Directory Groups Problem in Domain Mgmt

Similar Messages

• SharePoint 2013 Active Directory Groups represented as c:0+.w| SID in UserInformation list instead of c:0+.w|Domain\Groupname

  Hi
  We are running on SharePoint Server 2013.When we add AD groups as permissions, we see that the group name is being displayed properly in the permissions. Whereas when I click on the groupname I see the SID with the Sharepoint specific claims characters,
  instead of domain\groupname. I understand that the claims characters are because of claims mode. But I expected domain\groupname instead of SID. Is this the right behaviour.
  When I call SiteData.GetContent web service, I get the SID of the group name instead of the domain\groupname.
  Can someone please clarify?
  Thanks
  Naga

  Hi,
  Yes, the identity claim for an AD group is based on the SID of the group. The claim encoding for an Active Directory group consists of the following sections:
  c:0+.w|<SID>
  •"c" for a claim other than identity
  •"+" for a group SID
  •"." for a string
  •"w" for a Windows claim
  More information:
  http://www.sharepointfire.com/MyBlog/2013/11/get-ad-group-identity-claim-in-sharepoint-2013/
  Thanks,
  Dennis Guo
  TechNet Community Support
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
  [email protected]
  Dennis Guo
  TechNet Community Support

• SharePoint 2013 Workflow (SPD 2013) fails for Active Directory Group members

  Hi
  I have a SharePoint 2013 site called "Team Meetings". There are a number of lists and an InfoPath form library.
  The site's SharePoint Group "Team Meeting Members" has two Active Directory groups (All Club Managers and All Club Police) as members. Those two AD groups contain all the people that I want to have  access to the library and list, except for
  a few additional folk who I have made individual members. 
  My PROBLEM:
  I  have created a SharePoint 2013 Workflow using SPD 2013 associated with the  Form Library. Workflow is set to start on new or modified item. The first action is to write to history list, then determine the status (Submitted or Pending) of
  the form and go to different Stages depending on that status.
  The workflow works perfectly for any user who has been added directly to the SharePoint group (Team Meetings Members) BUT FAILS at the very first action for anyone who is a member of one of the AD groups. I know the Workflow is fine because I've tested it
  with numerous people who are direct members of the SharePoint Group, but whenever a person who is a member of the AD group tries it the Workflow just fails.
  Here's a print of the info from the Workflow Status page (I don't have access to server logs):
  RequestorId: 4494760f-92ff-2e8c-90d2-cc7df0e6baa4. Details: System.ApplicationException: HTTP 401 {"Transfer-Encoding":["chunked"],"X-SharePointHealthScore":["0"],"SPRequestGuid":["4494760f-92ff-2e8c-90d2-cc7df0e6baa4"],"request-id":["4494760f-92ff-2e8c-90d2-cc7df0e6baa4"],"X-FRAME-OPTIONS":["SAMEORIGIN"],"MicrosoftSharePointTeamServices":["15.0.0.4420"],"X-Content-Type-Options":["nosniff"],"X-MS-InvokeApp":["1;
  RequireReadOnly"],"Cache-Control":["max-age=0, private"],"Date":["Mon, 10 Mar 2014 01:31:42 GMT"],"Server":["Microsoft-IIS\/8.0"],"WWW-Authenticate":["NTLM"],"X-AspNet-Version":["4.0.30319"],"X-Powered-By":["ASP.NET"]}
  The HTTP response content could not be read. 'Error while copying content to a stream.'. at Microsoft.Activities.Hosting.Runtime.Subroutine.SubroutineChild.Execute(CodeActivityContext context) at System.Activities.CodeActivity.InternalExecute(ActivityInstance
  instance, ActivityExecutor executor, BookmarkManager bookmarkManager) at System.Activities.Runtime.ActivityExecutor.ExecuteActivityWorkItem.ExecuteBody(ActivityExecutor 
  Members of the SharePoint Group "Team Meetings Members" have Contribute Access to both the form library and another list that the workflow writes to as well as the Workflow History list (which in SP 2013 uses the credentials of the
  user who started the workflow, unlike 2010 which used System Account).
  All members of the Team Meetings Members group, whether they are individual members or part of one of the AD groups, have no problems opening and saving forms etc. It's just the Workflow that doesn't like them...
  I am stumped. I've spent many hours searching for a reason for this. There are about 200 people in the two AD groups so I really don't want to have to add them all individually - especially when these groups are managed in AD for a whole bunch of other reasons
  and using the AD groups means I'll basically never have to worry about modifying the SharePoint access permissions.
  Does anyone have any ideas why this is happening and what I can try to fix it?
  Mark

