Domains and Groups

I'm hosting two FQDNs on the server, Domain1 and Domain2. I also have three groups as well.
If I go to www.domain1/groups, all thee groups appear, but one of them is a 404 link, while the other two groups are fine.
Conversely, if I go to www.domain2/group, all thee groups appear and the reverse is true.... two of them are 404 links and one works fine.
As life would have it, that's actually the way I want it to work.... but don't quite understand why.
Ultimately, I'd like people visiting from Domain2 to not even know that other groups exist, let alone be able to click in and look around.
Any ideas?

Hi,
You have one server hosting two virtual domains. The wikiServer builds a listing of all the groups your server is hosting. Depending on which domain a group is assigned to (Enabled services site) it will answer on a request to that domain and return 404 if not enabled on that domain.
I've used one approach to separation, which is to build a static listing page for only those groups on a specific domain say http://domainX/Welcome.html then edit the site conf file and add the following redirect:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
RewriteRule ^/groups\/$ "/Welcome.html" [R=301]
Which will refer all requests for a domainX/groups to your welcome page with the groups listing (you need to add the links to specific groups, e.g ../groups/groupZ).
This also self contains the wikis and blogs to use "Other Wikis" in the footer as a redirect to your welcome page.
Of course, this approach could be extended to as many virtual domains as you have groups for and separates domainX from domainY. What you lose is the dynamic updating of the group listing for more control on your part but doing it manually.
HTH,
Harry

Similar Messages

  • VBS: Add domain user and group to local administrators

    I have a piece of VBS code that I have modified that basically adds a specified domain user and group to the PCs local Administrators group. It works on Windows 7, but not on Windows 8 at all.
    Call AddUserToGroup("./Administrators", "myDomain.net/NetworkAdminis")
    Call AddUserToGroup("./Administrators", "myDomain.net/Domain Admins")
    Call addDomainUser("myDomain", "myUserGroup")
    Sub AddUserToGroup(local, domain)
    Dim objLocalGroup
    Dim objDomainGroup
    Dim server
    For Each server in servers
    Set objLocalGroup = GetObject("WinNT://" & local & ",group")
    Set objDomainGroup = GetObject("WinNT://" & domain & ",group")
    With objLocalGroup
    .Add(objDomainGroup.AdsPath)
    .SetInfo
    End With
    Next
    Set objLocalGroup = Nothing
    Set objDomainGroup = Nothing
    End Sub
    Sub addDomainUser(strDomain, strUser)
    Dim strComputer
    Dim objWshNet
    Dim objGroup
    Dim objUser
    Set objWshNet = CreateObject("WScript.Network")
    strComputer = objWshNet.ComputerName
    Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")
    Set objUser = GetObject("WinNT://" & strDomain & "/" & strUser & ",user")
    If Not objGroup.IsMember(objUser.ADsPath) Then
    objGroup.Add (objUser.ADsPath)
    End If
    Set objWshNet = Nothing
    Set objGroup = Nothing
    Set objUser = Nothing
    End Sub
    I have debugged the code line by line using VBA's IDE and there seems to be no error condition firing. It executes all lines, but it is not adding the users and groups as it did with Windows 7 and below. The script is being run as local administrator.

    Hi,
    The first step is to comment out your On Error Resume Next line and try again.
    Don't retire TechNet! -
    (Don't give up yet - 13,225+ strong and growing)

  • Windows 7 DNS and Group Policy Issues

    Hi,
    We have several suites of Windows 7 domain connected PC's.
    In one of the suites I have been called into look at 3 different PC's where the users have not got mapped drives, desktop backgrounds, internet connectivity - because their group policies have not applied.
    When I look at the error logs I find DNS 1014 errors, and Group Policy 1054 errors.
    I have looked at the logs on the switches, and there is nothing on them - Could a pupil pulling the network cable out cause these errors?... Possibly they could have put it back in before I got back in the room.
    The user logs off of the PC and back on again and are fine, as are the users that logon after them.
    We have 2 DC's/DNS servers, which I would have thought would be able to cope with the load here.
    Please let me know what you think the likely cause could be.

    Hello John555444,
    What is your current situation?
    Is this issue resolved?
    Best regards,
    Fangzhou CHEN
    Fangzhou CHEN
    TechNet Community Support

  • WINDOWS 8.1 - System Tools no longer displaying User and Group Settings after adding a new LOCAL user.

