Finding group membership

Similar Messages

• Table for finding GROUP or WEBGROUP

  Experts, does anybody know where can I find GROUP/WEBGROUP name in the database. Is there any OOTB table provided by OBIEE. My group information is coming from Siebel.I want to know where is the group information present in OBIEE datamart?
  thx,
  parag

  Hi,
  Check the below link-
  http://obieeblog.wordpress.com/2009/06/18/obiee-security-enforcement-%e2%80%93-external-database-table-authorization/
  You can see that GROUP is assigned from some table used for authorization. Similarily you too might have tables used to assign the variable.
  Refer-
  http://www.rittmanmead.com/2012/03/obiee-11g-security-week-connecting-to-active-directory-and-obtaining-group-membership-from-database-tables/
  Hope this helped/ answered
  Regards
  MuRam

• AD Group Membership with User From Domain Outside of Forest

  Here's one to twist your brain around -
  I have kerberos authentication using Active Directory working between a client's web browser and my web-app hosted in JBoss. I also have limited authorization working by checking group memberships using LDAP. This currently only works if all users are in the same domain. The ever-helpful adler_steven has detailed in another thread (http://forum.java.sun.com/thread.jspa?threadID=603815&tstart=15) how to do a group membership check for all Users/Groups in a single forest using the Global Context.
  I need to go beyond the domain and even beyond the forest and try to authorize a user from a trusted domain by checking if the user is a member of a group in my domain. Authentication works fine using kerberos. It's the authorization by group check I am having trouble with. I believe there are two ways to approach this:
  Approach #1
  Access the MS-specific PAC in the kerberos token from the client to get the group SIDs. The structure of the PAC is nicely defined in this article: http://appliedcrypto.com/spnego/pac/ms_kerberos_pac.html. However, I have no idea how to access the decrypted token. I pass the encrypted token that I receive from the browser to myGssContext.acceptSecContext(...) to complete the authentication.
  Question: Does anyone know how to get the decrypted kerberos ticket from there, specifically the authorization-data field?
  Approach #2
  Try to walk through the Active Directory structures in both domains using LDAP. In the domain group that I am checking, I can see a member attribute that references a foreignSecurityPrincipal object. The CN of this object happens to be the objectSID of the user I am looking for in the remote domain. Unfortunately, I have to check the remote domain server directly to verify that. The foreignSecurityPrincipal object itself does not contain any hint about what user it refers to aside from the SID (no originalDomainName attribute or something similar). It is feasible that I could walk the chain of references back to the remote domain AD server. That would require that my configuration include a list of remote domain servers to check (since I could have users from multiple trusted domains) and that my JBoss server have access to those servers.
  Question: Does anyone know of some other LDAP-related way of finding information about a user from a remote, trusted domain without having to hit the server for that domain directly?
  adTHANKSvance
  Eric