  Hi Lars,
  I'm afraid not so far but we are trying a few things today so I will post back with results.
  First thing we are doing is making the AD Group universal because one of our (external provider) gurus remembers seeing something about that. He also sent me a link to a post where they were talking about earlier
  versions but having similar issues and their solution was to make sure the app pool account has sufficient permissions in AD::
  http://social.msdn.microsoft.com/Forums/sharepoint/en-US/27a547da-5cc0-49d7-8056-6eb40b4c3242/failed-to-start-workflow-access-is-denied-exception-from-hresult-0x80070005-eaccessdenied
  This part of that thread looks interesting but we haven't checked it yet as were trying the universal setting first:
  "If the users participating in the workflows have been added to the SharePoint site via Active Directory groups, SharePoint has to update the user’s security token periodically by connecting to
  the domain controller. By default, the token times out every 24 hours. But if the application pool account did not have the right permissions on the domain controller to update the user’s token, user will keep getting the access denied error. The error was
  intermittent because when the user browsed to any page other than the workflow form, the token was getting updated successfully.
  You can try to fix it through granting the application pool account the appropriate permission by adding the account to the group “Windows Authorization Access Group” in Active Directory."
  I'll update when we try these ideas. If you have any luck please do the same.
  Mark
  (sorry about formatting - using my phone....)
  Mark

• BO XI 3.1 : Active Directory Authentication failed to get the Active Directory groups

  Dear all 
          In our environment, there are 2 domain (domain A and B); it works well all the time. Today, all the user belong to domain A are not logi n; for user in domain B, all of them can log in but BO server response is very slowly. and there is error message popup when opening Webi report for domain B user. Below are the error message: 
         " Active Directory Authentication failed to get the Active Directory groups for the account with ID:XXXX; pls make sure this account is valid and belongs to an accessible domain"
        Anyone has encountered similar issue?
     BO version: BO XI 3.1 SP5
     Authenticate: Windows AD
  Thanks and Regards

  Please get in touch with your AD team and verify if there are any changes applied to the domain controller and there are no network issues.
  Also since this is a multi domain, make sure you have 2 way transitive forest trust as mentioned in SAP Note : 1323391 and FQDN for Directory servers are maintained in registry as per 1199995
  http://service.sap.com/sap/support/notes/1323391
  http://service.sap.com/sap/support/notes/1199995
  -Ambarish-

• Mountain Lion Server: Network users Home directory mount problems

  I am having several problems with my server after a latest name change of the server via Server.app. (A first name change made problems, after that I have been trying to repair, changing the name a few times more. With latest name change, I also changed the server name itself from Foo to Bar while changing domain name from domain.com to bar.domain.com after which I repaired DNS so it covers the whole domain.com domain).
  The users in the Network directory think their home directory is on afp://domain.com/Users, but the server is now called bar.domain.com. /Network/Servers/bar.domain.com does not exist on the server. Client machines (with mobile home directories) are now able to sync, because I added an A record for domain.com to DNS (not  nice, but does the job, or more specifically that job). Also on the clients, I can go to a SHARED folder in Finder with the name Bar and go to Users and see al the home directories there. But:
  bash-3.2# ls -l /Network/Servers/
  total 4
  dr-xr-xr-x  2 root  wheel  1 Apr 14 11:14 domain.com
  dr-xr-xr-x  2 root  wheel  1 Apr 14 11:14 foo.domain.com
  bash-3.2# ls -l /Network/Servers/*
  /Network/Servers/domain.com:
  total 2
  dr-xr-xr-x  2 root  wheel  1 Apr 14 11:14 Users
  /Network/Servers/foo.domain.com:
  total 2
  dr-xr-xr-x  2 root  wheel  1 Apr 14 11:14 Users
  bash-3.2# ls -l /Network/Servers/*/Users
  /Network/Servers/domain.com/Users:
  ls: Users: Input/output error
  /Network/Servers/foo.domain.com/Users:
  ls: Users: Input/output error
  So, on the server looking for folder ~user does not work. It wants to  go to afp://domain.com/Users/user but that is unreachable.
  Any tips on what I can do except do a clean rebuild of the server (again)?
  (One of the obvious problems is that the Realm of OD is still called foo.domain.com, the origin of my problems has been that the first name change from foo.domain.com to domain.com (ill-advised, I know) failed — partly).
  What I'd like to know is:
  - where is it determined which servers end up in /Network/Servers?