    I jumped on my parents computer, which is on a domain.  I added a new local user(with my live.com login) and gave it admin status.  That's when the trouble began.
    The main user profile disappeared.  I used the command prompt fix (see other fixes) to add the missing user back into admin.  I logged back in, and it set up the account for the first time (WTF?).  I cannot access any files from the main account
    (that I logged into just fine before to get this debacle started.)
    When going to Local Computer Management --> System Tools, my users and groups tool is missing.
    I ran lusrmgr.msc only to find out that the most current version of Windows 8.1 and this is what it said "This snapin may not be used with this edition of Windows 8.1.  To manage user accounts for this computer, use the User Accounts tool in the
    Control Panel."   <---- Awesome!  (that was sarcasm.)
    I have spent over two hours in the User Account tool during the course of this problem only to prove that a picture of a computer is more useful that that "tool".  
    To anyone reading this ticket, the best advice I can offer you (as long as its not a crucial machine) is to back up what you can gain access to, format your hard-drive and reinstall windows and start over again.  I wouldn't recommend reinstalling 8.1,
    I would say go back to 7 and wait until 10 comes out.   Windows 8 is the new Vista.  Good luck!

    Hello AhavahOlam,
    I can understand your feelings.
    If my understanding is right, after adding a new local user in domain-joined Windows 8.1, you can’t open the local users and groups.
    Can you still add account by going to Control Panel\User Accounts and Family Safety\User Accounts\Manage Accounts?
    As this computer is domain-based, it is recommended to contact the domain administrator to see if the option is blocked.
    Best regards,
    Fangzhou CHEN
    Fangzhou CHEN
    TechNet Community Support

  • "Domain Users" group in Active Directory does not belong to any Group Membership in LC

    Active Directory user belonging to "Domain Users" group does not belong to any Group Membership in LC, why does it not belong to "Domain Users" group?
    Any way to correct this issue, without changing group membership on AD side?
    If Active Directory user is member of "Domain Admins" or "Users" then these show same group membership in LC.
    Thanks.

    If you want to use the Domain Users group for the purpose of representing all the users then you can use the "All principals in domain xxx" group which is created by UM.
    Coming back to Domain Users group. For determining group membership in AD UM uses "member" attribute of the group object. "Domain Users" group is treated differently by AD. It is the default primary group for all the users and normally members of the primary group are not specified using the member attribute.So when we sync the data from AD "Domain Users" membership does not get completed.

  • How to get the user and groups information from http header

    Hi All,
    In my current scneario, we are using Siteminder for SSO setup.. And in this process, after authentication and authorization, they are going to append the user information and group information of the user into a HTTP header and it will be sent back to our presentation services.. We have to extract the user information and group information from the http header.
    My HTTP header will look like as follows..
    SM_USER XYZ
    SM_USERDN CN=Firstname\, Lastname\, xyz, OU=GPO-Low Level Security,OU=Domain Users,OU=BU FDT,
    SM_USERGROUPS CN=GG-CA-SiteminderAdmins, OU=Global,OU=Domain Groups, DC=com^CN=GG-ServiceDeskAdmin-TCCORPCEFS
    And also if anyone explain me the overall working of SSO in detail like how presentation services will make a connection to BI server( I guess using Impersonator User), and also how our BI server will read the URL from presentation services and the over all working flow in our OBIEE..
    Thanks a lot....

    Please use the search! this topic has come up lots of times already.

  • Built-In Domain Level Groups dont have permissions on domain they should on 2012

    Hello,
    First this is a brand new domain environment with everything running server 2012 datacenter edition.
    Second I've never seen anything like the following occur in a domain environment. What I had is what appears to be a bad 2012 AD structure however so far all AD tests come back good. The problem is the built-in domain level groups do NOT offer any level
    of access that they should. For example if I add a user in the administrators group, they don't have any permissions that group is supposed to have. THe same with every other builtin, backup operators, server operators, account operators and on and on. The
    only way a user gets that level of access is if I add them into the domain admins group. As you can imagine this is crazy and not a solution for my help desk crew. (having them all be domain admins that is) So while I could very well use delegation, I need
    to find out why my builtin groups don't function as they should.  Anyone have any ideas on what to check or where to look?  I'm at the point of opening a case with Microsoft on this.
    Thanks in advance

