Dynamic Group members error

Similar Messages

• SQL Query for members of dynamic group - Need to include Name, Path and Type

  Hello,
  I built a custom dynamic group that has all my SQL databases in it using SCOM 2012 SP1.  The group works fine as I can see the Name(ie, Database name), Health State, Path (ie, hostname/instance) and Types (ie; SQL 2005).  Now I'm trying to
  build a custom report based off this same information using a SQL query.   I'm no DBA and could use some help.  So far this is what i have
  use
  select
  SourceObjectDisplayName as
  'Group Name',
  TargetObjectDisplayName,TargetObjectPath
  from RelationshipGenericView
  where isDeleted=0
  AND SourceObjectDisplayName
  like
  'SQL_Databases_All'
  ORDERBY TargetObjectDisplayName
  This gets me the Group Name (which i really don't care about), database name, and hostname/instance. What I am missing is the Health State and most importantly the Type (ie, SQL Server 2005 DB, SQL Server 2008DB).
  If someone could assist me here I would appreciate it. I believe I need to do some type of INNER JOIN but have no idea where the SQL type info lives or the proper structure to use. Thanks
  OperationsManager

  Here's the updated Query for OpsMan 2012 R2:
  To find all members of a given group (change the group name below):
  select SourceObjectDisplayName as 'Group Name', TargetObjectDisplayName as 'Group Members' 
  from RelationshipGenericView 
  where isDeleted=0 
  AND SourceObjectDisplayName = 'Agent Managed Computer
  Group' 
  ORDER BY TargetObjectDisplayName

• How to retrieve members of  ldap dynamic groups?

  Hi,
  Can any one provide me the java-code snippet for listing the members(users) of a LDAP-dynamic group?
  Regards.

  How is this different from [your previous question|http://forums.sun.com/thread.jspa?threadID=5434523&messageID=10965220#10965220]? If it is the same queston, then please stay in the same thread.

• How to create a dynamic group to fetch "Managers" for members of another group?

  Hi
  We have a request to created 2 dynamic group. One group with all india employees and another group will managers of all india emnployees [Manager who may be out of india as well].
  We created first group. But 2nd group failed for below filter
                               "/Person[ObjectID = /*[ObjectID = '9b3009a1-0e24-4d43-bc9e-9f7a46910f0d']/ComputedMember]/Manager"
  We could get appropriate results while running the query from powershell script.  But failing when trying to update the group filter.
  We are getting below error while creating this criteria\dynamic group
  Please help provide solution.
   Microsoft.ResourceManagement.Service: System.InvalidOperationException: Operation is not valid due to the current state of the object.
     at Microsoft.ResourceManagement.FilterEvaluation.Language.MembershipCondition.Create(QueryFilter queryFilter, Int32[]& membershipConditions)
     at Microsoft.ResourceManagement.ActionProcessor.FilteredResourceActionProcessor.FilteredResourceActionProcessHelper.DoPreProcessRequest(RequestType request)
     at Microsoft.ResourceManagement.ActionProcessor.FilteredResourceActionProcessor.PreProcessRequestFromAttribute(RequestType request)
     at Microsoft.ResourceManagement.ActionProcessor.ActionDispatcher.PreProcessRequestFromAttribute(RequestType request)
     at Microsoft.ResourceManagement.WebServices.RequestDispatcher.CreateRequest(CreateRequestDispatchParameter dispatchParameter)
     at Microsoft.ResourceManagement.WebServices.RequestDispatcher.CreateRequest(UniqueIdentifier requestor, UniqueIdentifier targetIdentifier, OperationType operation, String businessJustification, List`1 requestParameters, CultureInfo locale, Boolean
  isChildRequest, Guid cause, Boolean doEvaluation, Nullable`1 serviceId, Nullable`1 servicePartitionId, Boolean maintenanceMode, String synchronizationSequenceIdentifier)
     at Microsoft.ResourceManagement.WebServices.RequestDispatcher.CreateRequest(UniqueIdentifier requestor, UniqueIdentifier targetIdentifier, OperationType operation, String businessJustification, List`1 requestParameters, CultureInfo locale, Boolean
  isChildRequest, Guid cause, Boolean doEvaluation, String synchronizationSequenceIdentifier)
     at Microsoft.ResourceManagement.WebServices.ResourceManagementService.Create(Message request)
  Aswathy Raj