  You should be able to work back from the foreignSecurityPrincipal object :-) He says with a wry smile..
  This post prompts me to think whether one day someone will draw the entity relationship diagram for AD. Oh well, I've been procrastinating for years, a few more won't hurt !
  If it was a user from within the same forest, you should just be able to perform a search against a GC using the objectSID as the search filter. I've forgotten, but I don't think they will be represented as foreign security principals.
  Have a look at the post titled JNDI, Active Directory and SID's (Security Identifiers) available at
  http://forum.java.sun.com/thread.jspa?threadID=585031&tstart=150 that describes how to search for an object based on their SID.
  Now if it is a user from another forest, with which you have a trust relationship, then we begin the navigation excercise.
  You'll need obtain the user's SID (either from the cn or from the objectSID attributes) from the foreignSecurityPrincipal object. For example CN=S-1-5-21-3771862615-1804478405-1612909269-2143,CN=ForeignSecurityPrincipals,DC=antipodes,DC=com
  objectSID=S-S-1-5-21-3771862615-1804478405-1612909269-2143Then obtain the domain RID, eg.S-1-5-21-3771862615-1804478405-1612909269Next you will have to recurse each of the crossRef objects in the Partitions container, in the configuration naming context (which you will find listed in the RootDSE). The crossref objects that represent trusted domains or forests will have values for their trustParent attributes. A sample query would be something like//specify the LDAP search filter
  String searchFilter = "(&(objectClass=crossRef)(trustParent=*))";
  //Specify the Base for the search
  String searchBase = "CN=Partitions,CN=Configuration,DC=antipodes,DC=com";For each crossRef object, you can then use the dnsRoot attribute to determine the dns domain name of the forest/domain (if you want to later use dns to search for the dns name,ip address of the domain controllers in the trusted domains/forests), and then use the nCName attribute to determine the distinguished name of the trusted forest/domain.dnsRoot = contoso.com
  ncName = dc=contoso,dc=comPerform another bind to the ncName for the trusted domain/forest and retrieve the objectSID attribute, which will be the domain's RID. You may want to cache this information as a lookup table to match domain RID's with domain distingusihed names and dns names.String ldapURL = "ldap://contoso.com:389";
  Attributes attrs = ctx.getAttributes("dc=contoso,dc=com");
  System.out.println("Domain SID: " + attrs.get("objectSID").get());Once you find out which domain matches the RID for the foreignSecurityPrincipal, you can then perform a search for the "real user" .And then finally you should have the user object that represents the foreign security principal !
  Just one thing to note. Assume that CONTOSO and ANTIPODES are two separate forests. If you bind as CONTOSO\cdarwin against the CONTOSO domain, the tokenGroups attribute (which represents teh process token) will contain all of the group memberships of Charles Darwin in the CONTOSO domain/forest. It will not contain his memberships if any, of groups in the ANTIPODES forest. If Charles Darwin accesses a resource in ANTIPODES, then his process token used by the ANTIPODES resource will be updated with his group memberships of the ANTIPODES forest. Also you can have "orphaned foreignn security principal", where the original user object has been deleted !
  BTW, If I was doing this purely on Windows, IIRC, you just use one API call DsCrackNames, to get the "real user", and then the appropriate ImpersonateUser calls to update the process token etc..
  Good luck.

• Group Membership under Settings/My Account is not updating

  We use an External table for User permissions/Groups to get updated in Group Membership.
  We use our custom tool to create/update new/existing users with the permissions. Then our ETL picks up the changes from the OLTP tables and update User Permission table in our DWH hourly. Now let me explain the present situation. User ABC is an existing user and never used our Report Portal before, we updated ABC user with all the necessary groups to use Report portal and with curiosity she didn't wait until Hourly ETL run and she didn't had the necessary permissions to run any reports in Report portal. But when she login after 1hr/10 hr/ 1 day/2 day, the user won't see the Permissions getting updated in Group Membership. If we check the User permission table in DWH, it is updated with all the new roles, but it is never being updated in 'My Account' Answers. I think this is some kind of Presentation Cache issue, but I did clicked "Reload Files and Metadata" under Settings and "Close All Cursors" under Settings/Manage Sessions. You may also say it may be with the Caching on Initialization Block for the User Permission table, but we did Un-check the 'Use Caching' right below the Row-wise initialization for the corresponding Initialization block. We has 3 users with the same issue now. But when the user waits for certain time (for at least 1hr), and when they login after the actual hourly ETL ran, they were able to get in and use Report Portal without any issue. So, I am kind of sure this is something with CACHING and I might be missing some thing on Clearing this type of Cache. Could someone please help me out on this? This is in PRD and we are not able to find a solution. Any help would be appreciated!
  -Dinesh

  Yes, we are using Initialization Blocks to update the User Groups. Our USER_PERMISSION table has Login, Company_ID, Roles, etc columns in it. The Initialization Block will query on this Table and the query has a where clause in it and the Where clause "where company_id=(select substr(':USER', 0, (instr(':USER', '.')) - 1) from dual) and upper(login)=upper((select substr(':USER', (instr(':USER', '.')) + 1) from dual))) and dw_delete_date is null" from which it will get the roles for each user. And YES, the Caching is turned off for this initialization block.
  And I should try deleting the user folders, but my company has a very strict policy so I should do that in DEv, then QA and in PRD. Hope this works, but I am still not convinced why this is happening. We cannot keep on deleting the user folders in future if this happens again.

