Determining if a user is disabled in OD using LDAP query

Hello all,
I'm doing an LDAP query against my OD to make a web-based user directory. I'm using PHP and doing an LDAP search against a 10.6 Server OD such as this:
$sr=ldap_search($ds, "cn=users,dc=my_server,dc=private", "(CN=*)");
The search is working perfectly, and I'm getting an array result with multiple key/values such as:
objectclass
uidnumber
apple-generateduid
apple-mcxflags
loginshell
etc.......
Since it's a listing of active employees, I want to identify deactivated ones and filter them out of my listing. However, I can't see any key/values that could tell me if a user is deactivated or not.
What would be the best way? Must I run a command line to see if a user is disabled, and if so, what command? (However, this would be poor on performance...)
Thanks.

I looked into this ages ago here:
https://discussions.apple.com/message/6595575#6595575
This information was relevant back in 10.4 which was post NetInfo.  All things being equal, this is likely still the case.  However, this may have changed and I apologize in advance for not validating.

Similar Messages

  • Determin how many user log on the site using JSP/Servlet?

    Hi all,
    Is there a way to determine how many users are logged on to the site using JSP/Servlet? I'm running Apache 2.x & Tomcat 4.x.
    I'm trying to get a list of users currently logged in to the site.
    Please help!
    Thanks,
    -JN-

    You could use the HttpSessionBindingListener interface. Every time a user logs into the session, put a user object into the session. The user object will implement the HttpSessionBindingListener interface. When the user object is added to a session it receives an event and it increments a counter. When the session times out, or you invalidate the session because the user has logged out, the user object will receive an event and it can then decrement the counter.
    This will at least tell how many active user sessions there are.

  • Disabled AD users still showing in People Search - LDAP query already filtering

    We are running MOSS 2007 on Windows Server 2008 R2 Standard. In the past couple of weeks we have noticed that our disabled Active Directory users are no longer being removed from SharePoint. On my import connection I have an LDAP query of "(&(objectCategory=Person)(objectClass=User)(!userAccountControl:1.2.840.113556.1.4.803:=2)(mail=*ca)(sn=*)(department=*)(!(!givenName=*)))", which among other things is filtering out disabled users. This has been this way for 5 years now and always worked fine. Now it has stopped doing its job and I can't figure out why. I have performed a complete reindex of the search as well as multiple full profile imports, all to no avail.
    Can anyone shed some light on this for me?
    TIA
    Sandra

    Create the filter in AD connection 
    Open Edit connection filters screen from that you can see Exclusion filter for users.
    In Exclusion filter for users enter the below values.
    Attribute : userAccountControls (Select from dropdown)
    Operator: Bit on Equal (Select from dropdown)
    Filter : 2
    Once you enter the required values click on Add button and it will show the
    below details in Exclusion filter for users.
    Do the full crawl after this. 
    Check for details
    http://support.microsoft.com/kb/827754?wa=wsignin1.0
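    As an added example (not part of the thread), the following Python script evaluates the disabled-user clause of Sandra's filter, `(!userAccountControl:1.2.840.113556.1.4.803:=2)`, and the rest of that filter, against a handful of constructed directory entries; the flag values are the documented AD userAccountControl bits, and the sample accounts are made up.

```python
"""Evaluate the `(!userAccountControl:1.2.840.113556.1.4.803:=2)` clause of the
LDAP import filter quoted above against constructed sample entries.

1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND: the clause matches when
every bit of the mask is set in the attribute, so negating a mask of 2
(ACCOUNTDISABLE) keeps only enabled accounts. The SharePoint exclusion filter
in the reply (userAccountControl, "Bit on Equal", 2) expresses the same test.
"""
from typing import Dict, List

# Subset of the documented userAccountControl flag bits.
UAC_FLAGS = {
    "ACCOUNTDISABLE": 0x0002,
    "LOCKOUT": 0x0010,
    "PASSWD_NOTREQD": 0x0020,
    "NORMAL_ACCOUNT": 0x0200,
    "DONT_EXPIRE_PASSWORD": 0x10000,
}


def bit_and_match(value: int, mask: int) -> bool:
    """Semantics of `attr:1.2.840.113556.1.4.803:=mask`: all mask bits set."""
    return (value & mask) == mask


def decode_uac(value: int) -> List[str]:
    """Names of the known flags present in a userAccountControl value."""
    return [name for name, bit in UAC_FLAGS.items() if value & bit]


def is_disabled(value: int) -> bool:
    return bit_and_match(value, UAC_FLAGS["ACCOUNTDISABLE"])


def passes_import_filter(entry: Dict[str, object]) -> bool:
    """Hand-coded evaluation of the whole filter from the question:
    (&(objectCategory=Person)(objectClass=User)(!userAccountControl:...:=2)
      (mail=*ca)(sn=*)(department=*)(!(!givenName=*)))"""
    classes = [str(c).lower() for c in entry.get("objectClass", [])]
    mail = str(entry.get("mail", ""))
    return (
        str(entry.get("objectCategory", "")).lower() == "person"
        and "user" in classes
        and not is_disabled(int(entry.get("userAccountControl", 0)))
        and mail.endswith("ca")            # (mail=*ca)
        and bool(entry.get("sn"))          # (sn=*) presence test
        and bool(entry.get("department"))  # (department=*) presence test
        and bool(entry.get("givenName"))   # (!(!givenName=*)) == (givenName=*)
    )


def _entry(name: str, uac: int, mail: str, **extra: object) -> Dict[str, object]:
    base: Dict[str, object] = {
        "sAMAccountName": name, "objectCategory": "Person",
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "userAccountControl": uac, "mail": mail, "sn": name.title(),
        "givenName": name.title(), "department": "Sales"}
    base.update(extra)
    return base


# Constructed sample entries (not real accounts).
SAMPLE_ENTRIES = [
    _entry("alice", 512, "alice@example.ca"),    # enabled normal account
    _entry("bob", 514, "bob@example.ca"),        # 0x200 | 0x2: disabled
    _entry("carol", 66050, "carol@example.ca"),  # disabled, password never expires
    _entry("dave", 512, "dave@example.com"),     # enabled, but mail is not *ca
    _entry("erin", 512, "erin@example.ca", givenName=""),  # no givenName
]


def imported_accounts(entries: List[Dict[str, object]]) -> List[str]:
    """sAMAccountNames the import filter would keep."""
    return [str(e["sAMAccountName"]) for e in entries if passes_import_filter(e)]


if __name__ == "__main__":
    for e in SAMPLE_ENTRIES:
        print(e["sAMAccountName"], decode_uac(int(e["userAccountControl"])),  # type: ignore[call-overload]
              "imported" if passes_import_filter(e) else "excluded")
```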

  • ASA WebVPN. How do you restrict access to users in an AD group using LDAP?

    Hi All,
    I am trying to configure separate WebVPN connection profiles to give different portal bookmark contents to users based on their AD group membership.  This has been very difficult, even though I believe it should be easy.
    The login page of the ASA by default has a dropdown to allow default users to access the default portal and the SSL VPN client connection.
    There are two other portals that I would like to restrict access to based on AD group membership.  I have set these up to be selected by URL.
    The biggest problem is, I have no way of knowing how to go about this.  The AAA LDAP options show a group membership search, which I have configured, but I cannot say "Profile X is restricted to AD group CarpetBaggers", so that if someone that is NOT a carpetbagger tries to log in, it fails.
    I can only do an all or nothing scenario.
    It would be nice to use Dynamic Access Policies to do this, and I have created a few, but they do NOT seem to work when the drop down aliases or URLs are in use.  So how do I go about using them in this scenario?  Turning off the aliases or URLs is not really an option right now.
    Scenario 1 would work the best for me.  Restrict access to profiles/groups based on AD group membership using LDAP.
    Scenario 2 would be an ideal longer term solution.
    Any thoughts, ideas or assistance would be greatly appreciated.
    Cheers

    This is exactly what I was looking for, and Nelson is correct.  When you enter the DAP configuration for a profile click on "Advanced" and there is the option to create a logical expression.  The guide (there is a button to access this) is really helpful, with a couple of examples.  This is what I used:
    assert(function()
        if ( (type(aaa.ldap.distinguishedName) == "string") and
             (string.find(aaa.ldap.distinguishedName, "OU=Users") ~= nil) ) then
            return true
        end
        return false
    end)()
    from the debug dap you can see what Users relates to;
    DAP_TRACE: Username: MyUsername, aaa.ldap.distinguishedName = CN=Mr B,OU=Users,OU=Site ******,DC=CH,DC=Mycompany,DC=com
    My admin account fails to get me in to the same profile:
    DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["distinguishedName"]="CN=Admin Mr B,OU=Admin Users,OU=Site *****,DC=CH,DC=Mycompany,DC=com"
    Thanks
    Andrew
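    As an added example (not from the thread or from Cisco), this Python script contrasts the substring test in Andrew's Lua expression with a comparison on the parsed RDN components of the DN. The two DNs are the ones his DAP_TRACE lines show; the third DN is constructed to show a container that contains the text "OU=Users" without being OU=Users.

```python
"""Compare the substring test in the DAP Lua expression above
(string.find(aaa.ldap.distinguishedName, "OU=Users")) with an exact RDN test.
A substring match also accepts any DN that merely contains the text "OU=Users",
so an authorization rule is tighter when it checks the RDN components."""
from typing import List, Tuple

# DNs copied from the DAP_TRACE lines in the thread, plus one constructed DN
# (not from the thread) that contains the substring without being in OU=Users.
DN_USER = "CN=Mr B,OU=Users,OU=Site ******,DC=CH,DC=Mycompany,DC=com"
DN_ADMIN = "CN=Admin Mr B,OU=Admin Users,OU=Site *****,DC=CH,DC=Mycompany,DC=com"
DN_CONTRACTOR = "CN=Contractor X,OU=Users-External,OU=Site ******,DC=CH,DC=Mycompany,DC=com"


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 4514 style DN into (attribute, value) pairs, honouring
    backslash-escaped commas inside values (the escape is kept verbatim)."""
    rdns: List[str] = []
    current: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current))
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def substring_match(dn: str, needle: str = "OU=Users") -> bool:
    """What the Lua string.find(..., "OU=Users") ~= nil test checks."""
    return needle in dn


def rdn_match(dn: str, attr: str = "OU", value: str = "Users") -> bool:
    """True only if some RDN is exactly attr=value (case-insensitive, as LDAP
    compares OU values)."""
    return any(a == attr.upper() and v.lower() == value.lower()
               for a, v in parse_dn(dn))


def parent_container(dn: str) -> str:
    """The container the object sits in, i.e. the DN minus its first RDN."""
    return ",".join(f"{a}={v}" for a, v in parse_dn(dn)[1:])


if __name__ == "__main__":
    for dn in (DN_USER, DN_ADMIN, DN_CONTRACTOR):
        print(f"{dn}\n  substring={substring_match(dn)} rdn={rdn_match(dn)}")
```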

  • Using LDAP Query in Active Directory to see what users are still logged ?

    Any suggestions for an LDAP query that I can use in AD to see who is still logged into the network?
    It would be great to distinguish who's logged in with a screen lock which means they aren't really at their PC vs what users are actually using their PCs.
    Thanks in advance!

    I recently posted a framework for checking all machines to see who is logged into them. You can take that and adjust it as you need.
    https://social.technet.microsoft.com/Forums/en-US/fb2ef90a-ba15-41bf-8e6c-95d32256225b/how-do-i-run-this-query-from-a-text-file-list?forum=ITCG
    Don't retire TechNet! -
    (Don't give up yet - 13,085+ strong and growing)

  • Pwpolicy -- how to determine if a user's account is disabled?

    Hi all...
    For my user accounts, I have the accounts set to disable after 180 days of non-use.
    I'd like to be able to determine which accounts *have been disabled* because of this. Graphically, I can only see this in WorkGroup Manager when a user actually tries to log in to their account and it fails because of this -- then the user gets an "X" next to their name in WGM.
    But this "X" doesn't appear unless the user tries to access his/her account.
    For example, here's the policy on my account:
    pwpolicy -getpolicy -u maser
    Getting policy for maser
    newPasswordRequired=0 maxMinutesOfNonUse=259200 maxChars=0 usingHistory=0 isSessionKeyAgent=0 isComputerAccount=0 maxMinutesUntilDisabled=0 requiresAlpha=0 hardExpireDateGMT=01/01/70 minutesUntilFailedLoginReset=0 requiresMixedCase=0 passwordCannotBeName=0 requiresSymbol=0 expirationDateGMT=01/01/70 notGuessablePattern=0 canModifyPasswordforSelf=1 maxFailedLoginAttempts=0 minChars=9 usingExpirationDate=0 requiresNumeric=0 maxMinutesUntilChangePassword=0 usingHardExpirationDate=0
    This shows me that 259200 minutes (the default) will be when my account is disabled from maxMinutesOfNonUse -- but nothing about how long it's been since I've used my account.
    Is there a terminal command which will show me which accounts have been disabled?
    And/or a command that will show my how many "MinutesOfUse" an account has (meaning how long it's been since a user connected to my server)?
    Thanks!
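    As an added example (not from the thread), this Python script parses the `pwpolicy -getpolicy` output quoted above into a dictionary and derives the settings that can take an account out of service, which is the first step to scripting a check over all accounts. It assumes the `isDisabled` pwpolicy key, which the quoted output does not show; when the key is absent the script reports "unknown" rather than guessing.

```python
"""Parse the output of `pwpolicy -getpolicy -u <user>` (Open Directory on
Mac OS X Server) into a dict and derive the account-disable settings from it.
SAMPLE_OUTPUT is the output quoted in the question. The `isDisabled` key is
a pwpolicy policy key that the quoted output does not show (assumption); when
it is absent the status is reported as "unknown" rather than guessed."""
import re
import subprocess
from typing import Dict, Optional

SAMPLE_OUTPUT = (
    "Getting policy for maser\n"
    "newPasswordRequired=0 maxMinutesOfNonUse=259200 maxChars=0 usingHistory=0 "
    "isSessionKeyAgent=0 isComputerAccount=0 maxMinutesUntilDisabled=0 "
    "requiresAlpha=0 hardExpireDateGMT=01/01/70 minutesUntilFailedLoginReset=0 "
    "requiresMixedCase=0 passwordCannotBeName=0 requiresSymbol=0 "
    "expirationDateGMT=01/01/70 notGuessablePattern=0 canModifyPasswordforSelf=1 "
    "maxFailedLoginAttempts=0 minChars=9 usingExpirationDate=0 requiresNumeric=0 "
    "maxMinutesUntilChangePassword=0 usingHardExpirationDate=0\n"
)

_KV = re.compile(r"(\w+)=(\S+)")
MINUTES_PER_DAY = 24 * 60


def parse_policy(output: str) -> Dict[str, str]:
    """Turn the space separated key=value list into a dict; the leading
    'Getting policy for ...' line is skipped."""
    policy: Dict[str, str] = {}
    for line in output.splitlines():
        if line.startswith("Getting policy for"):
            continue
        for key, value in _KV.findall(line):
            policy[key] = value
    return policy


def _minutes_as_days(policy: Dict[str, str], key: str) -> Optional[float]:
    """A zero value means the limit is not in force, so return None for it."""
    minutes = int(policy.get(key, "0"))
    return minutes / MINUTES_PER_DAY if minutes > 0 else None


def summarize(policy: Dict[str, str]) -> Dict[str, object]:
    """The settings that can take an account out of service."""
    flag = policy.get("isDisabled")
    return {
        "disabled": "unknown" if flag is None else (flag == "1"),
        "disable_after_days_unused": _minutes_as_days(policy, "maxMinutesOfNonUse"),
        "disable_after_days": _minutes_as_days(policy, "maxMinutesUntilDisabled"),
        "max_failed_logins": int(policy.get("maxFailedLoginAttempts", "0")) or None,
    }


def policy_for_user(user: str) -> Dict[str, object]:
    """Run pwpolicy for one account (needs a shell on the OD server; not
    executed in the sample run below)."""
    result = subprocess.run(["pwpolicy", "-getpolicy", "-u", user],
                            capture_output=True, text=True, check=True)
    return summarize(parse_policy(result.stdout))


if __name__ == "__main__":
    print(summarize(parse_policy(SAMPLE_OUTPUT)))
```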


  • Determine if a user has access to a URL in a webApp?

    Hello All.
    I have created a WebApp and defined <security-constraint>'s in the
    /WEB-INF/web.xml file, and all works fine.
    However, I would like to enable/disable links on my User Interface based on
    the current user's groups/roles and the <security-constraints>'s.
    I can use the request.isUserInRole() method to determine if a user belongs
    to a particular role.
    However, what happens if the access to the URL changes in the web.xml file.
    I need to programmatically determine which roles can access a URL defined in
    the <security-constraint>.
    Are there any weblogic classes that will assist in determining url patterns
    and roles.
    Any help would be greatly appreciated.
    Thank you
    Brad Hof

    Bradley Hof wrote:
    Hello All.
    I have created a WebApp and defined <security-constraint>'s in the
    /WEB-INF/web.xml file, and all works fine.
    However, I would like to enable/disable links on my User Interface based on
    the current user's groups/roles and the <security-constraints>'s.
    I can use the request.isUserInRole() method to determine if a user belongs
    to a particular role.
    However, what happens if the access to the URL changes in the web.xml file.
    You can't redeploy webapps in WL 5.1 so this will never happen :)
    Cheers,
    Alex

  • How to find out if a user is disabled in xpress code?

    I have an active sync form and I'm trying to determine, as one of my checks, if a user is disabled. I've tried using waveset.disabled, but that always returns null. I also tried waveset.organization to see if the user is in the 'terminate' organization, but it always returns only 'Top' and not 'Top:Terminate'.
    Any ideas how I can find out if a user account is disabled?
    Thanks for any info!

    Hi,
    These two attributes you can only get in the userview.
    waveset.disabled (this is null if the user is not disabled, else it returns true if the user is disabled)
    waveset.organization (will give you the whole org path like Top:xyz)
    Take a dump of your userview and see what you are getting there.
    Use the below code in your form/WF to see the userview on the console:
    <block trace='true'>
      <invoke name='toXml'>
        <ref>userview</ref> <!-- use your userview object name -->
      </invoke>
    </block>

  • Enable firewall with GP but allow users to disable....

    I'm wondering how I can enable the firewall in group policy but allow a user to disable it if they have to.  I see that it says "settings are controlled by group policy" when I go to try to turn it off on a vista machine.  Thanks.

    Hi,
    GPOs do not provide this functionality unless you are using the special group policy preferences settings, which do not include control over the firewall. Your best bet is probably to simply deploy the OS with the default setting of the firewall being active, and this would allow any local administrator to change the configuration.
    Alternatively, you could dig down and determine the registry keys to control the firewall and change those with group policy preferences.
    Thanks,
    Guy

  • How to determine if a user has access to an item

    Without using the WWSEC_API, I need to find out if a user (not the logged in user) has the right privileges to view an item (URL).
    Has anyone identified what tables are involved in determining if a user has access to view an item ?

    Create a vo with the following SQL passing userid as bind value:
    SELECT C.USER_NAME,
    B.RESPONSIBILITY_NAME,
    A.START_DATE,
    A.END_DATE
    FROM APPS.FND_USER_RESP_GROUPS_DIRECT A,
    APPS.FND_RESPONSIBILITY_TL B,
    APPS.FND_USER C
    WHERE C.USER_ID = A.USER_ID
    AND C.USER_NAME= :1
    AND B.RESPONSIBILITY_ID = A.RESPONSIBILITY_ID
    You will have the list of all the responsibilities of a user.
    Kristofer

  • How to disable the previously entered user IDs that automatically appear. For example, when logging into email, the first letter of the user ID prompts the previously used email user IDs... I want to disable this feature. How can it be done?

    How to disable the previously entered user ID's that automatically appear. For example ; when logging into email , first letter of user ID prompts the previously used email user IDs... Want to disable this feature---How can it be done ?

    *Click the (empty) input field on the web page to open the drop down list
    *Highlight an entry in the drop down list
    *Press the Delete key (on Mac: Shift+Delete) to remove it.
    *http://kb.mozillazine.org/Deleting_autocomplete_entries
    * Tools > Options > Security: Passwords: "Saved Passwords" > "Show Passwords"
    * Tools > Options > Privacy > History: "Remember search and form history"
    * https://support.mozilla.com/kb/Remembering+passwords
    * https://support.mozilla.com/kb/Form+autocomplete

  • How to determine that the user/ pernr is comp cord?

    Hi,
    In tcode PA30 I see there is a Comp Cord field, so these are the HR persons, right, which use the three-digit numbers.
    So my question is how to determine that the user/pernr is comp cord?
    I want to create the FM and pass the user ID as import, and want to find out whether this user belongs to a comp coordinator or not.
    I do see some entries in the T526 table but am not sure how it works.
    Regards
    Ali

    Hi Ali,
    SACHX is the field you are looking for.
    regards
    Manthan Raja

  • SQL content database is locking when a user is disabled in Active Directory.

    We have an issue. First of all, we are running custom code in C# within a visual web part to "Offboard Users".  In essence it disables their AD account and moves it to another OU using the ActiveDirectoryServiceClient.
    Sometimes it works seamlessly, other times it causes a lock in the SQL content DB. The list ID that always comes up with the error is the User Information List.  I have researched that SharePoint will update the UserInfo table with tp_Deleted when a user is disabled. Would this also update the AllUserData table with a corresponding int value due to the foreign key relationships between these two tables?  If so, could this update be causing the SQL lock? Is there anything we can do to expedite the process? It runs really long, goes to critical, locks the DB, proceeds to completion successfully, but meanwhile users cannot interact with the site. The list is indexed on user name and work email. It is close to 4,000 list items, but broken into views. However, I don't think this has anything to do with the list itself as the Profile Service should be updating the list, the code does not.
    We have a separate DB for each site collection and all are within / under the 100GB limit.
    How is the AllUserData table updated from the UserInfo table?
    Thank You,
    Crjangel 
    Frances Garland

    I wouldn't have expected such a problem, but there you are :-(. Luckily you can analyze further by issuing a SQL DMV query providing details about existing locks, for instance using this one:
    http://www.toadworld.com/platforms/sql-server/b/weblog/archive/2013/08/11/dmv-13-finding-locking-amp-blocking-sys-dm-tran-locks.aspx
    Kind regards,
    Margriet Bruggeman
    Lois & Clark IT Services
    web site: http://www.loisandclark.eu
    blog: http://www.sharepointdragons.com

  • WLC 4404 Wireless users getting disabled

    Hi,
    I have a WLC 4404 with version 7.0.116.0. I was getting the following messages for particular APs:
    *Dec 20 14:11:13.875: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Dec 20 14:11:13.908: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
    *Dec 20 14:11:29.383: %LWAPP-5-RLDP: RLDP stopped on slot 0.
    *Dec 20 14:11:29.674: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to down
    *Dec 20 14:11:29.678: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Dec 20 14:11:29.700: %LWAPP-5-RLDP: RLDP started on slot 0.
    *Dec 20 14:11:29.707: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
    *Dec 20 14:11:29.752: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to down
    *Dec 20 14:11:29.757: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Dec 20 14:11:29.790: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
    *Dec 20 14:11:45.396: %LWAPP-5-RLDP: RLDP stopped on slot 0.
    *Dec 20 14:11:13.875: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    After reading one of the Cisco forum threads, I disabled RLDP for those particular APs, so the above messages are rectified.
    But right now we are not able to identify the Rogue IP and it is not contained.
    So please give any suggestion so that I can rectify the above messages as well as identify the rogue IP.
    Thanks & Regards
    Gaurav Pandya

    Hi Scott,
    You are right, I am not able to detect rogue APs because I disabled the RLDP. But when I enable the RLDP for that particular AP, I get the following messages with the interface going up and down:
    *Dec 20 14:11:13.875: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Dec 20 14:11:13.908: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
    *Dec 20 14:11:29.383: %LWAPP-5-RLDP: RLDP stopped on slot 0.
    *Dec 20 14:11:29.674: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to down
    *Dec 20 14:11:29.678: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Dec 20 14:11:29.700: %LWAPP-5-RLDP: RLDP started on slot 0.
    So please suggest me the middle way so that I can enable the RLDP (detect the rogue APs) without the interface going up and down frequently.
    Regards
    Gaurav

  • Removing the entitlement when a user gets disabled, OIM11g R2

    Hi Expert,
    I am trying to write the scheduler for removing the entitlement when a user gets disabled.
    Below is my code:
    import java.sql.Connection;
    import java.sql.ResultSet;
    import java.sql.SQLException;
    import java.sql.Statement;
    import java.util.ArrayList;
    import java.util.HashMap;
    import java.util.List;

    import oracle.iam.platform.Platform;
    // The package names below were not in the original post; they are assumed
    // from the OIM 11g R2 API and should be checked against your OIM client jars.
    import oracle.iam.platform.OIMClient;
    import oracle.iam.platform.utils.SuperRuntimeException;
    import oracle.iam.scheduler.vo.TaskSupport;
    import oracle.iam.provisioning.api.EntitlementService;
    import oracle.iam.identity.usermgmt.api.UserManager;
    import Thor.API.Operations.tcFormInstanceOperationsIntf;
    import Thor.API.Operations.tcLookupOperationsIntf;
    import Thor.API.Operations.tcObjectOperationsIntf;
    import Thor.API.Operations.tcUserOperationsIntf;

    public class RemoveEntitlement extends TaskSupport {
        // Declared in the original post but not used by the task below.
        protected OIMClient oimClient = null;
        private tcLookupOperationsIntf lookupOps;
        private tcUserOperationsIntf userOper;
        private tcObjectOperationsIntf obj;
        private tcFormInstanceOperationsIntf form;
        private UserManager userManager = null;

        public void execute() throws Exception {
            Connection connection = null;
            try {
                EntitlementService provisioningService = Platform.getService(EntitlementService.class);
                connection = getConnection();
                if (connection != null) {
                    List<Long> entitlementkeys = getEntitlementKey(connection);
                    if (entitlementkeys != null) {
                        for (Long entKey : entitlementkeys) {
                            boolean ent = provisioningService.deleteEntitlement(entKey);
                        }
                    } else {
                        // nothing to remove
                    }
                }
            } catch (Exception e) {
                throw e;
            } finally {
                if (connection != null) {
                    connection.close();
                }
            }
        }

        // Collects the ENT_LIST_KEY (entitlement definition key) of every assignment
        // that belongs to a disabled user (USR.USR_DISABLED = '1').
        private List<Long> getEntitlementKey(Connection connection) throws SQLException {
            Statement statement = null;
            ResultSet resultSet = null;
            List<Long> entKeys = new ArrayList<Long>();
            try {
                statement = connection.createStatement();
                resultSet = statement.executeQuery("select ENT_ASSIGN_KEY,USR_KEY,ENT_LIST_KEY from ENT_ASSIGN where USR_KEY IN (select USR_KEY from USR where USR_Disabled='1')");
                if (resultSet != null) {
                    while (resultSet.next()) {
                        entKeys.add(resultSet.getLong("ENT_LIST_KEY"));
                    }
                }
            } catch (SQLException e) {
                throw e;
            } finally {
                if (resultSet != null) {
                    try {
                        resultSet.close();
                    } catch (SQLException e) {
                        // ignore failure to close the result set
                    }
                }
                if (statement != null) {
                    try {
                        statement.close();
                    } catch (SQLException e) {
                        // ignore failure to close the statement
                    }
                }
            }
            return entKeys;
        }

        @Override
        public HashMap getAttributes() {
            // TODO Auto-generated method stub
            return null;
        }

        @Override
        public void setAttributes() {
            // TODO Auto-generated method stub
        }

        private Connection getConnection() {
            Connection connection = null;
            try {
                connection = Platform.getOperationalDS().getConnection();
            } catch (SQLException e) {
                throw new SuperRuntimeException(e);
            }
            return connection;
        }
    }
    When I try to test from my local (Eclipse), I get the below error:
    Mar 25, 2013 7:30:33 PM org.springframework.context.support.AbstractApplicationContext prepareRefresh
    INFO: Refreshing org.springframework.context.support.ClassPathXmlApplicationContext@256ef705: display name [org.springframework.context.support.ClassPathXmlApplicationContext@256ef705]; startup date [Mon Mar 25 19:30:32 IST 2013]; root of context hierarchy
    Mar 25, 2013 7:30:33 PM org.springframework.beans.factory.xml.XmlBeanDefinitionReader loadBeanDefinitions
    INFO: Loading XML bean definitions from class path resource [META-INF/iam-spring-config.xml]
    Mar 25, 2013 7:30:33 PM oracle.iam.platform.utils.SpringBeanFactory createBeanFactory
    SEVERE: Instantiating Spring Bean Factory Failed.IOException parsing XML document from class path resource [META-INF/iam-spring-config.xml]; nested exception is java.io.FileNotFoundException: class path resource [META-INF/iam-spring-config.xml] cannot be opened because it does not exist
    Exception in thread "main" java.lang.ExceptionInInitializerError
         at oracle.iam.platform.Platform.<clinit>(Platform.java:101)
         at RemoveEntitlement.execute(RemoveEntitlement.java:75)
         at RemoveEntitlement.main(RemoveEntitlement.java:66)
    Caused by: org.springframework.beans.factory.BeanDefinitionStoreException: IOException parsing XML document from class path resource [META-INF/iam-spring-config.xml]; nested exception is java.io.FileNotFoundException: class path resource [META-INF/iam-spring-config.xml] cannot be opened because it does not exist
         at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.loadBeanDefinitions(XmlBeanDefinitionReader.java:349)
    Any Help Appreciated...

    Depends upon if the domains are part of the same forest. If the account moves from one domain to another in the same forest then I don't think there is any issue with cross domain entitlement assignment as long as your AD supports people in domain to have group from another domain.
    -Bikash