    Because those builtin groups AREN'T domain level groups in the way you're thinking. The Administrators group on the server gives users administrator permissions on the server, but that doesn't mean permissions on the entire domain.
    If you look in the user list in ADUC you'll see that while Domain Admins are a Global security group, Administrators is only a local group, eg local to the server (or more accurately since they no longer have local details, to domain controllers), so doesn't
    grant permissions to anything outside of the domain controller. On all non DC's the machines have their own local administrators group which is independent of the domain one, and can have different memberships.
    So if you only need a user to have permissions to the DC then administrators is fine, but if you need them to have access to the entire network, eg other servers and workstations, then they need to be members of domain admins. If you only want them
    to have limited permissions then you need to grant those permissions either via a global/universal group, or by adding them to the relevant local group on each machine they need access to.

  • Migration; Exchange 2003 SP2 to Exchange 2013 on new Domain and DC

    I wasn't prepared for this task, and it was thrown at me to do...  Eyes are bleeding from planning reading and planning, would LOVE any input from you guys.  First time posting, here and have heard great things about these forums.  The Company
    I work for obtained a new client and a network that is in a cluster at the moment, so I'm having to dig through everything and restructure..
    Scenario:
    Old Domain/Server: (To be decommissioned)
    Server 2003 Standard SP2 (Domain: cosco.com; NETBIOS name: coscoex)
    Exchange 2003 SP2 (6.5.7638.1)
    Server is a domain controller and exchange server.
    Migrating to:
    Server 2012 R2 Datacenter (New Domain ad.cosco.com; NETBIOS name: cosco)
    VM #1: Server 2012 R2 Domain Controller at 2012 R2 Functionality 
    VM #2: Server 2012 R2 with Exchange 2013 Standard (Not Yet Installed) Joined to ad.cosco.com domain
    VM #3: Server 2012 R2 with Exchange 2010 (Not Yet Installed) joined to ad.cosco.com domain
    These are probably not ideal conditions, but I have to work with what I'm given.
    Host server (2012 R2) is in work group mode.  Hyper V Installed with a VM of Server 2012 R2 and as a DC at a functionality level of Server 2012 R2.  I had intended starting at a lower functionality level and raising
    it later, but.... ya I forgot to change it.  If needed I can spool up a new DC with a lower functional level.
    DNS, AD and group policy is all jacked up on the 2003 DC so that doesn't matter, All user accounts are going to be created under the new domain.  The concern is migrating the mailboxes from Exchange 2003 on the old domain to
    Exchange 2013 on the new domain.  The client is going to provide CSV of the AD accounts that are still valid (a lot of accounts are no longer used or are from people that no longer with the organization.)
    I had some ideas, but I'm not sure if they will work.  This is something I have never done before (Senior Engineer Quit).
    My thoughts:
    - Establish a two way trust relationship between the two domains.
    - Create two VM's, one with Exchange 2010 and one with Exchange 2013 (They have a 2010 licence that was not used).
    - Create the users on the new domain
    - Use the double hop method from Exchange 2003 > Exchange 2010 > Exchange 2013 
    - Link Exchange accounts to the correct user accounts on the new DC.
    Can this be done cleanly? Am I going about this the correct way?  Any feedback would be GREATLY appreciated.
    Note: We are forced to use ad.cosco.com (Obviously not the actual domain name)

    Hi,
    Base on my experience, your idea is feasible.
    However, before getting started, you should note that Exchange 2010 (with any service pack or update rollups) is not (yet) supported to install on Windows 2012 R2. More details refer to the following link: 
    http://technet.microsoft.com/library/ff728623(v=exchg.150).aspx
    After all the preparations complete, you can refer to the following articles to migration exchange 2003 to 2010, then to 2013:
    Exchange 2003 to 2010 Cross-Forest Migration Step by Step Guide
    Exchange 2010/2007 to 2013 Migration and Co-existence Guide
    Best regards,
    Niko Cheng
    TechNet Community Support

  • Domain local groups with members from other (same forest) domains?

    I'm confused about granting access to a share via a domain local group that contains members from other domains. Consider this scenario:
    Joe Smith logs into his own domain (DALLAS.CORP.COM) and his token gets the DALLAS\sales global group.
    A share (named sales) in a different domain within the same forest (FORTSMITH.CORP.COM) assigns ntfs modify on its DACL via the FORTSMITH\sales_modify domain local group, which contains the DALLAS\sales global group.
    Joe goes to access the sales share...what happens, exactly?
    Since Joe logged into a DC in the DALLAS domain (outside the replication scope of the sales_modify group), his token does not contain sales_modify, right? So when he goes to access the sales share, that file server in FORTSMITH checks his token, doesn't
    see FORTSMITH\sales_modify in his token, and boom: access denied...right?