  <Going through old threads>
  Look at the Unsupported Filter Definitions list here: 
  http://blog.msresource.net/2011/10/06/set-and-group-criteria-filters/
  http://technet.microsoft.com/en-us/library/ff356871(v=ws.10).aspx
  David Lundell, Get your copy of FIM Best Practices Volume 1 http://blog.ilmbestpractices.com/2010/08/book-is-here-fim-best-practices-volume.html

• Dynamic Dimension Security Error

  Hi Everyone,
  I created a dynamic security in SASS and I use the following MDX in the Allowed Member set:
  EXISTS([Sales Territory].[Sales Territory Group].Members,
  Strtoset("[Users].[User Name].&[" +Username+ "]"),  "User Dim Member Permissions").
  On trying to check the MDX Query I got the following error message:
  Check MDX script syntax failed because of the following error:
  An error occurred in the MDX script for the dimension attribute permission's allowed member set: The dimension '[Users]' was not found in the cube when the string, [Users].[User Name].&[TEST\Bi_svcSetup], was parsed.
  Please can someone assist me with this.
  Thanks
  me

  Hi Lilutchay,
  According to your description, you are trying to implement dynamic security without success, right?
  Based on my research, the issue can be caused by that you implement custom security on database dimension instead of cube dimension. So, in you scenario, please try the same thing on cube dimensions and check if this issue is persists or not.
  Reference.
  http://www.rdacorp.com/2009/01/advanced-dimension-data-security-with-sql-server-2008/
  Hope this helps.
  Regards,
  Charlie Liao
  TechNet Community Support

• Use Granfeldts Create Object to create dynamic groups

  Trying to use Sorens Granfeldts, Create Object WF activity to create dynamic groups.
  In a standard function evaluator activity I generate the Filter as [//WorkflowData/Filter]
  The "string" I set it to is:
  &lt;Filter xmlns:xsi=&quot;http://www.w3.org/2001/XMLSchema-instance&quot; xmlns:xsd=&quot;http://www.w3.org/2001/XMLSchema&quot; Dialect=&quot;http://schemas.microsoft.com/2006/11/XPathFilterDialect&quot; xmlns=&quot;http://schemas.xmlsoap.org/ws/2004/09/enumeration&quot;&gt;/Person[ObjectID
  = /*[ObjectID = &apos;8dfcb5e8-ff01-400c-8ca7-2a0002d2d2d4&apos;]/ComputedMember]&lt;/Filter&gt;
  In the CreateObject activity I then just have [//WorkflowData/Filter],Filter among the initial values.
  The creation works if I remove this attribute so the rest of the attributes seems to be working.
  The creation fails however end I get the error below in the Forefront Identity Manager event log.
  System.NullReferenceException: Object reference not set to an instance of an object.
     at Microsoft.ResourceManagement.WFActivities.Resolver.GetDisplayStringFromGuid(Guid id, String[] expansionAttributes)
     at Microsoft.ResourceManagement.WFActivities.Resolver.ReplaceGuidWithTemplatedString(Match m)
     at System.Text.RegularExpressions.RegexReplacement.Replace(MatchEvaluator evaluator, Regex regex, String input, Int32 count, Int32 startat)
     at System.Text.RegularExpressions.Regex.Replace(String input, MatchEvaluator evaluator)
     at Microsoft.ResourceManagement.WFActivities.Resolver.GetStringAttributeValue(Object attribute)
     at Microsoft.ResourceManagement.WFActivities.Resolver.ResolveEvaluatorWithoutAntiXSS(String match, ResolverOptions resolveOptions)
     at Microsoft.ResourceManagement.WFActivities.Resolver.ResolveEvaluatorForWithAntiXSS(String match, ResolverOptions resolveOptions)
     at Microsoft.ResourceManagement.WFActivities.Resolver.ReplaceMatches(String input, Boolean useAntiXssEncoding, ResolverOptions resolveOptions)
     at Microsoft.ResourceManagement.Workflow.Hosting.ResolverEvaluationServiceImpl.ResolveLookupGrammar(Guid requestId, Guid targetId, Guid actorId, Dictionary`2 workflowDictionary, Boolean encodeForHTML, String expression)
     at Microsoft.ResourceManagement.Workflow.Activities.ResolveGrammarActivity.Execute(ActivityExecutionContext executionContext)
     at System.Workflow.ComponentModel.ActivityExecutor`1.Execute(T activity, ActivityExecutionContext executionContext)
     at System.Workflow.ComponentModel.ActivityExecutor`1.Execute(Activity activity, ActivityExecutionContext executionContext)
     at System.Workflow.ComponentModel.ActivityExecutorOperation.Run(IWorkflowCoreRuntime workflowCoreRuntime)
     at System.Workflow.Runtime.Scheduler.Run()
  Have anyone used this WF activity to create dynamic groups and can tell how to set the Filter?

