
Logon ID:
0x8a121
Member:
Security ID:
NETWORK SERVICE
Account Name:
Group:
Security ID:
BUILTIN\IIS_IUSRS
Group Name:
IIS_IUSRS
Group Domain:
Builtin
Additional Information:
PrivilegesHi Kamal,
Per my knowledge, SharePoint does not have the function to audit the changes in domain groups.
What is “From” email address of the alerts?
Please check if you have configured Windows System Resource Manager to send e-mail notifications when an event is logged firstly.
https://technet.microsoft.com/en-us/library/cc732728.aspx
And it seems that the System Center Operations Manager(SCOM) can set the alert for auditing the changes to the local group membership.
Please also check if you have installed SCOM and set rule to send the alerts in SCOM.
http://blogs.technet.com/b/nzdse/archive/2009/11/10/audit-alert-scenarios-system-center-operations-manager-opsmgr-2007-r2.aspx
Best regards.
Thanks
Victoria Xia
TechNet Community Support -
AD/OID Group Membership Integration
I have Oracle DIP/SSO and Zero Sign-on working. My client wants to grant a role to a user in AD and then that correspondingly grants the same user in OID a database role.
I have read in an oracle whitepaper (Using Oracle with Microsoft Active Directory) that using Oracle DIP a change in user group member in AD can result in a corresponding change in group membership in the Oracle environment.
Has anyone done this? Can you point me in the right direction?In order to do this you update the group in the AD. This is done by using the groups or user icon and add an user to a specific group.
The synchronization profile in the OID/DIP will usually take care of this.
cu
Andreas -
Changed group membership in WGM 10.6.3 from the 10.6 server. The change takes overnight to work. Formerly ran WGM from my 10.6.8 mac (worked perfectly) but now I am at 10.7.5 and must use WGM on the server. Has anyone else seen this behavior?
Hi
"Changed group membership in WGM 10.6.3 from the 10.6 server. The change takes overnight to work"
If I've understood you correctly I've never known this or anything else to take that long? What were you trying to do exactly?
"Formerly ran WGM from my 10.6.8 mac (worked perfectly) but now I am at 10.7.5 and must use WGM on the server. Has anyone else seen this behaviour?"
http://support.apple.com/kb/HT1822
HTH?
Tony -
User Group Membership change Alert
As a system administrator, I will like to be alerted when a user's group membership has changed on the domain. Can Spiceworks compare the imported memberships in its database with AD and alert me when they do not match? Below is an image of the information that SW imports which could be used for this comparison.
This topic first appeared in the Spiceworks CommunityAssuming you know the dn of the groups to remove the person from and add them to, and the dn of the person to move, you should be able to do something similar to:
Attributes attrs = new BasicAttributes(true);
Attribute uniquemember = new BasicAttribute("uniquemember");
uniquemember.add("uid=user,o=domain.com"); //add user to move to attribute
attrs.put(uniquemember);
DirContext ctx = //connect to your ldap dir
try{
ctx.modifyAttributes(groupToRemoveFromDN, ctx.REMOVE_ATTRIBUTE, attrs);
ctx.modifyAttributes(groupToAddToDN, ctx.ADD_ATTRIBUTE,attrs);
catch (NamingException ne) {
//return error appropriately
try{
ctx.close();
catch (NamingException ne) {
//do what you want with error
}You also might want to check out the JNDI tutorial at http://java.sun.com/products/jndi/tutorial/index.html
--Nicole -
Invoke an adapter on change of User's Group Membership details
Hi
I need to invoke an adapter on change of User’s Group Membership details. I am not able to figure out from where I can invoke my adapter.
Does anyone have any idea about this?
-- Another Question: what is the purpose of having “tcUSRautoGroupMembership” in User’s Object Form on Post Update. It would be nice if you give some details about this task.
-HardewThanks for quick response.
What you have mentioned, is applicable for a specific value of a user’s OIM Profile filed; that means it will triggered only if a user has specified value i.e. "blah blah" for that field i.e. fieldA.
However my scenario is slightly different. Let me explain my scenario by example:-
I have N numbers of OIM groups i.e. g1, g2, g3, g4……, gn and a user called myUser. This user is a member of two groups’ g1 and g2, now if I make myUser to member of one more group i.e. g3 or remove i.e. g1; then I want to perform a custom task using adapter on this Group Membership change.