    Universal group is ok within the same forest but different domain.
    Domain local is ok between separate forest (Trust should be in place).
    Global is ok for same domain.
    See this for more details.
    http://msmvps.com/blogs/acefekay/archive/2012/01/06/using-group-nesting-strategy-ad-best-practices-for-group-strategy.aspx 
    Written by Ace Fecay-DS MVP.
    Regards~Biswajit
    Disclaimer: This posting is provided & with no warranties or guarantees and confers no rights.
    MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin
    MY BLOG
    Domain Controllers inventory-Quest Powershell
    Generate Report for Bulk Servers-LastBootUpTime,SerialNumber,InstallDate
    Generate a Report for installed Hotfix for Bulk Servers

  • Mapping NT user accounts and groups in BOXI 3.1.i'm getting below error

    Mapping NT user accounts and groups in BOXI 3.1.i'm getting below error
    In BOXI 3.1 CMC
    .NT Authentication is enabled check box is selected.
    In the Mapped NT Member Groups area, entered the NT domain\group in the Add NT Group text box.
    like : secWindowsNT:
    BLRKEC148827D\BusinessObjects NT Users
    getting error like
    "The secWindowsNT security plugin is not enabled. Contact your system administrator for details. (FWB 00002) "

    You shouldn't be using the NT plugin in 3.1, is there a reason you are using this plugin over AD? If you really want to use it you may need to open a case with support and trace the CMS. Are there any groups currently mapped? if you hit update without adding/removing what happens? What if you remove the NT users group and hit update?
    Regards,
    Tim

  • Event ID 1085 on DC - Failed to Apply the Group Policy Local Users and Groups Settings

    I have a domain with 2 DCs.  The primary DC is running Server 2012 and is raising Event ID 1085 every 10 minutes and 20 seconds.
    Windows failed to apply the Group Policy Local Users and Groups settings. Group Policy Local Users and Groups settings might have its own log file. Please click on the "More information" link.
    System
    - Provider
    [ Name] Microsoft-Windows-GroupPolicy
    [ Guid] {AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}
    EventID 1085
    Version 0
    Level 3
    Task 0
    Opcode 1
    Keywords 0x8000000000000000
    - TimeCreated
    [ SystemTime] 2014-10-20T20:09:03.706992400Z
    EventRecordID 130087
    - Correlation
    [ ActivityID] {FDDFB8C5-9ECF-41B9-B2B4-3AD0B345A37A}
    - Execution
    [ ProcessID] 1000
    [ ThreadID] 3280
    Channel System
    Computer SERVER.DOMAIN.NAME
    - Security
    [ UserID] S-1-5-18
    - EventData
    SupportInfo1 1
    SupportInfo2 4404
    ProcessingMode 0
    ProcessingTimeInMilliseconds 10343
    ErrorCode 183
    ErrorDescription Cannot create a file when that file already exists.
    DCName \\SERVER.DOMAIN.name
    ExtensionName Group Policy Local Users and Groups
    ExtensionId {17D89FEC-5C44-4972-B12D-241CAEF74509}
    Everything I look up for Event ID 1085 seems to be about a different cause.
    Any ideas?