  Hey Kent!
  I did the same thing, with Søren`s Create Object WF. I did it like this on the filter part:
  <Filter xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" Dialect="http://schemas.microsoft.com/2006/11/XPathFilterDialect" xmlns="http://schemas.xmlsoap.org/ws/2004/09/enumeration">/Person[(Department = '[//Target/ObjectID]')]</Filter>,Filter
  The whole thing looks like this:
  (I use Function evaluator to generate a AccountName for groups based on a clean version of DisplayName).
  [//Target/DisplayName],DisplayName
  SEC_[//WorkFlowData/CleanAccountName],AccountName
  [//Target/Manager],Owner
  Security,Type
  DOMAIN_STRING,Domain
  Universal,Scope
  [//Target/DisplayName]_SecGroup,Description
  [//Target/Manager],DisplayedOwner
  None,MembershipAddWorkflow
  True,MembershipLocked
  [//Target/CleanAccountName],MailNickname
  <Filter xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" Dialect="http://schemas.microsoft.com/2006/11/XPathFilterDialect" xmlns="http://schemas.xmlsoap.org/ws/2004/09/enumeration">/Person[(Department = '[//Target/ObjectID]')]</Filter>,Filter
  Regards, Remi www.iamblogg.com

• DIP fails loading dynamic groups into OID

  Hello,
  we're trying to load groups from OeBS into OID and associate them via dynamic groups feature with user records that was loaded earlier as follows:
  personid=18630,cn=dev,cn=hrsyncusers,cn=users,dc=ic,dc=lan
  orcltimezone=Asia/Yekaterinburg
  displayname=NOT ASCII
  employeetype=NOT ASCII
  givenname=NOT ASCII
  postalcode=628484
  orcldateofbirth=19610404000000
  orclgender=F
  departmentnumber=342
  uid=18630
  mail=HRNULL
  cn=NOT ASCII
  initials=NOT ASCII
  street=NOT ASCII
  employeenumber=4824
  middlename=NOT ASCII
  l=NOT ASCII
  orclhiredate=20051107000000
  sn=NOT ASCII
  personid=18630
  c=Russia
  title=NOT ASCII
  objectclass=inetorgperson
  objectclass=person
  objectclass=organizationalperson
  objectclass=orcluserv2
  objectclass=kapitalperson
  objectclass=country
  objectclass=residentialperson
  objectclass=locality
  objectclass=top
  Among other attributes each user entity has 'departmentNumber' that indicates number of his/her department.
  Now trying to load list of departments as dynamic groups with the following config
  files:
  *** DevHRAgentGroups.cfg ***
  [SELECT]
  SELECT psv.version_number
  , pos.name hierarchyname
  , hou.organization_id depno
  , poe.organization_id_parent parent_id
  , REPLACE(hou2.name, '"') parentname
  , poe.organization_id_child child_id
  , REPLACE(hou.name, '"') orgname
  , ldap://idm01.ic.lan:389/cn=DEV,cn=HRSyncUsers,cn=Users,dc=ic,dc=lan??sub?(depar
  tmentnumber='||hou.organization_id||')' ldapuri
  , hrl.meaning org_type
  FROM per_organization_structures pos
  , per_org_structure_versions psv
  , per_org_structure_elements poe
  , hr_all_organization_units hou
  , hr_all_organization_units hou2
  , hr_lookups hrl
  WHERE pos.business_group_id = psv.business_group_id
  AND pos.organization_structure_id = psv.organization_structure_id
  AND pos.primary_structure_flag = 'Y'
  AND psv.date_to IS NULL
  AND poe.org_structure_version_id = psv.org_structure_version_id
  AND poe.business_group_id = hou.business_group_id
  AND poe.organization_id_child = hou.organization_id