Is there any “Data Object Form” where I can associate my adapter on post-update to detect change of User’s Group Membership?
_hardew -
Design question: Change Group membership for a AD resource via SelfService
Hi all,
based on the OIM tutorials, I designed OIM that way that an end user can successfully request a resource. Is there a way to allow end users to modify their resource "subscriptions"? For example, I would like to allow end users to change their AD group memberships after the initial provision to the resource.
From what I have learned from the tutorials, I would assume to create an AD group membership attribute in the user account profile form and propagate changes to that attribute back to AD.
Or is there a way to allow end users to change their resource data directly under "My Resources" ?there is no concept of requesting a modification of an already provisoned account. Like you said this can be achieved thru an attribute on the user's profile and on changing that attribute, downstream applications can be propagated the new value.
Typically if changes to an already proviisoned account needs to be done in oim and through oim, an oim admin goes to the user's resource profile and clicks on edit on the process form and can edit any data there. in case of ad groups, there will be a child process form that shows the groups that the user is a member of, you can insert(add) new groups or delete existing groups from there and save the form. In the proviisoning porcess of AD you will need to write a porcess task, which should add/remove the user from the specified group in AD on the trigger when a new group is added or an existing group is removed wehn the admin is modifying the user's AD process form/process child forms in oim. -
Managing membership of local group - Domain Local groups not permitted?
Hi all
I would like to populate the membership of the local Administrators group on certain member servers using the "Local users and groups" feature of GPP. The object picker does not let me choose groups with Domain Local scope.
Does anyone know the reason for this? Is there any workaround?
I can add domain local groups to the membership of the Adminstrators group manually, so it seems strange I can't do it via GPO.
Alexei> I would like to populate the membership of the local Administrators
> group on certain member servers using the "Local users and groups"
> feature of GPP. The object picker does not let me choose groups with
> Domain Local scope.
I cannot confirm. I can add both DL and GG. What OS are you using? Here:
Win 7 Enterprise 32 bit.
Martin
Mal ein
GUTES Buch über GPOs lesen?
NO THEY ARE NOT EVIL, if you know what you are doing:
Good or bad GPOs?
And if IT bothers me - coke bottle design refreshment :)) -
Policies assigned to groups - membership changes not working
I have a single ZESM IR8 server setup.
All security throughout my environment, ZESM and otherwise, is based on group membership.
If I change a user from one group to another group this change does not reflect in their policy assignment.
Scenario: GroupA = standard user policy, GroupB = power user policy.
UserA was first in Group A and therefore got the standard user policy.
UserA now requires the power user policy.
Remove UserA from GroupA and add UserA to GroupB (in iManager).
UserA does NOT get the "power user" policy that is assigned to GroupB
Am aware that I can assign the policy at a user level but this is NOT an option in my environment. All security assignments MUST happen at a group level.What you observed is the expected behavior.
ZESM doesn't updates group membership in real time once a policy has been published. I've described this behavior on previous posts.
What the MC does behind the scenes when you click "Publish" on a container or group object is to assign the policy individually to each member/user. For groups, it resolves membership at the time the policy is published then the MC iterates among each member assigning the policy to each of them. That's why you don't see updates once the policy is published.
Try Updating the published policy to see if that works. From the docs:
Updating a Published Policy
Once a policy has been published to the user(s) or computer(s), simple updates can be maintained by editing the components in a policy, and re-publishing. For example, if the ZENworks Endpoint Security Management Administrator needs to change the WEP key for an access point, the adminstrator only needs to edit the key, save the policy, and click Publish. The affected end-users and computers receive the updated policy (and the new key) at their next check-in.
>>>
From: laurabuckley<[email protected]>
To:novell.support.zenworks.endpoint-security-management
Date: 12/15/2009 7:16 AM
Subject: Policies assigned to groups - membership changes not working
I have a single ZESM IR8 server setup.
All security throughout my environment, ZESM and otherwise, is based on
group membership.
If I change a user from one group to another group this change does not
reflect in their policy assignment.
Scenario: GroupA = standard user policy, GroupB = power user policy.
