Dynamic group membership detection

Does anybody know if it is possible to trigger a Workflow action if there is a change in a group’s membership list in the case of dynamic groups? What I need to achieve is to execute a PS WF if a user becomes a member of some groups based on the dynamic criteria of the given group.
Regards, Remi www.iamblogg.com

Hi,
ok understood but I think there is nothing out-of-the-box.
Maybe you can calculate your own Delta of dynamic Groups in a custom activity, storing the before and current value of "ComputedMember". But you must find some way of storing that Information.
Regards
Peter
Peter Stapf - ExpertCircle GmbH - My blog:
JustIDM.wordpress.com
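
One way to compute the delta described in the reply above, shown as an added example that is not part of the original thread. The JSON snapshot file, the function names and the sample group names are assumptions; reading "ComputedMember" out of the identity system is left to the caller, who passes it in as a mapping of group name to member list.

```python
import json
import os
import tempfile

def load_snapshot(path):
    """Return {group: set(members)} saved by the previous run, or None."""
    if not os.path.exists(path):
        return None
    with open(path, encoding="utf-8") as fh:
        return {group: set(members) for group, members in json.load(fh).items()}

def save_snapshot(path, membership):
    """Write the snapshot via a temp file and rename, so an interrupted run
    never leaves a truncated baseline that would look like mass removals."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, suffix=".tmp")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump({g: sorted(m) for g, m in membership.items()}, fh, indent=2)
    os.replace(tmp, path)

def membership_delta(previous, current):
    """Return sorted (action, group, member) tuples; action is 'added' or
    'removed'. A group missing from one side is treated as empty there."""
    events = []
    for group in sorted(set(previous) | set(current)):
        before = previous.get(group, set())
        after = current.get(group, set())
        events += [("added", group, m) for m in sorted(after - before)]
        events += [("removed", group, m) for m in sorted(before - after)]
    return events

def detect_changes(snapshot_path, current):
    """Diff the current computed membership against the stored snapshot,
    then store the current state as the new baseline."""
    current = {group: set(members) for group, members in current.items()}
    previous = load_snapshot(snapshot_path)
    # The first run has nothing to compare with: record a baseline, emit nothing.
    events = [] if previous is None else membership_delta(previous, current)
    save_snapshot(snapshot_path, current)
    return events

if __name__ == "__main__":
    # Constructed sample data: two polls of the same dynamic groups.
    path = os.path.join(tempfile.mkdtemp(), "computed_member.json")
    print(detect_changes(path, {"Sales": ["alice", "bob"]}))  # baseline run
    print(detect_changes(path, {"Sales": ["bob", "carol"], "VPN-Users": ["carol"]}))
```

Each "added" tuple is the point at which the follow-up workflow would be started for that user and group; logging the "removed" tuples as well gives an audit trail of access that was lost through a criteria change.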

Similar Messages

  • Dynamic group membership Query based on alert description - IS package failed

    Hi there all good people,
    I've got the following case:
    I need to filter out some of the alerts raised by the IS package failed alert rule.
    All alerts raised need an override except two alerts with a specific description. Example:
    Alert description: Package "Full Back-Up" failed. should still raise an alert, and also the
    Alert description: Package "Full Db Back-Up" failed.
    I'm playing around with dynamic groups. Can somebody give me some pointers?
    Or do I need to create a new alert rule and override this one for all objects?
    I hope the question is clear; I'm not a native English speaker.

    Hi,
    I would like to suggest you override this one for all objects and then create a new alert rule based on your requirement.
    Regards,
    Yan Li

  • Dynamic group membership based on service

    I need to create a dynamic group for systems with the DFS service installed BUT not if DFS is there as part of AD replication.
    Any suggestions for a formula?
    tconners

    Hi Tconners,
    I am not so good at AD DFS, but
    do you have the DFS management pack installed on your SCOM?
    If yes, does it not create any group from the MS recommended management pack, like Active Directory creates one and pulls all the domain controllers into the group?
    http://www.microsoft.com/en-us/download/details.aspx?id=14669
    Also look at this 
    http://blogs.technet.com/b/operationsmgr/archive/2010/02/03/now-available-the-dfs-namespaces-management-pack-for-system-center-operations-manager-2007.aspx
    Gautam.75801

  • Dynamic Group Membership - All SQL Computers in a Domain

    I am trying to create groups containing all SQL servers in each domain. I am using the Wizard in the console. However I appear to be having winter blues as I can't work out how to do it. Everything I try results in an empty group.
    Can someone please explain what I need to do?

    Roger
    Thanks for the input. The code looks logical and I applied it and imported a revised MP. However I am not getting any membership in the group. There is another group membership in the same MP and that populates correctly, so I haven't a clue where I'm going wrong. As you can see below my rule is the same as yours, except with a different domain name.
    <Expression>
      <And>
        <Expression>
          <RegExExpression>
            <ValueExpression>
              <Property>$MPElement[Name="MicrosoftWindowsLibrary7585010!Microsoft.Windows.Computer"]/NetbiosDomainName$</Property>
            </ValueExpression>
            <Operator>ContainsSubstring</Operator>
            <Pattern>DOMAINNAME</Pattern>
          </RegExExpression>
        </Expression>
        <Expression>
          <Contained>
            <MonitoringClass>$MPElement[Name="MicrosoftSQLServerLibrary6410!Microsoft.SQLServer.ComputerGroup"]$</MonitoringClass>
          </Contained>
        </Expression>
      </And>
    </Expression>
    Eric

  • LMS 2.6 dynamic groups with wildcards

    Is it possible to build dynamic groups in RME using wildcards or regular expressions? The rules that I want to define would look similar to the following:
    Device.System.Name StartsWith "SW" AND (
    Device.System.Name contains "........X" OR
    Device.System.Name contains "........Y" OR
    Device.System.Name contains "........E" OR
    Device.System.Name contains "........Z")
    Where the device name begins with SW and there is either an X, Y, E or Z in the 8th position of the device name.

    This is not possible. The ruleset matching is based only on the operators available for the given property.
    The best workaround I can give you is to apply your first rule, then manually adjust the membership list based on the other rules. The downside of this is that the membership list would require modification when you add new devices.

  • Dynamic Group members error

    I created 5 dynamic groups and 1 universal distribution group, and added the 5 dynamic groups to the universal distribution group. If I view the members in each one, all are correct, but if I run Get-DynamicDistributionGroup/Get-Recipient -RecipientPreviewFilter in PowerShell, I see all users in the domain with a mailbox. How do I fix this?

    Hi,
    Do you mean that you can use EAC to view members in 5 dynamic distribution groups respectively and the preview shows correct users, but shows wrong when using EMS?
    Please use the following command in EMS to preview the list of members of your dynamic distribution group:
    To view Group1:
    $Group1 = Get-DynamicDistributionGroup "Group1"
    Get-Recipient -RecipientPreviewFilter $Group1.RecipientFilter
    To view Group2:
    $Group2 = Get-DynamicDistributionGroup "Group2"
    Get-Recipient -RecipientPreviewFilter $Group2.RecipientFilter
    Please check the results with the preview in EAC:
    1. In the EAC, navigate to Recipients > Groups.
    2. Select a dynamic distribution group.
    3. In the details pane under Membership, the number of people who received the last message sent to the dynamic distribution group is displayed.
    Regards,
    Winnie Liang
    TechNet Community Support

  • Extracting user group membership to a spreadsheet - tip?

    Hello,
    This is a tip that works for me.
    Sometimes I need to extract the Group Membership names for a user or users.
    What I do is have PTSpy running when I find their name from an administrative search. Clicking on the user name opens up the EDIT USER page where you can see the users groups.
    At this point look in PTSpy for the line:
    Create query: '/* QUERY_DYNAMIC_USERGROUPS:ANSI */ SELECT DISTINCT(a.ObjectID), a.Name, a.IsLocalized      FROM PTUSERGROUPS a, PTUSERLINKS b      WHERE a.ObjectID=b.GroupID           AND b.UserID=?           AND (b.ISSTATIC=? AND b.ISDYNAMIC=?) ORDER BY a.ObjectID DESC'
    followed by 3 lines:
    setInt, index: 0, value: 0001. <--user ID
    setInt, index: 0, value: 1. <--Static Group Membership
    setInt, index: 0, value: 0. <--Dynamic
    Copy and drop that into SQL Query Analyser, plug in the value provided and save it to a spreadsheet or just copy and paste it.
    If you want to find dynamic groups - there is a similar query in the PTSpy log - look for the /*QUERY_DYNAMIC_USERGROUPS:ANSI in the PTSpy log
    If anyone has anything else to add - please do!
    Thanks,
    V
    Computers are like Old Testament gods; lots of rules and no mercy. ~Joseph Campbell

    Hi,
    To identify members of a local group by using a command line, refer to:
    1. Open Command Prompt.
    2. To list members of a group, type: net localgroup "groupname"
    Note: You must include the quotation marks.
    For example, export the members of the local group Administrators to a text file named group.txt, refer to:
    net localgroup "Administrators" > C:\group.txt
    You can also write a script as you want.
    Best Regards,
    Nina Liu
    TechNet Subscriber Support in forum

    Thanks, this does seem to work. It does seem that just copying the command does not work because of the quotes, and that you have to manually type the quotation marks into the command prompt. I'm thinking they are picked up as a different character when you copy paste from a html page or other document.

  • Invoke an adapter on change of User's Group Membership details

    Hi
    I need to invoke an adapter on change of User’s Group Membership details. I am not able to figure out from where I can invoke my adapter.
    Does anyone have any idea about this?
    -- Another Question: what is the purpose of having “tcUSRautoGroupMembership” in User’s Object Form on Post Update. It would be nice if you give some details about this task.
    -Hardew

    Thanks for quick response.
    What you have mentioned is applicable for a specific value of a user’s OIM Profile field; that means it will be triggered only if a user has the specified value, i.e. "blah blah", for that field, i.e. fieldA.
    However my scenario is slightly different. Let me explain my scenario by example:-
    I have N numbers of OIM groups i.e. g1, g2, g3, g4……, gn and a user called myUser. This user is a member of two groups’ g1 and g2, now if I make myUser to member of one more group i.e. g3 or remove i.e. g1; then I want to perform a custom task using adapter on this Group Membership change.
    Is there any “Data Object Form” where I can associate my adapter on post-update to detect change of User’s Group Membership?
    _hardew

  • PDC Emulator Dynamic Group

    Hi,
    I'm new to SCOM and have started with some basic monitoring of security events such as those raised when a new user is added to the Domain Admins Group and when a user account lockout occurs.
    The latter of these relies on us monitoring the security logs of a Domain Controller, but specifically the PDC emulator for the domain.
    We run a multi-domain environment and whilst I could make a group and then explicitly define the Servers that hold the PDC Emulator role it seems an unwise way to do things as ultimately it means we have to change the group memberships if we ever move the role.
    Is there any way to make a group that will dynamically populate?  I've had a look at defining such a group but I can't see anything under the dynamic section that I could use to identify the Server holding the PDC emulator role.
    Grateful for any assistance people can offer.
    Pete

    Hi,
    Someone has asked a similar question, see the thread here
    The PDC emulator role is stored as a string on each instance of the DC role.
    It would be technically feasible to create a discovery based on the output from a script to identify the FSMO role holder however this would take some time to test/implement. In this case I would simply monitor every DC and use consolidation rules to suppress duplicate alerts. This would also mean that you get the information from the originating DC (as the event is logged at the local DC first and then replicated to the DC hosting the PDC emulator role), this could potentially highlight issues with one DC/site causing account lockouts so could be beneficial in the long run.
    There’s more information on the other codes you could check here
    Hope I've understood what you're asking correctly

  • Dynamic Group Integration

    I'm trying to use the weblogic.security.ldaprealmv2.LDAPRealm class that comes with WebLogic Version 6.0 along with iPlanet Directory Server. Below is a copy of my configuration data:
    user.filter=(&(uid=%u)(objectclass=person))
    user.dn=ou=people,dc=directv,dc=com
    membership.filter=(&(uniquemember=%M)(objectclass=groupofuniquenames))
    server.principal=uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot
    group.filter=(&(cn=%g)(objectclass=groupofuniquenames))
    group.dn=ou=groups,dc=directv,dc=com
    server.host=127.0.0.1
    My issue is that the group is dynamically defined, so the attribute uniquemember is not defined and memberurl is. The memberurl is an LDAP query defining all the groups/people that are in the group.
    My question is: can I modify the membership.filter to pick up the memberurl? My guess is yes, but then how does WebLogic get the unique members from that?
    Do I need to write a custom realm?

    Hi Mark,
    Netscape dynamic groups do not work with WebLogic's LDAP realm in WLS 6.x or lower. (Not sure about 7.0)
    You could definitely write your own custom realm to handle dynamic groups.
    Cheers
    Joe Jerry

  • Dynamic group not working

    Hi,
    I'm trying to get a dynamic group working with the oracle directory server enterprise edition 11.1.1.5.0 .
    I've created a dynamic group like this:
    dn: cn=employees,ou=groups,dc=example,dc=com
    cn: employees
    objectclass: top
    objectclass: groupOfURLs
    ou: groups
    memberURL: ldap:///ou=people,dc=example,dc=com??sub?(uid=*)
    but when I check for the membership, I'm just getting the dn of the user with uid = "me", but nothing else.
    ldapsearch -h localhost -p 389 -D "cn=Directory Manager" -w password \
      -b dc=example,dc=com "(uid=me)" isMemberOf
    There was a similar question like that in the forum, but no useful answer.
    Does anyone know how dynamic groups work correctly?
    best regards, solst_ice

    Hi,
    isMemberOf is supported for static groups only in DSEE. Dynamic groups are group definitions that client apps can retrieve, but there is no built-in membership evaluation in the core server.
    You might want to consider Oracle Unified Directory, which supports isMemberOf for static and dynamic groups.
    See http://docs.oracle.com/cd/E37116_01/index.htm and Managing Users and Groups - 11g Release 2 (11.1.2)
    Regards,
    -Sylvain
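
What "client apps retrieve the definition and evaluate it themselves" looks like for the memberURL in this thread, and for the memberurl case in the WebLogic/iPlanet thread further up. This is an added example, not code from either product or from the posters. It assumes entries have already been fetched into a dict of DN to attributes; the function names and the sample entries are constructed, and escaped characters in DNs and filter values are not handled.

```python
import re
from urllib.parse import unquote

def parse_member_url(url):
    """Split an LDAP URL (RFC 4516) into (base_dn, scope, filter)."""
    m = re.match(r"ldaps?://[^/]*/([^?]*)\??([^?]*)\??([^?]*)\??([^?]*)", url, re.I)
    if not m:
        raise ValueError("not an LDAP URL: %r" % url)
    base, _attrs, scope, flt = (unquote(part) for part in m.groups())
    return base, (scope or "base").lower(), flt or "(objectClass=*)"

def norm_dn(dn):
    # Simplification: case-fold and trim around commas (no escaped commas).
    return ",".join(part.strip().lower() for part in dn.split(","))

def in_scope(dn, base, scope):
    dn, base = norm_dn(dn), norm_dn(base)
    if scope == "base":
        return dn == base
    if dn != base and not dn.endswith("," + base):
        return False
    # "sub" includes the base itself; "one" means direct children only
    return scope == "sub" or (dn != base and "," not in dn[: -len(base) - 1])

def match_filter(flt, entry):
    """Evaluate an RFC 4515 filter against entry (attribute -> list of values).
    Supports & | !, equality, presence and substring; matching ignores case."""
    attrs = {k.lower(): [str(v).lower() for v in vs] for k, vs in entry.items()}
    pos = 0
    def parse():
        nonlocal pos
        if pos >= len(flt) or flt[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        op = flt[pos:pos + 1]
        if op and op in "&|!":
            pos += 1
            parts = []
            while flt[pos:pos + 1] == "(":
                parts.append(parse())  # parse every operand before combining
            if op == "!" and len(parts) != 1:
                raise ValueError("'!' takes exactly one operand")
            result = not parts[0] if op == "!" else {"&": all, "|": any}[op](parts)
        else:
            end = flt.find(")", pos)
            attr, eq, value = flt[pos:end].partition("=")
            if end < 0 or not eq or not attr or attr[-1] in "<>~":
                raise ValueError("unsupported filter item at offset %d" % pos)
            pattern = ".*".join(re.escape(p) for p in value.lower().split("*"))
            result = any(re.fullmatch(pattern, v) for v in attrs.get(attr.lower(), []))
            pos = end
        if flt[pos:pos + 1] != ")":
            raise ValueError("expected ')' at offset %d" % pos)
        pos += 1
        return result
    return parse()

def dynamic_members(member_url, directory):
    """Return the DNs in directory (DN -> entry) selected by one memberURL."""
    base, scope, flt = parse_member_url(member_url)
    return sorted(dn for dn, entry in directory.items()
                  if in_scope(dn, base, scope) and match_filter(flt, entry))

# Constructed sample entries; the memberURL is the one from the post above.
DIRECTORY = {
    "uid=me,ou=people,dc=example,dc=com": {"uid": ["me"], "objectClass": ["person"]},
    "uid=ann,ou=staff,ou=People,dc=example,dc=com": {"uid": ["ann"], "objectClass": ["person"]},
    "cn=printer,ou=people,dc=example,dc=com": {"cn": ["printer"], "objectClass": ["device"]},
    "uid=svc,ou=services,dc=example,dc=com": {"uid": ["svc"], "objectClass": ["account"]},
}
MEMBER_URL = "ldap:///ou=people,dc=example,dc=com??sub?(uid=*)"
```

With the sample data, `dynamic_members(MEMBER_URL, DIRECTORY)` selects the two uid entries under ou=people and leaves out the printer (no uid) and the service account (outside the base). An application that makes authorization decisions this way has to apply the base and scope as well as the filter, otherwise entries outside the intended subtree count as members.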

  • Administration group vs Dynamic group in 12c

    Hi All,
    I was going thru 12cR2 documentation, and description for Administration group and Dynamic group looks same to me.
    Does any one of you know what's the real difference between them?
    Any one of you started using this new feature in 12c?
    Thanks in advance....

    Hi,
    Administration groups and dynamic groups are similar in that their membership is dynamic, i.e. you specify the membership criteria based on target properties, and Enterprise Manager will automatically add the targets into the appropriate administration group and/or dynamic group(s) if the targets' properties match their criteria.
    However, administration groups have additional semantics. As it is mentioned in the doc: "Administration groups greatly simplify the process of setting up targets for management in Enterprise Manager by automating the application of management settings such as monitoring settings or compliance standards. Typically, these settings are manually applied to individual target, or perhaps semi-automatically using custom scripts. However, by defining administration groups, Enterprise Manager uses specific target properties to direct the target to the appropriate administration group and then automatically apply the requisite monitoring and management settings. This level of automation simplifies the target setup process and also enables a datacenter to easily scale as new targets are added to Enterprise Manager for management."
    So you use administration groups primarily to automate the process of setting up your targets for monitoring/management. Once a target joins an administration group, then Enterprise Manager automatically applies to the target the monitoring templates and/or compliance standards and/or cloud policies that you have associated with your administration group. Because of this feature, a target can belong to at most one administration group. This is to prevent conflicting scenarios where a target is part of multiple administration groups that have different associated monitoring templates.
    Both dynamic groups and administration groups support group operations -- running jobs, reports, etc.
    So if you want to leverage the automation of target setup provided by administration groups/template collections... then use administration groups.
    If you want to leverage the dynamic membership of groups and have requirements that a target needs to be part of multiple of such groups, use dynamic groups.
    Regards,
    Ana

  • ACS 5.3 Group Mapping based on AD group membership

    Hi,
    I am configuring a new ACS 5.3 system. Part of the rules is that I want to match the user's specific AD group membership, and match appropriately to an identity group.
    What I'm trying to do is say that if the user is a member of the AD Group (G-CRP-SEC-ENG) then associate them with the Identity Group SEC-ENG. Then under the access service, authorization portion, I assign shell profiles and command sets based on Identity Group.
    It seems that the ACS server will not match the AD Group for the user, and it will match the Default of the Group Mapping portion of the policy every time.
    I tried several configuration choices from: AD1:ExternalGroups contains any <string showing in AD>, AD1:memberOf <group>.
    Is there something special I need to do in the Group Mapping Policy to get it to match an Active Directory group and result in assigning the host to an Identity Group?
    Thank you,
    Sami

    Ok, my case is like this.
    I use ACS 5.3 for VPN authentication, using AD and an external RSA for token authentication (2 factor authentication)
    I didn't add all the VPN users in the ACS, because it will be troublesome, the users authentication will be managed by AD and RSA server.
    In some cases where we need to restrict a group of user to only access certain resources, downloadable ACL is used.
    Following the Cisco docs, I managed to get downloadable ACL working when the authorization profile matching criteria is username, but when I change the matching criteria to Identity group, the downloadable ACL won't work.
    I have a case with Cisco engineer now and still in the middle to sort things out.
    The advice from the Cisco engineer is to have the Access Service set to Internal User instead of RSA server, but that will require us(the admin) to import all the VPN users into the ACS database.
    Wondering whether there is a fix for this.
    Thanks.

  • Weblogic 10.3.0 -  Security Violation when Group Membership Lookup enabled

    Dear Admins,
    We're running a Weblogic 10.3.0 cluster with our own software deployed.
    We're using SQL authentication (JDBC to Oracle DB) to authenticate users.
    Recently we've been tuning our WL cluster to improve performance, and have enabled Group Membership Lookup Hierarchy Caching.
    Sometimes users log into our application and get insufficient rights (or some other error). This appears to happen at random. Most of the time they can log in without problems.
    We determined it's not something to do with the cluster, although it can happen on one node and the other node will work as normal.
    In the Managed server we see this error (with test user):
    Managed7Server.out00011:java.rmi.AccessException: [EJB:010160]Security Violation: User: 'test' has insufficient permission to access EJB: type=<ejb>, application=leanapps, module=process_general.jar, ejb=LaLifeProcessController, method=create, methodInterface=Home, signature={}.
    When we disable Group Membership Lookup Hierarchy Caching, this error never occurs.
    Our settings (Security Realms -> myrealm -> Providers -> SQL Authenticator -> Performance):
    Max Group Hierarchies In Cache: 5000 (we have approx. 2000 groups)
    Group Hierarchy Cache TTL: 3600
    provider specific settings :
    Group Membership Searching: unlimited
    Max Group Membership Search Level: 0
    Also in Myrealm -> Performance we have set :
    Enable WebLogic Principal Validator Cache
    Max WebLogic Principals In Cache: 5000
    If we put the TTL really low (default 60 seconds), the error hardly ever occurs. But we want to have a cache that lasts longer than one minute.
    This might be a bug, as we have other clusters running on WL 10.3.5, 12c where we use the same cache settings. This issue does not occur there.
    I'm more than willing to provide more info or config files
    Edited by: user5974192 on 21-nov-2012 5:17

    This is fixed now. Someone had defined a Servlet for the web service in web.xml that was preventing the EJB container to kick in.
    Edited by: user572625 on Aug 25, 2011 11:54 PM

  • OIM: What is the purpose of "Update" while editing group memberships

    Hi,
    This is when you look up a user's Resource Profile and go to the "Edit" link. The process form shows up along with a drop down to edit the group memberships. When we select one of the choices such as "Groups" another window pops up where we could add more entries into the child form. In this form there is an "Update" column with a radio button beside a "Remove" column. What is the purpose of this "Update" column? We can add or delete child entries but what does update do? Is there a way to remove this selection altogether?
    Thanks in advance

    Update I can see used for cases where you have multiple columns on a child table entry and want to change one of them. Strictly speaking, you can also update a single column child table rather than delete and insert. Access policies always do insert and delete actions, but you will want to implement an update task as well if you expect anyone to be editing child tables on resources directly.