• Not inheriting group membership / users not showing in workgroup "Everyone"

  Hi,
  In the new OS X Lion Server Profile Manager, there is a default group called Everyone, that should contain all users.
  However, it only shows the first user I created (UID 1025).
  Users created after that are not automatically added to the group Everyone
  I can assign these newer users to a Workgroup I created myself, but since they are absent in the Everyone group, I cannot assign devices to these users, and thus not properly manage these users and their devices.
  Using Workgroup Manager to check on the membership of the users with UID>1025 I see that the inherited workgroup membership of Users (GID 403) is missing.
  How can fix a problem with the inherited group membership of users?
  Thanks in advance.
    Patrick

  did you configure the people picker
  http://technet.microsoft.com/en-us/library/gg602075(d=lightweight,v=office.14).aspx#section4
  http://jaredmatfess.wordpress.com/2013/02/26/sharepoint-2010-people-picker-is-having-a-hard-time-finding-people/
  Please remember to mark your question as answered &Vote helpful,if this solves/helps your problem. ****************************************************************************************** Thanks -WS MCITP(SharePoint 2010, 2013) Blog: http://wscheema.com/blog
  No need to configure the People Picker in a full trust between domains of the same forest.
  Trevor Seward
  Follow or contact me at...
  &nbsp&nbsp
  This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

• Mapping shares based on ADS Group membership

  Hello,
  I am a pc person and do not know much about Macs. I have been charged to find a way to attach all of our new macs to our Active Directory. I have been able to bind a test machine to the directory and get the home share. Now the "higher ups" want the macs to mimic a pc in logon. They want the mac to map all the shares based on group membership at login. Some of these people connect to 4 to 5 different shares depending on their job duties.
  I have looked on line and all the questions/answers like this seem to end at binding to the ADS and getting a home share. I need to go one step further. Any help would be greatly appriciated.

  Logon scripts, not Active Directory, are typically used to map drives to Windows computers at login. You assign a script to a user via Active Directory.
  Macs can't be administered from Active Directory and therefore can't use the logon scripts from Active Directory, so you'll need a different solution. The Workgroup Manager from Mac OS X Server used with Active Directory in a Golden Triangle is a common solution. It does require a Mac OS X Server.
  You won't find many other options, if any.
  Hope this helps! bill
  1 GHz Powerbook G4   Mac OS X (10.4.8)  

• Group membership alterations timeout

  Hello,
  I've imported about 100 security groups with their members from AD to FIM and have altered precedence so that FIM now manages these groups. I want to change the groups to criteria based membership and have successfully done so in a number of cases,
  however I am finding that groups with more than apx. 700 members are causing an error in the portal.
  Event viewer says that the diagnostic log may contain more information but it does not. It also suggests checking the SharePoint log but unfortunately I have been unable to find an appropriate log.
  I've had this error occur before in similar circumstances and my guess is that there is some sort of timeout cancelling the operation.
  Does anyone know of a fix for this? Is there a way to empty the group memberships?
  Many thanks 
  Portal error:
  "Unable to process your request. Please contact your help desk or system administrator."
  Event viewer:
  "The portal was unable to complete a request and showed a user the default error page.
  An unhandled exception was caught.
  Check the product diagnostic log file and then check the SharePoint log file."

  Hello FIM-EN,
  You probably have a timeout issue. Tyr to increase the value in the file "C:\Program Files\Microsoft Forefront Identity Manager\2010\Service\Microsoft.ResourceManagement.Service.exe.config":
  /configuration/ resourceManagementClient/ @timeoutInMilliseconds
  [0,360000]
  90,000
  The timeout of the client side of communication.
  link:
  http://technet.microsoft.com/en-us/library/ff800821%28v=ws.10%29.aspx
  Regards,
  Sylvain

• How to create Nested Group membership in OAM?