  AND poe.business_group_id = hou2.business_group_id
  AND poe.organization_id_parent = hou2.organization_id
  AND hrl.lookup_code = hou.type
  AND hrl.enabled_flag = 'Y'
  AND hrl.lookup_type = 'ORG_TYPE'
  AND hrl.lookup_code NOT IN (30,40)
  AND TRUNC(SYSDATE) BETWEEN hou.date_from AND NVL(hou.date_to, TO_DATE('31.12.4712','dd.mm.yyyy'))
  AND hou.last_update_date >= to_date(:BINDVAR,'YYYYMMDDHH24MISS')
  *** DevHRAgentGroups.map ***
  DomainRules
  NONLDAP:cn=DEV,cn=HRSyncGroups,cn=Groups,dc=ic,dc=lan:departmentID=%,cn=DEV,cn=HRSyncGroups,cn=Groups,dc=ic,dc=lan
  AttributeRules
  orgname:1: : :cn: :groupOfUniqueNames
  depno:1: : :departmentID: :kapitalDepartment
  ldapuri: : : :labeledURI: :orclDynamicGroup
  We're getting the following error in ?/ldap/odi/log/DevHRAgentGroups.trc during HRAgent execution at mapping phase:
  Normalized DN : departmentid=82,cn=dev,cn=hrsyncgroups,cn=groups,dc=ic,dc=lan
  Changetype is 5
  Processing modifyRadd Operation ..
  Entry Not Found. Converting to an ADD op..
  Processing Insert Operation ..
  Performing createEntry..
  Exception creating Entry : javax.naming.NamingException: [LDAP: error code 1 - Dynamic group cache update failed.]; remaining name 'departmentid=82,cn=dev,cn=
  hrsyncgroups,cn=groups,dc=ic,dc=lan'
  [LDAP: error code 1 - Dynamic group cache update failed.]
  javax.naming.NamingException: [LDAP: error code 1 - Dynamic group cache update failed.]; remaining name 'departmentid=82,cn=dev,cn=hrsyncgroups,cn=groups,dc=i
  c,dc=lan'
  at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3028)
  at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2934)
  at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2740)
  at com.sun.jndi.ldap.LdapCtx.c_createSubcontext(LdapCtx.java:777)
  at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_createSubcontext(ComponentDirContext.java:319)
  at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:248)
  at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:236)
  at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:176)
  at oracle.ldap.odip.gsi.LDAPWriter.createEntry(LDAPWriter.java:1162)
  at oracle.ldap.odip.gsi.LDAPWriter.insert(LDAPWriter.java:425)
  at oracle.ldap.odip.gsi.LDAPWriter.modifyRadd(LDAPWriter.java:822)
  at oracle.ldap.odip.gsi.LDAPWriter.writeChanges(LDAPWriter.java:349)
  at oracle.ldap.odip.engine.AgentThread.mapExecute(AgentThread.java:655)
  at oracle.ldap.odip.engine.AgentThread.execMapping(AgentThread.java:376)
  at oracle.ldap.odip.engine.AgentThread.run(AgentThread.java:237)
  DIP_LDAPWRITER_ERROR_CREATE
  Error in executing mapping DIP_LDAPWRITER_ERROR_CREATE
  DIP_LDAPWRITER_ERROR_CREATE
  Please, note. Loading is successful if we commenting out mapping line for labeledURI attribute (that's loading static groups).
  Loading is also successful when labeledURI is mapped to
  'ldap://idm01.ic.lan:389/cn=DEV,cn=HRSyncUsers,cn=Users,dc=ic,dc=lan??sub?(objec
  tclass=person)' but this definetly is not what we are going to get.
  I don't have ideas what's wrong for example with the following generated 'labeledURI' attribute:
  ldap://idm01.ic.lan:389/cn=DEV,cn=HRSyncUsers,cn=Users,dc=ic,dc=lan??sub?(departmentnumber=82)
  Any help is appreciated
  Thanks,
  Edward