  Som additional info:
  Other machines can mount afp://foo.domain.com/, afp://domain.com/ and afp://bar.domain.com/, but the server itself cannot mount them via Finder.

• Integration Directory(Configuration) Problem

  Hi All,
  I am facing one Probelm. I am working one the client through Citrix. I am not able to open Integration Directory(Configuration Problem) . In onsite it's working fine. Reming all other applications(Integartion Repository and SLD and Runtime work bench) are working fine.
  if I open Integration Directory i am getting this messge.
  <jnlp spec="1.0+" codebase="http://filp55.group.upm-kymmene.com:50100/dir">
      <information>
          <title>Integration Builder</title>
          <vendor>SAP AG</vendor>
          <homepage href="http://www.sap.com" />
          <description type="one-line">Directory</description>
          <description type="short">Directory</description>
          <description type="tooltip">Directory</description>
          <icon hight="64" href="start/graphics/sap6464.gif" type="splash" width="64" />
          <icon hight="32" href="start/graphics/SAP3232.gif" width="32" />
      </information>
      <security>
          <all-permissions />
      </security>
      <resources>
          <j2se version="1.4+" initial-heap-size="32m" max-heap-size="1024m" />
          <jar href="directory/aii_ibdir_client.jar" />
          <jar href="directory/aii_ibdir_core.jar" />
          <jar href="directory/aii_ibdir_sbeans.jar" />
          <jar href="directory/aii_ibdir_rb.jar" />
          <jar href="directory/aii_ib_client.jar" />
          <jar href="directory/aii_ib_core.jar" />
          <jar href="directory/aii_ib_sbeans.jar" />
          <jar href="directory/aii_ib_rb.jar" />
          <jar href="directory/aii_util_icons.jar" />
          <jar href="directory/aii_util_swing.jar" />
          <jar href="directory/aii_util_xml.jar" />
          <jar href="directory/aii_util_xsd.jar" />
          <jar href="directory/aii_utilxi_misc.jar" />
          <jar href="directory/aii_util_rb.jar" />
          <jar href="directory/clientaii_ib_sbeans.jar" />
          <jar href="directory/clientaii_ibdir_sbeans.jar" />
          <jar href="directory/frog.jar" />
          <jar href="directory/focus14.jar" />
          <jar href="directory/sapxmltoolkit.jar" />
          <jar href="directory/jta.jar" />
          <jar href="directory/ejb20.jar" />
          <jar href="directory/exception.jar" />
          <jar href="directory/logging.jar" />
          <jar href="directory/guidgenerator.jar" />
          <jar href="directory/jperflib.jar" />
          <jar href="directory/sapni.jar" />
          <jar href="directory/sapj2eeclient.jar" />
          <property name="sap.theme" value="Streamline" />
          <property name="jnlp.log.initialConfiguration" value="FILE, SIMPLE" />
      <property name="jnlp.com.sap.aii.ib.client.properties" value="com.sap.aii.ib.client., com.sap.aii.ib.core., com.sap.aii.util.xml., com.sap.aii.connect., com.sap.aii.repository.mapping.additionaltypes, com.sap.aii.docu., com.sap.aii.ibrep.core., com.sap.aii.ibdir.core.*" /><property name="jnlp.com.sap.aii.connect.integrationserver.r3.sysnr" value="01" /><property name="jnlp.com.sap.aii.connect.landscape.contextroot" value="sld" /><property name="jnlp.com.sap.aii.connect.cr.name" value="filp40.group.upm-kymmene.com" /><property name="jnlp.com.sap.aii.ib.client.content.languages" value="EN,DE" /><property name="jnlp.com.sap.aii.connect.repository.contextroot" value="rep" /><property name="jnlp.com.sap.aii.ib.client.login.languages" value="EN,DE" /><property name="jnlp.com.sap.aii.connect.directory.rmiport" value="50104" /><property name="jnlp.com.sap.aii.connect.cr.contextroot" value="sld" /><property name="jnlp.com.sap.aii.connect.rwb.r3.client" value="790" /><property name="jnlp.com.sap.aii.connect.directory.contextroot" value="dir" /><property