DHCP scope to a specific group active directory

Hello,
I need your help.
I need to know if there is a way to associate a specific DHCP scope with a specific Active Directory user group.
Example: Scope1: 192.168.1.0/24 for Group-Police, Scope2: 192.168.2.0/24 for Group Financial, etc.
Any way?

Thank you for your reply.
I'm sorry, I have not said that I need this for a VPN infrastructure.
When clients connect to the VPN they must receive an address from a scope associated with the type of work they do.
The infrastructure is behind a DMZ and the DHCP scope will be provided via DHCP relay, but how do I tell a particular group of users which DHCP scope addresses they should receive?

Similar Messages

  • Time services in Active Directory

    We have an old Ubuntu box running as an NTP server and as part of updating our systems we are planning to decommission it.  However, this system has been set as the local machines' NTP server via DHCP scope options and via group policy.  If I just switch it off then all the Windows clients or any DHCP client on the network will not know where to get the correct time from, and this could cause connectivity issues on the domain.
    I have tested a new GPO on an isolated machine to see what the effects are and not a lot changed: the client machine affected by this new GPO just reports DC01 as the NTPServer when I run w32tm /query /configuration and reports the source as being local CMOS clock when I run w32tm /query /status.  Is this normal?
    Running the same thing on my PDC shows the clock as being Free running system clock; should this be set to an online time service, or should it not matter (as long as the clients are only getting their time from the PDC)?
    What I would like to know is: is there a best practice guide somewhere I can read through?
    I have been trawling various searches but can't seem to find anything relevant.
    Drac

    We have an old Ubuntu box running as an NTP server and as part of updating our systems we are planning to decommission it.  However, this system has been set as the local machines' NTP server via DHCP scope options and via group policy.  If I just switch it off then all the Windows clients or any DHCP client on the network will not know where to get the correct time from and could cause connectivity issues on the domain.
    You can use GPOs to make your Windows client computers use your AD forest topology for time sync. I have described that in this Wiki article: http://social.technet.microsoft.com/wiki/contents/articles/18573.time-synchronization-in-active-directory-forests.aspx
    Once you are sure that all Windows client computers (and non-Windows computers if you have some) are using your AD forest topology for time sync, you can remove your Ubuntu box.
    I have tested a new GPO on an isolated machine to see what the effects are and not a lot changed, the client machine affected by this new GPO just reports DC01 as the NTPServer when I run w32tm /query /configuration and reports the source as being local CMOS clock when I run w32tm /query /status.  Is this normal?
    Is the client you use running as a VM? If yes, you can consider disabling the time sync feature with the hypervisor.
    Otherwise, please consider running the following commands to re-create registry entries for time sync configuration:
    w32tm /unregister
    w32tm /register
    Currently the PDC does not sync with any online time server, just its own internal clock (this is a virtual Windows 2012 server with the guest set not to sync time with host, if that makes any difference?).  So I need to set this to use an online time server and then "reset" the clients to use the PDC instead of the internal NTP server.  The other DCs in our domain all use the PDC as their time server along with all other infrastructure servers.
    You need to configure the PDC emulator of the root domain in your forest to sync its time with at least two reliable external NTP servers.
    This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

  • Difference between Windows NT domain registry and Active Directory registry

    What are the difference(s)?

    Frank, thanks for your response :)
    I want WebSphere Application Server to take advantage of a directory service. There are multiple options available for a directory service.
    In my configuration the requirement is to make WebSphere Application Server use Microsoft's Active Directory.
    While I was going through the (WebSphere) documentation, I saw the following note.
    "With Windows NT domain registry support for Windows 2000 and 2003 domain controllers, WebSphere Application Server only supports Global groups that are the Security type. It is recommended that you use the Active Directory registry support rather than a Windows NT domain registry if you use Windows 2000 and 2003 domain controllers because the Active Directory supports all group scopes and types. The Active Directory also supports a nested group that is not supported by Windows NT domain registry. The Active Directory is a centralized control registry."
    You can find the above note at this link (somewhere after the 7th line):
    http://www-01.ibm.com/support/knowledgecenter/SSAW57_7.0.0/com.ibm.websphere.nd.multiplatform.doc/info/ae/ae/csec_localos.html?cp=SSAW57_7.0.0%2F3-11-5-1-0-0
    Does it mean that they are recommending using Active Directory over Windows NT (which is an older approach) with Windows Server 2000 or Windows Server 2003 because Active Directory is more advanced?
    I was under the impression that Active Directory started with Microsoft Windows Server 2003 and the Windows NT registry was used till Windows 2000 Server.
    After going through the above links:
    The Windows NT registry is an old method. However, it is compatible with Windows Server 2000 and Windows Server 2003, but it is recommended to use Active Directory with Windows Server 2003 as it is more advanced. And the same is recommended in the WebSphere documentation (I am aware that support for Windows Server 2000 is over and only extended support is available for Windows Server 2003; however, this is to clear a doubt). Is my understanding correct? And does Windows Server 2000 also support both, i.e. we can use either the Windows NT registry or Active Directory, and similarly, either of them (Windows NT or Active Directory) could be used with Windows Server 2003?
    And if I got it correct, are Windows NT and Active Directory both directory service offerings from Microsoft, with NT being an old method and Active Directory being a new/advanced approach?

  • Search for specific user in an Active Directory group

    Hello,
    I have an OU containing a number of groups. Each group contains a number of members.
    I'm currently retrieving the entire list of members from each group by searching for the member attribute of each group. This is not an ideal approach as the query execution time is a bit too long.
    From what I can tell, the group class is group (as opposed to groupOfUniqueNames). Is there a way to query for the specific member?
    Thanks

    Thanks for the reply.
    I have read the first post you gave, but not the second. I'm off to read that now.
    My main concern is that I don't have access to the DN of the user in the member attribute. I have access to their CN and uid (which is indexed). From what I can recall from when I last updated this code, I couldn't create a wildcard search filter, e.g.:
    (&(cn=All Scientists)(objectClass=Group)(member=CN=Albert Einstein*))
    If that's correct and I require a DN, is there any way around this?
    I was interested in the posixGroup and groupOfUniqueNames classes. I wasn't aware that these were available through Active Directory, but I see them listed in the AD schema (http://msdn.microsoft.com/en-us/library/ms683908(VS.85).aspx).
    If I'm correct, posixGroup would allow for a filter of (&(cn=All Scientists)(objectClass=posixGroup)(memberUid=AEinstein))
    I'm not sure how typical it is to use the posixGroup class in AD and I'll have to check with my AD team before moving forward with this. But I wanted to get some more direction/ideas before asking them to create some posixGroup objects for me.
    I'm now going to go and read the second post you linked, but I wanted to put the rest of my details out there.
    Thanks again.
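    A filter builder for the membership questions in this thread, added here as an example in Python; it is not the poster's code. It assumes the standard AD attribute names (member, memberOf, cn, sAMAccountName, uid, userPrincipalName) and the 1.2.840.113556.1.4.1941 matching rule that Active Directory implements for nested membership. Every caller-supplied value is escaped per RFC 4515, so a name containing *, ( or ) cannot change the shape of the filter (the wildcard the poster tried is exactly what the escaping neutralises). It goes one step beyond the thread by covering the two-step lookup the poster needs when only CN or uid is known (resolve the DN by an indexed attribute, then test membership) and transitive membership through nested groups. The function names are mine; the group and user names are constructed.

```python
# Added example (not from the thread): LDAP filters for group-membership questions
# against Active Directory, with RFC 4515 escaping of every caller-supplied value.

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Active Directory's LDAP_MATCHING_RULE_IN_CHAIN: the server walks nested groups itself.
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"

# Attributes accepted as lookup keys (indexed in a default AD schema); anything else is refused.
LOOKUP_ATTRIBUTES = {"sAMAccountName", "uid", "cn", "userPrincipalName"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it cannot alter the structure of the filter it is placed in."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_dn_lookup_filter(attribute: str, value: str) -> str:
    """Step 1 of the two-step check: find the user object by an indexed attribute.
    The caller reads the matched entry's DN and passes it to the filters below."""
    if attribute not in LOOKUP_ATTRIBUTES:
        raise ValueError(f"{attribute!r} is not an allowed lookup attribute")
    return f"(&(objectClass=user)({attribute}={escape_filter_value(value)}))"


def group_contains_member_filter(group_cn: str, member_dn: str) -> str:
    """Step 2, asked of the group: matches the group object only if member_dn is a
    direct member. The server tests the indexed 'member' attribute; no member list is returned."""
    return ("(&(objectClass=group)"
            f"(cn={escape_filter_value(group_cn)})"
            f"(member={escape_filter_value(member_dn)}))")


def user_in_group_filter(group_dn: str, nested: bool = False) -> str:
    """Step 2, asked of the user: direct membership via memberOf, or transitive
    membership through nested groups when nested=True."""
    value = escape_filter_value(group_dn)
    if nested:
        return f"(&(objectClass=user)(memberOf:{LDAP_MATCHING_RULE_IN_CHAIN}:={value}))"
    return f"(&(objectClass=user)(memberOf={value}))"


if __name__ == "__main__":
    # Constructed names; no directory is contacted.
    print(user_dn_lookup_filter("sAMAccountName", "aeinstein"))
    dn = "CN=Albert Einstein,OU=Staff,DC=example,DC=com"
    print(group_contains_member_filter("All Scientists", dn))
    print(user_in_group_filter("CN=All Scientists,OU=Groups,DC=example,DC=com", nested=True))
    # A trailing wildcard or parenthesis in the input is encoded, not interpreted:
    print(escape_filter_value("Albert Einstein*)"))
```

    The membership test is done by the server against an indexed attribute, so the client never downloads a member list; that is the difference in cost the poster is seeing. The nested variant is evaluated transitively by the domain controller and is noticeably slower on large forests, so use it only when nesting matters.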

  • How to create User in the specific group in Microsoft Active Directory

    Hi,
    I am using Netscape LDAP, and want to create a user in a user-defined group. I have created a new user group "TestUsers" in the "Users" container of Active Directory, and I want to add the new user to the TestUsers group. But my problem is that whenever I create a new user it gets added to the Domain Users group.
    I tried adding the memberOf attribute with the value "TestUsers":
    attr = new LDAPAttribute("memberOf", "TestUsers");
    attrs.add(attr);
    It gives me the following error:
    code= 53 Exception 0000209A: SvcErr: DSID-031A0D6F, problem 5003 (WILL_NOT_PERFORM), data 0
    Following is the code I am using.
    // Needed import for the Netscape Directory SDK classes used below: import netscape.ldap.*;
    public LDAPResult createUserID(
            String userId,
            String pwd,
            String pId,
            boolean resetonLogOn,
            LDAPConnection ldCon) {
        LDAPResult ldaprs = new LDAPResult(); // the poster's own result holder: fields flag and code
        boolean flag = false;
        int code = 0;
        try {
            String pwdLastSetVal;
            String desName;
            String desc;
            /* Specify the DN of the new entry. */
            String dn = "CN=" + userId + ",CN=" + this.container + "," + this.baseDN; // container = "Users"
            /* Object classes of an AD user entry. */
            String objectclass_values[] = { "top", "person", "organizationalPerson", "user" };
            /* Create a new attribute set for the entry. */
            LDAPAttributeSet attrs = new LDAPAttributeSet();
            /* Attribute sAMAccountName */
            LDAPAttribute attr = new LDAPAttribute(LDAP_SAM_KEY, userId);
            attrs.add(attr);
            /* Attribute unicodePwd (LDAP_PASSWORD_KEY = "unicodePwd"); AD accepts it only over an SSL/TLS connection. */
            attr = new LDAPAttribute(LDAP_PASSWORD_KEY, (byte[]) this.encodePassword(pwd));
            attrs.add(attr);
            /* Attribute Display Name */
            desName = userId + ":" + pId;
            attr = new LDAPAttribute(LDAP_DIS_NAME_KEY, desName);
            attrs.add(attr);
            /* Attribute userAccountControl to enable the userid (LDAP_ACCOUNT_EN_VAL = "548").
               In the code as posted this block was swallowed by an unterminated comment. */
            attr = new LDAPAttribute(LDAP_ACCOUNT_KEY, LDAP_ACCOUNT_EN_VAL);
            attrs.add(attr);
            /* Attribute pwdLastSet: "0" forces a password change at first logon, "-1" stamps it with the current time. */
            if (resetonLogOn) {
                pwdLastSetVal = "0";
            } else {
                pwdLastSetVal = "-1";
            }
            attr = new LDAPAttribute(LDAP_RESET_KEY, pwdLastSetVal);
            attrs.add(attr);
            /* Attribute Description */
            desc = " Account Created by HelpNow App";
            attr = new LDAPAttribute(LDAP_DESC_KEY, desc);
            attrs.add(attr);
            /* Attribute objectclass */
            attr = new LDAPAttribute("objectclass", objectclass_values);
            attrs.add(attr);
            /* The memberOf attempt described above. AD derives memberOf from the group's member attribute
               and refuses a direct write with WILL_NOT_PERFORM, which is the error shown above. */
            attr = new LDAPAttribute("memberOf", "TestUsers");
            attrs.add(attr);
            /* Create an entry with this DN and these attributes. */
            LDAPEntry myEntry = new LDAPEntry(dn, attrs);
            /* Add the entry to the directory. */
            ldCon.add(myEntry);
            flag = true;
        } catch (LDAPException e) {
            flag = false;
            code = e.getLDAPResultCode();
        } catch (Exception e) {
            flag = false;
            code = LDAPException.OTHER;
        }
        ldaprs.flag = flag;
        ldaprs.code = code;
        return ldaprs;
    }

    Refer to the post titled "JNDI, Active Directory and Group Memberships" available at http://forum.java.sun.com/thread.jspa?threadID=581444&tstart=150
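    The posted code sets userAccountControl to "548" to enable the account. A decoder for that attribute is added below as an example in Python (not the poster's code); the flag table is the documented ADS_USER_FLAG set, and the function names and the RISKY_FLAGS selection are mine. It shows what 548 actually grants: NORMAL_ACCOUNT plus PASSWD_NOTREQD plus a bit (0x4) that matches none of the documented flags. PASSWD_NOTREQD is worth knowing about, because it exempts the account from the domain's password-required policy.

```python
# Added example (not the poster's code): decode an Active Directory userAccountControl
# value such as the "548" written above, and flag the bits a reviewer should question.

# Documented userAccountControl bit flags (ADS_USER_FLAG_ENUM), lowest bit first.
UAC_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0100: "TEMP_DUPLICATE_ACCOUNT",
    0x0200: "NORMAL_ACCOUNT",
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x20000: "MNS_LOGON_ACCOUNT",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}

# Flags that weaken the account's authentication posture; each should be a deliberate decision.
RISKY_FLAGS = {
    "PASSWD_NOTREQD",              # password policy not enforced; an empty password is accepted
    "DONT_REQ_PREAUTH",            # Kerberos pre-authentication disabled
    "USE_DES_KEY_ONLY",            # DES-only Kerberos keys
    "ENCRYPTED_TEXT_PWD_ALLOWED",  # password stored with reversible encryption
    "DONT_EXPIRE_PASSWORD",
    "TRUSTED_FOR_DELEGATION",      # unconstrained delegation
}

# What an ordinary, enabled user account carries when nothing special is intended.
NORMAL_ENABLED_ACCOUNT = 0x0200


def decode_uac(value):
    """Return (flag names in bit order, leftover bits matching no documented flag).
    Accepts an int or the decimal string LDAP returns for the attribute."""
    remaining = int(value)
    names = []
    for bit, name in sorted(UAC_FLAGS.items()):
        if remaining & bit:
            names.append(name)
            remaining &= ~bit
    return names, remaining


def review_uac(value):
    """Summarise a value the way an account-hygiene check would report it."""
    names, unknown = decode_uac(value)
    return {
        "flags": names,
        "unknown_bits": unknown,
        "enabled": "ACCOUNTDISABLE" not in names,
        "risky": sorted(set(names) & RISKY_FLAGS),
    }


if __name__ == "__main__":
    for v in ("548", NORMAL_ENABLED_ACCOUNT, 514):
        print(v, review_uac(v))
```

    For a provisioning routine like the one above, 512 (NORMAL_ACCOUNT) is the value to write once a real password has been set; if the account must exist before the password is known, create it with 514 (disabled) and clear ACCOUNTDISABLE afterwards rather than relying on PASSWD_NOTREQD.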

  • How to create user in specific user group in Microsoft Active Directory ?

    Hi,
    I am using Netscape LDAP, and want to create a user in a user-defined group. I have created a new user group "TestUsers" in the "Users" container of Active Directory, and I want to add the new user to the TestUsers group. But my problem is that whenever I create a new user it gets added to the Domain Users group.
    Following is the code I am using, which adds the user to the default group Domain Users.
    // Needed import for the Netscape Directory SDK classes used below: import netscape.ldap.*;
    public LDAPResult createUserID(
            String userId,
            String pwd,
            String pId,
            boolean resetonLogOn,
            LDAPConnection ldCon) {
        LDAPResult ldaprs = new LDAPResult(); // the poster's own result holder: fields flag and code
        boolean flag = false;
        int code = 0;
        try {
            String pwdLastSetVal;
            String desName;
            String desc;
            /* Specify the DN of the new entry. */
            String dn = "CN=" + userId + ",CN=" + this.container + "," + this.baseDN; // container = "Users"
            /* Object classes of an AD user entry. */
            String objectclass_values[] = { "top", "person", "organizationalPerson", "user" };
            /* Create a new attribute set for the entry. */
            LDAPAttributeSet attrs = new LDAPAttributeSet();
            /* Attribute sAMAccountName */
            LDAPAttribute attr = new LDAPAttribute(LDAP_SAM_KEY, userId);
            attrs.add(attr);
            /* Attribute unicodePwd (LDAP_PASSWORD_KEY = "unicodePwd"); AD accepts it only over an SSL/TLS connection. */
            attr = new LDAPAttribute(LDAP_PASSWORD_KEY, (byte[]) this.encodePassword(pwd));
            attrs.add(attr);
            /* Attribute Display Name */
            desName = userId + ":" + pId;
            attr = new LDAPAttribute(LDAP_DIS_NAME_KEY, desName);
            attrs.add(attr);
            /* Attribute userAccountControl to enable the userid (LDAP_ACCOUNT_EN_VAL = "548").
               In the code as posted this block was swallowed by an unterminated comment. */
            attr = new LDAPAttribute(LDAP_ACCOUNT_KEY, LDAP_ACCOUNT_EN_VAL);
            attrs.add(attr);
            /* Attribute pwdLastSet: "0" forces a password change at first logon, "-1" stamps it with the current time. */
            if (resetonLogOn) {
                pwdLastSetVal = "0";
            } else {
                pwdLastSetVal = "-1";
            }
            attr = new LDAPAttribute(LDAP_RESET_KEY, pwdLastSetVal);
            attrs.add(attr);
            /* Attribute Description */
            desc = " Account Created by HelpNow App";
            attr = new LDAPAttribute(LDAP_DESC_KEY, desc);
            attrs.add(attr);
            /* Attribute objectclass */
            attr = new LDAPAttribute("objectclass", objectclass_values);
            attrs.add(attr);
            /* Create an entry with this DN and these attributes. Membership of "TestUsers" is not set here:
               AD computes memberOf from the group's member attribute, so the group entry must be modified
               (add this dn to its member attribute) in a separate operation after the user exists. */
            LDAPEntry myEntry = new LDAPEntry(dn, attrs);
            /* Add the entry to the directory. */
            ldCon.add(myEntry);
            flag = true;
        } catch (LDAPException e) {
            flag = false;
            code = e.getLDAPResultCode();
        } catch (Exception e) {
            flag = false;
            code = LDAPException.OTHER;
        }
        ldaprs.flag = flag;
        ldaprs.code = code;
        return ldaprs;
    }

    Refer to the post titled "JNDI, Active Directory and Group Memberships" available at http://forum.java.sun.com/thread.jspa?threadID=581444&tstart=150

  • How do i use an active directory group for vpn and not all user

    Hi all,
    I have an ASA 5515-X...
    How do I use a particular group in Active Directory to have VPN/AnyConnect access?  Right now I believe it's for all users on my current config:
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    !integrate with active directory
    aaa-server LDAPSERVERS protocol ldap
    aaa-server LDAPSERVERS (vlan192) host 10.0.0.2
    ldap-base-dn dc=company,dc=com
    ldap-scope subtree
    ldap-naming-attribute sAMAccountName
    ldap-login-password 12345678
    ldap-login-dn cn=administrator,cn=Users,dc=company,dc=com
    server-type auto-detect
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Say I want to use this "vpn-group" object group in AD; my VPN is only AnyConnect and no other VPN types.
    Thanks for any comment you may add.

    The best way is to use Dynamic Access Policies (DAP). Cisco has a white paper (here) that shows how one can choose the LDAP group as one of the DAP criteria.
    DAP requires the Advanced Endpoint Assessment feature, so your licensing must support that.

  • SharePoint 2013 Active Directory Groups represented as c:0+.w| SID in UserInformation list instead of c:0+.w|Domain\Groupname

    Hi
    We are running on SharePoint Server 2013. When we add AD groups as permissions, we see that the group name is displayed properly in the permissions. Whereas when I click on the group name I see the SID with the SharePoint-specific claims characters, instead of domain\groupname. I understand that the claims characters are because of claims mode. But I expected domain\groupname instead of the SID. Is this the right behaviour?
    When I call the SiteData.GetContent web service, I get the SID of the group instead of the domain\groupname.
    Can someone please clarify?
    Thanks
    Naga

    Hi,
    Yes, the identity claim for an AD group is based on the SID of the group. The claim encoding for an Active Directory group consists of the following sections:
    c:0+.w|<SID>
    • "c" for a claim other than identity
    • "+" for a group SID
    • "." for a string
    • "w" for a Windows claim
    More information:
    http://www.sharepointfire.com/MyBlog/2013/11/get-ad-group-identity-claim-in-sharepoint-2013/
    Thanks,
    Dennis Guo
    TechNet Community Support
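    A decoder for the encoding Dennis describes, added here as an example in Python (not from the thread or from SharePoint). It parses the five positions of a SharePoint 2013 encoded claim and checks that a group claim really carries a SID; it also accepts the identity-claim form (i:0#.w|domain\user) and two further claim-type characters ("-" role, "!" identity provider) and two further issuers ("t" trusted provider, "f" forms) that the thread does not mention, reporting anything else as unknown rather than guessing. The function names and the sample SID are mine and constructed.

```python
# Added example (not the thread's code): parse and build SharePoint 2013 encoded claims.
import re

# Position 1: the identity claim that names the principal, or any other claim.
CLAIM_KIND = {"i": "identity claim", "c": "claim other than identity"}
# Position 3: what the value identifies. '#' and '+' are the two discussed in the thread.
CLAIM_TYPE = {"#": "user logon name", "+": "group SID", "-": "role", "!": "identity provider"}
# Position 4: how the value is typed; '.' is string.
VALUE_TYPE = {".": "string"}
# Position 5: original issuer. 'w' is Windows authentication.
ISSUER = {"w": "Windows", "t": "trusted identity provider", "f": "forms-based"}

# <kind>:0<claim type><value type><issuer>|<value>; position 2 is the reserved '0'.
CLAIM_RE = re.compile(r"^(?P<kind>[ic]):0(?P<ctype>.)(?P<vtype>.)(?P<issuer>.)\|(?P<value>.+)$")
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def parse_sharepoint_claim(encoded: str) -> dict:
    """Split an encoded claim into its labelled parts; reject malformed group claims."""
    m = CLAIM_RE.match(encoded)
    if m is None:
        raise ValueError(f"not a SharePoint encoded claim: {encoded!r}")
    ctype, value = m["ctype"], m["value"]
    if ctype == "+" and not SID_RE.match(value):
        # A group claim carries the SID, never the domain\groupname display form.
        raise ValueError(f"group claim must carry a SID, got {value!r}")
    return {
        "kind": CLAIM_KIND[m["kind"]],
        "claim_type": CLAIM_TYPE.get(ctype, f"unknown ({ctype})"),
        "value_type": VALUE_TYPE.get(m["vtype"], f"unknown ({m['vtype']})"),
        "issuer": ISSUER.get(m["issuer"], f"unknown ({m['issuer']})"),
        "value": value,
    }


def encode_group_claim(sid: str) -> str:
    """Build the c:0+.w|<SID> form for an AD group from its SID."""
    if not SID_RE.match(sid):
        raise ValueError(f"not a SID: {sid!r}")
    return f"c:0+.w|{sid}"


if __name__ == "__main__":
    # Constructed SID and logon name; not real principals.
    print(parse_sharepoint_claim("c:0+.w|S-1-5-21-1111111111-2222222222-3333333333-1105"))
    print(parse_sharepoint_claim("i:0#.w|CONTOSO\\jdoe"))
    print(encode_group_claim("S-1-5-32-544"))
```

    This is also why SiteData.GetContent returns the SID: the claim value is the SID, and the domain\groupname shown in the permissions UI comes from resolving that SID against the directory at display time. Code that needs the name has to do the same resolution (for example with the .NET SecurityIdentifier.Translate call) rather than parse it out of the claim.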

  • Bulk create Active Directory Users and Groups in PowerShell using Excel XLSX source file instead of CSV

    Hi Scripting Guy.  I am a Server Administrator who is very familiar with Active Directory, but new to PowerShell.  Like many SysAdmins, I often need to create multiple accounts (ranging from 3-200) and add them to multiple groups (ranging from 1 - 100).  Previously I used VBS scripts in conjunction with an Excel .XLS file (not a CSV file).  Since VBS is essentially out the door and PowerShell is in, I am having to re-create everything.
    I have written a PowerShell script that bulk creates my users and adds them to their corresponding groups; however, this can only use a CSV file (NOT an XLS file).  I understand that "CSV is much easier to use than Excel worksheets", but most times I have three sets of nearly identical groups (for Dev, QA and Prod).  Performing Search and Replace on the Excel template across all four Worksheets ensures the names used are consistent throughout the three environments.
    I know each Excel Worksheet can be exported as a separate CSV file and then the PowerShell scripts used as is, but since I am not the only SysAdmin who will be using these it leads to "unnecessary time lost", not to mention the reality that even though you clearly state "These tabs need to be exported using this naming standard" (to work with the PowerShell scripts) that is not the result.
    I've been tasked to find a way to modify my existing PowerShell/CSV scripts to work with Excel spreadsheets/workbooks instead, with no success.  I have run across many articles/forums/scripts that let you update Excel or export AD data into an Excel spreadsheet (even specifying the worksheet, column and row), but nothing for what I am trying to do.
    I can't imagine that I am the ONLY person who is in this situation/has this need.  So, I am hoping you can help.  How do I modify my existing scripts to reference "use this Excel spreadsheet, and this specific worksheet in the spreadsheet prior to performing the New-ADUser/Add-ADGroupMember commands"?
    For reference, I am including Worksheet/Column names of my Excel Spreadsheet Template as well as the first part of my PowerShell script.  M-A-N-Y T-H-A-N-K-S in advance.
       Worksheet:  Accounts
         Columns: samAccountName, CN_DisplayName_Name, sn_LastName, givenName_FirstName, Password, Description, TargetOU
       Worksheets:  DevGroups / QAGroups / ProdGroups
         Columns:  GroupName, Members, MemberOf, Description, TargetOU
    # Load PowerShell Active Directory module
    Write-Host "Loading Active Directory PowerShell module." -ForegroundColor DarkCyan
    Import-Module ActiveDirectory
    Write-Host " "
    # Set parameter for location of CSV file (so source file only needs to be listed once).
    $path = ".\CreateNewUsers-CSV.csv"
    # Import CSV file as data source for remaining script.
    $csv = Import-Csv -Path $path | ForEach-Object {
        # Add '@saccounty.net' suffix to samAccountName for UserPrincipalName
        $userPrincipal = $_."samAccountName" + "@saccounty.net"
        # Create and configure new AD User Account based on information from the CSV source file.
        Write-Host " "
        Write-Host "Creating and configuring new user account from the CSV source file." -ForegroundColor Cyan
        New-ADUser -Name $_."cn_DisplayName_Name" `
            -Path $_."TargetOU" `
            -DisplayName $_."cn_DisplayName_Name" `
            -GivenName $_."givenName_FirstName" `
            -Surname $_."sn_LastName" `
            -SamAccountName $_."samAccountName" `
            -UserPrincipalName $userPrincipal
    }

    Here is the same script as a function:
    Function Get-ExcelSheet{
        Param(
            $fileName = 'C:\scripts\test.xls',
            $sheetName = 'csv2'
        )
        $conn = New-Object System.Data.OleDb.OleDbConnection("Provider=Microsoft.Jet.OLEDB.4.0;Data Source = $fileName;Extended Properties=Excel 8.0")
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = "Select * from [$sheetName$]"
        $conn.Open()
        $cmd.ExecuteReader()
    }
    It is called like this:
    Get-ExcelSheet -filename c:\temp\myfilename.xslx -sheetName mysheet
    Do NOT change anything in the function and post the exact error.  If you don't have Office installed correctly or are running 64 bits with a 32 bit session you will have to adjust your system.
    ¯\_(ツ)_/¯
    Hi JRV,
    My apologies for not responding sooner; I was pulled off onto another project this week.  I have included and called your Get-ExcelSheet function as best as I could...
    # Load PowerShell Active Directory module
    Write-Host "Loading Active Directory PowerShell module." -ForegroundColor DarkCyan
    Import-Module ActiveDirectory
    Write-Host " "
    # JRV This Function Loads the Excel Reader
    Function Get-ExcelSheet{
        Param(
            $fileName = 'C:\scripts\test.xls',
            $sheetName = 'csv2'
        )
        $conn = New-Object System.Data.OleDb.OleDbConnection("Provider=Microsoft.Jet.OLEDB.4.0;Data Source = $fileName;Extended Properties=Excel 8.0")
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = "Select * from [$sheetName$]"
        $conn.Open()
        $cmd.ExecuteReader()
    }
    # Set parameter for location of the source file (so it only needs to be listed once) as well as Worksheet Names.
    $sourceFile = ".\NewDocClass-XLS-Test.xlsx"
    # JRV Call the Get-ExcelSheet function, providing FileName and SheetName values
    # Pipe the data from source for remaining script. The $_ lookups must sit inside the
    # ForEach-Object block; outside it $_ is empty, so the values computed there were blank.
    Get-ExcelSheet -fileName "E:\AD_Bulk_Update\NewDocClass-XLS-Test.xlsx" -sheetName "Create DocClass Accts" | ForEach-Object {
        # Add '@saccounty.net' suffix to samAccountName for UserPrincipalName
        $userPrincipal = $_."samAccountName" + "@saccounty.net"
        # Combine SurName & GivenName for DisplayName
        $displayName = $_."sn_LastName" + ". " + $_."givenName_FirstName"
        # Create and configure new AD User Account based on information from the source file.
        Write-Host " "
        Write-Host "Creating and configuring new user account from the source file." -ForegroundColor Cyan
        New-ADUser -Name $displayName `
            -SamAccountName $_."samAccountName" `
            -UserPrincipalName $userPrincipal `
            -Path $_."TargetOU"
    }
    Below are the errors I get:
    Exception calling "Open" with "0" argument(s): "The 'Microsoft.Jet.OLEDB.4.0'
    provider is not registered on the local machine."
    At E:\AD_Bulk_Update\Create-BulkADUsers-XLS.ps1:39 char:6
    + $conn.open()
    + ~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : InvalidOperationException
    Exception calling "ExecuteReader" with "0" argument(s): "ExecuteReader
    requires an open and available Connection. The connection's current state is
    closed."
    At E:\AD_Bulk_Update\Create-BulkADUsers-XLS.ps1:40 char:6
    + $cmd.ExecuteReader()
    + ~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : InvalidOperationException
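    The error above is what a 64-bit PowerShell host reports when asked for the Jet driver, which exists only as a 32-bit component (and the connection string's Extended Properties=Excel 8.0 targets the old .xls layout rather than .xlsx anyway). What the thread actually needs is a way to read a worksheet as records without any OLE DB provider, and an .xlsx file is a zip archive of XML parts, so the standard library is enough. The following is an added example in Python, not the thread's or JRV's code: build_xlsx constructs a minimal workbook in memory (a fixture for this reader; it omits parts such as [Content_Types].xml that Excel itself would require) using the worksheet and column names from the post, and read_sheet returns a named worksheet as dicts keyed by the header row, the shape Import-Csv gives the script. Function names and sample values are mine.

```python
# Added example (not from the thread): read a named .xlsx worksheet with the standard library only.
import html
import io
import re
import zipfile
import xml.etree.ElementTree as ET

MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
PKG = "http://schemas.openxmlformats.org/package/2006/relationships"


def _col_letters(index):
    """0 -> A, 25 -> Z, 26 -> AA: the column part of a cell reference such as B7."""
    letters, n = "", index + 1
    while n:
        n, rem = divmod(n - 1, 26)
        letters = chr(65 + rem) + letters
    return letters


def build_xlsx(sheets):
    """Constructed fixture: a minimal workbook using shared strings. It carries only the parts
    read_sheet() needs (no [Content_Types].xml or styles), so Excel itself would not open it."""
    shared, index = [], {}

    def sst_index(text):
        if text not in index:
            index[text] = len(shared)
            shared.append(text)
        return index[text]

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        names = list(sheets)
        sheet_tags = "".join(f'<sheet name="{html.escape(n)}" sheetId="{i + 1}" r:id="rId{i + 1}"/>'
                             for i, n in enumerate(names))
        z.writestr("xl/workbook.xml",
                   f'<workbook xmlns="{MAIN}" xmlns:r="{REL}"><sheets>{sheet_tags}</sheets></workbook>')
        rel_tags = "".join(f'<Relationship Id="rId{i + 1}" Type="{REL}/worksheet" '
                           f'Target="worksheets/sheet{i + 1}.xml"/>' for i in range(len(names)))
        z.writestr("xl/_rels/workbook.xml.rels", f'<Relationships xmlns="{PKG}">{rel_tags}</Relationships>')
        for i, name in enumerate(names):
            rows_xml = ""
            for r, row in enumerate(sheets[name], start=1):
                cells = "".join(f'<c r="{_col_letters(c)}{r}" t="s"><v>{sst_index(str(v))}</v></c>'
                                for c, v in enumerate(row))
                rows_xml += f'<row r="{r}">{cells}</row>'
            z.writestr(f"xl/worksheets/sheet{i + 1}.xml",
                       f'<worksheet xmlns="{MAIN}"><sheetData>{rows_xml}</sheetData></worksheet>')
        si_tags = "".join(f"<si><t>{html.escape(s)}</t></si>" for s in shared)
        z.writestr("xl/sharedStrings.xml", f'<sst xmlns="{MAIN}">{si_tags}</sst>')
    return buf.getvalue()


def _cell_text(cell, shared):
    kind = cell.get("t")
    if kind == "s":                  # index into sharedStrings.xml (what Excel writes for text)
        return shared[int(cell.find(f"{{{MAIN}}}v").text)]
    if kind == "inlineStr":          # text stored inside the cell element itself
        return "".join(t.text or "" for t in cell.iter(f"{{{MAIN}}}t"))
    v = cell.find(f"{{{MAIN}}}v")    # numbers, booleans and cached formula results
    return v.text if v is not None else ""


def read_sheet(xlsx_bytes, sheet_name):
    """Return the named worksheet as a list of dicts keyed by its header row."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        workbook = ET.fromstring(z.read("xl/workbook.xml"))
        rels = ET.fromstring(z.read("xl/_rels/workbook.xml.rels"))
        targets = {rel.get("Id"): rel.get("Target") for rel in rels}
        rid = next((s.get(f"{{{REL}}}id") for s in workbook.iter(f"{{{MAIN}}}sheet")
                    if s.get("name") == sheet_name), None)
        if rid is None:
            raise KeyError(f"worksheet not found: {sheet_name}")
        target = targets[rid]
        part = target.lstrip("/") if target.startswith("/") else "xl/" + target
        shared = []
        if "xl/sharedStrings.xml" in z.namelist():
            sst = ET.fromstring(z.read("xl/sharedStrings.xml"))
            shared = ["".join(t.text or "" for t in si.iter(f"{{{MAIN}}}t"))
                      for si in sst.iter(f"{{{MAIN}}}si")]
        rows = []
        for row in ET.fromstring(z.read(part)).iter(f"{{{MAIN}}}row"):
            cells = {}
            for cell in row.iter(f"{{{MAIN}}}c"):
                col = re.match(r"[A-Z]+", cell.get("r")).group(0)
                cells[col] = _cell_text(cell, shared)
            rows.append(cells)
    if not rows:
        return []
    header = rows[0]
    return [{header[col]: r.get(col, "") for col in header} for r in rows[1:]]


# Constructed sample workbook with the worksheet and column names from the thread.
WORKBOOK = build_xlsx({
    "Accounts": [
        ["samAccountName", "CN_DisplayName_Name", "sn_LastName", "givenName_FirstName", "TargetOU"],
        ["jdoe", "Doe. Jane", "Doe", "Jane", "OU=Dev,DC=example,DC=com"],
    ],
    "DevGroups": [
        ["GroupName", "Members", "TargetOU"],
        ["DEV-App-Admins", "jdoe", "OU=Dev,DC=example,DC=com"],
    ],
})

if __name__ == "__main__":
    for account in read_sheet(WORKBOOK, "Accounts"):
        print(account["samAccountName"], "->", account["TargetOU"])
```

    Each returned dict has one key per header cell, so the script's lookups ($_."samAccountName", $_."TargetOU") translate directly. Cells beyond the header row's columns are ignored and missing cells come back as an empty string, which is the same behaviour a CSV import gives for a short row.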

  • User login report in Active Directory for specific date and time

    I want to get a user login report in Active Directory for a specific date and time, e.g. user logged in on 15-01-2015 from 8:00am to 4:00pm.
    Is there any query, script or tool available?
    Waiting for a reply please

    You can identify the last logon date and time using my script here: https://gallery.technet.microsoft.com/scriptcenter/Get-Active-Directory-User-bbcdd771
    If you would like to go back in time and see when the user did a logon / logoff then you need to have auditing enabled. Once done, you can check the records in the Security log in the Event Viewer: https://social.technet.microsoft.com/Forums/windowsserver/en-US/98cbecb0-d23d-479d-aa65-07e3e214e2c7/manage-active-directory-users-logon-logoff-events
    I have started a Wiki about how to track logon / logoff and it can help too: http://social.technet.microsoft.com/wiki/contents/articles/20422.record-logon-logoff-activities-on-domain-servers-and-workstations-using-group-policy.aspx
    This posting is provided AS IS with no warranties or guarantees, and confers no rights.
    Ahmed MALEK
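    Once auditing is on, the question in this thread becomes a filter over Security-log records. The following is an added example in Python (not Ahmed's script or the linked Wiki's): it takes an export in a simple TimeCreated,Id,TargetUserName,LogonType,IpAddress column shape (the sample rows are constructed, not real log data) and returns the logon and logoff events for one account inside a time window such as 15-01-2015 08:00 to 16:00. The event IDs (4624 logon, 4634 logoff, 4647 user-initiated logoff) and LogonType values are the documented Windows ones; the column layout and function name are mine.

```python
# Added example (not from the thread): filter Security-log logon/logoff records for one user
# inside a time window. Sample data below is constructed.
import csv
import io
from datetime import datetime

# Security-log event IDs that record a logon session on the machine where the logon happens.
LOGON_EVENT_IDS = {4624: "logon", 4634: "logoff", 4647: "user-initiated logoff"}

# LogonType values carried in 4624/4634 events.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
               11: "CachedInteractive"}

# Constructed sample export; not real log data.
SAMPLE_EXPORT = """\
TimeCreated,Id,TargetUserName,LogonType,IpAddress
2015-01-15T07:55:12,4624,jsmith,2,-
2015-01-15T08:30:41,4624,jsmith,10,10.0.0.25
2015-01-15T09:02:05,4624,adoe,3,10.0.0.31
2015-01-15T12:15:00,4634,jsmith,10,-
2015-01-15T15:59:59,4624,JSMITH,3,10.0.0.40
2015-01-15T16:00:00,4624,jsmith,2,-
2015-01-16T08:10:00,4624,jsmith,2,-
"""


def logon_activity(export_text, user, start, end):
    """Logon/logoff events for `user` with start <= TimeCreated < end, oldest first.
    Account names are compared case-insensitively, as AD treats them."""
    wanted = user.lower()
    events = []
    for row in csv.DictReader(io.StringIO(export_text)):
        event_id = int(row["Id"])
        if event_id not in LOGON_EVENT_IDS or row["TargetUserName"].lower() != wanted:
            continue
        when = datetime.fromisoformat(row["TimeCreated"])
        if not (start <= when < end):
            continue
        logon_type = int(row["LogonType"])
        events.append({
            "time": when,
            "id": event_id,
            "event": LOGON_EVENT_IDS[event_id],
            "logon_type": LOGON_TYPES.get(logon_type, f"unknown ({logon_type})"),
            "source": row["IpAddress"],
        })
    events.sort(key=lambda e: e["time"])
    return events


if __name__ == "__main__":
    window = (datetime(2015, 1, 15, 8, 0), datetime(2015, 1, 15, 16, 0))
    for e in logon_activity(SAMPLE_EXPORT, "jsmith", *window):
        print(e["time"], e["event"], e["logon_type"], e["source"])
```

    One caveat that decides where to collect: 4624 is written on the machine where the logon happens, so workstation logons appear in the workstation's Security log (which is why the linked Wiki pushes auditing out by Group Policy), while the domain controllers record the authentication itself as 4768 (Kerberos TGT request) or 4776 (NTLM validation). A report built from DC logs alone shows when credentials were validated, not which machine the user sat at.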

  • Active Directory users not made member of Local Network group

    Hi all,
    I've just done a clean install from 10.6 Server to 10.8.4.
    The issue I seem to be having is a mismatch between what Groups in Server.app is reporting as members (who happen to be users or groups from our Active Directory domains) of a Local Network group and what dseditgroup reports as members of the same network.
    The Setup:
    In Groups in Server.app under Local Network Group I have created a group called "AccessServer"
    Members in that group are:
         - AD-Domain User Group (so should be all users in the domain)
         - Mac OS X "netaccounts" group (again, should capture all users that connect through the network; I've used this in the past/10.6, very handy)
         - AD User 1
         - AD User 2
         - AD User 3
    The Server is bound to the AD Domain, All-Domains is not selected and a Search Path is added for each Domain needed and set at the top of the search order.
    The Behaviour:
    AD User 1 can access AFP and other services as expected.
    AD User 2 and 3 cannot.
    Another user within AD-Domain User Group or netaccounts can access AFP and other services as expected.
    Yet other users within AD-Domain User Group or netaccounts cannot.
    Furthermore:
    If I REMOVE AD User 1 (a working user) *and* the AD Domain Group and netaccounts Group, I can still log in with that account!
    Diagnosis:
    I tried checking group membership with dseditgroup; the results match the behaviour, not the setup.
    >dseditgroup -o checkmember -m ADUser1 accessserver
    yes ADUser1 is a member of accessserver
    >dseditgroup -o checkmember -m ADUser2 accessserver
    no ADUser2 is NOT member of accessserver
    >dseditgroup -o checkmember -m ADDomainUser/netacc accessserver
    yes ADDomainUser/netacc is a member of accessserver
    >dseditgroup -o checkmember -m n accessserver
    no ADUser2 is NOT member of accessserver
    When non-member users try to connect I get a message in the logs of (IP/DNS values anonymized):
    2013-06-25 3:04:36.794 PM sshd[5217]: error: PAM: authentication error for illegal user ----- from ----.mala.bc.ca via x.x.
    I get the same results even after removing the user from the Groups screen!
    Failed Solutions
    - As we are a large AD I've tried specifying specific Active Directory servers that might better be able to find the users in question and authenticate.
    - I've let the system just sit, in hopes delayed replication would solve the problem overnight.
    - I've deleted and recreated the groups.

    Upon further investigation we have discovered:
    a) The main behaviour that is causing the problem is best described as: AD users that are added to a Local or Network OS X group, either individually or through a Domain group, are not actually recognized as members of that OS X group even though the GUI or CLI tool has added them and acknowledges them as being in the list.
    b) This is NOT limited only to Mac OS X Server 10.8.  The same behaviour is occurring on a long-running 10.6 server as well.
    c) The problem remains whether we nest AD groups to capture a large bunch of users, or add users individually.  If the user is part of the mysteriously denied set, how they are added to the OD or local group is irrelevant, including if added from the command line.
    d) Which users are allowed and which are not is unclear and appears generally random.  We have found 3 'classes' of users:
              1 - those that are successfully becoming members every time.
              2 - those that are intermittent members.  Members on one server or another, or in one case even going from being reported as a member (by dseditgroup), to not being a member, to being a member again within the span of only a minute or two.
              3 - those that are never successfully admitted as a member.
    So the problem is both Apple's and Windows' in that:
    Apple: Is allowing a group and/or user to be added and implying membership in the group even though that membership is not being honoured in some way, and there is no feedback or communication of that fact aside from generic 'denied' or 'illegal user' errors.
    Windows: Is passing along membership through its groups and users, but not completely, for reasons that are, at this point, a mystery.
    Really hoping people have some ideas on this.  This system of nested groups or individual user access is something we have of course been using for many years.  So this is a major setback.

  • Filtering Groups on Windows Active Directory using LDAP Authentication

    Hi All,
    I have a small module that filters the groups from the Windows AD using LDAP attributes and flushes the data into the DB [code below].
    This module was developed and tested on WebLogic 8.1 [on Windows] and works fine.
    Now the same has been moved to another environment: WebSphere on Linux SUSE. The code fails to retrieve any value from the Windows AD.
    Please note that no exception is thrown either.
    // Needed imports: java.util.Hashtable, javax.naming.*, javax.naming.directory.*
    Hashtable<String, String> env = new Hashtable<String, String>();
    env.put(Context.INITIAL_CONTEXT_FACTORY, ldapCtxFactory);
    // set security credentials, note using simple cleartext authentication
    env.put(Context.SECURITY_AUTHENTICATION, authentication);
    env.put(Context.SECURITY_PRINCIPAL, adminName);
    env.put(Context.SECURITY_CREDENTIALS, adminPassword);
    // connect to my domain controller
    env.put(Context.PROVIDER_URL, domainController);
    // Create the initial directory context
    DirContext dirCtx = null;
    try {
        dirCtx = new InitialDirContext(env);
        // Create the search controls
        SearchControls searchCtls = new SearchControls();
        // Specify the attributes to return
        String returnedAtts[] = { "member" };
        searchCtls.setReturningAttributes(returnedAtts);
        // Specify the search scope
        searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        int totalResults = 0;
        int iteration = 0;
        // Search for objects using the filter. The posted code called search() on an undeclared
        // 'ctx' rather than the dirCtx created above.
        NamingEnumeration<SearchResult> results = dirCtx.search(searchBase, searchFilter, searchCtls);
        while (results.hasMore()) {
            SearchResult sr = results.next();
            totalResults++;
            // read sr.getAttributes().get("member") here and flush it to the DB
        }
    } catch (NamingException e) {
        // A failed bind or search surfaces here; logging it is what makes "no value, no exception" diagnosable.
        e.printStackTrace();
    }
    In the above code the method exits even before the try block [I could detect this using Sysouts].
    Below is the property file from which the values are read.
    admin=username
    password=password
    #AD search attributes
    searchBase=DC=domainname,DC=domainname
    searchFilter=(&(objectClass=group) (CN=value*))
    #JNDI context attributes
    ldapCtxFactory=com.sun.jndi.ldap.LdapCtxFactory
    authentication=simple
    domainController=ldap://address
    groupPattern=pattern
    Please assist,
    Thanks in Advance

    Assuming it is the same Active Directory environment and only your Java platform has changed, then I can only assume that if no exception is thrown, and no data is returned, then the credentials you are using on the new Java platform are being mapped to an anonymous user (perhaps a blank password?). By default, Windows Server 2003 domains do not return any results to anonymous users.

  • Need to automatically add newly created user account in an existing active directory group.

    Hi All ,
    In my environment we are running a Windows Server 2012 Active Directory environment. We need to have the newly created Active Directory user account get added automatically to the existing Active Directory group after that new user account is created.
    Please tell us the possible ways to achieve this scenario.
    Regards
    S.Nithyanandham

    Hi,
    Can you please confirm your requirement,
    When you create a new user account in AD, based on the user's properties like Department, Job or Location, the user needs to be added to your specific AD groups?
    Regards,
    Gopi
    JiJi Technologies

  • Search for single member in an Active Directory Group

    Hello all,
    I'm attempting to find a better method to search if a user is a member of a group in Active Directory. I currently retrieve the entire member attribute of the group.
    I need to reduce the time of the query. I would like to be able to search for a specific member (user) of the group instead of retrieving the entire member list of the group.
    I can post my current code if that would help.
    I believe the default Active Directory group object is the ldap group. I know that there are posixGroup and groupOfUniqueNames ldap classes available, but I'm not sure if Active Directory has access to those classes.
    Is my request possible using the group ldap object?

    Thanks for the reply.
    I have read the first post you gave, but not the second. I'm off to read that now.
    My main concern is that I don't have access to the DN of the user in the member attrib. I have access to their CN and uid (which is indexed). From what I can recall from when I last updated this code, I couldn't create a wildcard search filter e.g.,:
    (&(cn=All Scientists)(objectClass=Group)(member=CN=Albert Einstein*))
    If that's correct and I require a DN, is there any way around this?
    I was interested in the posixGroup and groupOfUniqueNames classes. I wasn't aware that these were available through Active Directory, but I see them listed in the AD schema (http://msdn.microsoft.com/en-us/library/ms683908(VS.85).aspx).
    If I'm correct, posixGroup would allow for a filter of (&(cn=All Scientists)(objectClass=posixGroup)(memberUid=AEinstein))
    I'm not sure how typical it is to use the posixGroup class in AD and I'll have to check with my AD team before moving forward with this. But I wanted to get some more direction/ideas before asking them to create some posixGroup objects for me.
    I'm now going to go and read the second post you linked, but I wanted to put the rest of my details out there.
    Thanks again.
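    Two points from the threads above, as an added Python example that is not code from any post here: the exact-match membership filter the poster is after (with RFC 4515 escaping, so a CN or DN taken from user input cannot alter the filter, and a trailing '*' on a DN-valued attribute is literal rather than a wildcard), plus a guard against the empty-password simple bind that the first thread's reply suspects, which an LDAP server treats as anonymous. The function names, the uid/sAMAccountName lookup step and the sample DN and group values are constructed for illustration.

```python
# Added example (Python, not from any post in this thread): exact-match
# group-membership filters for Active Directory, with RFC 4515 escaping.

# RFC 4515 requires these characters to be escaped inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally, not parsed as filter syntax."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_dn_filter(uid: str) -> str:
    """Step 1: resolve the user's DN from an indexed attribute (uid here, as in
    the post; sAMAccountName is the usual AD equivalent). The DN comes back
    as the entry name of the single result."""
    return "(&(objectClass=user)(uid=%s))" % escape_filter_value(uid)


def member_filter(group_cn: str, user_dn: str) -> str:
    """Step 2: ask only whether user_dn is a direct member of the group, so the
    server never ships the whole 'member' list. 'member' has DN syntax in AD,
    so only an exact DN match works; a '*' is escaped to \\2a, never a wildcard."""
    return "(&(cn=%s)(objectClass=group)(member=%s))" % (
        escape_filter_value(group_cn), escape_filter_value(user_dn))


def posix_member_filter(group_cn: str, member_uid: str) -> str:
    """Variant from the post for posixGroup objects, where memberUid holds a
    plain uid string rather than a DN."""
    return "(&(cn=%s)(objectClass=posixGroup)(memberUid=%s))" % (
        escape_filter_value(group_cn), escape_filter_value(member_uid))


def bind_credentials_ok(principal: str, password: str) -> bool:
    """Refuse a simple bind with an empty password: RFC 4513 treats a DN with
    an empty password as an unauthenticated (anonymous) bind, and AD then
    answers searches with an empty result set rather than an error."""
    return bool(principal) and bool(password)


if __name__ == "__main__":
    # Constructed sample values, not real directory data.
    dn = "CN=Albert Einstein,OU=Physics,DC=example,DC=com"
    print(user_dn_filter("AEinstein"))
    print(member_filter("All Scientists", dn))
    print(member_filter("All Scientists", "CN=Albert Einstein*"))  # '*' stays literal
    print(bind_credentials_ok("CN=svc,DC=example,DC=com", ""))  # False
```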

  • FCS 1.5 Not all Active Directory groups visible in list

    Hi,
    We just upgraded Final Cut Server to 1.5 and want to make use of Active Directory groups to set permissions in FCS. I've created a few groups in AD which do not appear in the list when I want to add these to Group Permissions. I do see many AD groups but some are not in the list. I can find the group in the Directory application and also with dscl (dscl /Active Directory/domain.tld -read /Groups/fcs-editor).
    Please advise.
    Thanks in advance,
    Martin

    I found a solution, though it might still be temporary. See if you can narrow down your Directory Search Policy. In your AD forest, you might need just one domain for your department, location, etc.
    So, in Directory Utility, click on Search Policy, delete "/Active Directory/All Domains", don't apply yet, but click on the plus sign, and see what specific domains you can choose from there. Do the same for contacts.
    Though I can still see 1,592 records of groups or users when I run dscl, at least I know that AD administrators can really clean up our group listings (some of those groups are not being used) and try to keep the number under 2,000.
    There has to be a way to increase the default number of 2,000 in Search Policy, but I haven't had time to do that.
