Dsget - query users *NOT* part of a group

Similar Messages

• Check if user is part of AD group using System.DirectoryServices.AccountManagement namespace

  I am trying to validate a user from SharePoint to see if a user exists within an AD group. SharePoint does not allow you to do this so I am using the:
  using
  System.DirectoryServices.AccountManagement;
  to validate user existance within that AD group. I found the following method that allows me to validate but bombing on me:
  public bool IsUserInGroup(string username, string groupname, ContextType type)
  PrincipalContext context = new PrincipalContext(type);
  UserPrincipal user = UserPrincipal.FindByIdentity( context, IdentityType.Name, username);
  GroupPrincipal group = GroupPrincipal.FindByIdentity(context, groupname);
  return user.IsMemberOf(group);
  When I call my method, i get
  An operations error occurred.
  I read that it might be an impersination error but I have my web.config set up already with:
  <
  authentication mode="Windows" />
  <
  identity impersonate="true" />
  Any suggestions from someone that has worked with that namespace on SharePoint? I just want to plainly check to see if a user is part of a certain group on AD from SharePoint.
  Victor Palma

  “An operations error occurred. “ may suggest a COMException is occurred.
  I wrote an simple console application that works:
      static void Main(string [] args)
          Console .WriteLine(IsUserInGroup("Administrator" , "Domain Admins" ));
      public static bool IsUserInGroup(string username, string groupname)
          var foundUser = false ;
          var context = new PrincipalContext (ContextType .Domain, "DC" );
          var group = GroupPrincipal .FindByIdentity(context, groupname);
          if (group == null )
              context.Dispose();
              throw new Exception ("Group could not be found: " + groupname);
          // GetMembers(true) is recursive (groups-within-groups)
          foreach (var member in group.GetMembers(true ))
              try
                  if (member.SamAccountName.Equals(username))
                      foundUser = true ;
                      break ;
              catch (Exception )
                  // One of the members could not be retrieved, moving on...
          group.Dispose();
          context.Dispose();
          return foundUser;
  Reference:
  Recursive Active Directory group membership using System.DirectoryServices in .NET 3.5(http://www.lessanvaezi.com/recursive-active-directory-group-membership-using-system-directoryservices-in-net-3-5/)
  Another important notice:
  How to use the System.DirectoryServices namespace in ASP.NET(http://support.microsoft.com/default.aspx/kb/329986)
  Keep It Simple and Stupid.

• Query HUD not listing Keyword Parent Group

  I've been using keywords through grouped sets. For instance. Same guy (John Doe) under two seperate parents:
  Family > John Doe
  Work > John Doe
  This typically produces a result in the query (search) HUD like:
  John Doe (Family)
  John Doe (Work)
  However, I have two names that are not doing this. They Display like:
  John Doe
  John Doe
  If you check one or the other and look at the individually files with the inspector the keywords do list thier proper group. Additionally, if you go to the project itself...and use a query...in one project it may work and the other it may not.
  I've tried rebuilding the library but can't figure out why these are caching differently.
  Anyone have any ideas?

  Well...after much research, this seems to be a bug in the HUD.
  After rebuilding did nothing...I started a new library and did some experimenting while looking at the actual 'version-1.apversion' file that is stored with each photo. (Apparently, this is the data that is parsed to rebuild the database.) The file structure of the displaying groups and non-displaying groups seems to be indentical. Therefore, I began to suspect that this was a problem with the way Aperture was displaying them.
  Indeed it seems to be. I began testing by making identical keyword of 12 letters and 1 space under multiple parents named
  1
  12
  123
  1234
  12345
  123456
  1234567...so on
  Once the combination of Keyword and Parent contained more than 20 letters, it ceased to work properly. BUT THIS IS THE STRANGE PART...if the combination of keyword and parent was more than 25 letters, Aperture will begin displaying an abrevated version. For instance...
  Gymanstics >Lauren Hodges
  will display 'Lauren Hodges'
  but
  Gymanstics A > Lauren Hodges
  will display 'Lauren Hodges (Gymn...)
  This also explains why sometimes using the library search HUD vs. a project search HUD yields different results. The number of items helps detirmine the size of the HUD list and therefore column widths, i guess.
  There you have it. Don't rebuild for this issue.