  Hi Frank,
  there is something wrong with departmentnumber attribute of user records. Searching users with ldapsearch using "departmentnumber=*" filter fails with the following error:
  ldap_search: DSA is unwilling to perform
  ldap_search: additional info: Function Not Implemented
  I think this is probably the cause of failing creation of dynamic groups.
  Searching on other user attributes (cn, uid, employyenumber) works fine.
  Still don't understand what's wrong with this particular attribute.

• Deleted user from a group returned error message

  I have a group [[email protected]] with serveral users on it. I deleted one user (userA) member of the group from the system. When a user B send an email to the group [email protected] a messages is returned to all of the members of the group notifying that the user is not whithin the group.
  The group [email protected] is a dynamic group.
  From: [email protected]
  To: [email protected]
  Sent: Friday, October 9, 2009 11:12:42 AM
  Subject: Notificación del estado de la entrega
  Este informe se refiere a un mensaje que ha enviado con los siguientes campos de encabezado:
  Message-id: <[email protected]>
  Date: Fri, 09 Oct 2009 11:18:06 -0500
  From: "User"<[email protected]>
  To: [email protected]
  Subject: Test 0ne
  The message can not be delivered to the next recipients:
  Dirección del destinatario: [email protected]
  Dirección original: [email protected]
  Motivo: recipient no longer on server
  - Sun Java(tm) System Messaging Server 7.0-3.01 64bit (built Dec 23 2008)
  libimta.so 7.0-3.01 64bit (built 15:22:04, Dec 23 2008)
  - Delegated Administrator 6.4-3.01 B2008-10-22
  - Solaris 10 10/08 SPARC
  What can be happening??

  bootbk wrote:
  I have a group [[email protected]] with serveral users on it. I deleted one user (userA) member of the group from the system.
  How did you "delete" one user? What was the exact change that you made?
  When a user B send an email to the group [email protected] a messages is returned to all of the members of the group notifying that the user is not whithin the group.
  If there is a problem with a mailing group (vs. a mailing list) then notifications are sent to all members of the group.
  http://msg.wikidoc.info/index.php/Setting_Up_a_Proper_Mailing_List
  The group [email protected] is a dynamic group.
  What filter have you specified for the "dynamic group"?
  Regards,
  Shane.

• LDAP Dynamic Groups

  Hi,
  I have been trying to do some coding around - fetching members of dynamic ldap groups. In both these code snippets.. I get the same exception:
  java.lang.ClassCastException: com.sun.jndi.ldap.LdapCtx
  no matter whatever i tried. Can anyone please - let me know what could be causing this exception.
  Regards.
  String filter = LDAPRealm.DYNAMIC_GROUP_FILTER;
            String[] targets = new String[] { target, "memberUrl" };
            try {
                 SearchControls ctls = new SearchControls();
                 ctls.setReturningAttributes(targets);
                 ctls.setSearchScope(SearchControls.SUBTREE_SCOPE);
                 ctls.setReturningObjFlag(true);
                 NamingEnumeration e = context.search(baseDN, filter, ctls);
                 while(e.hasMore()) {
                      SearchResult res = (SearchResult)e.next();
                      Object searchedObject = res.getObject();
                      //if(searchedObject instanceof com.sun.jndi.ldap.obj.GroupOfURLs){ // dynamic group
                           com.sun.jndi.ldap.obj.GroupOfURLs gurls = (com.sun.jndi.ldap.obj.GroupOfURLs) searchedObject;
                           Principal x500principal = new X500Principal(userDN);
                           if (gurls.isMember(x500principal)) {
  and
  java.security.acl.Group obj = (java.security.acl.Group)ctx.lookup(groupDN);
                 Enumeration members = obj.members();
                 Principal member = null;
                 while (members.hasMoreElements()) {
                      member = (Principal)members.nextElement();
                      memberDNs.add(member.getName());
                 }

