Duplicate User ID's from AD Group Discovery

Hey, does anyone have a query for duplicate user IDs? We are running into user IDs being in SCCM 2012 two and three times because we are using AD for deployments.

Hi,
User ID= User Resource ID ?

Similar Messages

  • The only user was removed from Administrators Group

    Hi Experts
    We are using Office 365 based Project Online and Project Server Security Mode was applied, also the Active Directory sync was switched to 'OFF' for Administrators Group in PWA. There was only one user which was in the Administrators Group and hence was the lone user to have access to Project Server 'Groups & Categories' section.
    Now I do not know how it happened, but the person logged into the PWA Site, went to Administrators Group and removed his name from the Group and clicked on Save.
    As soon as it happened the access rights were removed from that user. Also, now no one has access to the 'Server Settings' page as an administrator. Hence all the admin work is stopped.
    My concern is: is it possible, by any means, to add any user (or the same user) to the Administrators Group?
    Thanks
    Manish

    Hello,
    If no user has access to do this then the only option you have via the UI is to switch permission modes (to the SharePoint permission mode then back to the Project Server permission mode - this adds the Company Administrators (global admins) to the Admin group).
    Do bear in mind this will remove all of the users from the security groups and reset ALL security so probably not an ideal option. The only other option is to open a support query via your Office 365 tenant and see what Microsoft suggests.
    Paul

  • Users being deleted from workspace

    Hi there,
    two of my users have been removed from a folder by the system
    Removed: Bernd Loeschner
    Nov 30, 2010 5:16 PM by System Actor.     LMS-JPE-MT-AG
    Removed: Peter Goldig
    Dec 1, 2010 1:06 PM by System Actor.     LMS-JPE-Opitz
    Can you identify why?
    I am the only admin from Oracle to those Workspaces.
    Thanks, Daniel

    Interesting,
    This can sometimes happen when a user is removed from a group - the system will try and remove them from the workspace used by that group. If they are in multiple groups they can sometimes be removed from workspaces that are used by a group with the same membership but different purpose.
    Can you see them to add them back into the workspaces?
    Phil

  • Getting error while removing user from AD group

    Hi,
    In AD User process definition, there is a default task called: Remove user from Group. This task runs after another task called Organization Name Update. Whenever a user is moved from one org to another org, his organization gets updated in AD user form and this task "Remove user from Group" runs. The work of this task is to remove the user from old groups. But the task is getting rejected and I see the below error in log files.
    11/07/04 00:24:17 Data AccessException:
    11/07/04 00:24:17 com.thortech.xl.orb.dataaccess.tcDataAccessException: DB_READ_FAILEDDetail: SQL: select UD_ADUSRC_GROUPNAME from UD_ADUSRC where UD_ADUSRC_KEY = Description: ORA-00936: missing expression
    SQL State: 42000Vendor Code: 936Additional Debug Info:com.thortech.xl.orb.dataaccess.tcDataAccessException
    at com.thortech.xl.dataaccess.tcDataAccessExceptionUtil.createException(Unknown Source)
    at com.thortech.xl.dataaccess.tcDataBase.createException(Unknown Source)
    at com.thortech.xl.dataaccess.tcDataBase.readPartialStatement(Unknown Source)
    at com.thortech.xl.dataobj.tcDataBase.readPartialStatement(Unknown Source)
    at com.thortech.xl.dataaccess.tcDataSet.executeQuery(Unknown Source)
    at com.thortech.xl.dataobj.tcDataSet.executeQuery(Unknown Source)
    at com.thortech.xl.dataaccess.tcDataSet.executeQuery(Unknown Source)
    at com.thortech.xl.dataobj.tcDataSet.executeQuery(Unknown Source)
    at com.thortech.xl.adapterfactory.events.tcAdpEvent.getChildTableFieldValue(Unknown Source)
    at com.thortech.xl.adapterfactory.events.tcAdpEvent.getRunTimeValue(Unknown Source)
    at com.thortech.xl.adapterfactory.events.tcAdpEvent.getRunTimeValue(Unknown Source)
    at com.thortech.xl.adapterGlue.ScheduleItemEvents.adpADREMOVEUSERFROMGROUP.implementation(adpADREMOVEUSERFROMGROUP.java:48)
    If anybody knows the solution for this then please let me know.
    Thanks,
    Kalpana.

    I think the mappings and all would be correct. Here is what Kevin meant:
    - Let's assume the AD user account is a part of GroupA, GroupB and GroupC
    - Now on Change Organization completion if you invoke Remove user from Group then the adapter/process task has no way to know which of those 3 groups has to be removed (or all 3 for your case)
    - Alternatively if you use API's to remove the group then this task would be invoked by the original OIM process/triggers and so the actual value would be known to adapter/process task.

  • Getting a list of users and permission from a folder including nested groups

    $project_folder = "\\servername\foldername\foldername1"
    Get-Acl $project_folder | 
        ForEach-Object { 
            $_.Access | Add-Member -MemberType NoteProperty -Name Path -Value $_.Path -PassThru  
        } | 
        ft -GroupBy Path -Property IdentityReference, AccessControlType, FileSystemRights > foldertst.csv
    The above command gives me a list of all the users who have access to foldername1 (including users and groups).
    How do I modify this code to get the information of the nested groups for this folder?

    Sorry, I won't be providing a complete solution, just a few suggestions and comments.
    First thing will be to determine for each ACE (access control entry) whether the IdentityReference refers to a user account or a group. If a group, you will then need to process each of its members, each of which will share the FileSystemRights of the current ACE.
    But... if any of the members are other groups, you will need to process them recursively as well. Recursively.
    There are a few gotchas, though:
    - You need to recognize and avoid infinite recursion when, for example, group A is a member of group B which is a member of group A. One way to do this is to keep a list of all groups encountered, processing each only once.
    - If one ACE belongs to group C, another belongs to group D, group A is a member of C, and group B is a member of D, you must ensure that all members of A and B are listed with ACE C and ACE D.
    - Once you have identified all user accounts you might find that some have multiple records. For example, user AA might belong to group A, and get unlimited access through the ACE owned by group C, but deny read access through the ACE owned by group D. If the first mention of this user in your output shows he has unlimited access, that will, of course, be incorrect. At the very least the output should be sorted by username. You could attempt to amalgamate all of his various accesses (like the effective permissions tab) into a single one. But it would be difficult to show which group memberships contributed which aspects of his access permissions in any kind of simple or intuitive way.
    - Security configurations can easily become overly complex. The best solution is to simplify and standardize how permissions are applied and how groups are nested. I have had to do this on occasion, and the problem of determining how things should be permitted from how they actually are is probably the most complicated part of the job.
    Good luck.
    Al Dunbar -- remember to 'mark or propose as answer' or 'vote as helpful' as appropriate.
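
The recursion and bookkeeping described in the answer above, as an added PowerShell example that is not part of the original thread. The group names, the `$Membership` table and the function names `Get-NestedUser` and `Expand-AceMembership` are constructed for illustration; in a real run the ACEs would come from `(Get-Acl $project_folder).Access` and the member lookups from a directory query such as `Get-ADGroupMember`.

```powershell
# Constructed sample data: group -> direct members. GroupA and GroupB contain
# each other (a cycle); GroupA is nested in GroupC, GroupB in GroupD.
$Membership = @{
    'CORP\GroupA' = @('CORP\userAA', 'CORP\GroupB')
    'CORP\GroupB' = @('CORP\userBB', 'CORP\GroupA')
    'CORP\GroupC' = @('CORP\GroupA')
    'CORP\GroupD' = @('CORP\GroupB')
}

# Constructed ACEs shaped like the entries in (Get-Acl <path>).Access.
$Aces = @(
    [pscustomobject]@{ IdentityReference = 'CORP\GroupC'; AccessControlType = 'Allow'; FileSystemRights = 'FullControl' }
    [pscustomobject]@{ IdentityReference = 'CORP\GroupD'; AccessControlType = 'Deny';  FileSystemRights = 'Read' }
    [pscustomobject]@{ IdentityReference = 'CORP\userZZ'; AccessControlType = 'Allow'; FileSystemRights = 'Modify' }
)

function Get-NestedUser {
    # Walks one identity down to its user accounts, remembering the group path.
    param(
        [string]$Identity,
        [hashtable]$Membership,
        [System.Collections.Generic.HashSet[string]]$Seen,
        [string]$Via = ''
    )
    if (-not $Membership.ContainsKey($Identity)) {
        # Assumption of this example: anything absent from the table is a user.
        $source = '(direct)'
        if ($Via) { $source = $Via }
        [pscustomobject]@{ User = $Identity; Via = $source }
        return
    }
    # HashSet.Add returns $false for a group already visited: this is the
    # "process each group only once" guard against A -> B -> A recursion.
    if (-not $Seen.Add($Identity)) { return }
    $path = $Identity
    if ($Via) { $path = "$Via > $Identity" }
    foreach ($member in $Membership[$Identity]) {
        Get-NestedUser -Identity $member -Membership $Membership -Seen $Seen -Via $path
    }
}

function Expand-AceMembership {
    param([object[]]$Aces, [hashtable]$Membership)
    foreach ($ace in $Aces) {
        # A fresh visited set per ACE, so a group nested under two different
        # ACEs is expanded under both of them and not skipped the second time.
        $seen = [System.Collections.Generic.HashSet[string]]::new(
            [System.StringComparer]::OrdinalIgnoreCase)
        Get-NestedUser -Identity ([string]$ace.IdentityReference) -Membership $Membership -Seen $seen |
            Sort-Object -Property User -Unique |
            ForEach-Object {
                [pscustomobject]@{
                    User   = $_.User
                    Type   = [string]$ace.AccessControlType
                    Rights = [string]$ace.FileSystemRights
                    Via    = $_.Via
                }
            }
    }
}

# One row per (user, ACE), sorted by user with Deny rows first so that an
# Allow entry is never read without the Deny that sits beside it.
$rows = Expand-AceMembership -Aces $Aces -Membership $Membership |
    Sort-Object -Property User, @{ Expression = { $_.Type -ne 'Deny' } }
$rows | Format-Table -AutoSize

# Users reached by both Allow and Deny ACEs need a manual look at the
# effective permissions.
$mixed = $rows | Group-Object -Property User |
    Where-Object { @($_.Group.Type | Select-Object -Unique).Count -gt 1 } |
    ForEach-Object { $_.Name }
"Users with both Allow and Deny entries: $($mixed -join ', ')"
```

With the constructed data, userAA and userBB each appear twice (Deny Read via GroupD, Allow FullControl via GroupC), and the A/B cycle terminates because each group is expanded once per ACE.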

  • Deleted user from a group returned error message

    I have a group [[email protected]] with several users on it. I deleted one user (userA) member of the group from the system. When a user B sends an email to the group [email protected] a message is returned to all of the members of the group notifying that the user is not within the group.
    The group [email protected] is a dynamic group.
    From: [email protected]
    To: [email protected]
    Sent: Friday, October 9, 2009 11:12:42 AM
    Subject: Notificación del estado de la entrega
    Este informe se refiere a un mensaje que ha enviado con los siguientes campos de encabezado:
    Message-id: <[email protected]>
    Date: Fri, 09 Oct 2009 11:18:06 -0500
    From: "User"<[email protected]>
    To: [email protected]
    Subject: Test 0ne
    The message can not be delivered to the next recipients:
    Dirección del destinatario: [email protected]
    Dirección original: [email protected]
    Motivo: recipient no longer on server
    - Sun Java(tm) System Messaging Server 7.0-3.01 64bit (built Dec 23 2008)
    libimta.so 7.0-3.01 64bit (built 15:22:04, Dec 23 2008)
    - Delegated Administrator 6.4-3.01 B2008-10-22
    - Solaris 10 10/08 SPARC
    What can be happening??

    bootbk wrote:
    I have a group [[email protected]] with several users on it. I deleted one user (userA) member of the group from the system.
    How did you "delete" one user? What was the exact change that you made?
    When a user B sends an email to the group [email protected] a message is returned to all of the members of the group notifying that the user is not within the group.
    If there is a problem with a mailing group (vs. a mailing list) then notifications are sent to all members of the group.
    http://msg.wikidoc.info/index.php/Setting_Up_a_Proper_Mailing_List
    The group [email protected] is a dynamic group.
    What filter have you specified for the "dynamic group"?
    Regards,
    Shane.

  • Restrict people to see only spool requests from one group of users

    I would like to restrict people to see only spool requests from one group of users defined somewhere inside role.
    I am playing with S_SPO_ACT authorisation object but with no positive result,
    Please help

    There is a note  Note 119147 - Spool: Authorizations (https://service.sap.com/sap/support/notes/119147)
    Object for "Selection authorization for spool requests" is S_ADMI_FC where "Operation authorization" use S_SPO_ACT
    Regards

  • Remove user from multiple groups

    Hello everyone, first time posting here with a question and I apologize if I'm asking in the wrong location.
    To give an idea of what I'm attempting to do, I've recently been developing a vbscript that will take a nightly csv export from my student information system and either create or deactivate student accounts based upon their enrollment status. I have this function working great now, another function I've been developing is to have accounts moved between OU's based upon the school building code assigned to students which I have working as well. The problem I'm running into right now is having students removed from existing active directory groups when they move between OU's. Essentially what I would like to do is have the script load the users group membership into an array and then remove any groups that end with STUDENTS, below is the code I have been working on to accomplish this but have literally hit a brick wall. If it helps all my student groups for each location runs in this fashion.
    ABCD_STUDENTS
    ABCE_STUDENTS
    Any suggestions would be greatly appreciated.
    ' Student changing OU then we need to update their account to reflect appropriate group memberships.
    Set UserObj = GetObject("WinNT://server.domain.net/" & ADusrname) 'This must be hardcoded to domain controller
    strUserDN = DN
    strUserCN = objuser.cn
    'Add user to the school group if not correct
    Set objGroup = GetObject(varSchoolGroup)
    strUserDN = DN ' Bind to the user object.
    strGroupDN = varSchoolGroup ' Specify group Distinguished Name and check for membership.
    Set objADObject = GetObject("LDAP://"& strUserDN)
    objmemberOf = objadobject.GetEx("memberOf")
    If Not (funIsMember (GetObject("LDAP://" & strUserDN),varSchoolGroup)) Then
    objmemberOf = objadobject.GetEx("memberOf")
    For Each objGroup in objmemberOf
    Set objGroupDelete = GetObject ("LDAP://" & objGroup)
    If Mid(objgroup,7,8) = "STUDENTS" Then
    msgbox "test remove"
    objGroupDelete.PutEx ADS_PROPERTY_DELETE,"member",Array(strUserDN)
    objGroupDelete.setinfo
    subUpdateLogFile studentcounter & " - Removed from student group " & objgroup,student_guid,student_username,student_fullname,"removed group"
    End If
    Next
    'Add user to school group
    Set objGroup = GetObject(varSchoolGroup)
    objGroup.PutEx ADS_PROPERTY_APPEND, "member", Array(struserdn)
    objGroup.SetInfo
    subUpdateLogFile studentcounter & " - Updated school group to " & student_schoolgroup_ldap,student_guid,student_username,student_fullname,"school group"
    objUser.SetInfo
    updated = "yes"
    End If
    Any suggestions would be greatly appreciated.

    With Bill. This can be done with AD and PowerShell in a couple of lines for each item.
    You are taking an incorrect approach which is making this much harder than it needs to be. Your question is also hard to understand.
    Each AD user object obtained via ADSI will have a list of groups the account is a member of. You use this to remove the user from the group. How you choose this is up to you. You can use an array or a file. You can also just use OU associated groups. A user then is added to all or some groups associated with the OU and removed from the groups associated with the OU by just returning the OU associated group list from the OUs.
    Designing AD systems is a specialty. Once you fully understand the features and capabilities of AD these things are usually simple and painless. If the design is not done well they are painful and faulty.
    We can answer specific questions. Understanding the design and capabilities of AD is mostly up to you.
    Start with a tool that is designed to work well with AD like PowerShell. VBScript is only useful to those who are skilled with AD and scripting in VBScript. From your script we can see you are a beginner at both. As Bill notes...do yourself a favor and switch to PowerShell.
    ¯\_(ツ)_/¯

  • Unable to remove user from SharePoint Group using PowerShell

    I am trying to remove a user from a SharePoint Group using PowerShell.
    I can see the user in the Site Collection as part of the SharePoint Group, however, when I attempt to run the script, I get an error message stating "Can not find the user with ID: 10"
    Below is the PowerShell script that I am using:
    $url = "https://sharepointdev.spfarm.spcorp.com/sites/desitecoll"
    $userName = "spfarm\sp2013_svc"
    #$userName = "spfarm\spprofileimport";
    $site = New-Object Microsoft.SharePoint.SPSite($url)
    $web = $site.OpenWeb()
    $siteGroups = $web.SiteGroups;
    Clear-Host
    $mySiteGroups = @();
    foreach($group in $siteGroups)
    {
        Write-Host $group
        $mySiteGroups += $group;
    }#foreach
    $members = $web.SiteGroups[$mySiteGroups[0]];
    $owners = $web.SiteGroups[$mySiteGroups[1]];
    $visitors = $web.SiteGroups[$mySiteGroups[2]];
    #Remove the user from the specified SharePoint Group
    $spUser = Get-SPUser -Identity $userName -Web $url
    Write-Host $spUser.ID
    Remove-SPUser -Identity $spUser -Web $url -Group $owners
    $web.Update();
    $web.Dispose();
    Write-Host "User " $userName "removed from " $owners
    Please advise.

    I had to update the code to the following because Get-SPUser was not working properly:
    $url = "https://sharepointdev.spfarm.spcorp.com/sites/desitecoll"
    $userName = "spfarm\spprofileimport";
    $site = New-Object Microsoft.SharePoint.SPSite($url)
    $web = $site.OpenWeb()
    $siteGroups = $web.Groups;
    Clear-Host
    $mySiteGroups = @();
    foreach($group in $siteGroups)
    {
        Write-Host $group
        $mySiteGroups += $group;
    }#foreach
    $members = $web.Groups[$mySiteGroups[0]];
    $owners = $web.Groups[$mySiteGroups[1]];
    $visitors = $web.Groups[$mySiteGroups[2]];
    #Convert the user name to an SPUser account
    $spUser = $web.Site.RootWeb.EnsureUser($userName);
    Write-Host $spUser.ID
    Remove-SPUser -Identity $spUser -Web $url -Group $owners
    $web.Update();
    $web.Dispose();
    Write-Host "User " $userName "removed from " $owners
    Was I not using Get-SPUser correctly?

  • Script Help - Adding Users from AD Group to Computer Object Attribute

    Environment:
    Computer Objects have the following name convention - USERNAME-INV#-PC. An example is TEST1-54321-D. There is a GPO in place that adds any user populated under the managedBy attribute in a computer object to the administrators group for that computer object.
    Scenario:
    Create "Local PC Admin" group
    When user TEST1 gets added to the "Local PC Admin" group, a powershell script that runs on an hourly scheduled task goes out and finds any computer object (that is not a server) that has TEST1 in its name. For example, TEST1-54321-D for desktop and TEST1-98765-L for laptop.
    It then adds the user to the managedBy attribute of the computer object and appends the text "added as local admin on <currentdate>" to the computerobject description.
    If TEST2 is added to the group later, the script should see that TEST1 has already been added and only add TEST2 to the managedBy attribute to the appropriate computer as well as the "added as local admin on <currentdate>".
    Still thinking how this can be automated when a user is removed from the "Local PC Admin" group.
    Can somebody please find holes in this scenario or suggest a better method to approach this?

    Security nightmare?  How so?  Regular domain users cannot modify the "managedBy"  computer object attribute.
    The "Local PC Admin" group would be a ADUC security group.  The Help Desk and Network Admins would be the only ones that can either add users to the group or directly modify the "managedBy" computer object attribute.
    The Group Policy that runs against the desktops/laptops looks to see if the managedBy attribute of the computer object is populated. If so, it adds that user as a local admin to their workstation/laptop and removes any other user/group not specified and given local admin rights. This would only be done for a handful of users (those in the Local PC Admin group) that need admin access; in other words, the attribute would only be populated for a few computer objects and not the entire organization. If it is not populated, it does nothing and leaves the default admins on it.
    More info on how the GPO works here: http://fbinotto.blogspot.com/2014/01/making-user-object-set-in-managedby.html

  • Bulk move users from one group to another in XI 3.1

    Hi all,
    I have a group that contains approximately 20,000 users. I now need to move around 7,500 of these users into a different group.
    How can I do this programatically in bulk as I don't want to go through and manually change the groups of 7,500 users?
    Thanks,
    Chris

    Hi Christian,
    Assuming you would need to move users from one group to another and remove them from the previous group, you could use the attached java code.
    To run the code, you would need to save it as .jsp file and paste it inside AdminTools application context.
    The pre-requisite to run this code is to create a Text file with all the 7500 user names in it. The text file should contain one user per line
    (example:
    User1
    User2
    User3)
    You can get this information from Query Builder by running the query below:
    Select top 20000 si_name from ci_systemobjects where si_kind='user'
    Initially do it for 2-3 users to test the results.
    You would need to edit the jsp and modify these three lines
    1.
                    * Assign user to a group
                   //Query for the group ID
                   boQuery = "Select SI_ID From CI_SYSTEMOBJECTS Where SI_KIND='UserGroup' And SI_Name='UserGroup name'";
    Above in SI_NAME, you would need to provide the usergroup name you want your users to be added to.
    2.
    if (boUserInfoObject.getGroups().remove(Group Id from which it has to be removed)) {
                            out.print("User removed from group successfully. ");
    Above you would need to provide the id of the group you want the users to be removed from(i.e the current group from where you want them to be moved).
    3.
    * Path to file containing User names.
    final String USER_FILE_PATH = "<Path of txt file from which list of users will be imported>";
    Above you need to specify the path of the text file which contains all the user names.
    In case you require further assistance on SDKs, raise your concerns in the below space
    http://scn.sap.com/community/bi-platform/java-sdk
    Thanks,
    Prithvi

  • My user was removed from the wheel group automatically.

    On the second day after doing a system update (which installed Gnome 3) I noticed that my user was removed from the wheel group. Any idea what did it?

    Hmmm.. actually the only thing I did was turn on auto-login as my non-root user in System settings->User Accounts after unlocking it (the prompt asks for root pass). I'm not sure if that was before or after this happened though.
    I haven't changed any group related settings since almost a year ago. It seems a little odd that this happened. Not a big deal though, since I re-added my user to the wheel group, but I'd still like to know how and what changed it.

  • User in 2 user groups always picks the rights from the group with least access -BOBJ 4.1 SP2

    We have BOBJ 4.1 SP2 installed.
    Let's say User1 is in a role1 (user group) that has restricted access (no access to design menu for WEBI report in launchpad). Works fine when User1 logs into the launchpad. Cannot see the Design menu in Launchpad.
    User1 is also in another role2 (user group) that has Design access for WEBI report (more like Power user access).
    Now when logged into a launch pad via SAP portal, and opening WEBI report on which role2 (user group) is applied that has Design access, user1 cannot see the Design menu of WEBI report. This is probably happening because User1 is also part of role1 that has restricted access. So it looks like it is always picking the role with least access and applying it no matter which report I am opening.
    I would expect the role to regulate the authorizations on the report. And one user could be a simple end user for one report and a power user for another report.
    Please advise if this is a Known issue or expected behavior. Is there a work around?
    Thank you very much
    Suman

    Hello Suman,
    Try to avoid denial based security rights assignment; instead you can specify them as unspecified. As Greg said
    Denied + Granted = Denied
    Denied + Not Specified = Denied
    Granted + Not Specified = Granted.
    You should not deny rights for the HR End User usergroup; instead make them unspecified. If you do so, then whenever the user is part of both groups, your security rights aggregation would be
    Granted + Not Specified = Granted.
    Make sure you follow the approach as above.  You can refer the blog below for how to structure the folder, report and User group hierarchy and effective maintenance of security
    BusinessObjects Administration - Content Management Plan
    Regards
    Mani

  • How to stop users not in any group and users from other groups accessing sites they have no permission to access on top link bar?

    Hello Community
    Using SharePoint 2010 Server and UI, a web application was created with subsites.
    The subsites have unique permissions and Owner, Member and Visitor groups.
    The problem is however even if a user does not exist in a group that user can access the top link bar/navigation bar and its sub sites.
    Also any user in any group can access any top link bar/navigation bar and its subsites.
    How do you enforce that if a user is not in a group they are denied access the top link bar/navigation bar and its subsites?
    Thank you
    Shabeaut

    If you are using the built in SharePoint navigation links, SharePoint will automatically hide links to sites that a given user doesn't have access to.
    The problem is, it sounds to me like you have a fixed top link bar that lists the content and if a user doesn't have access, the link still shows up.
    You may want to look at how the top link bar was encapsulated in the design of the page.  If it isn't wrapped in the permissions provider code, that could be the problem.
    I trust that answers your question...
    Thanks
    C

  • Duplicate Users in Permission on Internal Partition Causing I/O Error?

    Sigh ... apologies in advance for the novel. I have searched and read and experimented with many of the solutions on these forums but, being a Terminal novice, I am somewhat apprehensive about applying some of the commands listed for fear of causing irreparable damage. For example:
    http://discussions.apple.com/thread.jspa?messageID=7257833
    I upgraded from Tiger and have the dreaded "unknown user" issue, which has not caused problems (to my knowledge) to date. I've been waiting for a fix from Apple, which does not appear forthcoming. However, I now wonder if the "unknown user" is the source of my current dilemma.
    I have an iPhoto library on an internal partition, set up as per the instructions on http://support.apple.com/kb/HT1198. The "unknown user" appeared in the permissions list so I deleted it using System Preferences>File Sharing. I am the admin and can access this library without problems. However, my wife (non-admin) can mount the drive but not access the iPhoto library due to "Error -36 Cannot read or write ..."
    When I mount the partition under my profile, the permissions are as expected, Read-Write for both my wife and I and Read Only for "Everyone" and "Staff." However, when I mount the partition under my wife's profile, Get Info Permissions shows two (duplicate) users for my wife, each with Read-Write permissions and shows no permissions for me or "Staff." One of these duplicates disappears when I add myself to the permissions list but then on restart, we are back to duplicate user permissions for my wife and none for me.
    I've changed the GID on both my and my wife's accounts to 20. I tried Old Toad's suggestions using iPhoto Manager here: http://discussions.apple.com/thread.jspa?messageID=7939561 to no avail. I've copied the library and re-imported it into iPhoto to no avail. I've run Disk Utility from the Leopard DVD to repair permissions and check for errors to no avail and I've tried:
    sudo dscl .delete /users/"my wife's shortname"
    and subsequent steps to re-activate my wife's account listed in the post to which I've linked above (but have not gone on to the subsequent steps to delete the unknown user from the partition).
    I am at my wit's end and beginning to regret my change to Apple from Windows (although I have yet to try Vista).
    Little help?
    Message was edited by: MarRxK

    Unfortunately, there wasn't much help to be found on this forum. However, I seem to have resolved the issue. I renamed the group "wifesname" to "_wifesname" as outlined here:
    http://docs.info.apple.com/article.html?artnum=307128
    I then fixed permissions with Disk Utility (again). Then I deleted the disk image on the partition where I had stored iPhoto's library and created a new disk image using a different name, changed the permissions as outlined in the links above. Voila ... functioning shared iPhoto.
    Hope that helps anyone with the same problem.