    I enabled tracing on a domain gpo and I still get the error when running gpupdate /force .
    I'm also still getting Event 1085.  Here's the trace file.  I've anonymized the site/domain and the GUIDs.
    2014-10-21 11:16:54.003 [pid=0x3e8,tid=0xcd0] Entering ProcessGroupPolicyExLocUsAndGroups()
    2014-10-21 11:16:54.018 [pid=0x3e8,tid=0xcd0] SOFTWARE\Policies\Microsoft\Windows\Group Policy\{GUID-1}
    2014-10-21 11:16:54.018 [pid=0x3e8,tid=0xcd0] BackgroundPriorityLevel ( 0 )
    2014-10-21 11:16:54.018 [pid=0x3e8,tid=0xcd0] DisableRSoP ( 0 )
    2014-10-21 11:16:54.018 [pid=0x3e8,tid=0xcd0] LogLevel ( 2 )
    2014-10-21 11:16:54.018 [pid=0x3e8,tid=0xcd0] Command subsystem initialized. [SUCCEEDED(S_FALSE)]
    2014-10-21 11:16:54.065 [pid=0x3e8,tid=0xcd0] Background priority set to 0 (Idle).
    2014-10-21 11:16:54.065 [pid=0x3e8,tid=0xcd0] ----- Parameters
    2014-10-21 11:16:54.065 [pid=0x3e8,tid=0xcd0] CSE GUID : {GUID-1}
    2014-10-21 11:16:54.065 [pid=0x3e8,tid=0xcd0] Flags : ( X ) GPO_INFO_FLAG_MACHINE - Apply machine policy rather than user policy
    2014-10-21 11:16:54.065 [pid=0x3e8,tid=0xcd0] ( X ) GPO_INFO_FLAG_BACKGROUND - Background refresh of policy (ok to do slow stuff)
    2014-10-21 11:16:54.065 [pid=0x3e8,tid=0xcd0] ( ) GPO_INFO_FLAG_SLOWLINK - Policy is being applied across a slow link
    2014-10-21 11:16:54.065 [pid=0x3e8,tid=0xcd0] ( ) GPO_INFO_FLAG_VERBOSE - Verbose output to the eventlog
    2014-10-21 11:16:54.065 [pid=0x3e8,tid=0xcd0] ( ) GPO_INFO_FLAG_NOCHANGES - No changes were detected to the Group Policy Objects
    2014-10-21 11:16:54.065 [pid=0x3e8,tid=0xcd0] ( ) GPO_INFO_FLAG_LINKTRANSITION - A change in link speed was detected between previous policy application and current policy application
    2014-10-21 11:16:54.065 [pid=0x3e8,tid=0xcd0] ( ) GPO_INFO_FLAG_LOGRSOP_TRANSITION - A change in RSoP logging was detected between the application of the previous policy and the application of the current policy.
    2014-10-21 11:16:54.065 [pid=0x3e8,tid=0xcd0] ( X ) GPO_INFO_FLAG_FORCED_REFRESH - Forced Refresh is being applied. redo policies.
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] ( ) GPO_INFO_FLAG_SAFEMODE_BOOT - windows safe mode boot flag
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] ( ) GPO_INFO_FLAG_ASYNC_FOREGROUND - Asynchronous foreground refresh of policy
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] Token (computer or user SID): S-1-5-18
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] Abort Flag : Yes (0x313be090)
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] HKey Root : Yes (0x80000002)
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] Deleted GPO List : No
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] Changed GPO List : Yes
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] Asynchronous Processing : Yes
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] Status Callback : No (0x00000000)
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] WMI namespace : Yes (0x32273740)
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] RSoP Status : Yes (0x320cc7f4)
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] Planning Mode Site : (none)
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] Computer Target : No (0x00000000)
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] User Target : No (0x00000000)
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] Calculated list relevance. [SUCCEEDED(S_FALSE)]
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] ----- Changed - 0
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] Options : ( ) GPO_FLAG_DISABLE - This GPO is disabled.
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] ( ) GPO_FLAG_FORCE - Do not override the settings in this GPO with settings in a subsequent GPO.
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] Options (raw) : 0x00000000
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] Version : 19267878 (0x01260126)
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] GPC : LDAP://CN=Machine,CN={GUID-2},CN=Policies,CN=System,DC=SITE,DC=DOMAIN
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] GPT : \\SITE.DOMAIN\sysvol\SITE.DOMAIN\Policies\{GUID-2}\Machine
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] GPO Display Name : Default Domain Policy
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] GPO Name : {GUID-2}
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] GPO Link : ( ) GPLinkUnknown - No link information is available.
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] ( ) GPLinkMachine - The GPO is linked to a computer (local or remote).