• User not displayed under a Group

  HI All,
  We are using BOXIR2 SP2 with .NET and have configured Windows AD authentication.
  A user belongs to multiple groups. Some times a user may belong to 14- 20 groups. All these groups are added in CMC.
  The issue is when I do a manual update of the AD graph some user accounts are not being updated. The only fix I have right now is to restart the CMS.
  Also, when we see the properties of a UserA and check Member of we can see it belongs to GroupA.
  But when we see the propertis of the same GroupA and check Users, the UserA is not displayed.
  Could you please help me with this as this is our Production box and restarting the CMS is not a good solution.
  Thanks in advance for your help,
  V

  If you are unable to resolve then you should open a message with support (authentication team) Issues like this typically require considerable tracing and analysis or the CMS and packet scans. We have never reproduced a bug with the AD plugin so in most cases the problem is usually in the configuration or AD setup. It's unlikely that changing the graph timeout will make any difference if the update is not occurring when you press update in CMC > Auth > AD.
  Regards,
  Tim

• User should not able to delete group in sharepoint

  Hi,
  I have a requirement like,
  user added a document in CRM2011 and clicked on open sharepoint then he is redirecting to sharepoint.There if he clicks on manage permissions then all the groups inside the document he can see and delete also but perticular group he should not delete how
  can i restrict user to delete the perticular group.
  Thanks in advance.

  Hi,
  According to your post, my understanding is that you wanted to control particular user not to delete particular groups.
  There is no out of the box way to accomplish this with SharePoint.
  If you wanted to achieve this function, you should create some custom codes, there are some suggestions for your reference.
  You can create a list to store the users and the matched groups with the users.
  Then you should edit the user.aspx page with some custom code, invoke the list, make some conditions to determine whether the user has permission to remove the groups.
  2. Another workaround is that you can create a time job for the particular groups, if the groups have been removed , then use the time job to recreate them.
  Thanks & Regards,
  Jason
  Jason Guo
  TechNet Community Support

• I'm trying to get into game center to download some things. Enter user id/password then keep getting a "you are not part of this/the administrator group" then a cancel or retry command. What do I do? (I am using a friends wi-fi) What d

  I am trying to get into the Game Center and download some apps. I enter my user id/password the keep getting a "you are not part of the/this administrators group" message then a cancel/retry command. What do I do to become part of this/the administrators group? I am using a friend's wi-fi...Help!

  I am trying to get into the Game Center and download some apps. I enter my user id/password the keep getting a "you are not part of the/this administrators group" message then a cancel/retry command. What do I do to become part of this/the administrators group? I am using a friend's wi-fi...Help!

• Error : Query does not exist in user group

  Hello,
  I copied the one existing transaction i.e. Z10SD25 and made the new transaction.
  Also i created the new Infoset and Query in an existing User group.
  I also assigned the Infoset to user group and query to Infoset.
  But while running the new transaction it is giving me error that 'Query does not exist in user group'.
  Kindly help me with this.
  Thanks in advanced.
  Regards,
  Darshana

  Hi,
  After assigning the Infoset to user group and query to Infoset, click on 'Generate' button.
  Note: The query can only be generated when the InfoSet is assigned to a user group.
  Also check whether the usergroup is given or not for queries.
  SQ01 - Select Environment u2013 Select Standard Area - Enter -- If new user group is to be created, enter name of the user group, click on create and enter necessary information and exit after saving

• A device which is not part of this management group has attempted to access this Health Service.

  Has anyone found an answer to this yet?  I have uninstalled/reinstalled the agents both manually and through the push. Rebooted the client, rebooted the  sce server. Forced the group policy to reapply, forced the health agent to /reportnow and I still get the error. The client shows up under the agent managed section but under the health state column it shows not monitored. The clients can ping the SCE server by FQDN and RDP to it as well so name resolution is working fine.
  On the the SCE server I get this in the log
  Event Type: Information
  Event Source: OpsMgr Connector
  Event Category: None
  Event ID: 20000
  Date:  6/25/2009
  Time:  10:09:40 AM
  User:  N/A
  Computer: *******
  Description:
  A device which is not part of this management group has attempted to access this Health Service.
  Requesting Device Name : *****
  And this
  Event Type:            Information
  Event Source:           OpsMgr Connector
  Event Category:       None
  Event ID: 21042
  Date:                        6/25/2009
  Time:                       10:25:14 AM
  User:                        N/A
  Computer:                ***********
  Description:
  Operations Manager has discarded 1 items in management group Servername_MG, which came from $$ROOT$$.  These items have been discarded because no valid route exists at this time.  This can happen when new devices are added to the topology but the complete topology has not been distributed yet.  The discarded items will be regenerated.
  On the client I get
  Event Type: Error
  Event Source: OpsMgr Connector
  Event Category: None
  Event ID: 20070
  Date:  06/25/2009
  Time:  10:06:13 AM
  User:  N/A
  Computer: ******
  Description:
  The OpsMgr Connector connected to ****** but the connection was closed immediately after authentication occured.  The most likely cause of this error is that the agent is not authorized to communicate with the server, or the server has not received configuration.  Check the event log on the server for the presence of 20000 events, indicating that agents which are not approved are attempting to connect.
  And this as well
  Event Type:            Error
  Event Source:           OpsMgr Connector
  Event Category:       None
  Event ID: 21016
  Date:                        06/25/2009
  Time:                       10:06:18 AM
  User:                        N/A
  Computer:                ******
  Description:
  OpsMgr was unable to set up a communications channel to **** and there are no failover hosts.  Communication will resume when ******* is both available and allows communication from this computer.
  And this
  OpsMgr has no configuration for management group Servername_MG and is requesting new configuration from the Configuration Service.