  Hello,
  I am facing a problem now about creating nested group membership in OAM. Although all documents mention that nested group membership is available in OAM and the "uniquemember" attribute's target object class covers both "inetorgperson" and "groupofUniqueNames", I still cannot find the option in Selector to add "group" members.
  Please kindly suggest.
  Thank you.
  Liu Peng

  Liu,
  You've been very helpful, so I thought that I'd try to "return the favor" :)...
  If you want to change the background color of that bar that contains the "Users Groups" to something other than dark blue, you can do it by editting the following file (this path is on Windows):
  C:\Program Files\NetPoint\identity\oblix\lang\shared\sltr_navbar.xsl
  I changed the line:
  <table width="100%" border="0" bgcolor="#006699" cellpadding="0" cellspacing="0">
  TO:
  <table width="100%" border="0" bgcolor="#CCCCCC" cellpadding="0" cellspacing="0">
  which, on my system, changes the bar background color from dark blue to gray.
  Obviously, you can change the color to whatever you feel is appropriate, but the gray background definitely makes the links more visible :)!!
  Here's a website that'll let you experiment with the color codes:
  http://colorcombos.com/combotester.html
  or choose a color visually:
  http://www.liu.edu/cwis/CWP/library/colors.htm
  You'll need to restart the OAM servers after making the change for it to become effective.
  Thanks for your help!
  Jim

• Extracting user group membership to a spreadsheet - tip?

  Hello,
  This is a tip that works for me.
  Sometimes I need to extract the Group Membership names for a user or users.
  What I do is have PTSpy running when I find their name from an administrative search. Clicking on the user name opens up the EDIT USER page where you can see the users groups.
  At this point look in PTSpy for the line:
  Create query: '/* QUERY_DYNAMIC_USERGROUPS:ANSI */ SELECT DISTINCT(a.ObjectID), a.Name, a.IsLocalized      FROM PTUSERGROUPS a, PTUSERLINKS b      WHERE a.ObjectID=b.GroupID           AND b.UserID=?           AND (b.ISSTATIC=? AND b.ISDYNAMIC=?) ORDER BY a.ObjectID DESC'
  followed by 3 lines:
  setInt, index: 0, value: 0001. <--user ID
  setInt, index: 0, value: 1. <--Static Group Membership
  setInt, index: 0, value: 0. <--Dynamic
  Copy and drop that into SQL Query Analyser, plug in the value provided and save it to a spreadsheet or just copy and paste it.
  If you want find dynamic groups - there is a similar query in the PTspy log - look for the /*QUERY_DYNAMIC_USERGROUPS:ANSI
  in PTSpy log
  If anyone has anything else to add - please do!
  Thanks,
  V
  Computers are like Old Testament gods; lots of rules and no mercy. ~Joseph Campbell

  Hi,
  To identify members of a local group by using a command line, refer to:
  1. Open Command Prompt.
  2. To list members of a group, type: net localgroup "groupname"
  Note: You must include the quotation marks.
  For example, export the members of the local group Administrators to a text file named group.txt, refer to:
  net localgroup “Administrators” > C:\group.txt
  You can also write a script as you want.
  Best Regards,
  Nina Liu
  TechNet Subscriber Support in forum
  If you have any feedback on our support, please contact
  [email protected]  
  Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
  Thanks this does seem to work. It does seem that just copying the command does not work because of the quotes, and that you have to manually type the quotation marks into the command prompt, I'm thinking they are picked up as a different character when you
  copy paste from a html page or other document.

• SAML 2.0 and AD Security Group Membership

  In ADFS 2.0, as a part of the token, I can pass the AD
  security groups the user is in. Does SAP SSO have the ability to send and
  receive SAML 2.0 tokens with AD security group membership?

