Deploying to AD based user groups

Similar Messages

• Wireless Deployment with Active Directory User Group Integration

  I am trying to find out the best practice in deploying a WLAN for users in the cooperate environment, which uses their company active directory integrated laptops to join to the WLAN.
  I know this can be done using certificates easily but I want to just find a way to deploy this without certificates and only based on the AD user group. Maybe a Radius server + LDAP server integration solution would be great.
  Please advice. Thanks.
  Cheers
  Lal Antony
  www.lalantony.com

  The easiest way to deply this is with a Microsoft toolkit, it has everything you need included, manuals, scripts to install and configure server-side components and it's very easy to use. You can get it from here:
  http://www.microsoft.com/downloads/en/details.aspx?FamilyID=60c5d0a1-9820-480e-aa38-63485eca8b9b&displaylang=en
  It's based on Win2003 server but I've been advised by MS that it should be OK on Win2008 as well.

• Distribute RM Templates based on groups of users or OU

  Hi,
  We're distributing templates to the users. However, since there are a lot of templates, is it possible to distribute them based on department, OU, or any other way, so users can see only templates they need.
  Thank you.
  alfa21

  Hi alfa21,
  It is possible! First, you should know that there are several ways of RMS templates distribution: http://social.technet.microsoft.com/wiki/contents/articles/3911.how-to-deploy-ad-rms-policy-templates.aspx
  Now, do not enable the default RMS scheduled task, and use GPOs/scripts to copy .xml files (which are ADRMS templates of your choice) to %LocalAppData%\Microsoft\DRM\Templates for selected users/groups/OUs.
  If your clients are using ADRMS client 2.x then all templates are downloaded automatically (even if you didn't enable scheduled task) BUT you can force AD RMS Client 2.x to use templates of your choice and do not download any other templates. Please
  find"How can I manage template distribution for the AD RMS Client 2.x?" section in this article: http://technet.microsoft.com/en-us/library/jj159267(v=ws.10).aspx. Also notice, that templates path would be different (%localappdata%\Microsoft\MSIPC\UnmanagedTemplates)
  for this ADRMS client.
  Did my post help you or make you laugh? Don't forget to click the Helpful vote :) If I answered your question please mark my post as an Answer.

• Setting Default Dashboard based on Groups/users in OBIEE 10g

  Hi,
  I am having a requirement and facing some issues with setting a default dashboard option to the users who ever access the application. Below is the brief description of entire requirement.
  The main requirement is to integrate OBIEE into a .net and silver light application. We will be having a 3 links in the .net application , which in turn displays the OBIEE reports and dashboards upon clicking the 3 links.
  We are using the concept of Init blocks, session variables and Go URL from an OBIEE standpoint for accomplishing this integration requirement. We have also configured LDAP server in OBIEE.
  The issue we are facing is out of the 3 links in .net application, we have one link/icon called dashboard icon which should display bunch of OBIEE dashboard pages in the form of 4 tabs but currently it is showing the My Dashboard home page. For this to achieve to set default dashboard page is to go to My account and change the default dashboard to the desired dashboard and log out and log in back to the application and we will be all set with dashboard pages being displayed upon lcking the dashboard icon but this is manual process for each user as they need to login into the .net application and change the setting s in My Account manually to change the default dashboard setting to the desired one.
  How should I make sure, whoever is logging into the Application (every user) should be able to see the default dashboard pages without changing the options manually by going to My Account.
  The LDAP server is taking care of the Authentication part of the users as every user record is maintained in Active directory which in turn is part of LDAP server.
  To brief high level requirement on single statement is  how to make a default dashboard pages to users based on group in OBIEE. Is there any option in OBIEE, where we can change or set a default dashboard to particular group in OBIEE either in RPD or UI level.
  Appreciate your help on this.
  Let me know if anyone needs any more information in this regard.
  Thank
  Praveen

  You can set 'PORTALPATH'. Have a look at these threads below:
  how to get default dashboards when users logs in
  Re: PORTALPATH for Each Group
  - Bharath

• How to hide iviews based on the user groups?