  How is this different from [your previous question|http://forums.sun.com/thread.jspa?threadID=5434523&messageID=10965220#10965220]? If it is the same queston, then please stay in the same thread.

• SUN One LDAP Retrieving Dynamic group

  Hi, I would like to know how can I retrieve the groups a user belongs to, if the groups are of dynamic type.
  can I use the attribute memberOf?
  //Create the initial directory context
  LdapContext ctx = new InitialLdapContext(env,*null*);
  //Create the search controls
  SearchControls searchCtls = new SearchControls();
  //Specify the search scope
  searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
  //specify the LDAP search filter
  String searchFilter = "(&(objectClass=user)(CN=Andrew Anderson))";
  //Specify the Base for the search
  String searchBase = "DC=antipodes,DC=com";
  //initialize counter to total the group members
  int totalResults = 0;
  //Specify the attributes to return
  String returnedAtts[]={"*memberOf*"};
  searchCtls.setReturningAttributes(returnedAtts);
  //Search for objects using the filter
  NamingEnumeration answer = ctx.search(searchBase, searchFilter, searchCtls);

  Hello Vinay,
  when configuring multiple Ldap directories, There are a number of prerequisities that you need to
  consider.
  For example, One prerequisite for Multi domains is that logon IDs must be unique across mutliple LDAP datasources. This will cause issue if duplicate IDs exist.
  Please see the following Documentation and notes for more information on this.
  Examples of Data Source Configuration Files - Identity Management - SAP Library
  Example: Configuration of Multiple LDAP Data Sources - Identity Management - SAP Library
  1618342 - Multiple LDAP Datasources - Active Directories where logon IDs
  are not unique
  762419 - Multi-Domain Logon Using Microsoft Active Directory
  Please have a look at the above notes which documet this and also tells
  you what to do in these situations.
  Regards,
  David

• Group Calendar Error in UWC

  Hi,
  We are having a problem in view Group Calendar, After creating group calendar and adding members, when we try to view it in UWC, it gives following error:
  Calendar Not Available*
  Could Not Display View*
  The selected calendar(s) was either deleted or does not exist or you do not have permissions to view it. Select another calendar(s).*
  How ever we can View / Edit the same group calendar through "SUN Java Calendar Express"....Any idea which patch level can fix this issue..???
  Here below are the Product versions:
  UWC Patch Level:
  Patch: 118540-21 Obsoletes: 117287-99, 117819-13, 119156-07 Requires: Incompatibles: Packages: SUNWuwc
  Patch: 118540-42 Obsoletes: 117287-99, 117819-13, 119156-07 Requires: Incompatibles: Packages: SUNWuwc
  Calendar Server Patch level:
  Patch: 116577-24 Obsoletes: 117706-08 Requires: Incompatibles: Packages: SUNWica5, SUNWics5
  Patch: 117860-16 Obsoletes: Requires: Incompatibles: Packages: SUNWica5, SUNWics5
  Patch: 118186-16 Obsoletes: Requires: Incompatibles: Packages: SUNWica5, SUNWics5
  Patch: 118458-03 Obsoletes: Requires: Incompatibles: Packages: SUNWscics
  Patch: 117776-08 Obsoletes: Requires: Incompatibles: Packages: SUNWscics