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] ( ) GPLinkSite - The GPO is linked to a site.
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] ( X ) GPLinkDomain - The GPO is linked to a domain.
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] ( ) GPLinkOrganizationalUnit - The GPO is linked to an organizational unit.
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] ( ) GP Link Error
    2014-10-21 11:16:54.096 [pid=0x3e8,tid=0xcd0] lParam : 0x00000000
    2014-10-21 11:16:54.096 [pid=0x3e8,tid=0xcd0] Prev GPO : No
    2014-10-21 11:16:54.096 [pid=0x3e8,tid=0xcd0] Next GPO : Yes
    2014-10-21 11:16:54.096 [pid=0x3e8,tid=0xcd0] Extensions : [{00000000-0000-0000-0000-000000000000}{GUID-3}][{GUID-1}{GUID-3}][{GUID-4}{GUID-5}{GUID-6}{GUID-7}{GUID-8}][{GUID-9}{GUID-10}][{GUID-11}{GUID-5}{GUID-6}]
    2014-10-21 11:16:54.096 [pid=0x3e8,tid=0xcd0] lParam2 : 0x3146f978
    2014-10-21 11:16:54.096 [pid=0x3e8,tid=0xcd0] Link : LDAP://DC=SITE,DC=DOMAIN
    2014-10-21 11:16:54.096 [pid=0x3e8,tid=0xcd0] Purge GPH : C:\ProgramData\Microsoft\Group Policy\History\{GUID-2}\Machine\Preferences\Groups\Groups.xml
    2014-10-21 11:16:54.096 [pid=0x3e8,tid=0xcd0] Read GPE XML data file (592 bytes total).
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] ----- Changed - 1
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] Options : ( ) GPO_FLAG_DISABLE - This GPO is disabled.
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] ( ) GPO_FLAG_FORCE - Do not override the settings in this GPO with settings in a subsequent GPO.
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] Options (raw) : 0x00000000
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] Version : 1245203 (0x00130013)
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] GPC : LDAP://CN=Machine,CN={GUID-12},CN=Policies,CN=System,DC=SITE,DC=DOMAIN
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] GPT : \\SITE.DOMAIN\sysvol\SITE.DOMAIN\Policies\{GUID-12}\Machine
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] GPO Display Name : Default Domain Controllers Policy
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] GPO Name : {GUID-12}
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] GPO Link : ( ) GPLinkUnknown - No link information is available.
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] ( ) GPLinkMachine - The GPO is linked to a computer (local or remote).
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] ( ) GPLinkSite - The GPO is linked to a site.
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] ( ) GPLinkDomain - The GPO is linked to a domain.
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] ( X ) GPLinkOrganizationalUnit - The GPO is linked to an organizational unit.
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] ( ) GP Link Error
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] lParam : 0x00000000
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] Prev GPO : Yes
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] Next GPO : No
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] Extensions : [{00000000-0000-0000-0000-000000000000}{GUID-3}][{GUID-1}{GUID-3}][{GUID-9}{GUID-10}]
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] lParam2 : 0x324e8198
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] Link : LDAP://OU=Domain Controllers,DC=SITE,DC=DOMAIN
    2014-10-21 11:16:54.127 [pid=0x3e8,tid=0xcd0] Purge GPH : C:\ProgramData\Microsoft\Group Policy\History\{GUID-12}\Machine\Preferences\Groups\Groups.xml
    2014-10-21 11:16:54.127 [pid=0x3e8,tid=0xcd0] Read GPE XML data file (592 bytes total).
    2014-10-21 11:16:54.143 [pid=0x3e8,tid=0xcd0] Completed get next GPO. [SUCCEEDED(S_FALSE)]
    2014-10-21 11:16:54.143 [pid=0x3e8,tid=0xcd0] WQL : SELECT * FROM RSOP_PolmkrSetting WHERE polmkrBaseCseGuid = "{GUID-1}"
    2014-10-21 11:16:54.143 [pid=0x3e8,tid=0xcd0] Purged 2 old RSoP entries.
    2014-10-21 11:16:54.143 [pid=0x3e8,tid=0xcd0] Logging 2 new RSoP entries.
    2014-10-21 11:16:54.159 [pid=0x3e8,tid=0xcd0] RSoP Entry 0
    2014-10-21 11:16:54.174 [pid=0x3e8,tid=0xcd0] RSoP Entry 1
    2014-10-21 11:16:54.174 [pid=0x3e8,tid=0xcd0] Completed get GPO list. [SUCCEEDED(S_FALSE)]
    2014-10-21 11:16:54.174 [pid=0x3e8,tid=0xcd0] IsRsopPlanningMode() [SUCCEEDED(S_FALSE)]
    2014-10-21 11:17:04.252 [pid=0x3e8,tid=0xcd0] Completed settings update (csePostProcess). [ hr = 0x800700b7 "Cannot create a file when that file already exists." ]
    2014-10-21 11:17:04.252 [pid=0x3e8,tid=0xcd0] Completed CSE post-processing. [ hr = 0x800700b7 "Cannot create a file when that file already exists." ]
    2014-10-21 11:17:04.267 [pid=0x3e8,tid=0xcd0] Leaving ProcessGroupPolicyExLocUsAndGroups() returned 0x000000b7

