Extracting user group membership to a spreadsheet - tip?

Hello,
This is a tip that works for me.
Sometimes I need to extract the Group Membership names for a user or users.
What I do is have PTSpy running when I find their name from an administrative search. Clicking on the user name opens up the EDIT USER page where you can see the user's groups.
At this point look in PTSpy for the line:
Create query: '/* QUERY_DYNAMIC_USERGROUPS:ANSI */ SELECT DISTINCT(a.ObjectID), a.Name, a.IsLocalized      FROM PTUSERGROUPS a, PTUSERLINKS b      WHERE a.ObjectID=b.GroupID           AND b.UserID=?           AND (b.ISSTATIC=? AND b.ISDYNAMIC=?) ORDER BY a.ObjectID DESC'
followed by 3 lines:
setInt, index: 0, value: 0001. <--user ID
setInt, index: 0, value: 1. <--Static Group Membership
setInt, index: 0, value: 0. <--Dynamic
Copy and drop that into SQL Query Analyser, plug in the value provided and save it to a spreadsheet or just copy and paste it.
If you want to find dynamic groups, there is a similar query in the PTSpy log: look for /*QUERY_DYNAMIC_USERGROUPS:ANSI in the PTSpy log.
If anyone has anything else to add - please do!
Thanks,
V
Computers are like Old Testament gods; lots of rules and no mercy. ~Joseph Campbell
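To show how the logged query and its three bound parameters fit together, here is an added Python example (not part of the original post and not code from the portal product) that runs the exact QUERY_DYNAMIC_USERGROUPS statement from the PTSpy log against a constructed SQLite stand-in for the PTUSERGROUPS/PTUSERLINKS tables and writes the result as CSV, which is the spreadsheet step of the tip. The table layouts, the sample rows, and the (0, 1) flag pair used for the dynamic variant are assumptions; only the query text is taken from the log line above.

```python
import csv
import io
import sqlite3

# The statement exactly as it appears in the PTSpy log above. The three '?' are
# bound in the same order as the three setInt lines: user ID, ISSTATIC, ISDYNAMIC.
USERGROUPS_QUERY = """/* QUERY_DYNAMIC_USERGROUPS:ANSI */ SELECT DISTINCT(a.ObjectID), a.Name, a.IsLocalized
    FROM PTUSERGROUPS a, PTUSERLINKS b
    WHERE a.ObjectID=b.GroupID AND b.UserID=? AND (b.ISSTATIC=? AND b.ISDYNAMIC=?)
    ORDER BY a.ObjectID DESC"""

# Constructed sample data standing in for the portal database. Only the columns the
# query references are modelled; the real tables have more.
SAMPLE_GROUPS = [
    # (ObjectID, Name, IsLocalized)
    (200, "Everyone", 0),
    (203, "Corp Users", 0),
    (310, "Home Office", 0),
    (311, "Finance", 1),
]
SAMPLE_LINKS = [
    # (UserID, GroupID, ISSTATIC, ISDYNAMIC)
    (1, 200, 1, 0),
    (1, 203, 1, 0),
    (1, 310, 0, 1),   # dynamic membership: not returned by the static flag pair
    (2, 311, 1, 0),
]


def build_sample_db():
    """In-memory SQLite database loaded with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE PTUSERGROUPS (ObjectID INTEGER, Name TEXT, IsLocalized INTEGER)")
    conn.execute("CREATE TABLE PTUSERLINKS (UserID INTEGER, GroupID INTEGER, ISSTATIC INTEGER, ISDYNAMIC INTEGER)")
    conn.executemany("INSERT INTO PTUSERGROUPS VALUES (?, ?, ?)", SAMPLE_GROUPS)
    conn.executemany("INSERT INTO PTUSERLINKS VALUES (?, ?, ?, ?)", SAMPLE_LINKS)
    return conn


def user_groups(conn, user_id, dynamic=False):
    """Run the logged query with bound parameters instead of pasting values into it.

    The log shows (ISSTATIC=1, ISDYNAMIC=0) for static membership; the (0, 1) pair
    used for dynamic=True is an assumption about the 'similar' dynamic query.
    """
    is_static, is_dynamic = (0, 1) if dynamic else (1, 0)
    return conn.execute(USERGROUPS_QUERY, (user_id, is_static, is_dynamic)).fetchall()


def groups_to_csv(rows):
    """Render (ObjectID, Name, IsLocalized) rows as CSV text for a spreadsheet."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["ObjectID", "Name", "IsLocalized"])
    writer.writerows(rows)
    return out.getvalue()


def export_users(conn, user_ids):
    """One CSV with a UserID column, for the 'user or users' case in the tip."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["UserID", "ObjectID", "Name", "IsLocalized"])
    for uid in user_ids:
        for row in user_groups(conn, uid):
            writer.writerow([uid, *row])
    return out.getvalue()


if __name__ == "__main__":
    db = build_sample_db()
    print(export_users(db, [1, 2]))
```

Binding the values as parameters (rather than editing them into the SQL before pasting it into Query Analyzer) keeps the statement identical to the one the portal itself runs, so the spreadsheet reflects exactly what the EDIT USER page showed.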

Hi,
To identify members of a local group by using a command line, refer to:
1. Open Command Prompt.
2. To list members of a group, type: net localgroup "groupname"
Note: You must include the quotation marks.
For example, export the members of the local group Administrators to a text file named group.txt, refer to:
net localgroup “Administrators” > C:\group.txt
You can also write a script as you want.
Best Regards,
Nina Liu
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact
[email protected]  
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Thanks, this does seem to work. It does seem that just copying the command does not work because of the quotes, and that you have to manually type the quotation marks into the command prompt. I'm thinking they are picked up as a different character when you copy and paste from an HTML page or other document.
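An added Python example (not from any post in the thread) for the two practical problems in this exchange: a command copied from a web page arrives with typographic quotes (U+201C/U+201D) that cmd.exe does not treat as quote characters, and the net localgroup output still has to be turned into spreadsheet rows. The sample output is constructed to match the layout net localgroup prints; the function names are mine.

```python
import csv
import io

# Typographic quotes that word processors and HTML pages substitute for the ASCII
# ones; cmd.exe only recognises the ASCII double quote as a quoting character.
CURLY_QUOTES = {
    "\u201c": '"', "\u201d": '"',   # left/right double quotation marks
    "\u2018": "'", "\u2019": "'",   # left/right single quotation marks
}


def normalize_quotes(command):
    """Return the command with typographic quotes replaced by ASCII ones."""
    return "".join(CURLY_QUOTES.get(ch, ch) for ch in command)


# Constructed sample of what `net localgroup Administrators` prints; not captured
# from a real host. Members are printed one per line after the dashed separator.
SAMPLE_NET_LOCALGROUP = """Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CONTOSO\\Domain Admins
CONTOSO\\svc-backup
The command completed successfully.
"""


def parse_net_localgroup(text):
    """Return (group_name, [members]) from net localgroup output.

    Handles the one-member-per-line format of `net localgroup`; `net group /domain`
    prints members in three columns and would need a different parser.
    """
    group = None
    members = []
    in_members = False
    for line in text.splitlines():
        if line.startswith("Alias name"):
            group = line[len("Alias name"):].strip()
        elif line.startswith("---"):
            in_members = True
        elif line.startswith("The command completed"):
            break
        elif in_members and line.strip():
            members.append(line.strip())
    if group is None:
        raise ValueError("not net localgroup output: no 'Alias name' line")
    return group, members


def members_to_csv(group, members):
    """One row per member, split into account and domain so the sheet can be
    filtered for domain accounts that hold local admin rights."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["Group", "Member", "Domain"])
    for member in members:
        domain, _, account = member.rpartition("\\")
        writer.writerow([group, account, domain or "(local)"])
    return out.getvalue()


if __name__ == "__main__":
    print(normalize_quotes("net localgroup \u201cAdministrators\u201d > C:\\group.txt"))
    group, members = parse_net_localgroup(SAMPLE_NET_LOCALGROUP)
    print(members_to_csv(group, members))
```

Running normalize_quotes over a pasted command before executing it is the programmatic equivalent of retyping the quotation marks by hand; the parser then gives the same per-member rows the original poster wanted in a spreadsheet.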

Similar Messages

  • User Group Membership change Alert

    As a system administrator, I will like to be alerted when a user's group membership has changed on the domain. Can Spiceworks compare the imported memberships in its database with AD and alert me when they do not match? Below is an image of the information that SW imports which could be used for this comparison.
    This topic first appeared in the Spiceworks Community

    Assuming you know the dn of the groups to remove the person from and add them to, and the dn of the person to move, you should be able to do something similar to:
    // imports needed by the snippet (javax.naming and javax.naming.directory)
    import javax.naming.NamingException;
    import javax.naming.directory.*;

    Attributes attrs = new BasicAttributes(true);
    Attribute uniquemember = new BasicAttribute("uniquemember");
    uniquemember.add("uid=user,o=domain.com"); // add user to move to attribute
    attrs.put(uniquemember);
    DirContext ctx = /* connect to your ldap dir */ null;
    try {
        // note: if the remove succeeds and the add then fails, the user is in neither group
        ctx.modifyAttributes(groupToRemoveFromDN, DirContext.REMOVE_ATTRIBUTE, attrs);
        ctx.modifyAttributes(groupToAddToDN, DirContext.ADD_ATTRIBUTE, attrs);
    } catch (NamingException ne) {
        // return error appropriately
    }
    try {
        ctx.close();
    } catch (NamingException ne) {
        // do what you want with error
    }
    You also might want to check out the JNDI tutorial at http://java.sun.com/products/jndi/tutorial/index.html
    --Nicole

  • Power Users group membership

    Hello.
    When debugging an App-V virtualized application (a Java one), I found that if the user is a member of "Power Users", its VFS is written to the folder APPV_ROOTS instead of APPV_ROOT, and this user at the same time lacks permissions to write to this folder. That causes the application to crash with an IO exception.
    Why does this happen and how do I fix it?

    Now this is coming back to me.  This actually came up in one of Tim Mangan's classes.  If you look at the AppV5SP2 Application Publishing and Client Interaction white paper it says:
    "The S signifies the restricted location when the virtual service requests the change as a different elevated user from the logged on users. The non-S location stores user based changes."
    My theory is the App-V 5 client doesn't distinguish from the logged on user who has elevated privileges and a different user with elevated privileges.  See this example as further evidence.
    Using Tim's AppV Personalization tool to track the whole COW stuff, here are 2 screenshots, the first of an admin, the second of a standard user (not power user, just user)
    ADMIN
    A key written inside the VE to HKLM actually went to a COW location in  HKLM.  The filewrite to the PVAD location went to APPV_ROOTS
    USER
    In the same test repeated with a non admin user, the registry write went to the HKCU COW location, and to APPV_ROOT.
    I couldn't convince my group here to put in a MS ticket for this as it doesn't affect us currently, but to be honest I'm surprised more people aren't having issues with this.  This issue would also mean users with admin rights can't roam writes to HKLM properly in a VDI scenario.
    If I had to guess Power Users makes the client believe it is an elevated request, but the DIR requires admin rights to write to.  If you inspect the permissions on the APPV_ROOTS folder you may be able to confirm that.
    The short answer for you would probably be to update the package to HF4 with VFS write enabled and see if that resolves your issue.  If you can, a call to MS would be a good option also.

  • Custom Install of Acrobat, how to enable / disable Office plugin based on User group membership

    Hi,
    Just configuring Adobe Acrobat X (10.1.5) on Citrix Xenapp 6.5 (Win 2k8 R2)
    I've set up a cusom install and have already removed the context menus and a few other bits and bobs.
    I wondered if it was possible to essentially add the Office plugins in but only for certain users.
    I've removed the plugins successfully by turning off the 5 / 6 features (IE, office , outlook etc)
    Now I just wondered what files / registry entries I could create on login (using Group policy preferences etc) which will add the plugins back in.
    Thanks
    Chris

    okay no replies yet but I've just removed the office / IE features for now, adding the context menu items in for specific users is working good enough at the moment. if anyone does know how to do this just reply to this at any point i'll pick the mail up.
    thanks

  • Transformer tags and checking user group memberships

    Is the command "stringToACLGroup ('group=203;').isMember($currentuser)" in the code below, doing a Database lookup or getting it from a cached value? If this the server API or a PRC call?
    <pt:when pt:test="stringToACLGroup ('group=203;').isMember($currentuser)" xmlns:pt='http://www.plumtree.com/xmlschemas/ptui/'> Welcome corp user!<br> ... Home Office content... </pt:when>
    Thanks.
    Vanita
    Staples

    On the machine that is having this issue, run this command:
    RSOP.msc
    When the results come up, browse to this path:
    Computer Configuration->Windows Settings->Security Settings->Restricted Groups
    Do you have a listing for "Remote Desktop Users"
    I suspect what you have going on is a GPO that is applying explicit members of that group.  That would remove anyone that you specify every 15 minutes.
    - If you have found my post to be helpful, or the answer, please mark it appropriately.  Thank you.
    Chris Ream

  • User Unable to RDP in Win 2008R2 Due to Multiple Group Membership But Can RDP in Win 2003 Server

    We have built a new application server with Windows 2008R2 where a set of users are local admins (application owners), and we have the same kind of application server in Windows 2003 SP2 with the same users as local admins.
    Now on the Windows 2008R2 servers these local admins are unable to RDP and get ACCESS DENIED whenever the user tries to login, but can login successfully on the 2003 server.
    Now, the strange case is, I found these admin users' group membership with more than 600 groups, and they are able to login to the Win 2008 server as well if I remove their group membership to a minimum level, say around 300.
    This is so confusing for me as the user can login to the Win 2003 server with the highest group membership but not to Win 2008.
    We have applied the Maxtoken registry also through GPO.
    Any idea what we are missing here?

    This has nothing to do with Directory Services so I will move to the General forum.
    One thing to look at is to make sure that you have RDP enabled on these new 2012 servers.
    http://winplat.net/post/2012/07/16/How-to-enable-Remote-Desktop-on-Windows-%E2%80%988%E2%80%99.aspx
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security, BS CSci
    2012, 2008, Vista, 2003, 2000 (Early Achiever), NT4
    Twitter @pbbergs http://blogs.dirteam.com/blogs/paulbergson
    Please no e-mails, any questions should be posted in the NewsGroup.
    This posting is provided AS IS with no warranties, and confers no rights.

  • WLS 8.1.5  console doesn't show ActiveDirectory (or custom) Users/Groups

    We currently have numerous apps running on a weblogic 8.1.4 portal domain. I am attempting to replicate this domain on 8.1.5. There are four authenticators on our old domain: a DefaultAuthenticator, an ActiveDirectoryAuthenticator, and two Custom Authenticators (based on the sample database authenticator), with JAAS flags set to OPTIONAL for all. Everything was working properly under sp4, including user/group/membership listings in console and authentication. Under sp5, while simple authentication seems to work with all providers, the user/group/membership listings in weblogic console have bad HTML (empty rows under any default authenticator users/groups). The active directory settings were migrated wholesale and I verified that authentication works against this provider. Just no usernames or groupnames. I tested with just ActiveDirectory and DefaultAuthenticator, DefaultIdentityAsserter.
    I was able to debug a bit more using our custom authenticators. I have verified that the user and group lists are being requested and returned properly when you click on Manage Users or Manage Groups in weblogic 8.1.5 console. It just seems like somewhere in the console there is a problem and the HTML output is garbled. Here is a sample of my debug text, the method names and classes should be immediately familiar from the sample authenticator:
    getUserLoginNamesMatching(*,50)
    loginNames=[BF, DAD, NA, OTN, P1Adm1, P1User1, P2Adm1, P2User1, S, ab, admtest, gw, jb, joeschmo, kw, mf, mh, pa, rn, rt, super, test1, wf]
    Success: listUsers(userNameWildcard = *, maximumToReturn = 2147483647) = Cursor0
    Success: haveCurrent(Cursor = Cursor0) = true
    Success: getCurrentName(Cursor = Cursor0) = BF
    Success: advance(Cursor = Cursor0)
    Success: haveCurrent(Cursor = Cursor0) = true
    Success: getCurrentName(Cursor = Cursor0) = DAD
    Success: advance(Cursor = Cursor0)
    Success: close(Cursor = Cursor0)
    getExistingUser(BF)
    user=new UserEntry( BF, BF , BF, [PDA, ADM], com.otn.mobilelynx2.security.providers.authentication.UserGroupDatabase@7f5e61 )
    Success: getUserDescription(user = BF) = BF
    getExistingUser(DAD)
    Success: haveCurrent(Cursor = Cursor0) = false
    Success: close(Cursor = Cursor0)
    getExistingUser(BF)
    user=new UserEntry( BF, BF , BF, [PDA, ADM], com.otn.mobilelynx2.security.providers.authentication.UserGroupDatabase@7f5e61 )
    Success: getUserDescription(user = BF) = BF
    getExistingUser(DAD)
    user=new UserEntry( DAD, Dummy Alcanto Demoer, LYNX, [PDA], com.otn.mobilelynx2.security.providers.authentication.UserGroupDatabase@7f5e61 )
    Success: getUserDescription(user = DAD) = Dummy Alcanto Demoer
    getExistingUser(NA)
    user=new UserEntry( NA, Nancy Aarons, 1234, [PDA, ADM], com.otn.mobilelynx2.security.providers.authentication.UserGroupDatabase@7f5e61 )
    Success: getUserDescription(user = NA) = Nancy Aarons
    ---- weblogic console output sp4, Manage Users ----
    User Description Provider
    portaladmin Admin for portal domain DefaultAuthenticator
    weblogic This user is the default administrator. DefaultAuthenticator
    yahooadmin Admin for yahoo content DefaultAuthenticator
    john John Smith DefaultAuthenticator
    qamean ActiveDirectoryAuthenticator
    qamin ActiveDirectoryAuthenticator
    ---- weblogic console output sp5, Manage Users ----
    User Description Provider
    portaladmin Admin for portal domain DefaultAuthenticator
    weblogic This user is the default administrator. DefaultAuthenticator
    yahooadmin Admin for yahoo content DefaultAuthenticator
    --- html for above (with weird empty rows) ---
    <FORM NAME=FilterUsers METHOD=POST ACTION=><P>Filter By: <INPUT TYPE=text NAME=filter SIZE=10> <INPUT CLASS='buttons' TYPE=submit VALUE=Filter></FORM><b>Displayed 68 of 357 Total, use filter to narrow your search results.<b><table border='1' cellpadding='4' cellspacing='0' height='20'><tr bgcolor='#b8cece'><th>User</th><th>Description</th><th>Provider</th><th> </th></tr><tr bgcolor='#FFFFFF'><td>portaladmin</td><td>Admin for portal domain</td><td>DefaultAuthenticator</td><td><img border='0' src='http://localhost:7001/console/images/delete.gif' title='Delete'/></td></tr><tr bgcolor='#FFFFFF'><td>weblogic</td><td>This user is the default administrator.</td><td>DefaultAuthenticator</td><td><img border='0' src='http://localhost:7001/console/images/delete.gif' title='Delete'/></td></tr><tr bgcolor='#FFFFFF'><td>yahooadmin</td><td>Admin for yahoo content</td><td>DefaultAuthenticator</td><td><img border='0' src='http://localhost:7001/console/images/delete.gif' title='Delete'/></td></tr><tr bgcolor='#FFFFFF'><td><td><td></tr><tr bgcolor='#FFFFFF'><td><td><td></tr><tr bgcolor='#FFFFFF'><td><td><td></tr><tr bgcolor='#FFFFFF'><td><td><td></tr><tr bgcolor='#FFFFFF'><td><td><td></tr><tr bgcolor='#FFFFFF'><td><td><td></tr><tr bgcolor='#FFFFFF'><td><td><td></tr><tr bgcolor='#FFFFFF'><td><td><td></tr><tr bgcolor='#FFFFFF'><td><td><td></tr><tr bgcolor='#FFFFFF'><td><td><td></tr><tr bgcolor='#FFFFFF'><td><td><td></tr><tr bgcolor='#FFFFFF'><td><td><td></tr><tr bgcolor='#FFFFFF'><td><td><td></tr><tr bgcolor='#FFFFFF'><td><td><td></tr><tr bgcolor='#FFFFFF'><td><td><td></tr><tr bgcolor='#FFFFFF'><td><td><td></tr><tr bgcolor='#FFFFFF'><td><td><td></tr><tr bgcolor='#FFFFFF'><td><td><td></tr><tr bgcolor='#FFFFFF'><td><td><td></tr><tr bgcolor='#FFFFFF'><td><td><td></tr><tr bgcolor='#FFFFFF'><td><td><td></tr><tr bgcolor='#FFFFFF'><td><td><td></tr><tr bgcolor='#FFFFFF'><td><td><td></tr><tr bgcolor='#FFFFFF'><td><td><td></tr><tr bgcolor='#FFFFFF'><td><td><td></tr><tr 
bgcolor='#FFFFFF'><td><td><td></tr><tr bgcolor='#FFFFFF'><td><td><td></tr><tr bgcolor='#FFFFFF'><td><td><td></tr><tr bgcolor='#FFFFFF'><td><td><td></tr><tr bgcolor='#FFFFFF'><td><td><td></tr><tr bgcolor='#FFFFFF'><td><td><td></tr><tr bgcolor='#FFFFFF'><td><td><td></tr><tr bgcolor='#FFFFFF'><td><td><td></tr><tr bgcolor='#FFFFFF'><td><td><td></tr><tr bgcolor='#FFFFFF'><td><td><td></tr><tr bgcolor='#FFFFFF'><td><td><td></tr><tr bgcolor='#FFFFFF'><td><td><td></tr><tr bgcolor='#FFFFFF'><td><td><td></tr><tr bgcolor='#FFFFFF'><td><td><td></tr><tr bgcolor='#FFFFFF'><td><td><td></tr><tr bgcolor='#FFFFFF'><td><td><td></tr><tr bgcolor='#FFFFFF'><td><td><td></tr><tr bgcolor='#FFFFFF'><td><td><td></tr><tr bgcolor='#FFFFFF'><td><td><td></tr><tr bgcolor='#FFFFFF'><td><td><td></tr><tr bgcolor='#FFFFFF'><td><td><td></tr><tr bgcolor='#FFFFFF'><td><td><td></tr><tr bgcolor='#FFFFFF'><td><td><td></tr><tr bgcolor='#FFFFFF'><td><td><td></tr><tr bgcolor='#FFFFFF'><td><td><td></tr><tr bgcolor='#FFFFFF'><td><td><td></tr><tr bgcolor='#FFFFFF'><td><td><td></tr><tr bgcolor='#FFFFFF'><td><td><td></tr><tr bgcolor='#FFFFFF'><td><td><td></tr><tr bgcolor='#FFFFFF'><td><td><td></tr><tr bgcolor='#FFFFFF'><td><td><td></tr><tr bgcolor='#FFFFFF'><td><td><td></tr><tr bgcolor='#FFFFFF'><td><td><td></tr><tr bgcolor='#FFFFFF'><td><td><td></tr><tr bgcolor='#FFFFFF'><td><td><td></tr><tr bgcolor='#FFFFFF'><td><td><td></tr><tr bgcolor='#FFFFFF'><td><td><td></tr><tr bgcolor='#FFFFFF'><td><td><td></tr><tr bgcolor='#FFFFFF'><td><td><td></tr><tr bgcolor='#FFFFFF'><td><td><td></tr></table>
    Message was edited by:
    srhutch444

    I have reinstalled Solaris and the problem continues.
    Under Solaris Management Console groups and users don't run OK. Editing a user I can't see groups, and editing groups I can't see its users... very very strange.
    A bug?
    I don't know what is happening :(

  • Reconcile user groups to OIM (11g)

    I would appreciate it if someone may let me know how to reconcile the organization and leadership structure information from an Oracle DB based identity vault into OIM (11g) to create organizational roles, for example, into the user group and user group membership tables, i.e. the UGP and USG table series. Many thanks.

    Yes, I have defined the correct search value but it's again and again throwing an error. I changed the search values too. But it's not working.

  • AD account used for running SIA locked during group membership querying

    Hello,
    I have code that is querying user / group membership from the BOE repository using the Java Enterprise SDK.  When running against an environment using an AD service account to run the SIA, an error is thrown and the AD account is subsequently locked when I execute my code.  The error is as follows:
    com.crystaldecisions.sdk.exception.SDKServerException: The Active Directory Authentication plugin failed to verify the currently specified administration credentials required to connect to Active Directory. Please contact your system administrator. 
    cause:com.crystaldecisions.enterprise.ocaframework.idl.OCA.oca_abuse: IDL:img.seagatesoftware.com/OCA/oca_abuse:3.2
    detail:The Active Directory Authentication plugin failed to verify the currently specified administration credentials required to connect to Active Directory. Please contact your system administrator. 
    The server supplied the following details: OCA_Abuse exception 10505 at [.\exceptionmapper.cpp : 79]  50068 { ,  , secWinAD}
         ...The Active Directory Authentication plugin failed to verify the currently specified administration credentials required to connect to Active Directory. Please contact your system administrator.   Plugin error: SecWinAD Error: an error occurred in CADCredentialManager::SwitchSecurityContexts().
    If the account is successfully running the SIA, I'm not understanding why this message is being thrown.  Also - I'm assuming some internal login is happening with this AD account when I query for group membership (?), as I am able to query for other types of metadata without error / locking the account.  Based on the error thrown, the authentication with this ID is failing, and is probably being attempted multiple times, resulting in the account being locked?  Can anyone provide insight here?
    Thanks...

    Ted is right on the mark with this one.
    The cause is outlined in the exception indicating a problem with the SwitchSecurityContexts() function.  The Active Directory plugin requires a set of credentials with which to connect to Active Directory and perform any necessary lookups.  Therefore, the issue is not with the account running your SIA (and by extension your CMS), but the Active Directory administration credentials you've set on the plugin (either via the CMC or through code).  When the CMS tries to impersonate, or switch security context to the other account, it fails to authenticate against Active Directory.
    Check to make sure this property is set identically to the account running the SIA, and like Ted said, that you can successfully update the plugin via the CMC.
    Thanks,
    Jim

  • Neat OAM Trick (showing users' groups), but a problem...

    Hi,
    I took an OAM class this week, and the instructor showed us a way to show users' group membership in User Manager.
    To do this, create a derived attribute for the inetorgperson attribute, e.g., named "ThisUsersGroupMembership", and configure it with:
    Self
    groupofuniquenames
    uniquemember
    Then, add the derived attribute to the user panel, and then go into User Manager and display an individual user's profile. The user's group membership should be displayed as the "ThisUsersGroupMembership".
    I thought that this was pretty nice, but I noticed that if I go to the User Manager's main page and customize it to display the "ThisUsersGroupMembership" attribute,
    the attribute name is shown, but no values are shown for that attribute.
    I'm trying to figure out why the values for the derived attributes are not being displayed on the main User Manager page, and also if it's possible to get that working?
    Thanks,
    Jim

    Jim,
    Yes even I am not able to list users. I did not understand what you were exactly pointing to in your earlier mail.
    This seems to be a bug with OAM, but before we arrive at this conclusion I think we should try and look at the XML response sent by OAM for the search result. I am not able to recall how we can see the XML response in the browser. If you know, then you can try and see if the groups of the user are returned. If groups are returned then you will have to look at the stylesheet being used and modify it to display the groups.
    If groups are not fetched then it must be a bug with OAM.
    Thanks
    Preetam

  • Read group membership for a user object and populate every group with matching user from another domain

    I have LON\JSmith in LON domain and DEL\JimSmith in DEL domain
    I would like to extract group memberships of LON\JSmith in LON domain and append matching by email (i.e. DEL\JimSmith) user object in every group in LON domain.
    for instance
    LON\JSmith and DEL\JimSmith is the same person and has same email address [email protected]
    LON\JSmith belongs to 3 groups - LON\localadmingroup;LON\univdesktop;LON\globalsurvey
    The outcome of the script should be
    LON\JSmith; DEL\JimSmith    should be in 3 groups - LON\localadmingroup;LON\univdesktop;LON\globalsurvey.
    How can i do it?
    Navgup

    Hi Navgup,
    Please refer to the script below, to query users in the other domain by specifying the parameter "-Server" in the cmdlet "get-aduser", and also note I haven't tested the script below:
    import-module activedirectory
    get-adgroupmember "group" | foreach {
        # get the user email (only the attribute we need, rather than -properties *)
        $email = (get-aduser $_.samaccountname -properties EmailAddress).EmailAddress
        # filter user name and group with the email in the other domain
        Get-ADUser -filter {EmailAddress -eq $email} -properties memberof -server DomainB.company.com | select samaccountname, memberof
    }
    To get users across domain, please also refer this blog:
    Adding/removing members from another forest or domain to groups in Active Directory:
    http://blogs.msdn.com/b/adpowershell/archive/2010/01/20/adding-removing-members-from-another-forest-or-domain-to-groups-in-active-directory.aspx?Redirected=true
    I hope this helps.

  • OIM 9.1.0.2 Group Membership Removal for Disabled Users

    Hello
    In OIM 9.1.0.2, when a user is disabled, they are removed from the groups they are a member of within 24 hours. i was wondering if this is a set time and if so, can this be extended to a specified time so membership can be left for a week before it is removed from the user. If you can let me know on this I would appreciate it.
    Thanks
    Nick

    Today, when accounts are disabled, within 24 hours all the group memberships are removed on the OIM side. I would like to change the interval for the cleanup so that when an account is disabled, all the existing group (role) memberships stay assigned to the account, and then after 30 days of the account being disabled, the group (role) memberships are removed. Not sure if this would be an ORM thing or OIM, but I think it would be OIM since ORM still has the role mappings for users when they are disabled.
    Thanks
    Nick

  • AD Group Membership with User From Domain Outside of Forest

    Here's one to twist your brain around -
    I have kerberos authentication using Active Directory working between a client's web browser and my web-app hosted in JBoss. I also have limited authorization working by checking group memberships using LDAP. This currently only works if all users are in the same domain. The ever-helpful adler_steven has detailed in another thread (http://forum.java.sun.com/thread.jspa?threadID=603815&tstart=15) how to do a group membership check for all Users/Groups in a single forest using the Global Context.
    I need to go beyond the domain and even beyond the forest and try to authorize a user from a trusted domain by checking if the user is a member of a group in my domain. Authentication works fine using kerberos. It's the authorization by group check I am having trouble with. I believe there are two ways to approach this:
    Approach #1
    Access the MS-specific PAC in the kerberos token from the client to get the group SIDs. The structure of the PAC is nicely defined in this article: http://appliedcrypto.com/spnego/pac/ms_kerberos_pac.html. However, I have no idea how to access the decrypted token. I pass the encrypted token that I receive from the browser to myGssContext.acceptSecContext(...) to complete the authentication.
    Question: Does anyone know how to get the decrypted kerberos ticket from there, specifically the authorization-data field?
    Approach #2
    Try to walk through the Active Directory structures in both domains using LDAP. In the domain group that I am checking, I can see a member attribute that references a foreignSecurityPrincipal object. The CN of this object happens to be the objectSID of the user I am looking for in the remote domain. Unfortunately, I have to check the remote domain server directly to verify that. The foreignSecurityPrincipal object itself does not contain any hint about what user it refers to aside from the SID (no originalDomainName attribute or something similar). It is feasible that I could walk the chain of references back to the remote domain AD server. That would require that my configuration include a list of remote domain servers to check (since I could have users from multiple trusted domains) and that my JBoss server have access to those servers.
    Question: Does anyone know of some other LDAP-related way of finding information about a user from a remote, trusted domain without having to hit the server for that domain directly?
    adTHANKSvance
    Eric

    You should be able to work back from the foreignSecurityPrincipal object :-) He says with a wry smile..
    This post prompts me to think whether one day someone will draw the entity relationship diagram for AD. Oh well, I've been procrastinating for years, a few more won't hurt !
    If it was a user from within the same forest, you should just be able to perform a search against a GC using the objectSID as the search filter. I've forgotten, but I don't think they will be represented as foreign security principals.
    Have a look at the post titled JNDI, Active Directory and SID's (Security Identifiers) available at
    http://forum.java.sun.com/thread.jspa?threadID=585031&tstart=150 that describes how to search for an object based on their SID.
    Now if it is a user from another forest, with which you have a trust relationship, then we begin the navigation exercise.
    You'll need to obtain the user's SID (either from the cn or from the objectSID attribute) from the foreignSecurityPrincipal object. For example
    CN=S-1-5-21-3771862615-1804478405-1612909269-2143,CN=ForeignSecurityPrincipals,DC=antipodes,DC=com
    objectSID=S-1-5-21-3771862615-1804478405-1612909269-2143
    Then obtain the domain RID, eg. S-1-5-21-3771862615-1804478405-1612909269
    Next you will have to recurse each of the crossRef objects in the Partitions container, in the configuration naming context (which you will find listed in the RootDSE). The crossRef objects that represent trusted domains or forests will have values for their trustParent attributes. A sample query would be something like
    // specify the LDAP search filter
    String searchFilter = "(&(objectClass=crossRef)(trustParent=*))";
    // Specify the Base for the search
    String searchBase = "CN=Partitions,CN=Configuration,DC=antipodes,DC=com";
    For each crossRef object, you can then use the dnsRoot attribute to determine the DNS domain name of the forest/domain (if you want to later use DNS to search for the DNS name and IP address of the domain controllers in the trusted domains/forests), and then use the nCName attribute to determine the distinguished name of the trusted forest/domain.
    dnsRoot = contoso.com
    nCName = dc=contoso,dc=com
    Perform another bind to the nCName for the trusted domain/forest and retrieve the objectSID attribute, which will be the domain's RID. You may want to cache this information as a lookup table to match domain RIDs with domain distinguished names and DNS names.
    String ldapURL = "ldap://contoso.com:389";
    Attributes attrs = ctx.getAttributes("dc=contoso,dc=com");
    System.out.println("Domain SID: " + attrs.get("objectSID").get());
    Once you find out which domain matches the RID for the foreignSecurityPrincipal, you can then perform a search for the "real user". And then finally you should have the user object that represents the foreign security principal!
    Just one thing to note. Assume that CONTOSO and ANTIPODES are two separate forests. If you bind as CONTOSO\cdarwin against the CONTOSO domain, the tokenGroups attribute (which represents the process token) will contain all of the group memberships of Charles Darwin in the CONTOSO domain/forest. It will not contain his memberships, if any, of groups in the ANTIPODES forest. If Charles Darwin accesses a resource in ANTIPODES, then his process token used by the ANTIPODES resource will be updated with his group memberships of the ANTIPODES forest. Also you can have "orphaned foreign security principals", where the original user object has been deleted!
    BTW, if I was doing this purely on Windows, IIRC, you just use one API call, DsCrackNames, to get the "real user", and then the appropriate ImpersonateUser calls to update the process token etc..
    Good luck.
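Added Python example, not from the reply above and not JNDI code, for the two mechanical steps the reply leaves to the reader: Active Directory returns objectSID as a binary SID structure, so it has to be decoded to the S-1-5-... string before it can be compared, and the trailing RID has to be stripped to get the domain prefix that is matched against the cached crossRef table. The SID value is the one in the reply; the TRUSTED_DOMAINS table, the fabrikam entry and the function names are constructed for the example.

```python
import struct


def decode_sid(blob):
    """Decode a binary SID (revision, sub-authority count, 48-bit big-endian
    identifier authority, then little-endian 32-bit sub-authorities) to text.
    This is the layout AD stores in objectSID; JNDI hands it back as byte[]."""
    if len(blob) < 8:
        raise ValueError("SID too short")
    revision, sub_count = blob[0], blob[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if len(blob) != 8 + 4 * sub_count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % sub_count, blob[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def encode_sid(sid):
    """Inverse of decode_sid; used here to construct sample objectSID bytes."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def domain_sid(sid):
    """Strip the trailing RID; what remains identifies the issuing domain."""
    return sid.rsplit("-", 1)[0]


# Constructed lookup table standing in for the cache the reply suggests:
# domain SID (objectSID read from each trusted crossRef's nCName) -> (dnsRoot, nCName).
TRUSTED_DOMAINS = {
    "S-1-5-21-3771862615-1804478405-1612909269": ("contoso.com", "dc=contoso,dc=com"),
    "S-1-5-21-1111111111-2222222222-3333333333": ("fabrikam.com", "dc=fabrikam,dc=com"),
}

# Constructed binary objectSID for the foreignSecurityPrincipal in the reply.
SAMPLE_OBJECTSID = encode_sid("S-1-5-21-3771862615-1804478405-1612909269-2143")


def resolve_foreign_principal(fsp_sid, trusted=TRUSTED_DOMAINS):
    """Map a foreignSecurityPrincipal's SID to the trusted domain that issued it.

    Returns (dnsRoot, nCName, rid), or None when no cached domain matches. That
    covers well-known SIDs such as S-1-1-0 (Everyone), which also appear as
    foreign security principals, and orphaned principals whose domain is gone.
    """
    prefix = domain_sid(fsp_sid)
    if prefix not in trusted:
        return None
    rid = int(fsp_sid.rsplit("-", 1)[1])
    dns_root, nc_name = trusted[prefix]
    return dns_root, nc_name, rid


if __name__ == "__main__":
    sid = decode_sid(SAMPLE_OBJECTSID)
    print(sid, "->", resolve_foreign_principal(sid))
```

With the domain located, the search for the "real user" is an objectSID equality filter against that domain's nCName; an unresolved prefix is the orphaned-principal case the reply warns about and should be treated as "no such user", not as an error to retry.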

  • "Domain Users" group in Active Directory does not belong to any Group Membership in LC

    Active Directory user belonging to "Domain Users" group does not belong to any Group Membership in LC, why does it not belong to "Domain Users" group?
    Any way to correct this issue, without changing group membership on AD side?
    If Active Directory user is member of "Domain Admins" or "Users" then these show same group membership in LC.
    Thanks.

    If you want to use the Domain Users group for the purpose of representing all the users then you can use the "All principals in domain xxx" group which is created by UM.
    Coming back to the Domain Users group. For determining group membership in AD, UM uses the "member" attribute of the group object. "Domain Users" group is treated differently by AD. It is the default primary group for all the users, and normally members of the primary group are not specified using the member attribute. So when we sync the data from AD, "Domain Users" membership does not get completed.

  • Getting list of all users and their group memberships from Active Directory

    Hi,
    I want to retrieve a list of all the users and their group memberships through JNDI from Active Directory. I am using the following code to achieve this:
    ==================
    import javax.naming.*;
    import java.util.Hashtable;
    import javax.naming.directory.*;

    public class GetUsersGroups {
        public static void main(String[] args) {
            String[] attributeNames = {"memberOf"};
            // create an initial directory context
            Hashtable env = new Hashtable();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, "ldap://172.19.1.32:389/");
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, "[email protected]");
            env.put(Context.SECURITY_CREDENTIALS, "p8admin");
            try {
                // Create the initial directory context
                DirContext ctx = new InitialDirContext(env);
                // get all the users list and their group memberships
                NamingEnumeration contentsEnum = ctx.list("CN=Users,DC=filenetp8,DC=com");
                while (contentsEnum.hasMore()) {
                    NameClassPair ncp = (NameClassPair) contentsEnum.next();
                    String userName = ncp.getName(); // relative to the listed container, e.g. "CN=Administrator"
                    System.out.println("User: " + userName);
                    try {
                        System.out.println("am here....1");
                        // resolved relative to ctx (the server root), not to the listed container;
                        // this is the call that produces the DIR_ERROR shown below
                        Attributes attrs = ctx.getAttributes(userName, attributeNames); // only asked for one attribute so only one should be returned
                        System.out.println("am here....2");
                        Attribute groupsAttribute = attrs.get(attributeNames[0]); // memberOf
                        if (groupsAttribute != null) { // null for a user that is in no groups
                            System.out.println("-----" + groupsAttribute.size());
                            // memberOf is a multi valued attribute
                            for (int i = 0; i < groupsAttribute.size(); i++) {
                                // print out each group that user belongs to
                                System.out.println("MemberOf: " + groupsAttribute.get(i));
                            }
                        }
                    } catch (NamingException ne) {
                        // ignore for now
                        System.err.println("Problem encountered....0000:" + ne);
                    }
                }
                // get all the groups list
                ctx.close();
            } catch (NamingException e) {
                System.err.println("Problem encountered 1111:" + e);
            }
        }
    }
    =================
    The following exception gets thrown at every user entry:
    User: CN=Administrator
    am here....1
    Problem encountered....0000:javax.naming.NamingException: [LDAP: error code 1 -
    000020D6: SvcErr: DSID-03100690, problem 5012 (DIR_ERROR), data 0
    ]; remaining name 'CN=Administrator'
    I think it gets thrown at this line in the code:
    Attributes attrs = ctx.getAttributes(userName, attributeNames);
    Any idea how to overcome this and where am I wrong?
    Thanks in advance,
    Regards.

    In this sentence:
    Attributes attrs = ctx.getAttributes(userName, attributeNames); // only asked for one attribute so only one should
    It seems Ok when I add "CN=Users,DC=filenetp8,DC=com" after userName, just as
    userName + ",CN=Users,DC=filenetp8,DC=com"
    But I still have some problem with it.
    Hope it will be useful for you.
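The reply's fix is to hand getAttributes() an absolute DN instead of the relative name that list() returns. This added Python example (not the poster's code and not a JNDI call) shows the DN handling behind that fix: composing the full DN from the relative name and the listed base, and then splitting the memberOf values back into group names without being fooled by an escaped comma inside a CN. The sample DNs are constructed around the base used in the thread; the function names are mine.

```python
import re


def split_dn(dn):
    """Split a DN into its RDN strings at unescaped commas, so that a value such
    as 'CN=Smith\\, John' stays in one piece."""
    parts, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])   # keep the escape pair together
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current).strip())
    return parts


def rdn_value(rdn):
    """Return the value of 'ATTR=value' with RFC 4514 backslash escapes removed."""
    _, _, value = rdn.partition("=")
    return re.sub(r"\\(.)", r"\1", value)


def compose_dn(relative_name, base_dn):
    """Turn the name list() returns (relative to the listed container) into the
    absolute DN that a lookup against the server root needs: append the base."""
    if not relative_name or "=" not in split_dn(relative_name)[0]:
        raise ValueError("not an RDN: %r" % relative_name)
    return relative_name + "," + base_dn


def group_names(member_of_values):
    """Reduce memberOf DNs to (group CN, domain) pairs for display or export."""
    result = []
    for dn in member_of_values:
        rdns = split_dn(dn)
        cn = rdn_value(rdns[0])
        domain = ".".join(rdn_value(r) for r in rdns if r.upper().startswith("DC="))
        result.append((cn, domain))
    return result


# Constructed sample: names as list() would return them for the thread's base,
# and memberOf values as the directory would store them.
SAMPLE_BASE = "CN=Users,DC=filenetp8,DC=com"
SAMPLE_LISTING = ["CN=Administrator", "CN=Smith\\, John"]
SAMPLE_MEMBER_OF = [
    "CN=Domain Admins,CN=Users,DC=filenetp8,DC=com",
    "CN=Smith\\, John Fans,OU=Groups,DC=example,DC=com",
]


def absolute_names(listing=SAMPLE_LISTING, base=SAMPLE_BASE):
    """The DNs the poster should pass to getAttributes() for each listed entry."""
    return [compose_dn(name, base) for name in listing]


if __name__ == "__main__":
    for dn in absolute_names():
        print(dn)
    print(group_names(SAMPLE_MEMBER_OF))
```

The alternative to composing DNs by hand is to call getAttributes on the context that was listed (ctx.lookup of the base, or a search scoped to it), which keeps names relative throughout; either way the name must be interpreted against the same base it was listed from.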