  Hi,
  I have a custom role with workset, page and iviews.
  The page has 5 iviews.
  User group1 can see 5 iviews in the page.
  Now user group2 wants see only 3 iviews in the page (same role).
  Without creating another role for user group2, How can I hide the iviews based on the user group?
  Is this possible?
  Thanks
  Sundar

  Hi Sundar,
  I guess to achieve this, you have to set the permissions at iView level.
  For this, go to System Admin -> Permissions -> Portal Permissions. Now navigate to your iView using the folder structure, do right-click on the iView and click on Open Permissions.
  Search for the particular group and add that and assign the privileges accordingly. You can remove Everyone group from the iView .
  Hope this will solve your problem.
  Regards,
  Saurabh Mathur

• How to send notifications to different user groups based on payload value

  Hi Gurus,
  I have a scenario in BPM where i have to send notifications to different user groups based on the payload value.
  ex:
  Payload sample:
  <employees>
  <emp1>
  <state>TX</state>
  </emp1>
  <emp2>
  <state>AZ</state>
  </emp2>
  </employees>
  Requirement: I have to send notification through Humantask to users of TX and AZ as mentioned in payload.
  Can you please help me out in achieving this in BPM?
  Thanks,
  Raju
  Edited by: user0808 on Mar 1, 2013 12:58 PM
  Edited by: user080811 on Mar 4, 2013 11:06 AM
  Edited by: user080811 on Mar 4, 2013 11:07 AM

  Hi Daniel,
  thanks a lot for your quick response.
  I went through your blog and tried implementing the same.
  But in my case i have to send parallel notifications to both the states.
  Please correct me if i am wrong, using if conditions in rules is allowing me to send to only one state.
  I also tried the following approach
  1) setting the organization units in bpm workspace
  2) passing values using human task parametric roles
  3) and looping the subprocess that has the humantask for the count of states.
  I am able to loop the subprocess but i am not able to change the parametric role value for the next iteration of the subprocess.
  Can you please help me in resolving this?
  thanks,
  Raju

• Deploying to User Groups

  I would like to push out an app (Office 2013 upgrade) to certain user groups. I ran the ad group dicovery and I see the two test groups, yet when I setup a deployment, I can't specifiy which group I would like to use. My only option is "all
  user groups". Can't I specify a specific group?

  Once groups are discovered, you need to create a collection in ConfigMgr that utilizes the AD group.
  Create a collection, then create a membership rule using a query that pulls in the group members.  Something like this:
  select
  SMS_R_USER.ResourceID,SMS_R_USER.ResourceType,SMS_R_USER.Name,SMS_R_USER.UniqueUserName,SMS_R_USER.WindowsNTDomain
  from SMS_R_User where SMS_R_User.UserGroupName = "DOmain\\GroupName"
  Then deploy your application to the collection.
  Jeff

• Conditions based on user groups

  Hi,
  I am already using the authorization i dont want to make any changes.
  I want to restrict the column using user group.
  If my user group is admin or unique then display the item and if the user group helpdesk or test then dont display.
  I am using condition: PL/SQL Function Returning boolean
  declare
  begin
  return apex_util.current_user_in_group(p_group_name=>'admin');
  end;
  It is working fine for only admin group. If i need to display the column to either admin or uniqueuser group ,Then please could you advise the expression for that.
  Regards
  Harinder

  Hello Harinder,
  What about
  return apex_util.current_user_in_group(p_group_name=>'admin') or apex_util.current_user_in_group(p_group_name=>'yourOtherGroup');
  Greetings,
  Roel
  http://roelhartman.blogspot.com/
  You can reward this reply by marking it as either Helpful or Correct ;-)

• Controlling visibility of an iView based on User groups...how ?