  • Populating users and groups - design considerations/best practice

    We are currently running a 4.5 Portal in production. We are doing requirements/design for the 5.0 upgrade.
    We currently have a stored procedure that assigns users to the appropriate groups based on the domain info and role info from an ERP database after they are imported and synched up by the authentication source.
    We need to migrate this functionality to the 5.0 portal. We are debating whether to provide this functionality by doing this process via a custom Profile Web service. It was recommended during ADC and other presentation that we should stay away from using the database security/membership tables in the database directy and use the EDK/PRC instead.
    Please advise on the best way to approach(With details) this issue. We need to finalize the best approach to take asap.
    Thanks.
    Vanita

    So the best way to do this is to write a custom Authentication Web Service.  Database customizations can do much more damage and the EDK/PRC/API are designed to prevent inconsistencies and problems.
    Along those lines they also make it really easy to rationalize data from multiple backend systems into an orgainzation you'd like for your portal.  For example you could write a Custom Authentication Source that would connect to your NT Domain and get all the users and groups, then connect to your ERP system and do the same work your stored procedure would do.  It can then present this information to the portal in the way that the portal expects and let the portal maintain its own database and information store.
    Another solution is to write an External Operation that encapsulates the logic in your stored procedure but uses the PRC/Server API to manipulate users and group memberships.  I suggest you use the PRC interface since the Server API may change in subtle ways from release to release and is not as well documented.
    Either of these solutions would be easier in the long term to maintain than a database stored procedure.
    Hope this helps,
    -Akash

  • RDS - .local domain and external users. Best way to get rid of SSL warnings

    I am evaluating MS RDS as a possible solution for a VDI implementation at the college I work for.  When we setup our AD years ago we set it up as a .local domain.  I am running into issues with the .local machine name on the connection broker for
    external users.  I know for internal domain systems we can setup the self signed .local cert as a trusted root cert to bypass the self signed untrusted warning  but for the bulk of our users which will be using systems external to our domain they
    will get the SSL warning about the self signed certificate when they try to connect to a remote app or a desktop.
    Initially I thought if I setup a local AD CA that we could setup a trust relationship with the SSL cert.  After further reading I believe that this would only work for systems internal to our domain and we would still have the issue with external devices.
    The other option would be to tell our users to click the box to never display the warning message again and to go on or to add the self signed cert to their trusted list.  Of course when ever you ask the user to do something there will be issues.  We
    have also found that in our testing that we can not seem to connect via the web portal with a macbook.  We get an error that there is a problem with the trust relationship with the server after we login and click on an app or a desktop to connect.  We
    have been able to connect with iOS devices.  
    We could of course rename the .local domain to a .edu domain which would permit us to use our wildcard certificate but that is a major undertaking that we don't want to cross at the moment.  I think I might have some up with a solution and wanted to
    bounce the idea off of those on this forum.
    If we setup a second domain on campus that is not a .local.  Join the non internet facing RDS systems to this new domain that would have a SSL cert that was trusted and then setup a full trust relationship between the two domains such that users and
    systems in one domain could communicate with the systems in the other domain would that remove the certificate warnings for external users?

    Hi AKlein,
    Initially I thought if I setup a local AD CA that we could setup a trust relationship with the SSL cert.  After further reading I believe that this would only work for systems internal to our domain and we would
    still have the issue with external devices.
    Just add the root CA certificate of the internal CA into Trusted Root Certification Authorities store on external clients manually (or through group policy if there is an external domain), then SSL certificate warning would be gone.
    We could of course rename the .local domain to a .edu domain which would permit us to use our wildcard certificate but that is a major undertaking that we don't want to cross at the moment.
    Yes, renaming domain is not recommended due to its complexity.
    If we setup a second domain on campus that is not a .local.  Join the non internet facing RDS systems to this new domain that would have a SSL cert that was trusted and then setup a full trust relationship between
    the two domains such that users and systems in one domain could communicate with the systems in the other domain would that remove the certificate warnings for external users?
    If you are setting up a new domain with two way trust, then root CA certificate of the internal CA still needs to be distributed manually (or through group policy). If you are setting up a child domain, then enterprise CA would be trusted within the same
    forest.
    As long as there are enough external users and devices to manage, an external private network exists and extra domain management tasks are acceptable, then setting up a new domain is a good choice since domain provides secure boundary.
    Or, you could just create a new site from the other network location, which saves you from creating a new domain, new users and trust.
    Best Regards,
    Amy
    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
    [email protected]