  Hey Nathan,
  Yea I have sent the script to eveyone that has aked for it. I dont know if its helped anybody else as none has given me any feedback either way.
  I guess I can post it here for everyone to use.
  Please keep in mind that if you use this script from MS its at your own risk, If your DB blows up, massive catastrophic failure ensues and so forth ITS YOUR OWN FAULT. MAKE SURE YOU HAVE GOOD BACKUPS
  Step 1) Run this against your SCE 2007 DB
  DECLARE @BaseManagedEntityInternalId int
  DECLARE @BaseManagedEntityId uniqueidentifier
  DECLARE @ViewName sysname
  DECLARE @Statement nvarchar(max)
  SET @BaseManagedEntityInternalId = 0
  WHILE EXISTS (SELECT * FROM BaseManagedEntity WHERE (BaseManagedEntityInternalId >
  @BaseManagedEntityInternalId))
  BEGIN
  SELECT TOP 1
  @BaseManagedEntityInternalId = bme.BaseManagedEntityInternalId
  ,@BaseManagedEntityId = bme.BaseManagedEntityId
  ,@ViewName = met.ManagedTypeViewName
  FROM BaseManagedEntity bme
  JOIN ManagedType met ON (bme.BaseManagedTypeId = met.ManagedTypeId)
  WHERE (bme.BaseManagedEntityInternalId > @BaseManagedEntityInternalId)
  AND (bme.IsDeleted = 0)
  ORDER BY BaseManagedEntityInternalId
  SELECT @Statement = 'IF NOT EXISTS (SELECT * FROM ' + QUOTENAME(@ViewName) + '
  WHERE BaseManagedEntityId = ''' + CAST(@BaseManagedEntityId AS varchar(50)) + ''')
  PRINT ''' + CAST(@BaseManagedEntityId AS varchar(50)) + ' ' + @ViewName + ''''
  EXECUTE(@Statement)
  END
  STEP 2) 
  If your problem was the same a mine you should get some GUID’s returned.  (For example 93790c0B-09C4-3A4D-CE72-F4E3Dd917D78 MTV_DeploymentSettings)
  Using the GUID that we got in the output file
  Execute the below given query:
  ==========================
  select fullname
  from basemanagedentity
  where basemanagedentityid = ‘<GUID>’
  ==========================
  Verify that the device or the object mentioned in the above output is not displayed in Operations console.
  Only in case if the object is not displayed then use the below given query to delete it from database.
  ==========================
  update basemanagedentity
  set isdeleted = 1
  where basemanagedentityid = ‘<GUID>’
  ==========================
  Before executing the above query please ensure that you have the backup of the database. Also note that you need to run the above said query only incase if you do not see the object in the Operations console.
  After executing this query, run this stored procedure:
  ==========================
  exec p_Detectandfixinstancespaceinconsistencies
  ==========================
  Once it is done:
  > Stop all the three OpsMgr services: health, Config and SDK on Management Server
  > Cleared the health service state folder.
  > Start all the three OpsMgr services: SDK, Config, and health on Management Server.
  > Wait for 30 minutes and see if the agents start getting monitored.
  I hope this helps everyone

• Same user with administrative rights on all the servers in single domain versus domainadmin as a part of administrator group in all the servers

  same user with administrative rights on all the servers in single domain user as a part of administrator group in all the servers:
  same user is configured as administrator on all the servers in one domain at windows 2003 server. Should this user be made part of domain admin and then this can be set up in the group of administrator for all the servers.
  How this is technically different?
  If same user is set up as an administrator on all the servers in domain, will it have the same access on all the files as a domain admin user?
  dhomya