  Hi SDNs,
  I am trying to achive a functionality like:
  There is Page with 3 iViews A,B & C and that Page is assigned to some role R.
  And there are 2 user groups X & Y and i will assign that Role R to both the user groups.
  But the User group X should be able to see only iViews A & B, where as user group should Y should be able to all A,B & C iViews.
  I thought of proceeding like controlling Permissions at the iView level for the groups X & Y, but i couldn't do that because i don't know how to do
  Can any one suggest a best solution for achieving this kind of functionality ?
  Thanks,
  Trikanth

  Hi All,
  I just told example as A,B & C, actually i have more than 100 iViews and pages where i need to get this kind of functionality.
  So i can't go with creating different pages for each group.
  Thanks,
  Trikanth

• ISE 1.2 & AD & Meraki - Per User Group Policy ?

  I am working on a PoC for a deployment in an MDU. We are using Meraki switches and access points. There are 250 units in the building, each unit will have it's own subnet. The goal is to have the tenant be able to connect to a common building SSID and be placed into their assigned VLAN. There will also be physical ports in each unit that will need to do the same. I am trying to figure out a way to use ISE to authorize on a per user basis and not based on groups of users. On the Meraki system there are group policies that will assign the VLAN for the user as well as any type of layer 7 firewalling and bandwidth control. So there will be 250 group policies, one for each unit. There is a deployment guide that shows how to setup ISE for use with Meraki and it is great but it assumes that there will be large groups like Employees, Contractors, etc.. that will be used. This is where I'm being tripped up, also... this is my first swing at a NAC deployment so I have a lot to learn.
  1.Can I setup each user in Active Directory to have a tag that ISE can then forward on to Meraki for the group policy? Say it's unit 101 and I have a group policy called 101 in Meraki, Meraki documentation says to use the Airespace-ACL-Name attribute in ISE to indicate the group policy to use. This gives me the ability to place a group into that policy but not an individual. Or would this be better done by creating the users in ISE directly? Omit AD entirely?
  2. Each unit will have devices that will need MAB because they are not 802.1x compatible. I need to do the same as above with them. I would create a separate SSID for these devices but then use the MAC address to authenticate them but will need to authorize them to go into a specific group policy.
  I know this isn't a typical ISE application but I think that this will work really well in the end, just need to iron out these details and get a test system functioning. Any help would be greatly appreciated!!!
  Thanks,
  Nathan

  Please find the Meraki_ISE integration doc. in attachment.
  When VLAN tagging is configured per user, multiple users can be associated to the same SSID, but their traffic is tagged with different VLAN IDs. This configuration is achieved by authenticating wireless devices or users against a customer-premise RADIUS server, which can return RADIUS attributes that convey the VLAN ID that should be assigned to a particular user’s traffic.
  In order to perform per-user VLAN tagging, a RADIUS server must be used with one of the following settings:
  MAC-based access control (no encryption)
  WPA2-Enterprise with 802.1x authentication
  A per-user VLAN tag can be applied in 3 different ways:
  The RADIUS server returns a Tunnel-Private-Group-ID attribute in the Access-Accept message, which specifies the VLAN ID that should be applied to the wireless user. This VLAN ID could override whatever may be configured in the MCC (which could be no VLAN tagging, or a per-SSID VLAN tag). To have this VLAN ID take effect, “RADIUS override” must be set to “RADIUS response can override VLAN tag” under the Configure tab on the Access Control page in the “VLAN setup” section.
  The RADIUS server returns a group policy attribute (e.g., Filter-ID) in the Access-Accept message. The group policy attribute specifies a group policy that should be applied to the wireless user, overriding the policy configured on the SSID itself. If the group policy includes a VLAN ID, the group policy’s VLAN ID will be applied to the user.
  On the Client Details page, a client can be manually assigned a group policy. If the group policy includes a VLAN ID, the group policy’s VLAN ID will be applied to the user. 

• Rulebase - Multiple User Groups

  Hi
  I am building a rulebase that will be both staff facing (internal) and customer facing (external). There is a requirement to present different question and commentary depending on the user group that runs the interview.
  For example:
  When a customer runs the interview, the question text will read "What is your annual income?" and the Help Text will have generic information on how to calculate the annual income.
  Where as, when a staff runs the interview (on behalf of the customer), the question text will read "What is the customer's annual income?" and the Help text will have generic information + a hyperlink to an internal help page that has more details on how to calculate the annual income.
  So, basically I want to author the rules once - but use different question labels / commentary depending on the user group. How to achieve this?