  • Migrate to new domain and new SCCM

    The migration scenario is this:
    All Clients are in Domain1 and are managed through SCCM 2012 with System Center Endpoint Protection 2012.
    Some of the clients need to join a new domain and be managed through a new SCCM 2012 R2 server with System Center Endpoint Protection 2012 R2.
    There are no trusts between the forests. Do we need to uninstall the SCCM 2012 Agent and SCEP 2012 and then install the new SCCM 2012 R2 Agent and SCEP 2012 R2?
    Or can we just uninstall SCCM 2012 Agent only and keep SCEP 2012 and later install.

    There are multiple ways to go about it.
    Assuming that the AD forest is properly extended and the new site's info is properly published, then you can simply run a script:
    http://msdn.microsoft.com/en-us/library/cc146558.aspx
    http://gallery.technet.microsoft.com/scriptcenter/Change-sccm-configmgr-cf6e0327/view/Discussions
    If the two assumptions above aren't correct, then the client has no way of getting the trusted root key gracefully for the new site and running ccmsetup  is the best way.
    The ccmsetup bootstrapper will download files as needed from the closest DP but (from memory) won't redownload files if they are already present in the ccmsetup folder.
    A client push is probably the easiest method to initiate ccmsetup because it can be managed from a central location -- just make sure you select the checkbox for always reinstall. Of course, as mentioned above, if someone has previously used the "group
    policy" to assign the site to your clients, you'll need to clean up that mess first otherwise the clients will always try to assign to the old site.
    Jason | http://blog.configmgrftw.com

  • Unity 7.0 - AD Domain Admin Group

    I have Unity 7.0 with failover, AD, and Exchange 2010.  Unity accounts are created in AD in the Domain Admin Group.  Most that I have read states if Unity is a domain controller it needs to be in the Domain Admin group.  I do not know how to see if Unity is a domain controller and do not know why (previous to me), Unity was setup in the Domain Admin Group.
    Can you help me understand why Unity might be setup in the Domain Admin Group, reasons?
    Thanks,

    Melinda;
    -> if you use the tools depot option in the unity server you will see an option called dc\gc reconnect tool to check if unity looks at itself as a domain controller; here is a link that will give you more informaiton on this tool;  http://www.ciscounitytools.com/Applications/Unity/DCGCReconnect/Help/DCGCConnectionManager.htm
    -> Can you clarify if you are asking whether the unity reference account ( unityinstall/unimgstoresvc/unitydirsvc) needs to be domain admin or not ? If you query is related to the above mentioned accounts ; what permissions do they need is documented in the following link;
    http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/unity/5x/installation/guide/umexfo/5xcuigumefox/5xcuigumefo070.html
    -i hope this helps.

Maybe you are looking for

  • Excise duty rates for each PO's

    Hi All, There is a enchancement of a Z report in our project, this report provides the GR/IR ageing Report, in which all the GR and IR details of the PO are displayed. but Now the user require a new coloumn in the report which should show the unclear

  • Small CD Stuck in drive

    I had some software on a small CD , which I've inserted in to my Macbook . I know this was a mistake . The CD is stuck , but the macbook does not show anything in the drive . How can I remove the CD ? Thanks

  • Width of phtmlb:ganttChart

    I just inserted a phtmlb:ganttChart into my WebAS application. Cool stuff. Now, I wonder how to set the width of the chart. In my case, the chart is inserted into a table, which has width="100%". If the time frame that is shown in the chart is too bi

  • Z1 White Balance Displa Setting

    May I ask how to see the white balance setting into the display setting for Xperia Z1? Bec. I have Xperia Z also and the white balance setting is already seen but into my Z1 I can't see the white balance setting to adjust the screen display hope to a

  • Query Extensions: in Enterprise Edition only?

    Hi, I want to try to clarify something in the docs. Section 7.4 of the Kodo 2.4.2 docs states this: "Kodo JDO Enterprise Edition allows developers to optimize and customize their datastore queries by adding new custom operations to JDOQL. In addition