  If the account is not admin on the domaincontrollers and the account is not member of domain admins or any other privileged AD group, the account has only user privileges on AD and thus cannot perform actions like creating and managing  accounts,
  groups, OUs,policies, sites, ...in other words cannot potentially ruin Active Directory.
  I think that is a pretty big difference.
  In fact, it is bad practice to perform you daily server management with an AD privileged account.
  In regards of file access. The domain administrator will be just an admin, and thus has the privilies assigned to the local admin group, just as any other admin. But if it are different accounts they might be member of different groups assigning different
  privileges. Always be carefull when assuming resulting privileges will be the same.
  MCP/MCSA/MCTS/MCITP

• Active Directory users not made member of Local Network group

  Hi all,
  I've just done a clean install from 10.6 Server to 10.8.4.
  The issue I seem to be having is a mismatch between what Groups in Server.app is reporting as members (who happen to be users or groups from our Active Directory domains) of a Local Network group and what dseditgroup reports as members of the same network.
  The Setup:
  In Groups in Server.app under Local Network Group I have created a group call "AccessServer"
  Members in that group are:
       - AD-Domain User Group (so should be all users in the domain)
       - MacOS X "netaccounts" group (again, should capture all users that connect through the network I've used this in the past/10.6 very handy)
       - AD User 1
       - AD User 2
       - AD User 3
  The Server is bound to the AD Domain, All-Domains is not selected and a Search Path is added for each Domain needed and set at the top of the search order.
  The Behaviour:
  AD User 1 can access AFP and other services as expected.
  AD User 2 and 3 cannot.
  Another user within AD-Domain User Group or netaccounts can access AFP and other services as expected
  Yet other users within AD-Domain User Group or netaccounts cannot
  Furthermore: 
  If I REMOVE AD User 1 (a working user) *and* the AD Domain Group and netaccounts Group.  I can still login with that account!
  Diagnosis:
  I tried checking group membership with dseditgroup, the results match the behaviour, not the setup.
  >dseditgroup -o checkmember -m ADUser1 accessserver
  yes ADUser1 is a member of accessserver
  >dseditgroup -o checkmember -m ADUser2 accessserver
  no ADUser2 is NOT member of accessserver
  >dseditgroup -o checkmember -m ADDomainUser/netacc accessserver
  yes ADDomainUser/netacc is a member of accessserver
  >dseditgroup -o checkmember -m n accessserver
  no ADUser2 is NOT member of accessserver
  When non-member users try to connect I get a message in the logs of (IP/DNS values anonymized):
  2013-06-25 3:04:36.794 PM sshd[5217]: error: PAM: authentication error for illegal user ----- from ----.mala.bc.ca via x.x.
  I get the same results even after removing the user from the Groups screen!
  Failed Solutions
  - As we are a large AD I've tried specifying specific Active Direcotry servers that might better be able to find the users in question and authenticate.
  - I've let the system just sit, in hopes delayed replication would solve the problem overnight.
  - I've deleted and recreated the groups.

  Upon further investigation we have discovered:
  a) the main behaviour that is causing the problem is best described as AD users that are added to a Local or Network OS X group... either individually or through a Domain group.... are not actually recognized as members of that OS X group even though the GUI or CLI tool have added them and acknowledge them as being in the list.
  b)  This is NOT limited only to MacOS X Server 10.8.  The same behaviour is occuring on a long-running 10.6 server as well.
  c) The problem remains whether we nest AD groups to capture a large bunch of users, or add users individually.  If the user is part of the mysteriously denied set, how they are added to the OD or local group is irrelevant, including if added from the command line.
  d) Which users are allowed and which are not is unclear and appears generally random.  We have found 3 'classes' of users:    
            1 - those that are successfully becoming members every time.
            2 - those that are intermittent members.  Members on one server or another, or in one case even go from being reported as a member (by dseditgroup), to not being a member, to being a member again within the span of only a minute or two.
            3 - those that are never successfully admitted as a member.
  So the problem is both Apple's and Windows in that:
  Apple: Is allowing a group and/or user to be added and implying then membership in the group even though that membership is not being honoured in some way and there is no feedback or communication of that fact aside from generic 'denied' or 'illegal user' errors.
  Windows:  Is passing along membership through its groups and users, but not completely, for reasons that are, at this point, a mystery.
  Really hoping people have some ideas on this.  This system of nested groups or individual user access is something we have of course being using for many years.  So this is a major setback.