  The simplest way is to create two separate interviews in the same rulebase project. Then you can configure look and feel, screens, labels, commentary and everything else separately for the two different audiences. The benefits of this probably outweigh the small cost savings you'll likely see from reusing screens across the two audiences.
  The other option is to get tricky with customizing the behavior of Web Determinations based on the audience - but that will likely get hard to maintain quite quickly - and will make it harder to quickly deploy changes to the rulebase when they are required.
  Davin.

• Trash and user group help!

  why do i need to type in password when i delete things? how do i remove it?
  and i can't delete items directly from the dock as well. like opening from the downloads folder and dragging the file to trash. i have to bring open up Finder and delete from the folder directly.
  another issue is that am i able to remove the gues user from my start up screen? i've already disabled it from the user groups but i still see it in my login screen.
  one last problem, is it a norm to have current leakage for the MBP? i've been having frequent shocks from the 2 bottom corners of it when i plug it in to a power source. i bought it from an authorized retailer and using it in the country where i've gotten it from. i've just gotten my mbp about 3 weeks back.
  thanks for replying my queries!

  Hi,
  Yeah in ACS 3.1 its under the Shared Profile Components page. In ACS 4.1 its directly under the user groups or under SPC page.
  You need to check the box for "define ip based access restriction" and deny access for all other groups to the wireless access points network device group.
  ACS 3.X)
  1. Denied Calling/Point of access restrictions
  2. AAA Clients =UPS_PDU (Power Supplies)
  3. Port = just put a * for all
  4. Src IP address = just put a * as well
  SUBMIT to SAVE
  Create a second one for the other group like so:
  1. Denied Calling/Point of access restrictions
  2. AAA Clients =Routers_Switches
  3. Port = just put a * for all
  4. Src IP address = just put a * as well
  Click submit to save it.
  Go to the ACS User groups section and select the Network Administrators Group " that don't need access to the UPS's" and apply the NAR you created to that group. Do the same for the other grouping.
  (ACS 4.X)
  Go directly under the "user groups" and create the NAR under there. No need to go under the Shared Profile Components section
  Hope this helps and let me know if you need further assistance or explanation.
  Craig

• Pulling user/group field data from SharePoint list using REST, jQuery, Knockout.js Sharepoint 2013

  I'm trying to make an interactive task board based on the task list app in SharePoint 2013. The task lisk includes fields like "Title","Description","Status","% Complete","Due Date","Assigned To",
  etc. I used knockout.js to bind "Title","Description", and "Status" to my HTML controls. Here is some of the code:
  var ViewModal = function(items, listname){
  var self = this;
  self.sortBy = ko.observableArray(sortBy);
  self.tasks = ko.observableArray(items);
  self.listname = ko.observable(listname);
  self.auto = ko.observable(false);
  self.getTasks = function() {
  clearTimeout(self.getTasks);
  // server relative url to REST service endpoint
  var ajaxurl = _spPageContextInfo.webServerRelativeUrl + "/_vti_bin/listdata.svc/" + self.listname() + "?$orderby=PriorityValue";
  $.ajax({
  type: "GET",
  url: ajaxurl,
  contentType: "application/json; charset=utf-8",
  dataType: "json",
  cache: false,
  processData: true,
  success: function (data, status, xhr) {
  if (status == "success" && data) {
  ko.mapping.fromJS(data.d.results, mapping, self.tasks)
  $(".task-item").draggable();
  error: alert
  if (self.auto()) {
  setTimeout(self.getTasks, 10000);
  <div class="tasks-column">
  <div class="column-header">Not Started</div>
  <!-- ko foreach: tasksNotStarted -->
  <div class="task-item">
  <div class="view" data-bind="visible: !IsEditing()">
  <button class="edit" data-bind="click: $root.editTask">edit</button>
  <h2><span data-bind="text: Title"></span></h2>
  <div data-bind="html: Description"></div>
  <span data-bind="text: PriorityValue"></span>
  </div>
  <div class="edit" data-bind="visible: IsEditing">
  <button class="save" data-bind="click: $root.saveTask">save</button>
  <input type="text" data-bind="value: Title"></input>
  </div>
  </div>
  I'm having trouble displaying the data from the "Assigned To" user/group field. I tried:
  <span data-bind="text: AssignedTo"></span>
  But it displays the field as [object Object]
  I tried using $select/$expand
  ?$select=Title,AssignedTo/Id,Assignedto/Title&$expand=AssignedTo/Id,AssignedTo/T‌​itle";
  But it still returns the [object Object]