  Hi Jeff,
  SAP SAML 2.0 Identity Provider is able to include any group (or role) assignment of the user (available in the NetWeaver AS Java UME) as SAML Attribute in the generated SAML 2.0 Assertion.
  These group assignments of the user can be local (maintained in local UME database) or remote ones if the UME is configured with other Data Source.
  So in order to be able send the AD group assignments of the user you need to change the NetWeaver UME Data Source to your AD. More information how to do that you can find at this page: Identity Management - SAP Library.
  Then in your Identity Provider you can configured so called "Authorization-Based Assertion Attributes" in the "Identity Federation" tab of your trusted Service Provider configuration. An example with such attributes is provided at this page: Configuring Identity Federation with Transient Users - Identity Provider for SAP Single Sign-On and SAP Identity Managem… (although the page is for Transient federation these attributes are supported for all supported NameID formats).
  Regarding the receiving part:
  In SAP SAML 2.0 Service Provider of NetWeaver AS Java received SAML 2.0 Attribute can be either assigned to any UME attribute of the authenticated user, or to be used in rules that assign specific role(s) or group(s) to the user. For more details see these pages: Configuring Federation Type Persistent Users (Advanced) - User Authentication and Single Sign-On - SAP Library and Configuring Federation Type Virtual Users - User Authentication and Single Sign-On - SAP Library
  Regards,
  Stefan

• ISW 6.1 not replication group membership

  Perhaps I misunderstand what should be happening .....
  Groups are synchronizing between my LDAP directory server and my Windows 2008R2 ADS however, group membership is not. I.E. The fact that bob is a member of the testgroup is NOT replicated .....
  Any ideas what I might be missing in my config?
  Thanks,

  did you configure the people picker
  http://technet.microsoft.com/en-us/library/gg602075(d=lightweight,v=office.14).aspx#section4
  http://jaredmatfess.wordpress.com/2013/02/26/sharepoint-2010-people-picker-is-having-a-hard-time-finding-people/
  Please remember to mark your question as answered &Vote helpful,if this solves/helps your problem. ****************************************************************************************** Thanks -WS MCITP(SharePoint 2010, 2013) Blog: http://wscheema.com/blog
  No need to configure the People Picker in a full trust between domains of the same forest.
  Trevor Seward
  Follow or contact me at...
  &nbsp&nbsp
  This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

• Computer's group membership

  I am trying to find a way to list the groups a computer knows it is a member of. Normally a computer only picks up a group membership change after a reboot. You can purge the kerb tickets and it will sometimes pick up the new membership.
  I have a requirement to determine if a group membership has propigated to >300 servers for GPO filtering, but the only way I can find to validate this is by running a gpresult and checking the computer group memberships.
  I started by trying to run a gpresult remotely but that does not always return the computer group membership. Is there a wmi call that can pull this or can a kerb ticket be dissasembled to get the memberships?

  jrv,
  I understand how Active Directory and the various methods of GPO provisioning work.
  The systems in question (>300 production servers) have been added to a provisioning group. This group is used to filter application of a GPO. I need to validate the systems have picked up the new group membership before moving forward with a multi-step
  implementation.
  When a gpresult is run the output displays the groups the system is a member of in order to determine GPO application. I am trying to get this data from remote systems programatically, hence why I posted in this forum since I am specifically asking if anyone
  knows of a WMI (or other) call that would return the computer group memberships.
  As I re-organize a GPO structure in dire need of cleanup I am going to have to do this validation multiple times over a large number of servers. Being able to automate this process would help quite a bit.
  "For computer accounts this requires a reboot." - See this article: 
  http://setspn.blogspot.com/2010/10/updating-servers-security-group.html