  Sp00ky_Geek wrote:
  We are having a problem in view Group Calendar, After creating group calendar and adding members, when we try to view it in UWC, it gives following error: Which interface did you use to create the group calendar, how many members did you add and what were they?
  Calendar Not Available*
  Could Not Display View*
  The selected calendar(s) was either deleted or does not exist or you do not have permissions to view it. Select another calendar(s).*Are there any errors in the uwc.log file to indicate what the problem may be?
  How ever we can View / Edit the same group calendar through "SUN Java Calendar Express"....Any idea which patch level can fix this issue..???Not enough information to determine what the cause may be. I would start narrowing down the problem by removing group members one by one and seeing if there is a particular member which is causing the problem. Then look at that account and see if there is anything different/unusual etc.
  Regards,
  Shane.

• Dynamic Group Resolution Limit?

  We recently created a few dynamic groups to assign certain roles and access automatically. I have it set up to resolve these groups via a script that runs at the end of a maintenance job.
  The issue we encountered upon our initial load was that it would only add 1000 users at a time via the script. Is there a setting somewhere in the console that puts this limit in place?
  Alternatively, I tried to resolve the group from the group properties themselves. This also failed as it gave me a time out message; however it would not allow me to retry because a process to resolve the group was already running! Has anyone encountered this and found a way to terminate that process?
  I was just wondering if anyone else had encountered these issues and how they resolved them.
  Thanks,
  Jared

  Yes, on the initial load, they will only load 1000 at a time. We ran into this problem too (had one group of 12,000 people) but just ran it 13 times using Right Click -> Recalculate.
  When they crash or deadlock, they will claim to still be running for a long time. This is because of the way they do locking:
  1) When the recalculation starts, it chcecks the ModifyTime column on the attribute "MX_DG_AUTORESOLVE_INTERVAL" for that Dynamic Group. If it is in the past, it continues to step two, otherwise it aborts with the error saying it is already running.
  2) It sets the ModifyTime on that attribute to a future date (I forget how long exactly, but we're talking about DAYS in the future).
  3) It does the calculations.
  4) It sets the ModifyTime to the time it finished.
  So, you see the problem -- when it crashes, the time remains far in the future.
  You mentioned you run the update from a script, and that is what we do too. There is supposed to be a way to trigger the calculation based on an Attribute Change, but the feature does not work as documented in the manual. Frustrating...
  Anyway, this is how I get around the issue in our script:
  function recalcInternetGroups(Par){
       uSleep(10000); //Give any previous attempts at least 10 seconds to finish resolving
       importPackage(Packages.com.valero.idm);
       var sqlClass = new SQLServerConnection();
       var SQL = "Select MSKEY FROM dbo.MXIV_SENTRIES WHERE searchvalue LIKE 'INTERNET_LEVEL_%' AND attrname = 'MSKEYVALUE'"
       groups = uSelect(SQL);
       var result = groups.split('!!');  //We have 9 INTERNET_LEVEL groups, refresh them all
       for (var i=0; i<result.length; i++) {
            dynamic_group = result<i>;
            // Manually set the date into the past (picked the date I wrote this script, as it doesn't matter how far in the past)
            var sql2 = "update MXI_VALUES set Modifytime = '2010-10-15 00:00:00.000' where MSKEY = " + dynamic_group + " and Attr_ID = 33";
            var resultUpdate = '' + sqlClass.uUpdate(sql2);
            recalc = uIS_ResolveDynamicGroup(dynamic_group);
            if (recalc.indexOf("ERROR")>0) {
                 uError("Recalculating " + uIS_GetValue(dynamic_group, uGetIDStore(), "MSKEYVALUE"));
                 uError(recalc);
            } else {
                 uWarning("Recalculating " + uIS_GetValue(dynamic_group, uGetIDStore(), "MSKEYVALUE") + ' ' + recalc);
  You'll note we have our own function to allow us to run database updates in Javascript, which is required for this to work, since uSelect() won't perform updates. Anyway, doing that solves the problem. I guess you could do the same thing if you just made a To Database pass that runs before this and does these changes.
  If you pick up any other tips or tricks on dealing with Dynamic Groups, let me know, as we use them fairly extensively and still find them somewhat frustrating at times.