  Hi,
  Please use the REST URI below:
  /_api/lists/getbytitle('ListName')/items?$select=Title,AssignedTo/ID,AssignedTo/Title&$expand=AssignedTo/ID,AssignedTo/Title
  More information for your reference:
  How to get User Details and User Group Details in SharePoint 2013 REST API with Knockout for SharePoint Js (KoSpJs)
  http://www.ashokraja.me/post/How-to-get-User-Details-and-User-Group-Details-in-SharePoint-2013-REST-API-with-Knockout-for-SharePoint-Js-(KoSpJs).aspx
  How to Get Login Name and Display Name using SharePoint 2013 REST API
  https://www.nothingbutsharepoint.com/sites/devwiki/articles/pages/how-to-get-login-name-and-display-name-using-sharepoint-2013-rest-api.aspx
  Best Regards
  Dennis Guo
  TechNet Community Support

• Populating the user group instead of the group ID in MFA

  Hello all,
  I am trying to Populate the user group instead of the group ID in MFA. I want to use this to create authorization permissions, after authentication. I am running into the problem of not getting any info after authentication in the attribute dump.  Are
  there settings that I can change in order to Populate the attribute dump? are there settings that I can change to get all of the groups that each user is in?
  Thanks,
  Levi Williams
  IT professonial
  Intern

  Hi Levi Williams,
  Thanks for posting here!
  Refer to the solution in this  thread link:
  https://social.msdn.microsoft.com/Forums/en-US/df060757-8190-4083-a162-0876cd4b8d15/group-based-radius-return-attributes?forum=windowsazureactiveauthentication
  Additional reference:
  http://www.rdsgurus.com/uncategorized/step-by-step-using-windows-server-2012-r2-rd-gateway-with-azure-multifactor-authentication/
  Hope this helps!
  Regards,
  Sadiqh

• How to only synchronize one specific LDAP user group with SAP?

  Hi,
  Hopefully this is the correct forum to post this in. I want to have continuous one-way synchronization of users from my LDAP server to my SAP central system. I've started configure in SAP using transaction SM59 and LDAP. Can I somewhere set that only one specific LDAP user group shall be transferred to SAP (they do not need to be assigned to any specific group, profile, role in SAP) - or should this be done on the LDAP server side (or is it at all possible)?
  Correct me if I'm wrong, but the User Group field in the report RSLDAPSYNC_USER only concerns SAP user groups right? This would therefore not be sufficient since I want to select the users to synchronize based on user groups in the directory.
  Thanks, Oscar

  We've used a repository constant to specify the LDAP filter for reading users / groups from the LDAP target.
  E.g. LDAP_FILTER_USERS (&(objectCategory=person)(objectClass=user))
  Then we also have a constant for the LDAP_STARTING_POINT
  For our AD Group Initial Load we filter according to these settings:
  LDAP_FILTER_GROUPS = (objectclass=group)
  LDAP_STARTING_POINT_GROUPS = ou=IDMManagedGroups,ou=Groups,dc=cfstest,dc=le,dc=ac,dc=uk
  The above example only reads AD groups starting at the specified OU
  Then in a Job From LDAP Pass the LDAP URL looks like this:
  LDAP://%$rep.LDAP_HOST%:%$rep.LDAP_PORT%/%$rep.LDAP_STARTING_POINT_GROUPS%?*?SUB?%$rep.LDAP_FILTER_GROUPS%
  I hope this helps
  Paul