• ACS 5.3 Group Mapping based on AD group membership

  Hi,
  I am configuring a new ACS 5.3 system. Part of the rules is that I want to match the users specific AD group membership, and match appropriatly to an identity group.
  What i'm trying to do is say that if the user is a member of the AD Group (G-CRP-SEC-ENG) then associate them with the Identity Group SEC-ENG. The under the access service, authorization portion, i assign shell profiles and command sets based on Identity Group.
  It seems that the ACS server will not match the AD Group for the user, and it will match the Default of teh Group Mapping portion of the policy every time.
  I tried several configuration choices from : AD1:ExternalGroups contains any <string showing in AD>, AD1:memberOf <group>.
  Is there something special i need to do in the Group Mapping Policy to get it to match and active directory group and result in assigning the host to an Identity Group?
  Thank you,
  Sami

  Ok, my case is like this.
  I use ACS 5.3 for VPN authentication, using AD and an external RSA for token authentication (2 factor authentication)
  I didn't add all the VPN users in the ACS, because it will be troublesome, the users authentication will be managed by AD and RSA server.
  In some cases where we need to restrict a group of user to only access certain resources, downloadable ACL is used.
  Following the Cisco docs, i manage to get downloadable ACL works when the authorization profile matching criteria is username, but when i change the matching criteria to Identity group, the downloadable ACL won't work.
  I have a case with Cisco engineer now and still in the middle to sort things out.
  The advice from the Cisco engineer is to have the Access Service set to Internal User instead of RSA server, but that will require us(the admin) to import all the VPN users into the ACS database.
  Wondering whether there is a fix for this.
  Thanks.

• Weblogic 10.3.0 -  Security Violation when Group Membership Lookup enabled

  Dear Admins,
  We're running a Weblogic 10.3.0 cluster with our own software deployed.
  We're using SQL authentication (JDBC to Oracle DB) to authenticate users.
  Recently we've been tuning our WL cluster to improve performance, and have enabled Group Membership Lookup Hierarchy Caching.
  Sometimes users log into our application and get inssuficient rights (or some other error). This appears to happen at random. Most of the times they can log in without problems.
  We determined it's not something to do with the cluster, although it can happen on one node and the other node will work as normal.
  In the Managed server we see this error (with test user):
  Managed7Server.out00011:java.rmi.AccessException: [EJB:010160]Security Violation: User: 'test' has insufficient permission to access EJB: type=<ejb>, application=leanapps, module=process_general.jar, ejb=LaLifeProcessController,
  method=create, methodInterface=Home, signature={}.
  When we disable Group Membership Lookup Hierarchy Caching, this error never occurs.
  Our settings (Security Realms -> myrealm -> Providers -> SQL Authenticator -> Performance):
  Max Group Hierarchies In Cache: 5000 (we have approx. 2000 groups)
  Group Hierarchy Cache TTL: 3600
  provider specific settings :
  Group Membership Searching: unlimited
  Max Group Membership Search Level: 0
  Also in Myrealm -> Performance we have set :
  Enable WebLogic Principal Validator Cache
  Max WebLogic Principals In Cache: 5000
  If we put the TTL really low (default 60 seconds), the error hardly ever occurs. But we want to have cache that lasts longer then one minute.
  This might be a bug, as we have other clusters running on WL 10.3.5, 12c where we use the same cache settings. This issue does not occur there.
  I'm more then willing to provide more info or config files
  Edited by: user5974192 on 21-nov-2012 5:17

  This is fixed now. Someone had defined a Servlet for the web service in web.xml that was preventing the EJB container to kick in.
  Edited by: user572625 on Aug 25, 2011 11:54 PM

• OIM: What is the purpose of "Update" while editing group memberships

  Hi,
  This is when you lookup a user's Resource Profile and go to "Edit" link. The process form shows up along with a drop down to edit the group memberships. When we select one of the choices such as "Groups" another window pops up where we could add more entires into the child form. In this form there is an "Update" column with a radio button besides a "Remove" column. What is the purpose of this "Update" column? We can add or delete child entries but what does update do? Is there a way to remove this selection altogether?
  Thanks in advance

  Update I can see used for a cases where you have multiple columns on a child table entry and want to change one of them. Strictly speaking, you can update a single column child table rather than delete and insert also. Access policies always do insert and delete actions, but you will want to implement an update task as well if you expect anyone to be editing child tables on resources directly.