Generating RAR Alerts for just certain user groups

Is there any way to limit a RAR Critical Actions Alert to just certain users?  Or, only if these users access certain data?
We've had a request to monitor and send out a notification for some transactions, but only for certain users.  These transactions are available to many employees, but it is only a concern if someone from a certain group uses them.  Even then, it's only a concern if they access certain data.
As an example (this is not the actual request), you have a transaction like say XD03 (Customer Display) and it's available to most everyone in the company.  You also have customers assigned to different company codes.  The issue then is that you have a certain group of users that are only supposed to look at customers for just one specific company code.  Ideally, you would want to be notified if they use this transaction to look at customers for other company codes.  At the very least, you want to know when they use this transaction so you would know to check on their usage.
If this can't be done using the RAR Alerts, is there maybe another way to perform this monitoring/notification?
Thanks.

Hi Bob,
GRC RAR would not help you in this case. However you can restrict the Users through Roles which are assigned to them.
For example: for tcode XD03, check and maintain the authorization object F_KNA1_BUK with Activity 03 and Company code 1000 (depending upon your requirement). Assign the role to the users who require access to view the customers for company 1000.
Hopefully this may meet your expectations.
Regards,
Nikita Sharma.
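A role-audit sketch for the restriction described in the answer above, added here and not part of the original thread: it lists which members of a restricted group hold F_KNA1_BUK authorizations that allow display (Activity 03) of company codes other than the intended one. Role contents, user IDs and company codes are constructed; ACTVT and BUKRS are the object's activity and company-code fields.

```python
# Added example: role contents, user IDs and company codes are constructed.
OBJECT = "F_KNA1_BUK"   # authorization object named in the answer
DISPLAY = "03"          # Activity 03 (display), as in the answer


def value_matches(spec, value):
    """Match one authorization value against the value being checked.

    spec is an exact value ("1000"), a pattern ending in "*" ("1*" or "*"),
    or a (low, high) tuple for a from-to range.
    """
    if isinstance(spec, tuple):
        low, high = spec
        return low <= value <= high
    if spec.endswith("*"):
        return value.startswith(spec[:-1])
    return spec == value


def authorization_allows(auth, activity, company_code):
    """Every field of ONE authorization must match (logical AND)."""
    return (
        auth["object"] == OBJECT
        and any(value_matches(s, activity) for s in auth["ACTVT"])
        and any(value_matches(s, company_code) for s in auth["BUKRS"])
    )


def user_can_display(auths, company_code):
    """Authorizations from all assigned roles are alternatives (logical OR)."""
    return any(authorization_allows(a, DISPLAY, company_code) for a in auths)


def excess_company_codes(auths, existing_codes, permitted_codes):
    """Company codes the user can display although they are not permitted."""
    return sorted(
        code for code in existing_codes
        if code not in permitted_codes and user_can_display(auths, code)
    )


def audit_group(user_auths, group_members, existing_codes, permitted_codes):
    """Map each group member with excess display access to the excess codes."""
    findings = {}
    for user in group_members:
        excess = excess_company_codes(
            user_auths.get(user, []), existing_codes, permitted_codes
        )
        if excess:
            findings[user] = excess
    return findings


# Constructed role authorizations.
DISPLAY_1000 = {"object": OBJECT, "ACTVT": ["03"], "BUKRS": ["1000"]}
DISPLAY_ALL = {"object": OBJECT, "ACTVT": ["03"], "BUKRS": ["*"]}
CHANGE_2000 = {"object": OBJECT, "ACTVT": ["02"], "BUKRS": ["2000"]}
DISPLAY_RANGE = {"object": OBJECT, "ACTVT": ["03"], "BUKRS": [("1000", "1999")]}

# Constructed users and the authorizations their roles add up to.
USER_AUTHS = {
    "USER_A": [DISPLAY_1000],                # as intended
    "USER_B": [DISPLAY_1000, DISPLAY_ALL],   # a second role with "*" widens access
    "USER_C": [DISPLAY_1000, CHANGE_2000],   # fields are not mixed across authorizations
    "USER_D": [DISPLAY_RANGE],               # a range that covers more than 1000
    "USER_E": [DISPLAY_ALL],                 # not in the restricted group
}
RESTRICTED_GROUP = ["USER_A", "USER_B", "USER_C", "USER_D"]
COMPANY_CODES = ["1000", "1100", "2000", "3000"]
PERMITTED = {"1000"}

if __name__ == "__main__":
    for user, codes in audit_group(
        USER_AUTHS, RESTRICTED_GROUP, COMPANY_CODES, PERMITTED
    ).items():
        print(f"{user}: can also display company codes {', '.join(codes)}")
```
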

Similar Messages

  • Identity Server has not been configured for this new user/group suffix

    Hi all
    I am having a problem trying to configure the Directory Server (5.2) for Messaging Server.
    My configuration is as follows:
    SJES Q12005
    Server 1 - Directory Server 5.2
    Server 1 - Access Manager (formerly Identity Server)
    Server 1 - Web Server 6.1
    I have successfully installed the above and can login to Access Manager.
    I next installed Calendar & Messengar Server on "Server 1". Upon running "comm_dssetup.pl" from /opt/SUNWcomds/sbin, I get the following error:
    "Identity Server has not been configured for this new user/group suffix"
    Copy and paste of what I entered:
    bash-2.05# perl comm_dssetup.pl
    Welcome to the Directory Server preparation tool for
    Sun Java(tm) System communication services.
    (Version 6.3 Revision 1.0)
    This tool prepares your directory server for use by the
    communications services which include Messaging, Calendar and their components.
    The logfile is /var/tmp/dssetup_20050830165940.log.
    Do you want to continue [y]:
    Please enter the full path to the directory where the Sun ONE
    Directory Server was installed.
    Directory server root [var/opt/mps/serverroot] : /opt/mps/serverroot
    Please select a directory server instance from the following list:
    [1] slapd-sunldap
    Which instance do you want [1]:
    Please enter the directory manager DN [cn=Directory Manager]: cn=DirMan
    Password:
    Detected DS version 5.2
    Will this directory server be used for users/groups [Yes]:
    Please enter the Users/Groups base suffix [dc=samplecompany-dev,dc=co,dc=uk] : ou=infrastructure,o=sampletown,dc=samplecompany-dev,dc=co,dc=uk
    There are 3 possible schema types:
    1 - schema 1 for systems with iMS 5.x data
    1.5 - schema 2 compatibility for systems with iMS 5.x data
    that has been converted with commdirmig
    2 - schema 2 native for systems using Identity Server
    Please enter the Schema Type (1, 1.5, 2) [1]: 2
    Identity Server has not been configured for this new user/group suffix
    You can opt to continue, but you will not be able to use
    features that depend on Identity Server
    Are you sure you want this schema type? [n]:
    I have entered my user group suffix exactly as specified during the Access Manager install (hence I am able to login as "amadmin").
    Looking at the LDAP logs to try and figure out what's going wrong I see it's not getting hits on all searches it is performing:
    [30/Aug/2005:16:41:18 +0100] conn=299 op=159 msgId=161 - SRCH base="ou=services,ou=infrastructure,o=northampton,dc=dataforce-
    dev,dc=co,dc=uk" scope=1 filter="(|(&(numSubordinates=*)(numSubordinates>=1)(|(objectClass=*)(objectClass=ldapsubentry)))(obj
    ectClass=referral)(objectClass=organization)(objectClass=organizationalUnit)(objectClass=netscapeServer)(objectClass=netscape
    Resource)(objectClass=domain))" attrs="dn"
    [30/Aug/2005:16:41:18 +0100] conn=299 op=159 msgId=161 - RESULT err=4 tag=101 nentries=1 etime=0
    [30/Aug/2005:16:41:18 +0100] conn=299 op=160 msgId=162 - ABANDON targetop=NOTFOUND msgid=161
    [30/Aug/2005:16:41:18 +0100] conn=299 op=161 msgId=163 - SRCH base="ou=people,ou=infrastructure,o=northampton,dc=dataforce-de
    v,dc=co,dc=uk" scope=1 filter="(|(&(numSubordinates=*)(numSubordinates>=1)(|(objectClass=*)(objectClass=ldapsubentry)))(objec
    tClass=referral)(objectClass=organization)(objectClass=organizationalUnit)(objectClass=netscapeServer)(objectClass=netscapeRe
    source)(objectClass=domain))" attrs="dn"
    [30/Aug/2005:16:41:18 +0100] conn=299 op=161 msgId=163 - RESULT err=0 tag=101 nentries=0 etime=0
    [30/Aug/2005:16:41:18 +0100] conn=299 op=162 msgId=164 - SRCH base="ou=clientdata,ou=infrastructure,o=northampton,dc=dataforc
    e-dev,dc=co,dc=uk" scope=1 filter="(|(&(numSubordinates=*)(numSubordinates>=1)(|(objectClass=*)(objectClass=ldapsubentry)))(o
    bjectClass=referral)(objectClass=organization)(objectClass=organizationalUnit)(objectClass=netscapeServer)(objectClass=netsca
    peResource)(objectClass=domain))" attrs="dn"
    [30/Aug/2005:16:41:18 +0100] conn=299 op=162 msgId=164 - RESULT err=0 tag=101 nentries=1 etime=0
    [30/Aug/2005:16:41:18 +0100] conn=299 op=163 msgId=165 - ABANDON targetop=NOTFOUND msgid=164
    [30/Aug/2005:16:41:20 +0100] conn=299 op=164 msgId=166 - SRCH base="ou=services,ou=infrastructure,o=northampton,dc=dataforce-
    dev,dc=co,dc=uk" scope=1 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="objectClass numSubordinates ref aci"
    [30/Aug/2005:16:41:20 +0100] conn=299 op=164 msgId=166 - RESULT err=0 tag=101 nentries=41 etime=0
    [30/Aug/2005:16:41:28 +0100] conn=299 op=165 msgId=167 - SRCH base="ou=services,ou=infrastructure,o=northampton,dc=dataforce-
    dev,dc=co,dc=uk" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="objectClass numSubordinates ref aci"
    [30/Aug/2005:16:41:28 +0100] conn=299 op=165 msgId=167 - RESULT err=0 tag=101 nentries=1 etime=0
    [30/Aug/2005:16:41:28 +0100] conn=299 op=166 msgId=168 - SRCH base="ou=services,ou=infrastructure,o=northampton,dc=dataforce-
    dev,dc=co,dc=uk" scope=1 filter="(|(&(numSubordinates=*)(numSubordinates>=1)(|(objectClass=*)(objectClass=ldapsubentry)))(obj
    ectClass=referral)(objectClass=organization)(objectClass=organizationalUnit)(objectClass=netscapeServer)(objectClass=netscape
    Resource)(objectClass=domain))" attrs="objectClass numSubordinates ref aci"
    [30/Aug/2005:16:41:29 +0100] conn=299 op=166 msgId=168 - RESULT err=0 tag=101 nentries=41 etime=1
    [30/Aug/2005:16:41:29 +0100] conn=299 op=167 msgId=169 - SRCH base="ou=iplanetamauthservice,ou=services,ou=infrastructure,o=n
    orthampton,dc=dataforce-dev,dc=co,dc=uk" scope=1 filter="(|(&(numSubordinates=*)(numSubordinates>=1)(|(objectClass=*)(objectC
    lass=ldapsubentry)))(objectClass=referral)(objectClass=organization)(objectClass=organizationalUnit)(objectClass=netscapeServ
    er)(objectClass=netscapeResource)(objectClass=domain))" attrs="dn"
    [30/Aug/2005:16:41:29 +0100] conn=299 op=167 msgId=169 - RESULT err=0 tag=101 nentries=1 etime=0
    [30/Aug/2005:16:41:29 +0100] conn=299 op=168 msgId=170 - ABANDON targetop=NOTFOUND msgid=169
    [30/Aug/2005:16:41:29 +0100] conn=299 op=169 msgId=171 - SRCH base="ou=iplanetamauthldapservice,ou=services,ou=infrastructure
    ,o=northampton,dc=dataforce-dev,dc=co,dc=uk" scope=1 filter="(|(&(numSubordinates=*)(numSubordinates>=1)(|(objectClass=*)(obj
    ectClass=ldapsubentry)))(objectClass=referral)(objectClass=organization)(objectClass=organizationalUnit)(objectClass=netscape
    Server)(objectClass=netscapeResource)(objectClass=domain))" attrs="dn"
    [30/Aug/2005:16:41:29 +0100] conn=299 op=169 msgId=171 - RESULT err=0 tag=101 nentries=1 etime=0
    [30/Aug/2005:16:41:29 +0100] conn=299 op=170 msgId=172 - ABANDON targetop=NOTFOUND msgid=171
    [30/Aug/2005:16:41:29 +0100] conn=299 op=171 msgId=173 - SRCH base="ou=iplanetampolicyconfigservice,ou=services,ou=infrastruc
    ture,o=northampton,dc=dataforce-dev,dc=co,dc=uk" scope=1 filter="(|(&(numSubordinates=*)(numSubordinates>=1)(|(objectClass=*)
    (objectClass=ldapsubentry)))(objectClass=referral)(objectClass=organization)(objectClass=organizationalUnit)(objectClass=nets
    capeServer)(objectClass=netscapeResource)(objectClass=domain))" attrs="dn"
    [30/Aug/2005:16:41:29 +0100] conn=299 op=171 msgId=173 - RESULT err=0 tag=101 nentries=1 etime=0
    [30/Aug/2005:16:41:29 +0100] conn=299 op=172 msgId=174 - ABANDON targetop=NOTFOUND msgid=173
    [30/Aug/2005:16:41:29 +0100] conn=299 op=173 msgId=175 - SRCH base="ou=iplanetamauthenticationdomainconfigservice,ou=services
    ,ou=infrastructure,o=northampton,dc=dataforce-dev,dc=co,dc=uk" scope=1 filter="(|(&(numSubordinates=*)(numSubordinates>=1)(|(
    --More--(83%)
    The list goes on.
    Can anyone give me any pointers?
    Thanks

    Hi
    Thanks for your reply!
    I did mis-type, my mistake - sorry about that.
    If I don't over-ride the default it works, I've pretty much got the whole setup working now but I'm not particularly over the moon about the way the ldap tree is setup, I'd like finer granularity as we are going to attempt to get synchronization working with AD.
    I have an idea about how I'd like to set up our Mail/Calendar/LDAP infrastructure the 2nd time around (I'm just testing at the mo) - so I might have a question or two for you if you don't mind taking a look when you have a minute?
    Thanks Jay
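The access-log reading done by hand in the question above, as an added example that is not part of the original thread: it rejoins wrapped log lines, pairs each SRCH with its RESULT by connection and operation number, and lists searches that returned an error or no entries. The sample log is constructed in the same line format; the function names are this example's own.

```python
import re

# One access-log record: "[timestamp] conn=N op=N msgId=N - KIND details"
RECORD_RE = re.compile(
    r'^\[[^\]]+\] conn=(?P<conn>\d+) op=(?P<op>\d+) msgId=\d+ - '
    r'(?P<kind>SRCH|RESULT)\b(?P<rest>.*)$'
)
BASE_RE = re.compile(r'base="([^"]*)"')
SCOPE_RE = re.compile(r'\bscope=(\d)')
ERR_RE = re.compile(r'\berr=(\d+)')
NENTRIES_RE = re.compile(r'\bnentries=(\d+)')

# LDAP result codes that matter when reading search results.
RESULT_NAMES = {0: "success", 4: "sizeLimitExceeded", 32: "noSuchObject"}


def unwrap(lines):
    """Rejoin records that a terminal or pager wrapped across several lines."""
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("--More--"):
            continue  # blank line or pager prompt
        if line.startswith("[") or not records:
            records.append(line)
        else:
            records[-1] += line  # wrapped mid-token, so join without a space
    return records


def pair_searches(lines):
    """Return one dict per SRCH operation, merged with its RESULT line."""
    ops = {}
    for record in unwrap(lines):
        m = RECORD_RE.match(record)
        if not m:
            continue  # ABANDON, BIND and other operations are not needed here
        key = (int(m["conn"]), int(m["op"]))
        rest = m["rest"]
        if m["kind"] == "SRCH":
            base = BASE_RE.search(rest)
            scope = SCOPE_RE.search(rest)
            ops[key] = {
                "conn": key[0], "op": key[1],
                "base": base.group(1) if base else None,
                "scope": int(scope.group(1)) if scope else None,
                "err": None, "nentries": None,
            }
        elif key in ops:
            err = ERR_RE.search(rest)
            count = NENTRIES_RE.search(rest)
            ops[key]["err"] = int(err.group(1)) if err else None
            ops[key]["nentries"] = int(count.group(1)) if count else None
    return list(ops.values())


def failed_or_empty(searches):
    """Searches that ended with a non-zero result code or matched nothing."""
    return [s for s in searches
            if s["err"] not in (0, None) or s["nentries"] == 0]


def describe(search):
    name = RESULT_NAMES.get(search["err"], "other")
    return (f'conn={search["conn"]} op={search["op"]} scope={search["scope"]} '
            f'base="{search["base"]}" err={search["err"]} ({name}) '
            f'nentries={search["nentries"]}')


# Constructed sample in the same format, including one wrapped record.
SAMPLE_LOG = """\
[01/Jan/2024:10:00:00 +0000] conn=7 op=1 msgId=2 - SRCH base="ou=services,dc=exa
mple,dc=com" scope=1 filter="(objectClass=*)" attrs="dn"
[01/Jan/2024:10:00:00 +0000] conn=7 op=1 msgId=2 - RESULT err=4 tag=101 nentries=1 etime=0
[01/Jan/2024:10:00:00 +0000] conn=7 op=2 msgId=3 - ABANDON targetop=NOTFOUND msgid=2
[01/Jan/2024:10:00:01 +0000] conn=7 op=3 msgId=4 - SRCH base="ou=people,dc=example,dc=com" scope=1 filter="(objectClass=*)" attrs="dn"
[01/Jan/2024:10:00:01 +0000] conn=7 op=3 msgId=4 - RESULT err=0 tag=101 nentries=0 etime=0
[01/Jan/2024:10:00:02 +0000] conn=7 op=4 msgId=5 - SRCH base="ou=services,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs="objectClass"
[01/Jan/2024:10:00:02 +0000] conn=7 op=4 msgId=5 - RESULT err=0 tag=101 nentries=1 etime=0
--More--(83%)
""".splitlines()

if __name__ == "__main__":
    for search in failed_or_empty(pair_searches(SAMPLE_LOG)):
        print(describe(search))
```

A result of err=0 with nentries=0 means the search base exists but nothing under it matched the filter, which is a different condition from a missing suffix (err=32).
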

  • Restrict password resets to certain user groups in UME

    I am investigating if it is possible to create a UME action which restricts admins to unlocking/locking IDs and resetting passwords for users in a certain user group.  I know you may need to create a UME permission class and action.  Has anyone done this?  If so how?
    Thanks and Regards,
    Mosi

    Hi Mosi,
    did you have a look at the documentation about the Company Concept (http://help.sap.com/saphelp_nw2004s/helpdata/en/2b/306bb5bc98f24f8a85d489449af456/frameset.htm)? This can also be used to delegate administrative tasks in your case.
    Regards,
    Patrick

  • Win 8.1 domain workstation. Block all access, except for a few users/groups and domain controller information/date.

    Hi!
    Win 8.1 pro, domain workstation. How to block all access, except for a few users/groups and domain controller information/date?
    Nuance:
    From domain AD is locked Workstation Firewall "Domain profile" edit.
    Possible?
    cenubit

    Hi GirtsR,
    I am not sure of the command to use the SID to accomplish what you want to achieve. If you only know the SID, you could use PowerShell to find the related information. For more information, please check:
    Working with SIDs
    And a similar thread for reference:
    How to find user/group known only SID
    More reference: Default local groups.
    Best regards
    Michael Shao
    TechNet Community Support

  • Setting Up Alerts for Always on Availability Groups Failover

    Hi Folks,
    In SQL Server 2008R2 we set up alerts for Mirroring failover using WMI Alerts. As Like this.
    Now we need to configure similar alerts for Always on Availability Groups(AAG) in SQL Server 2012, but it seems that there is no such WMI Alerts or any standard way to set up the alerts for getting notified for AAG Failover. Click Here
    Should I manually Create a SQL Agent Job using these DMVs and schedule it at frequent Interval to get notified about any AAG failover or is there any standard way as for mirroring Failover alerts? Any suggestion or help is appreciated.
    Pranshul Gupta

    Maybe you wanna have a look at this:
    http://blogs.msdn.com/b/sqlalwayson/archive/2012/02/13/monitoring-alwayson-health-with-powershell-part-1.aspx
    http://blogs.msdn.com/b/sqlalwayson/archive/2012/02/13/monitoring-alwayson-health-with-powershell-part-2.aspx
    http://blogs.msdn.com/b/sqlalwayson/archive/2012/02/15/monitoring-alwayson-health-with-powershell-part-3.aspx
    http://blogs.msdn.com/b/sqlalwayson/archive/2012/02/15/the-always-on-health-model-part-4.aspx
    Bodo Michael Danitz - MCT, MCITP - free consultant - performance specialist - www.sql-server.de

  • Which factory calendar is valid for a certain user

    Hi all,
    is there a way to get the factory calendar for a certain user.
    E.g. if the user works in Germany, I want the German factory calendar, and if he lives in India, I want the Indian calendar.
    Regards,
    Daniel

    OY05 - Maintain the SAP Factory Calendar
    SAP Factory Calendar allows companies to key in their own factory work days.  Individual SAP application such as MRP will take into consideration these individual factory customizing.
    For alternate Saturday, you set Saturday as a normal working day and key in all the off-days in the Special rules button.
    In your abap program, you can calculate whether a particular day is a non-working day, with reference to the Factory Calendar.
    ABAP Program to check for holidays using the factory calendar
    * include zday .
    * substitute tdate = 'yyyymmdd'.
    * tholiday_found   = 'X'   -> Holiday
    TABLES THOCS.
    DATA: BEGIN OF INT_THOCS OCCURS 100,
          THOCS LIKE THOCS.
    DATA: END OF INT_THOCS.
    DATA: TDAY(1),
          TDATE LIKE SY-DATUM,
          THOLIDAY_ATTRIBUTES,
          THOLIDAY_FOUND(1).
    FORM HOLIDAY.
    CALL FUNCTION 'HOLIDAY_CHECK_AND_GET_INFO'
         EXPORTING
              DATE                         = TDATE
              HOLIDAY_CALENDAR_ID          = 'XX'
            WITH_HOLIDAY_ATTRIBUTES      = ' '
         IMPORTING
              HOLIDAY_FOUND                = THOLIDAY_FOUND
         TABLES
              HOLIDAY_ATTRIBUTES           = INT_THOCS
         EXCEPTIONS
              CALENDAR_BUFFER_NOT_LOADABLE = 1
              DATE_AFTER_RANGE             = 2
              DATE_BEFORE_RANGE            = 3
              DATE_INVALID                 = 4
              HOLIDAY_CALENDAR_ID_MISSING  = 5
              HOLIDAY_CALENDAR_NOT_FOUND   = 6
              OTHERS                       = 7.
    CALL FUNCTION 'DATE_COMPUTE_DAY'
         EXPORTING
              DATE    = TDATE
         IMPORTING
              DAY     = TDAY
         EXCEPTIONS
              OTHERS  = 1.
    * For checking.
    *if tholiday_found = 'X'.
    *  write: /1 'Holiday ', tdate.
    *else.
    *  write: /1 'Not Holiday ', tdate.
    *endif.
    *case sy-subrc.
    *  when 0.       write: /1 tdate, tday.
    *  when others.  write: /1 'Unknown day ', tdate.
    *endcase.
    ENDFORM.

  • Spool printing takes a long time for just one user

    Hello,
    Could someone please guide on what could be the reason that spool printing takes a long time for just one user ?
    I've monitored all the spool processes through SM50, and I've found that a very long time elapses before the printing job appears in one of the four spool processes.
    Thanks in advance.
    Reda

    Hi,
    very long time elapses before the printing job appears in one of the four spool processes.
    can u check the trace file(Red color error) of that spool process. Also can u see if there are any system logs in SM21 related to that spool request.
    Also see how many pages the user is giving print @ 1 shot. Suppose if the printer to which the user is giving print is a network printer, see the network response time.
    Have u tried to ask the same user to give print to some other printer. Also have u asked some other user to print to that problematic printer. Check the responses under this scenario also.
    Regards,
    Ravi

  • Restricting certain users groups to read only for certain folders

    Hi
    I'm not sure if this is the correct forum, but hey, hopefully someone might know the answer or direct me to the correct one.
    I'm writing a VB program to amend ACLs for specific user groups.
    Effectively, I make all prior year folders read only, whereas the default for the group is Modify, Delete etc.  This means they can continue to work in the "new year folders", but historic years is List/read only.
    I've got to the point the program does everything I want, i.e. stops folder creation/deletion, file & folder name changes, copying for the historic years, but does not prevent deletion of files in the folder.  Effectively I set Deny access on the historic folders.
    Testing using the Windows GUI would appear to resolve the problem if I change the Deny Special Permission (for the group) from "This folder only" to "This folder & files".
    Question then is how do I set this in VB, the default appearing to be "This folder only"
    Here's extract of my code
    Thanks
    Dim FileInfo3 As IO.FileInfo = New IO.FileInfo(varDirectoryName)
    Dim FileAcl3 As New FileSecurity
    If varDirectoryName.IndexOf("\" & Date.Now.Year) = -1 Then
    FileAcl3.AddAccessRule(New FileSystemAccessRule(GroupAdmin(0), FileSystemRights.Modify, AccessControlType.Deny))
    FileAcl3.AddAccessRule(New FileSystemAccessRule(GroupAdmin(0), FileSystemRights.DeleteSubdirectoriesAndFiles, AccessControlType.Deny))
    FileAcl3.RemoveAccessRule(New FileSystemAccessRule(GroupAdmin(0), FileSystemRights.ReadAndExecute, AccessControlType.Deny))
    FileAcl3.RemoveAccessRule(New FileSystemAccessRule(GroupAdmin(0), FileSystemRights.ListDirectory, AccessControlType.Deny))
    FileInfo3.SetAccessControl(FileAcl3)
    End If

    Hi Rohn
    You're right, when I added the flags I got the following error at execution
    {"No flags can be set. Parameter name: inheritanceFlags"}
    I've developed a work around, which gives me exactly - subject to further testing - what I want.  I simply mark each file in the relevant folders with a Deny Delete option.
    I will however explore the DirectorySecurity class option, but initial review of the www seems a little shy on VB examples.
    Thanks
    Perry

    You should be able to use FileSecurity and DirectorySecurity the same way (they have identical methods). Since this is a scripting forum, I'll provide a PowerShell example (which is fairly close to C# and VB; they all use the exact same classes):
    $varDirectoryName = "c:\folder"
    $GroupAdmin = "Admin Group"
    $FileInfo3 = New-Object System.IO.DirectoryInfo $varDirectoryName
    $FileAcl3 = $FileInfo3.GetAccessControl()
    # ContainerInherit + ObjectInherit make the rule apply to subfolders and files
    $FileAcl3.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule (
        $GroupAdmin,
        [System.Security.AccessControl.FileSystemRights]::Modify,
        ([System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor [System.Security.AccessControl.InheritanceFlags]::ObjectInherit),
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow
    )))
    $FileInfo3.SetAccessControl($FileAcl3)
    I could have taken a lot of shortcuts when using the enumerations, but I think keeping it verbose helps show how similar the code can be.
    Does that make sense?

  • Would you implement GRC for just 2500 users

    Hi
    I've tried searching but my brain hurts so I'll probably get a roasting for asking a stupid and basic question
    If you have a 4.6C system with around 2.5k users in it how would you establish the cost effectiveness of buying and implementing RAR 5.3 (AC10) initially?
    Okay, I've hidden under the desk ready for abuse!
    Cheers
    David

    David Berry wrote:
    You would start with 10 singles to sort out and, by the time you had analysed who had what in which user group there would be 30 shiny new singles bobbing up and down and eager to go to PRD.
    Exactly that is why I don't like them and why they also popup all over the place when you remediate a single role used by several composites and you don't know what the dependencies are.
    You should only split roles because of Org-Levels.
    The music (as far as authority-checks are concerned) are in the singles (with generated profiles).
    Luckily (or not when remote enabled and the user can influence input parameters) newer concepts allow you substitute the org-level with programmatic validations (for example "Business Partner" assignment of the "Person" mapped to the sy-uname).
    I have 3 million users in a system with only 3 roles. How is that for a ratio?
    GRC has a great value for backend config, support, development, etc such as other ABAP based authorization object concepts and you can map services and other applications to "actions" as if they were transactions, and you can do this logical system independently.
    It is still tempting, but not really a hard requirement to be able to control the access and combinations in a limited number of systems. It is certainly independent of the number of users!
    A good build is always better - which is what GRC RAR will ultimately tell you anyway...
    Cheers,
    Julius
    ps: The "blue boxes" are like this:
    {quote} David said that composite roles are a dog's breakfast {quote}
    Result =
    David said that composite roles are a dog's breakfast

  • Cannot generate dynamic alert for initial column in SNP.

    Hello,
    I have an SNP alert macro with a simple condition running from Initial column for 158 weeks. The alert is generated correctly for all other weeks but not for initial column.
    The IF condition works correctly because a CELL_BG() in the same alert macro is correctly changing the color of the Initial column cell.
    Is there some setting I need to make to generate alert for initial column?
    Regards,
    SS

    Hello jejeje,
    thanks for your efforts - what you describe is something users have found out on our side too - a problem remains: you can save this setting "Period from last Selection" and it brings you to the INITIAL column but: once you have scrolled forward in the SNP data view (so that the INITIAL column has disappeared) and you leave the SNP data view or select another product ... it "remembers" that you last time left the data view NOT having INITIAL column as a start column.
    So, my users say that they scroll back to INITIAL column before selecting another part or using another SelectionID or leaving the SNP data view ... and of course they hate this since they have to do this a few hundred times a day worse case.
    We had a call open to SAP on this and I told them that is about productivity and usability issue moving from SCM5.0 to SCM7.0 - but they have nothing more to say than "not supported anymore" - and the ultimate solution is / will be to modify SAP SCM standard coding - unless somebody from SAP is reading the discussions here and is dedicated to help their customers which pay millions every year into SAP support fees.
    Thanks for your responses and effort !
    Regards
    Thomas

  • Generate trace file for a certain transaction by dates

    Experts,
    I am trying to generate a trace file for a certain transaction for a period of time.
    I used tx st03 > transaction profile > double click on transaction and am able to get a list for the day. How do I set the date to generate for the month for example?
    Thanks,
    Iqbal

    Hi Iqbal,
    In Tr. ST03 itself, you have three ranges. Day, Week and Month.
    Just select the month. Expand it. Select which month you want.
    Then check Transaction Profile. It should give you the details for the whole month.
    Cheers....,
    Raghu

  • Why cant i change user password or pwdlastset after delegation for only certain users in an ou?

    I remembered a while ago I used delegate control to assign the ability to reset pwd and reset change on next logon.  It seems to work for some users but not others in same ou.  Effective permissions shows I have write access to the attribute for the user; see imgur link below.  The box for change pwd at next logon is gray.  Attribute editor tab doesn't allow me to edit it either.  Domain admins can change it.  I'm wondering what else I should check out cus everything I know says I have the right to change it.
    forest / domain level 2003
    http://imgur.com/1VHuh7h
    mydomain\Allow Reset Win Pwd   was used for delegation and the user trying to change the password is a part of that group. they are also a member of account operators
    Owner: mydomain\Domain Admins
    Group: mydomain\Domain Admins
    Access list:
    Allow BUILTIN\Pre-Windows 2000 Compatible Access
                                          SPECIAL ACCESS
                                          READ PERMISSONS
                                          LIST CONTENTS
                                          READ PROPERTY
                                          LIST OBJECT
    Allow BUILTIN\Pre-Windows 2000 Compatible Access
                                          SPECIAL ACCESS
                                          READ PERMISSONS
                                          LIST CONTENTS
                                          READ PROPERTY
                                          LIST OBJECT
    Allow mydomain\Domain Admins          SPECIAL ACCESS
                                          READ PERMISSONS
                                          WRITE PERMISSIONS
                                          CHANGE OWNERSHIP
                                          CREATE CHILD
                                          DELETE CHILD
                                          LIST CONTENTS
                                          WRITE SELF
                                          WRITE PROPERTY
                                          READ PROPERTY
                                          LIST OBJECT
                                          CONTROL ACCESS
    Allow mydomain\Enterprise Admins      SPECIAL ACCESS
                                          READ PERMISSONS
                                          WRITE PERMISSIONS
                                          CHANGE OWNERSHIP
                                          CREATE CHILD
                                          DELETE CHILD
                                          LIST CONTENTS
                                          WRITE SELF
                                          WRITE PROPERTY
                                          READ PROPERTY
                                          LIST OBJECT
                                          CONTROL ACCESS
    Allow BUILTIN\Administrators          SPECIAL ACCESS
                                          DELETE
                                          READ PERMISSONS
                                          WRITE PERMISSIONS
                                          CHANGE OWNERSHIP
                                          CREATE CHILD
                                          DELETE CHILD
                                          LIST CONTENTS
                                          WRITE SELF
                                          WRITE PROPERTY
                                          READ PROPERTY
                                          LIST OBJECT
                                          CONTROL ACCESS
    Allow NT AUTHORITY\Authenticated Users
                                          SPECIAL ACCESS
                                          READ PERMISSONS
                                          LIST CONTENTS
                                          READ PROPERTY
                                          LIST OBJECT
    Allow NT AUTHORITY\SYSTEM             FULL CONTROL
    Allow mydomain\Allow Reset Win Pwd    SPECIAL ACCESS   <Inherited from parent>
                                          READ PROPERTY
    Allow BUILTIN\Pre-Windows 2000 Compatible Access
                                          SPECIAL ACCESS   <Inherited from parent>
                                          READ PERMISSONS
                                          LIST CONTENTS
                                          READ PROPERTY
                                          LIST OBJECT
    Allow BUILTIN\Terminal Server License Servers
                                          SPECIAL ACCESS   <Inherited from parent>
                                          READ PERMISSONS
                                          LIST CONTENTS
                                          WRITE SELF
                                          WRITE PROPERTY
                                          READ PROPERTY
    Allow mydomain\Enterprise Admins      FULL CONTROL   <Inherited from parent>
    Allow BUILTIN\Pre-Windows 2000 Compatible Access
                                          SPECIAL ACCESS   <Inherited from parent>
                                          LIST CONTENTS
    Allow BUILTIN\Administrators          SPECIAL ACCESS   <Inherited from parent>
                                          DELETE
                                          READ PERMISSONS
                                          WRITE PERMISSIONS
                                          CHANGE OWNERSHIP
                                          CREATE CHILD
                                          LIST CONTENTS
                                          WRITE SELF
                                          WRITE PROPERTY
                                          READ PROPERTY
                                          LIST OBJECT
                                          CONTROL ACCESS
    Allow mydomain\Delegate-Join-Domain-Rights
                                          SPECIAL ACCESS for computer   <Inherited from parent>
                                          CREATE CHILD
    Allow Everyone                        SPECIAL ACCESS for computer   <Inherited from parent>
                                          CREATE CHILD
    Allow BUILTIN\Pre-Windows 2000 Compatible Access
                                          SPECIAL ACCESS for Account Restrictions
                                          READ PROPERTY
    Allow BUILTIN\Pre-Windows 2000 Compatible Access
                                          SPECIAL ACCESS for Account Restrictions
                                          READ PROPERTY
    Allow BUILTIN\Pre-Windows 2000 Compatible Access
                                          SPECIAL ACCESS for Logon Information
                                          READ PROPERTY
    Allow BUILTIN\Pre-Windows 2000 Compatible Access
                                          SPECIAL ACCESS for Logon Information
                                          READ PROPERTY
    Allow BUILTIN\Pre-Windows 2000 Compatible Access
                                          SPECIAL ACCESS for Group Membership
                                          READ PROPERTY
    Allow BUILTIN\Pre-Windows 2000 Compatible Access
                                          SPECIAL ACCESS for General Information
                                          READ PROPERTY
    Allow BUILTIN\Pre-Windows 2000 Compatible Access
                                          SPECIAL ACCESS for General Information
                                          READ PROPERTY
    Allow BUILTIN\Pre-Windows 2000 Compatible Access
                                          SPECIAL ACCESS for Remote Access Information
                                          READ PROPERTY
    Allow BUILTIN\Pre-Windows 2000 Compatible Access
                                          SPECIAL ACCESS for Remote Access Information
                                          READ PROPERTY
    Allow mydomain\Cert Publishers        SPECIAL ACCESS for userCertificate
                                          WRITE PROPERTY
                                          READ PROPERTY
    Allow BUILTIN\Windows Authorization Access Group
                                          SPECIAL ACCESS for tokenGroupsGlobalAndUniversal
                                          READ PROPERTY
    Allow BUILTIN\Terminal Server License Servers
                                          SPECIAL ACCESS for terminalServer
                                          WRITE PROPERTY
                                          READ PROPERTY
    Allow mydomain\Allow Reset Win Pwd    SPECIAL ACCESS for pwdLastSet   <Inherited from parent>
                                          WRITE PROPERTY
    Allow BUILTIN\Pre-Windows 2000 Compatible Access
                                          SPECIAL ACCESS for Account Restrictions  
    <Inherited from parent>
                                          READ PROPERTY
    Allow BUILTIN\Pre-Windows 2000 Compatible Access
                                          SPECIAL ACCESS for Logon Information  
    <Inherited from parent>
                                          READ PROPERTY
    Allow BUILTIN\Pre-Windows 2000 Compatible Access
                                          SPECIAL ACCESS for Group Membership  
    <Inherited from parent>
                                          READ PROPERTY
    Allow BUILTIN\Pre-Windows 2000 Compatible Access
                                          SPECIAL ACCESS for General Information  
    <Inherited from parent>
                                          READ PROPERTY
    Allow BUILTIN\Pre-Windows 2000 Compatible Access
                                          SPECIAL ACCESS for Remote Access Information  
    <Inherited from parent>
                                          READ PROPERTY
    Allow BUILTIN\Terminal Server License Servers
                                          SPECIAL ACCESS for accountExpires  
    <Inherited from parent>
                                          WRITE PROPERTY
    Allow BUILTIN\Terminal Server License Servers
                                          SPECIAL ACCESS for Terminal Server
    License Server   <Inherited from parent>
                                          WRITE PROPERTY
                                          READ PROPERTY
    Allow NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
                                          SPECIAL ACCESS for tokenGroups  
    <Inherited from parent>
                                          READ PROPERTY
    Allow NT AUTHORITY\SELF               SPECIAL ACCESS for Private Information   <Inherited from parent>
                                          WRITE PROPERTY
                                          READ PROPERTY
                                          CONTROL ACCESS
    Allow Everyone                        Change Password
    Allow NT AUTHORITY\SELF               Change Password
    Allow mydomain\Allow Reset Win Pwd    Reset Password   <Inherited from parent>
    Permissions inherited to subobjects are:
    Inherited to all subobjects
    Allow mydomain\Enterprise Admins      FULL CONTROL   <Inherited from parent>
    Allow BUILTIN\Pre-Windows 2000 Compatible Access
                                          SPECIAL ACCESS   <Inherited
    from parent>
                                          LIST CONTENTS
    Allow BUILTIN\Administrators          SPECIAL ACCESS   <Inherited from parent>
                                          DELETE
                                          READ PERMISSONS
                                          WRITE PERMISSIONS
                                          CHANGE OWNERSHIP
                                          CREATE CHILD
                                          LIST CONTENTS
                                          WRITE SELF
                                          WRITE PROPERTY
                                          READ PROPERTY
                                          LIST OBJECT
                                          CONTROL ACCESS
    Allow mydomain\Delegate-Join-Domain-Rights
                                          SPECIAL ACCESS for computer  
    <Inherited from parent>
                                          CREATE CHILD
    Allow Everyone                        SPECIAL ACCESS for computer   <Inherited from parent>
                                          CREATE CHILD
    Allow NT AUTHORITY\SELF               SPECIAL ACCESS for Private Information   <Inherited from parent>
                                          WRITE PROPERTY
                                          READ PROPERTY
                                          CONTROL ACCESS
    Inherited to group
    Allow NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
                                          SPECIAL ACCESS for tokenGroups  
    <Inherited from parent>
                                          READ PROPERTY
    Inherited to computer
    Allow NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
                                          SPECIAL ACCESS for tokenGroups  
    <Inherited from parent>
                                          READ PROPERTY
    Inherited to group
    Allow BUILTIN\Pre-Windows 2000 Compatible Access
                                          SPECIAL ACCESS   <Inherited
    from parent>
                                          READ PERMISSONS
                                          LIST CONTENTS
                                          READ PROPERTY
                                          LIST OBJECT
    Inherited to inetOrgPerson
    Allow BUILTIN\Pre-Windows 2000 Compatible Access
                                          SPECIAL ACCESS   <Inherited
    from parent>
                                          READ PERMISSONS
                                          LIST CONTENTS
                                          READ PROPERTY
                                          LIST OBJECT
    Allow BUILTIN\Pre-Windows 2000 Compatible Access
                                          SPECIAL ACCESS for Remote Access Information  
    <Inherited from parent>
                                          READ PROPERTY
    Allow BUILTIN\Pre-Windows 2000 Compatible Access
                                          SPECIAL ACCESS for General Information  
    <Inherited from parent>
                                          READ PROPERTY
    Allow BUILTIN\Pre-Windows 2000 Compatible Access
                                          SPECIAL ACCESS for Group Membership  
    <Inherited from parent>
                                          READ PROPERTY
    Allow BUILTIN\Pre-Windows 2000 Compatible Access
                                          SPECIAL ACCESS for Logon Information  
    <Inherited from parent>
                                          READ PROPERTY
    Allow BUILTIN\Pre-Windows 2000 Compatible Access
                                          SPECIAL ACCESS for Account Restrictions  
    <Inherited from parent>
                                          READ PROPERTY
    The command completed successfully

    I think this is a problem with the user object rather than the OU. Reasoning is that I can reset a password for a user in the same OU but not for another user in the same OU. Two users, same OU. I can reset one but not the other.
    Effective Permissions shows I am granted permission to do so.
    I believe the error was access denied when we tried to change the password via VBScript.
    @seansobey - I applied the delegation at an OU higher in the tree. I forget how I had it apply down the tree but I confirmed that the ACL is correct and applied to the user.
    @Travis Vogel - It looks like the user with this problem is a part of Domain Users. I think the ACL is applied to the user because it shows in the security window and effective permissions shows I have permission to reset the password. However, I see this other user is a part of the builtin user group and the problematic user account is not. I may try adding the problematic user account to that group and testing. It'll have to wait until tomorrow though.
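
One way to compare the two users' ACLs from saved `dsacls` output, as an added example that is not part of the original thread: it parses each listing into ACEs and reports which grants the working account has that the failing one lacks, and how many ACEs arrive by inheritance. The two sample listings are constructed, the function names are hypothetical, and the parser assumes dsacls's native layout (ACE lines at column 0, continuation lines indented).

```python
import re

# Constructed dsacls-style listings for two users (not the poster's real output).
WORKING = r"""Allow mydomain\Allow Reset Win Pwd    Reset Password   <Inherited from parent>
Allow NT AUTHORITY\SELF               Change Password
Allow BUILTIN\Pre-Windows 2000 Compatible Access
                                      SPECIAL ACCESS for Logon Information   <Inherited from parent>
                                      READ PROPERTY
The command completed successfully
"""
FAILING = r"""Allow NT AUTHORITY\SELF               Change Password
Allow BUILTIN\Pre-Windows 2000 Compatible Access
                                      SPECIAL ACCESS for Logon Information
                                      READ PROPERTY
The command completed successfully
"""
INHERITED = "<Inherited from parent>"

def parse_dsacls(text):
    """Parse dsacls output into a set of (type, trustee, right, inherited, perms)."""
    aces, cur = [], None
    for raw in text.splitlines():
        m = re.match(r"(Allow|Deny)\s+(.+)", raw)
        if m:  # new ACE: trustee and right are separated by two or more spaces
            trustee, _, rest = m.group(2).partition("  ")
            cur = {"type": m.group(1), "trustee": trustee.strip(),
                   "inherited": False, "lines": []}
            aces.append(cur)
        elif raw[:1].isspace() and cur:  # indented continuation of the current ACE
            rest = raw
        else:  # unindented header/footer or blank line ends the current ACE
            cur, rest = None, ""
        if cur and INHERITED in rest:
            cur["inherited"] = True
        rest = rest.replace(INHERITED, "").strip()
        if cur and rest:
            cur["lines"].append(rest)  # first entry is the right, the rest are permissions
    return {(a["type"], a["trustee"], (a["lines"] or [""])[0], a["inherited"],
             tuple(a["lines"][1:])) for a in aces}

def missing_on(working, failing):
    """(trustee, right) pairs present on `working` but absent from `failing`."""
    have = {(t, r) for _, t, r, _, _ in parse_dsacls(failing)}
    return sorted({(t, r) for _, t, r, _, _ in parse_dsacls(working)} - have)

def inherited_count(text):
    """Number of ACEs flagged as inherited from the parent container."""
    return sum(1 for ace in parse_dsacls(text) if ace[3])
```

Run `missing_on` with the listing of the account that can be reset first and the problematic account second; an `inherited_count` of 0 on the second means no ACE delegated higher in the tree is reaching that object.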

  • Looking for LA area user group

    Are there any user groups in the LA area? Google was no help, and what I did find were flakey groups that did not answer emails. I am looking for serious user groups in the LA area.
    Thanks :)

    Well, I was disappointed in the first one, as I received no response. The second lists the same groups, but I may contact the Orange County group. Thanks

  • Industry Standard for Adobe LiveCycle Users/Groups on AIX environments.

    I wanted to know if there is an industry standard for creating users/groups for Adobe LiveCycle in *NIX environments.
    What’s the usual set of users/groups created in most installations?
    wasadmin (Intended for WebSphere specifically),
    adbadmin (Intended for adobe specifically),
    cmadmin (Intended for correspondence management specifically)
    etc.

    Adobe Acrobat X Pro build 10.0.1
    Adobe Livecycle Designer ES2 build 9.0.0.2.20101008.1.734229
    I also have this issue.
    thanks
    WoWRonin

  • Generate trace file for a certain transaction

    Experts,
    I am trying to generate a trace file for a certain transaction for a period of time.
    I used tx st03 > transaction profile > double click on transaction and am able to get a list for the day. How do I set the date to generate for the month for example?
    Thanks,
    Iqbal

    Since you posted the question in the security forum, not the performance or platform forum, I guess you are looking for a system auditing function.
    Then SM19/SM20 might be the choice; you can read through
    http://help.sap.com/saphelp_nw70/helpdata/EN/c7/69bcb7f36611d3a6510000e835363f/frameset.htm