name="jnlp.com.sap.aii.connect.rwb.contextroot" value="rwb" /><property name="jnlp.com.sap.aii.connect.landscape.httpsport" value="@com.sap.aii.server.httpsport.lcr@" /><property name="jnlp.com.sap.aii.connect.repository.rmiport" value="50104" /><property name="jnlp.com.sap.aii.connect.repository.httpport" value="50100" /><property name="jnlp.com.sap.aii.connect.directory.name" value="filp55.group.upm-kymmene.com" /><property name="jnlp.com.sap.aii.connect.cr.httpsport" value="@com.sap.aii.server.httpsport.cr@" /><property name="jnlp.com.sap.aii.connect.repository.name" value="filp55.group.upm-kymmene.com" /><property name="jnlp.com.sap.aii.connect.integrationserver.contextroot" value="run" /><property name="jnlp.com.sap.aii.connect.integrationserver.name" value="filp55.group.upm-kymmene.com" /><property name="jnlp.com.sap.aii.connect.rwb.httpsport" value="@com.sap.aii.connect.rwb.httpsport@" /><property name="jnlp.com.sap.aii.connect.landscape.httpport" value="50000" /><property name="jnlp.com.sap.aii.docu.languages" value="null" /><property name="jnlp.com.sap.aii.ib.client.jnlp.j2se.initialheapsize" value="32m" /><property name="jnlp.com.sap.aii.util.xml.parserFactory" value="com.sap.engine.lib.jaxp.SAXParserFactoryImpl" /><property name="jnlp.com.sap.aii.connect.directory.httpport" value="50100" /><property name="jnlp.com.sap.aii.connect.directory.httpsport" value="@com.sap.aii.server.httpsport.directory@" /><property name="jnlp.com.sap.aii.connect.integrationserver.r3.httpport" value="8001" /><property name="jnlp.com.sap.aii.connect.rwb.name" value="filp55.group.upm-kymmene.com" /><property name="jnlp.com.sap.aii.connect.integrationserver.r3.client" value="790" /><property name="jnlp.com.sap.aii.connect.cr.httpport" value="50000" /><property name="jnlp.com.sap.aii.connect.landscape.name" value="filp40.group.upm-kymmene.com" /><property name="jnlp.SAPMYNAME" value="filp55_GTX_01" /><property name="jnlp.com.sap.aii.connect.rwb.httpport" value="50100" /><property name="jnlp.com.sap.aii.docu.url" value="null" /><property name="jnlp.com.sap.aii.ib.client.applicationname.directory" value="sap.com/com.sap.xi.directory/" /><property name="jnlp.com.sap.aii.util.xml.transformerFactory" value="com.sap.engine.lib.jaxp.TransformerFactoryImpl" /><property name="jnlp.com.sap.aii.ib.client.applicationname.repository" value="sap.com/com.sap.xi.repository/" /><property name="jnlp.com.sap.aii.ib.client.login.InitialContextFactory" value="com.sap.engine.services.jndi.InitialContextFactoryImpl" /><property name="jnlp.com.sap.aii.connect.integrationserver.httpport" value="50100" /><property name="jnlp.client" value="true" /><property name="jnlp.com.sap.aii.connect.repository.httpsport" value="@com.sap.aii.server.httpsport.repository@" /><property name="jnlp.com.sap.aii.ib.client.jnlp.j2se.maxheapsize" value="1024m" /><property name="jnlp.com.sap.aii.connect.integrationserver.httpsport" value="@com.sap.aii.connect.integrationserver.httpsport@" /><property name="jnlp.com.sap.aii.connect.integrationbuilder.startpage.url" value="rep/start/index.jsp" /><property name="jnlp.com.sap.aii.connect.integrationserver.r3.httpsport" value="@com.sap.aii.connect.integrationserver.r3.httpsport@" /><property name="jnlp.com.sap.aii.connect.rwb.r3.sysnr" value="01" /><property name="jnlp.com.sap.aii.util.xml.schemaValidator" value="com.sap.engine.lib.schema.validator.SchemaValidator" /><property name="jnlp.rc.release" value="7_00" /><property name="jnlp.rc.applname" value="DIRECTORY" /><property name="jnlp.rc.supportpackage" value="09" /><property name="jnlp.rc.synctime" value="${sync.time}" /></resources>
      <application-desc main-class="com.sap.aii.ibdir.gui.appl.ApplicationImpl">
          <argument>webstart</argument>
      </application-desc>
  </jnlp>
  Please help me on this..........
  Thanks in Advacne.
  Regards,
  Chandra