• Assign SQ03 Abap Query User Group to role

  Please advise how to assign SQ03 Abap Query User Group to a role. Thanks.
  Moderator message: please do more research before asking.
  [Rules of engagement|http://wiki.sdn.sap.com/wiki/display/HOME/RulesofEngagement]
  [Asking Good Questions in the Forums to get Good Answers|/people/rob.burbank/blog/2010/05/12/asking-good-questions-in-the-forums-to-get-good-answers]
  Edited by: Thomas Zloch on May 12, 2011 5:40 PM

  Hello Sunil,
  The problem is that I have hundreds of users to maintain user groups.
  found out that it is possible to assign user group to role and role to user groups. implementing hr authorization with in-direct assignment of auth. So if I could use sq10, user groups could also be link to position in the org chart.
  sq10 does allow you to assign a user group to a role but when you assign the role to a user and the user runs a query, it reports that no user group has been assigned.
  Suspect that there must be a parameter or switch that is not turned on
  Regards

• Retrieve users who are not added to any group in site permissions page

  Hi,
  In the OOB (Site Permissions) "user.aspx" page, I have some users who are directly added to the site and not part of any OOB or custom group.
  Is it possible to retrieve only those users who are directly added to site permissions page programmatically  ( Using C# ) ?
  Thanks

  Hi,
  You can use the
  SPWeb.Users property which “Gets the collection of user objects that are explicitly assigned permissions in the website”.
  Thanks
  Patrick Liang
  Forum Support
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support,
  contact [email protected]
  Patrick Liang
  TechNet Community Support

• Approval Query to skip for one Vendor Group - Not working

  Dear All,
  I am trying to create an approval query wherein when a user creates a Purchase Order for a Particular Vendor Group then the approval check is not required and for other Vendor Group approval check is required. The query is as under :
  SELECT distinct 'true'  FROM OPOR T0  INNER JOIN OCRD T1 ON T0.CardCode = T1.CardCode INNER JOIN OCRG T2 ON T1.GroupCode = T2.GroupCode WHERE T2.GroupName <> 'Supplier Own Group'
  I don't want that which vendors are in Supplier Own Group check go for an approval process. Means all vendors in this group should get skipped for approval.
  How to achieve this because this query seems not to be working in the approval process because when a user creates a PO whose Vendor group is under Supplier Own Group then also the approval checking is happening.
  Please help how to resolve this issue.
  Regards,
  Depika

  Hi,
  Try this
  SELECT distinct 'true'  FROM OPOR T0  INNER JOIN OCRD T1 ON T0.CardCode = T1.CardCode INNER JOIN OCRG T2 ON T1.GroupCode = T2.GroupCode
  AND T2.GroupName <> 'Supplier Own Group' where T0.CardCode = $[$4.1.0]
  Hope this helps,
  Son.

• Checking to see if the current User is part of the "Administrator Group"

  I am writing an installer for my program - in java - that basically just executes a .jar file. In the past, my software had a disclaimer that just tells the user to make sure that they are an administrator before installing - but we are not currently enforcing that.
  So my task is to develop a snippet of code that returns a boolean (true if the user has privileges, false if the user does not). Essentially checking to see if the user is part of the Administrators Group in windows. I created a creative solution for the Unix side of this problem, checking the root group, and some path names for root... but I am stumped on the Windows side of things. I KNOW there is a solution in C, in fact I have already created it (it involves a simple import of windows.h and a static variable check), but I would like a java solution instead.
  I have researched a bit in the java.security API and the JNI interface for executing my C code in java... but I would like to post here in case there is a simpler solution that I may be overlooking. The windows platform is XP for the most part, but possibly Vista as well.
  Thanks in advance for your replies, and sorry if this is a double-post, I tried searching beforehand.

  i found out that the fsutil command will not run correctly you are not a local administrator it gives the error message "The FSUTIL utility requires that you have administrative privileges.", right now i am using some string manipulation to try and catch this - another good command line option is net localgroups Administrataor

• Sql Query To Find Out list of users not having a particular resource provisioned

  Hi,
  I know the query for all the resources tagged to user with their account status.
  Can anybody help me with a query to fetch just the user details for the following scenario:
  1)Active users having  having no instance of a particular resource.
  Condition: Exclude Active users having one provisioned instance of the resource and fetch user details having no provisioned account for that resource .
  it is just for report purposes.So format is not of concern.Just need the list of users not having a single provisioned account for a particular resource.

  Hi,
  Please try the below query :
  select distinct usr.usr_login from USR,OIU where USR.USR_KEY not in (select OIU.USR_KEY from OIU)
  and OIU.APP_INSTANCE_KEY= (select APP_INSTANCE_KEY from APP_INSTANCE where APP_INSTANCE_NAME='ADResource');
  Change the app instance name acording to you need.
  -Saurabh