• List Local Group members with PowerShell 5

  This script:
  $Server="."
  $LocalGroup = "Administrators"
  $Group= [ADSI]"WinNT://$Server/$LocalGroup,group"
  $Members = @($Group.psbase.Invoke("Members"))
  $Members | ForEach-Object {
      $_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)
  works fine in powershell 2 (windows 7), but fails on powershell 5
  "Error while invoking GetType. Could not find member."
  It returns only domain groups. No local groups or local users or domain users.
  Is there a reason why? And can it be modified for powershell 5?
  Thanks

  Try it like this:
  $group=[ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
  $group.Members() |
  ForEach-Object {
  ($_.GetType()).InvokeMember('Name', 'GetProperty', $null, $_, $null)
  ¯\_(ツ)_/¯

• Convergence group members for invitations

  Dear all,
  we use Convergence with latest patch level. For invitations of groups and using check availability the group members are not resolved and therefore the busy/free time of group members is not displayed. Instead the group name is displayed but the group itself have not calendar.
  Is there any possibility - maybe in the config of convergence of ldap settings groups - that the individual calendars of the invited group members with showing free/busy time show up and in consequence the auto select time will work, too.
  The invitation of the group members itself works fine.
  Thanks for any help

  How are the group members defined in the LDAP entry for the group?
  With the assumption that you are using Calendar 7 with Convergence, the Calendar configuration considers the following attributes for members in an LDAP group:
  <tt>
  davcore.ldapattr.dngroupmember=uniquemember
  davcore.ldapattr.urlgroupmember=memberurl
  davcore.ldapattr.mailgroupmember=mgrprfc822mailmember
  </tt>
  Only <tt>uniqueMember</tt> is considered for ACL checking, along with invitation and free/busy scheduling.
  The <tt>mgrprfc822mailmember</tt> attribute is taken into account only when inviting the group.
  This is because, when doing the ACL check, we are relying on the LDAP Directory to provide us with the <tt>isMemberOf</tt> attribute directly on the logged in user LDAP entry (as opposed to looking at all the members of the group). The <tt>isMemberOf</tt> operational attribute is itself derived from the <tt>uniqueMember</tt> attribute only.
  Doing a group expansion for ACL purposes would be too expensive an operation.
  As a side note, we also check for dynamic group membership through the <tt>memberurl</tt> LDAP attribute of the group, both for scheduling and ACL purposes.
  Reference KM Doc:
  Calendar 7: Allowing Members Of A Migrated LDAP Group To Subscribe To Calendars (Doc ID 1483916.1)
  -Deb

• LDAP- large dynamic groups - performance

  A dynamic group is to a static group what a view is to a table
  A group is to its members what a table or view is to its records.
  When the memebrs of a dynamic group is very large are there any performance problems or is that eliminatable by some indexing means?

  Just an FYI ...
  I found out from iPlanet that this is a bug in SP3 and will be fixed in SP4.
  In the meantime, you can call tech support and get a patch.
  Matt
  "Matt Raible" <[email protected]> wrote in message
  news:9nldgs$[email protected]..
  I discovered today that the dynamic group does not seem to work for
  form-based authentication with iPlanet App Server. I have a group,
  Employees, in my LDAP server, and it has a dynamic group configured as
  ldap:///o=douglas.co.us??sub?dcRoles=ttEmployee, where each user has a
  custom attribute, dcRoles. I can test this dynamic group and expectedusers
  are found.
  However, I cannot authenticate with a user in this group when "Employees"is
  my configured role to authenticate with.
  If I open the group Employees in my LDAP Server, and under the Members,
  Static Group tab - I add a user, I can authenticate with them.
  I also tried adding "ttEmployee" as well as "Employee" to my deployment
  descriptors - but no luck. The method of adding a user (above) is the only
  way I found to work.
  Can someone shed some light on this?
  Thanks,
  Matt