  Hello,
  1)
  May be the problem is a network connectivity issue. Do one thing copy the "cahce" folder from some other client PC(which has successfully opened IR and ID) to your client PC. The folder resides in "C:Documents and Settings<yourUserProfile>Application DataSunJavaDeploymentjavaws".
  Copy "cache" folder to your client PC under the above path.
  /people/shabarish.vijayakumar/blog/2006/02/13/unable-to-open-iresrid-xipipi-71-updated-for-pi-71-support
  https://www.sdn.sap.com/irj/sdn/weblogs?blog=/pub/wlg/1688 [original link is broken] [original link is broken] [original link is broken]
  2) Go to http://filp55.group.upm-kymmene.com:50100/rep/
  Click on Administration -> Java™ Web Start -> Java™ Web Start Administration ->
  Try
  1. Re-initialization (then try logging)
  2. Re-initialization and force-signing (then try logging)
  3. Delete lock (then try logging)
  Do this for IR and ID tabs.
  3) Check can be a firewall issue.
  4) Check wether sufficient roles have been assigned -> Tcode -> SU01 -> roles tab. These roles need to be assigned to your username
  SAP_BC_AI_LANDSCAPE_DB_RFC
  SAP_SLD_CONFIGURATOR
  SAP_SLD_DEVELOPER
  SAP_XI_BPE_CONFIGURATOR_ABAP
  SAP_XI_BPE_MONITOR_ABAP
  SAP_XI_DEVELOPER
  SAP_XI_DEVELOPER_ABAP
  SAP_XI_DEVELOPER_J2EE
  SAP_XI_MONITOR
  SAP_XI_MONITOR_ABAP
  SAP_XI_MONITOR_J2EE
  <b>*******************Reward,if found useful</b>
  Edited by: BVS on May 7, 2008 3:01 PM

• Local User Group pointing to Domain users group

  Is there a specific terminology in the active directory area for having local groups that contains domain groups? want to find more information on this technique so i can understand/learn more about it.