UserA was first in Group A and therefore got the standard user policy.
UserA now requires the power user policy.
Remove UserA from GroupA and add UserA to GroupB (in iManager).
UserA does NOT get the "power user" policy that is assigned to GroupB
Am aware that I can assign the policy at a user level but this is NOT
an option in my environment. All security assignments MUST happen at a
group level.
laurabuckley
laurabuckley's Profile: http://forums.novell.com/member.php?userid=122
View this thread: http://forums.novell.com/showthread.php?t=395870 -
SAML 2.0 and AD Security Group Membership
In ADFS 2.0, as a part of the token, I can pass the AD
security groups the user is in. Does SAP SSO have the ability to send and
receive SAML 2.0 tokens with AD security group membership?Hi Jeff,
SAP SAML 2.0 Identity Provider is able to include any group (or role) assignment of the user (available in the NetWeaver AS Java UME) as SAML Attribute in the generated SAML 2.0 Assertion.
These group assignments of the user can be local (maintained in local UME database) or remote ones if the UME is configured with other Data Source.
So in order to be able send the AD group assignments of the user you need to change the NetWeaver UME Data Source to your AD. More information how to do that you can find at this page: Identity Management - SAP Library.
Then in your Identity Provider you can configured so called "Authorization-Based Assertion Attributes" in the "Identity Federation" tab of your trusted Service Provider configuration. An example with such attributes is provided at this page: Configuring Identity Federation with Transient Users - Identity Provider for SAP Single Sign-On and SAP Identity Managem… (although the page is for Transient federation these attributes are supported for all supported NameID formats).
Regarding the receiving part:
In SAP SAML 2.0 Service Provider of NetWeaver AS Java received SAML 2.0 Attribute can be either assigned to any UME attribute of the authenticated user, or to be used in rules that assign specific role(s) or group(s) to the user. For more details see these pages: Configuring Federation Type Persistent Users (Advanced) - User Authentication and Single Sign-On - SAP Library and Configuring Federation Type Virtual Users - User Authentication and Single Sign-On - SAP Library
Regards,
Stefan -
AD groups membership not working for target Audience
Hiya,
Got a peculiar problem here. Trying to set audience on a link it doesnt work as we want it to. We have the following behavior:
If adding users directly on SharePoint Group no problems. However if adding AD group to SP group, it doesnt work. Member count for AD Group is 0
AD Group is created as Global, however tried placing it in a Domain Local group to see if that changed anything. SP synchs the AD groups fine, however it seems like it doesnt read the members, thus not granting any users access based on AD group membership.
Not sure if this is default behavior or?Hi,
It seems a known issue, but there is no workaround for this.
It worth to reading these threads
http://social.technet.microsoft.com/Forums/en-US/sharepoint2010setup/thread/8ede2f40-2b11-416b-b426-51c1b6479c33
http://social.technet.microsoft.com/Forums/en-US/sharepoint2010setup/thread/586494b9-d259-4abf-a857-26137fa30460
Hope this helps
Thanks!
Stanfford
Everything will be fine.
Maybe you are looking for
-
How can i enter network info on apple tv without remote
HELP! I was trying to change my dns number to get American netflix in Canada. I thought I had done everything right, was heading back to check out that it was working and accidently pressed enter too many times. I told my apple tv to forget my netwo
-
Windows 8.1 doesn't recognize my iphone
Hi to all, I'm a bit desperate... i have an iPhone 5 and the lastest itunes release. and on the last week I have the insane idea of installing windows 8.1 Now i can't see my iPhone on My computer so I cant see the pics I take with it I don't know wha
-
Dear Apple, why is not possible in the year 2014...sync to my iPhone just content I want to separety, without the whole sync procedur(backinup,syncing whole purchased things and stuff like that) When I want to have in my phone for example just 3 new
-
Hi, How can I configure a business process/jcd to receive(also send) messages from an external queue/topic? Thanks Kaanu PS: I am able to use queues/topics used in other SunSeeBeyond Projects.
-
Hi , I have installed Oracle Virtual box on windows server 2008 r2 hosted on 1und1.de. Till installtion and setting up untun on virtualbox it was fine, but once i changed the adapater to bridged mode. I immediatly lost connectivity with my server and