  > Is there a specific terminology in the active directory area for having
  > local groups that contains domain groups? want to find more information
  Maybe you are thinking of AGDLP (or AGGUDLP)?
  http://en.wikipedia.org/wiki/AGDLP
  Martin
  Mal ein
  GUTES Buch über GPOs lesen?
  NO THEY ARE NOT EVIL, if you know what you are doing:
  Good or bad GPOs?
  And if IT bothers me - coke bottle design refreshment :))

• Directory Groups

  Hi again...amedius here...
  I have a problem with the directoy groups and users...i add a directory user to a directory group programatically, by building up an xml string and parsing it...that is, i use the <update> tag and <ref> tags for the same..but i am wondering if i could use someother similar tags and parse the xml, so that i could remove an user from a group?? Also,i have the directorygroups object under my control...but the iFS API dosent dosent seem to have a method such as DirectoryGroup.removeUserFromGroup(String username) or something like that...would be really greatful if someone could help me out in this...
  Thanks
  Bye
  Amedius
  null

  try DirectoryGroup.removeMember(DirectoryObject member) instead....should work
  CU
  Gerald

• Active Directory, Can Join the Domain but some accounts can't log in

  We can put our Macs in AD just like we could in 10.7.4, but some users can login and some can't.  The ones that cant get an error message about an invalid Primary Group. All users in question have their Primary group set to "Domain Users"
  We called Apple Support and the Tech checked with his supervisor and then told us AD isn't supported in Mountain Lion.
  BTW, all these users can login on our 10.7.5 systems.

  Sorry to resurrect an old thread but I just moved to Mountain Lion and have encountered this error.
  I just tested the ID command on a number of user accounts and most of my Tech accounts are coming back "No such user".
  I've got a 10.7.5 system right beside me and when I run the ID <user> on it they all come back reporting normally.
  I've also verified that all the dsconfigad settings match and the Authentication & Search paths are identical.
  Is indicative of the 10.8.2 AD plug in being the problem? or is there something I'm missing?

• Add a mac to an active directory group using a script?

  I am managing a bunch of Macs and we are using Active Directory groups to assign certificates for 802.11x. I am binding the device to AD using JAMF software and was wondering if I could use a script to then add the deive to an active directory group.
  Thanks in advance...

  I think I misunderstood your question.  If you are trying to add the computer record to a location other than the Computers container, then just change your binding script to target the folder you want.  Remember that the user account you are using to bind must have access rights to this folder.
  For example, the sample command from the man page shows you how.  Say you have a subfolder inside Computers called Macs.  You would do this in your binding script.  Note the notation of an organizational unit within the Computers container.
  dsconfigad -a ThisComputer -u "administrator"
  - ou "CN=Computers,OU=Macs,DC=ads,DC=demo,DC=com" -domain domain.ads.apple.com
  Is that what you are looking to do?

• Active Directory Group Cleanup - Help Needed

  Hi All,
  I need to clean up our Active Directory and the first stage of this is to remove any unused groups. I have been trying to work out what these are using powershell. Can anyone please provide me with a simple powershell script that will identify any AD groups
  that have no members in them? 
  Many thanks
  James

  Greetings!
  Try this:
  import-module activedirectory
  Get-ADGroup –Filter * -Properties Members | where { $_.Members.Count –eq 0 }
  Regards.
  Mahdi Tehrani   |  
    |  
  www.mahditehrani.ir
  Please click on Propose As Answer or
  to mark this post as
  and helpful for other people.
  This posting is provided AS-IS with no warranties, and confers no rights.
  How to query members of 'Local Administrators' group in all computers?
  Adding in: Watch out for users having customized groups (e.g groups other than Domain Users and Domain Admins) as their primary group, they will not be reflected in the member attribute and hence not be reflected in the above count, I know it's a rare case,
  but could be good to know.
  Enfo Zipper
  Christoffer Andersson – Principal Advisor
  http://blogs.chrisse.se - Directory Services Blog

• FCS 1.5 Not all Active Directory groups visible in list

  Hi,
  We just upgraded Final Cut Server to 1.5 and want to make use of Active Directory groups to set permissions in FCS. I've created a few groups in AD which do not appear in the list when I want to add these to Group Permissions. I do see many AD groups but some are not in the list. I can find the group in the Directory application and also with dscl (dscl /Active Directory/domain.tld -read /Groups/fcs-editor).
  Please advice.
  Thanks in advance,
  Martin

  I found a solution, though it might be still temporary. See if you can narrow down your Directory Search Policy. In your AD forest, you might need just one domain for your department, location, etc.
  So, in Directory Utility, click on Search Policy, delete "/Active Directory/All Domains", don't apply yet, but click on the plus sign, and see what specific domains you can choose from there. Do the same to contacts.
  Though still I can see now 1.592 records of groups or users when I run dscl but at least I know that AD administrators can really clean up our groups listings ( some of those groups are not being used) , and try to keep the number under 2,000.
  It has to be a way to increase the default number of 2,000 in Search Policy, but I haven't had time to do that

• Cannot Retrieve Active Directory Groups

  Hi All
  I recently connected my ACS deployment to Active Directory 2003. However when I try to add the active directory groups for group mapping, i.e. navigating to Users and Identity Stores > External Identity Stores > Active Directory > Directory Groups Tab and click select.
  My GUI on IE just loops and does not display anything(it does not freeze). On Firefox I receive "The connection was reset" error.
  Any ideas?
  Thanks in Advance

  Do you have the proper AD permissions set for the AD account used to join ACS to the domain?
  Note: AD account required for domain access in ACS should have either of these:
  Add workstations to domain user right in corresponding domain.
  Create Computer Objects or Delete Computer Objects permission on corresponding computers container where ACS machine's account is created before joining ACS machine to the domain.
  Thank you for rating helpful posts!

• Active Directory Group Policies

  We are having a problem with Active Directory Group Policies crashing FCP 6.0.4. Staff accounts that have Administrator privileges may log in and use the app with no problem. Students who have more restrictive policies may log in once but when they try to log in again, the application will not open. I would like to avoid making Students administrators. We can't figure out which policy is blocking access. Has anyone else had this problem? How are you solving it?

  At the school I teach at part time, we have no problems like you describe. If you'll email me I'll get you in touch with our IT dept and they can tell you how we're set up...
  Jerry
  [email protected]

• Lion Server not reading Active Directory Groups reliably

  I am trying to upgrade one of our XServes from Snow Leopard Server to Lion Server and am running into a strange issue with our Active Directory based users and Groups.
  The current Snow Leopard Server serving files from a XSan volume is running fine, though we find a very long Lag time for Windows users to connect. Once a few users have connected the lag seems to go away, but it is still not nearly as fast as Mac users connecting or Windows connecting to a PC server.
  So I have connected a second Xserve to the SAN and performed a clean install of Lion Server. Initially while it would find my Active Directory Groups it would not import any of the users, so obvioulsly no one could connect. In a last ditch effort I installed the beta of 10.7.4, which seemed to resolve the issue for a small group of test users. However as I expanded the test I found that some users would get a message that the were no resources available to them, or they didn't have the correct permissions. This is very strange as everyone is in the same group so should have the same permissions. As a test I took one of the user accounts and created a new share and gave him R/W permission to that share and suddenly all of the shares that he should have had permission to in the first place popped up.
  The only thing that I can think of is that we have such a large Active Directory structure that the authentication is timing out or reaching some user limit and stops looking. (we have over 50,000 users and thousands of groups spread through multiple OUs in the AD structure)
  The new Server.app in Lion looks nice, but it does not seem to have nearly the robustness of the previous Server Admin tools. For instance, I never needed or wanted to setup a "Golden Triangle" but with Lion it is required. Perviously I could search for AD users or groups and drag them from the search window to the share to assign permission, now even though I've imported the groups and users it needs to search the entire directory when assigning permissions - why can't it see the groups that are already there? Why can I run a dscl search and find a user or group instantly, but the Server.app hangs for 5 minutes and shows 0 results?
  Has anyone found a way to make Lion Server work in an enterprise environment?

  Yesterday morning I bound a 10.7.4 server to our AD, and in the afternoon I eventually saw all the AD users, groups, etc show in Workgroup Manager. Now, with dscl, I can see all the AD user and group records, and with Workgroup Manager, I can search the groups, users, and computers, but with the Server.app, when trying to create new group of the type "Imported group from another directory", the searches returned nothing. Directory Utility can show all the AD information also. Our AD has thousands of user record, and so it is reasonable that it may take some time for the Mac server to get all the info. But from the add users or groups interface, I just could not get any search results. What could be wrong then?