Group Filtering

I have an LDAP and I am trying to set up the UCM so the roles get automatically set for new users by doing group filtering on LDAP groups. I have the following hierarchy in LDAP:
cn=grp2,cn=grp1,DC=DC4,DC=DC3,DC=DC2,DC=DC1
Now I have a role (in UCM) called "grp2" and whenever a new user logs into UCM, if the user is in grp2 in LDAP I would like that user to get the grp2 role assigned to him/her automatically. I've tried MANY different ways, by enabling group filtering/disabling it and then adding depth of 0, 1, 2 and played around with full group names, but I am just unable to parse the group names in LDAP to a role in UCM.
Maybe I am entering the Role Prefix wrong? I have tried the following Role Prefixes:
- cn=grp1, depth = 1
- cn=grp1, depth = 0
- cn=grp1, depth = 2
And many others which I don't remember now. But I would simply want to link the grp2 (LDAP) to grp2 (ROLE in UCM). Any help would be very much appreciated, thanks.

Hi TIM,
I use nested groups to get an account hierarchy, which means setting "use full group names" to yes and putting the user in whichever part of the hierarchy they belong.
I also use group filtering = yes to strip out all the hierarchy above and including the 'groups' container.
Sounds like you do not want users to have hierarchical accounts (like organisation/function/activity), so you want "use full group names" = NO?
Turning off use full names means that the group filtering will not have any effect (it only seems to allow you to include the prefixes in the account hierarchies if you want to use hierarchical accounts/roles).
The depth parameter tells the provider how far down the hierarchy to look... it will go down the depth value + 1, so if you specify 1, it will go down 2 branches from the root.
So I have set use full names = NO, use group filtering = YES (but I believe it makes no difference), and set my account prefix to
cn=Accounts,cn=Stellent[1]
I've put myself in group ENV, subgroup ENV\TST1 and subgroup ENV\ENVSUB (where \ indicates LDAP hierarchy). I look at my profile and have account ENV, TST1 and ENVSUB. If I change depth to 0 I just have ENV.
I recommend you set up a test branch of LDAP to play with and create test users to understand the behaviours... be prepared to be patient!

Similar Messages

  • What is the SYNTAX for the user and group filters??? Is the HTML Ampersand token Amper A m p semicolon required in the filter

    There seems to be quite a bit of confusion over the actual syntax for the user and group filters on the Forms Based Authentication LDAP role and membership providers. MSFT isn't really clear and there is a universal confusion in the blogosphere.
    In the filters, should the prefix be the ACTUAL ampersand or the HTML token for an AMPERSAND? I realize that in many cases the blogger might have inadvertently specified the HTML token when the bare naked ampersand was intended. The question therefore is: can a filter be taken directly from an ADSIEdit query and used as a filter, or must the filter be made HTML safe by swapping out the AMPERSAND with the HTML token for AMPERSAND before putting it into the configuration for the LDAP role/membership provider?
    All science is either physics or stamp collecting

    Hi GUYO,
    I am not quite sure how we implement this on sharepoint side, as I did research and sharepoint may not have this feature to do this.
    most of the LDAP for sharepoint may need to follow these steps in this article:
    http://technet.microsoft.com/en-us/library/ee806890(v=office.15).aspx
    http://blogs.msdn.com/b/sridhara/archive/2010/01/07/setting-up-fba-claims-in-sharepoint-2010-with-active-directory-membership-provider.aspx
    http://blogs.msdn.com/b/kaevans/archive/2013/01/31/configuring-ldap-for-fba-in-sharepoint-2010-or-sharepoint-2013-with-powershell.aspx
    here is an example :
    http://blogs.msdn.com/b/sharepoint__cloud/archive/2011/12/20/achieving-fba-with-adlds-amp-sharepoint-2010.aspx
    If this question is about the ADSIEdit part, perhaps you can help us by opening a new thread at the AD forum:
    https://social.technet.microsoft.com/Forums/en-US/home?category=windowsserver
    Regards,
    Aries
    Microsoft Online Community Support

  • Regarding Dynamic distribution Group filtering! - URGENT HELP

    Hello Friends,
    We have some employees in our company having a primary SMTP address as
    [email protected] as well as [email protected] as an alias name.
    I want to create a Dynamic distribution group using the recipient filter option. I have tried various options; nothing has worked. Can someone please help with how to do this?
    NOTE: I am able to filter using the EMC filter: using "emailadresses" + "contains" @company2.com.......
    Karthick

    Your requirement is unclear. Reply back with what you are actually looking for!
    If you want to use -RecipientFilter to create/manage Dynamic Distribution Groups, then below are a few links which have information about the values that you may use for -RecipientFilter:
    - Filterable properties for the -RecipientFilter parameter
    - Filters in recipient Shell commands
    - Using PowerShell to Manage Dynamic Distribution Groups and Recipient Filters in Exchange Server
    - Create Dynamic Distribution Groups Using Customised Filters
    M.P.K ~ ( Exchange | 2003/2007/2010/E15(2013))

  • OUD DPS alternative for DSEE Group Filters

    Hi,
    I would like to know what is an alternative for group dn filter within OUD DPS mode against DSEE DPS. How can we set up this functionality within OUD DPS mode, any pointers will be helpful. I would like to create a network group which will allow access to users having association to a particular group.
    Thanks.
    group-dn-filters                        :  cn= Access Group,ou=groups,o=example.com 
    group-search-bind-dn                    : uid=access-group-user,ou=People,o=example.com 

    Hi Sylvain,
    The use case is something like this :
    We've several LDAP Servers specially for reporting purpose, based on the functionality as listed below members of "cn= Access Group" group will have access to the LDAP Server only, any other users will be redirected to other connection handlers and a different ldap within dsee dps. The group bind dn user as listed below will verify the membership.
    Could you let me know how to accomplish this with Access Control as there will not be any re-routing among the Network Group if things are defined at the Access Level? Can we do this on OUD DPS level?
    group-dn-filters                        :  cn= Access Group,ou=groups,o=example.com
    group-search-bind-dn                    : uid=access-group-user,ou=People,o=example.com

  • ADFS Group Filtering not working

    Hello guys
    I have deployed ADFS on our company. It's working good. When I define ADFS claim it looks like this:
    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
     => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/claims/Group"),
    query = ";sAMAccountName,givenName,sn,mail,tokenGroups;{0}", param = c.Value);
    This works fine. I want to filter groups that are included in outgoing claim to just groups which start with string "SG". So I wrote custom ADFS rule:
    c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "(?i) ^SG*"]
    => issue(claim = c);
    But shit doesn't work for me. I still see all the groups in the outgoing claim (for example group Domain Users).
    Please, help me to find out what I'm doing wrong.
    Thank you,
    ---------- Ondrej Zilinec - Cievo ----------

    Thank you.
    I just found the solution. It should be "add" and not "issue" in the first claim rule:
    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
     => add(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/claims/Group"),
    query = ";sAMAccountName,givenName,sn,mail,tokenGroups;{0}", param = c.Value);
    ---------- Ondrej Zilinec - Cievo ----------
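
The behaviour behind this fix, as an added example that is not part of the original post: in the AD FS claim rule language, `issue` places claims in both the input and the output claim set, while `add` places them only in the input set, so a first rule that uses `issue` sends every group out before the filter rule runs. The Python model below is a simplification; the account name and group names are constructed, and the filter pattern is written without the space shown in the post, which is an assumption.

```python
import re

GROUP = "http://schemas.xmlsoap.org/claims/Group"
WINDOWS_ACCOUNT = ("http://schemas.microsoft.com/ws/2008/06/identity/"
                   "claims/windowsaccountname")

# Constructed sample data: group names a tokenGroups lookup might return.
SAMPLE_GROUPS = ["Domain Users", "SG-Finance", "sg-vpn", "Sales"]


def outgoing_groups(first_rule_action, group_pattern,
                    directory_groups=SAMPLE_GROUPS):
    """Model the two rules from the thread and return the distinct Group
    values that end up in the outgoing claim set.

    first_rule_action: "issue" (the original rule) or "add" (the fix).
    group_pattern:     regex used by the second rule's  Value =~ "..."  test.
    """
    if first_rule_action not in ("issue", "add"):
        raise ValueError("first_rule_action must be 'issue' or 'add'")

    # The pipeline starts with the account name from AD AUTHORITY
    # (constructed value).
    incoming = [(WINDOWS_ACCOUNT, r"EXAMPLE\alice")]
    outgoing = []

    # Rule 1: for the windowsaccountname claim, look up attributes in the
    # store. Only the Group claims are modelled here.
    for ctype, _ in list(incoming):
        if ctype != WINDOWS_ACCOUNT:
            continue
        for claim in [(GROUP, g) for g in directory_groups]:
            incoming.append(claim)        # both verbs feed later rules
            if first_rule_action == "issue":
                outgoing.append(claim)    # "issue" also emits immediately

    # Rule 2: c:[Type == Group, Value =~ pattern] => issue(claim = c);
    # =~ is a regex search, not a full-string match.
    matcher = re.compile(group_pattern)
    for ctype, value in list(incoming):
        if ctype == GROUP and matcher.search(value):
            outgoing.append((ctype, value))

    # Distinct values, sorted, so the two variants are easy to compare.
    return sorted({value for ctype, value in outgoing if ctype == GROUP})


if __name__ == "__main__":
    print("issue + (?i)^SG* :", outgoing_groups("issue", r"(?i)^SG*"))
    print("add   + (?i)^SG* :", outgoing_groups("add", r"(?i)^SG*"))
    print("add   + (?i)^SG  :", outgoing_groups("add", r"(?i)^SG"))
```

Note that `(?i)^SG*` means "S followed by zero or more G", so it also passes a group such as `Sales`; `(?i)^SG` matches only names that begin with SG. With `add` in the first rule, the other looked-up attributes also stay out of the token unless a later rule issues them.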

  • GPO Security Group filtering not working

    Hello all,
    DC: 2008R2 w SP1
    Client: W7 SP1
    Objective: Disable Removable Storage
    I can filter by individual user but not a security group (global). (Linked to both users and computers OU.) I checked and made sure the user (me) belongs to the group using the command whoami /groups. I checked the Delegation setting and made sure that the security group has the read and "apply" GPO checked. Also the Authenticated Users group has "read" allow.
    Any clues?
    Thanks

    Glad to hear this.
    Best regards,
    Frank Shen

  • Ciscoworks Group Filtering issue

    Hi
    We currently have an issue on LMS 3.1 whereby we have created a new group from within Common Services -> Group Admin.  We have given the group the following attributes:
    * Group Name: xyz
    * Membership Update:  Automatic
    * Visibility Scope: Public
    Within the rule expression we are trying to filter using:
    * Variable: ManagementIPAddress
    * Operator: range
    * Value: x.y.z.[0-255]
    This is accepted and moves onto the Membership screen.  At this point it lists under "objects from parent group:" all the devices stored in the DCR and not the devices that match the filter rule specified above.
    Is there something else we need to consider in order to get the filter to work as we would expect ?
    Many Thanks

    Nope, that rule looks okay.  Just make sure these devices have the correct management IP filled in within DCR.  If you are only using hostnames in DCR, then this rule will not match anything.

  • Windows Deployment Services 2012 - Driver Group Filters, does "Model" filter work?

    I have been trying to get the "model driver filter" working in Windows Deployment Services 2012 however so far haven't had any luck. I am trying to build a HP Elitebook 840 G1.
    To get the exact model name I'm running msinfo32.exe or wmic computersystem get model which return the same output.
    Looking at other forum posts this seems to be a common problem, has anyone found a solution as none of the posts give any solution?

    Hi ClaytonSJ,
    Please first confirm you have chosen the corresponding WinPE, and you can refer to the following same-scenario driver pack settings and compare your settings.
    The related information:
    Managing and Deploying Driver Packages
    https://technet.microsoft.com/en-us/library/dd348456(v=ws.10).aspx
    Geek of All Trades: Get to that Single Image
    https://technet.microsoft.com/en-us/magazine/hh241327.aspx
    I’m glad to be of help to you!

  • Grouping of Filters

    Hello All,
    We have a requirement that a group of multiple filters should be applied in a report. For instance, we have a report with one customer and Amount Sales, Net Sales, Target Sales.
    Our requirement is that if all the measure columns are zero or null then the row should be filtered out. But when any one of the measures has a value and the others are null, the row should appear. This means we need to group filters for three measures where the measures are 0 or null; only when this condition is satisfied does the row need to be filtered.
    Example:
    Customer   Amount Sales   Net Sales   Target Sales
    x          10             20          30
    y          12             0
    z          0              0           0
    k          0                          0
    In the above records I need to filter out the 3rd and 4th rows, which contain all zero or null. But the second row should not be filtered out.
    I have tried grouping of filters but it's filtering out the rows with any of the measures having zero, i.e., in the above example it's filtering out the second row also. That should happen.
    Help/Suggestion would be highly appreciable. Thanks

    Hi,
    Try to create a filter with one column and then check the option convert this filter to SQL and click OK. Then you can input your SQL code to do what you want.
    Hope that helps!

  • Windows Deployment Services 2012 - Driver Group filter by Model value not working - Drivers are not installed!

    Hi,
    I'm using Windows Deployment Services 2012 to deploy Windows 7 Pro x64 driverless images to different hardware models (drivers are injected using WDS). I have already organized the drivers in driver groups per hardware model. I'm experiencing driver conflicts so I decided to start using driver group filters to make sure that the driver groups are only available for the corresponding hardware model.
    To get the correct values for the filters I have used the following method (as described in this article: http://technet.microsoft.com/en-us/library/dd759191.aspx):
    so I checked msinfo32.exe
    (System Manufacturer: Dell Inc.     System Model: OptiPlex 790)
    and set these values in the driver group filter:
    Then fired up WDS using PXE booting on my OptiPlex but when finished: No drivers are installed! I investigated further and found on forums to use the following commands (which return the same values btw):
    wmic bios get manufacturer      
    (returns: Dell Inc.)
    wmic computersystem get manufacturer
    (returns: Dell Inc.)
    wmic computersystem get model
    (returns: OptiPlex 790)
    Values are the same so no problem there.
    Then I checked the output of the following commands: 
    wmic bios get model (returned: error, invalid query)
    wmic bios get /all (returned: all kind of information but no model value)
    When I remove the value "OptiPlex 790" from the filter list the drivers are installed correctly. So this has to be some problem with the Model value.
    Could someone please help me?
    As a workaround I now disable all the driver groups except the one that I need for the hardware. But as more new hardware models are added this is a lot of work to do every time.
    Extra info:
    I'm using a WINPE 4.0 image (windows 7 media boot.wim file). 6.1.7.601
    Windows Server version: Windows Server 2012 - version 6.2 (Build 9200) - All Windows updates are installed
    Windows Deployment Services version 6.2.9200.16384
    Having this problem on multiple systems
    Questions:
    - Does WDS/WinPE use only the BIOS values for determining system info? (then this problem could be with Dell in this example, because no model value is available)
    - Is this the correct way to set up driver group filters? (then this is a problem with MS. Does anyone have solution??)
    Thank you for your answers & help!

    Hi Microsoft,
    I still have no answer to my Questions.
    Thank you for your answers & help!

  • Wallpaper GPO + Loop-back Merge mode+ security filtering. issue

    I have deployed a loopback Merge Mode GPO to set wallpaper for all users who logon to specified workstations. And you have set security filtering just allow workstations in specified group can apply this GPO. Then you doubt whether user can apply user configuration
    in the loopback GPO because they don’t in your security filtering allow list.
    So I think why not add “Domain Users” group to security filtering. Then all domain users have both Read and AGP (Apply Group Policy) permission for user configuration in the loopback GPO.
    Loopback GPO only takes effect on computer objects in your specified OU, and your workstation group security filtering control apply scope, then “Domain Users” security filtering grant permissions for all users.
    ========================issue is below================
    Now the GPO is applying to other workstations which are not part of the group filtered in the GPO.
    It's random, but not for all workstations.
    Workstations are XP operating systems.

    "Domain Users" or I would prefer "Authenticated Users" should only have Read, Not Apply Policy. 
    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

  • NO 11g "Manage Filters" Online Layout "OR" filter operator!?

    Hey guys,
    I realize this is a totally n00b question about the BIP 11.1.1.5 Online Layout editor (for Interactive layout mode). I've created a complex P&L financial statement report in BIP using a Word RTF template, and I'd like to try to retool it into the online layout editor for possibly easier maintainability.
    But I'm coming up against what looks like a fundamental limitation and problem to me in the online layout editor. I'd like to create either a Repeating Section object or a Data Table object that will display values if a few certain values are found in the data. So, I want my filter to do something like this (to display the section or table):
    If Group = 'ABC'
    If Group = 'XYZ'
    Problem is, in my "Manage Filters" window, I need to be able to supply an "OR" filter operator between those two lines! It's an implicit "AND" operator between them apparently.
    I would gladly use an "IN" operator instead of "=" if it existed, but alas, I don't see that option either in my Manage Filters controls.
    Has anyone else come up against this in the 11g online layout editor for interactive mode output? Am I missing something totally obvious here that's right under my nose and I just can't seem to see it or find it?
    Thanks,
    Jeremy

    Hi BIPuser,
    Thanks so much for the reply; sorry for the delay in getting back to you. I believe you are referring to the group filter functionality on the data model itself, correct? If so, that's a good thought and maybe I can use that approach, but it means I would have to potentially break up my "master" data set into many, many copies to get this "OR" like functionality.
    For example, suppose I had 26 groups, groups A-Z that I wanted to show together in different report sections in my final layout. So I want A&B, C&D, E&F, etc. Instead of having one master data set with report-level grouping that way, I guess I'd have to break my data model into 13 different data sets, each one group filtered for A&B, C&D, E&F, etc, right?
    That approach seems to involve a lot more setup and data set maintenance, when all I really want is just an "OR" ability in the report layout designer itself. Something exactly like OBIEE provides in the filter section in the Criteria tab of a BI Analysis (when developing a query there).
    Now that I say that, maybe I can extend my OBIEE BI Analysis (I'm using that as the basis for my source), and perhaps I could create a new A&B, C&D, etc grouping column there to "bucket" my data together into a single data group to work around the online layout limitation of not having an "OR" filter operator available. Or, like you mentioned, I could even use the "Add Element by Expression" option in the data model itself if I wanted to manage it from there instead of OBIEE.
    I still say it would be easier if they would just give us a filter "OR" ability in the "Manage Filters" dialog in the layout editor. :)
    Thanks again BIPuser!
    Jeremy

  • Pulling groups from MSAD in WebLogic

    The security structure I am pulling from uses OU. I have the following:
    GroupBaseDN: OU=SecurityGroups,DC=lab,DC=com
    All Group Filters: ou
    Group from name filter: ou
    Static Group Name Attribute: ou
    Dynamic Group Name Attribute: ou
    I am not able to pull groups in from MSAD, so obviously something is incorrect.

    Duplicate question
    Pulling groups from MSAD in WebLogic
    J.A.M... Please close this one to prevent people replying to it.

  • Help with dynamic distribution group exclusion

    Hi all,
    Having a strange trouble with a dynamic distribution group filtering on the user being a member of a particular group
    Recipient Filter  is:
    ((((((((RecipientType -eq 'UserMailbox') -and (-not(Title -like '[]*')))) -and (MemberOfGroup -ne 'CN =ExcludeFromMoitorigList,OU=Mail Redirect,OU=System Accounts,OU=New Objects,DC=test,DC=local'))) -and (-not(UserAccountControl -eq 'AccountDisabled, NormalAccount, DoNotExpirePassword')))) -and (-not(Name -like 'SystemMailbox{*')) -and (-not(Name -like 'CAS_{*')) -and (-not(RecipientTypeDetailsValue -eq 'MailboxPlan')) -and (-not(RecipientTypeDetailsValue -eq 'DiscoveryMailbox')) -and (-not(RecipientTypeDetailsValue -eq 'ArbitrationMailbox')))
    If I make a preview of this distribution list I get the expected result. Users included in the ExcludeFromMoitorigList group don't appear. But they continue to receive emails sent to the dynamic distribution group.
    Any help is much appreciated

    I'm not sure what all of the settings you are adding are for, but operating under the assumption that they are necessary, try this:
    ((((RecipientType -eq 'UserMailbox') -and (-not(Title -like '[]*')) -and (-not(MemberOfGroup -eq 'CN =ExcludeFromMoitorigList,OU=Mail Redirect,OU=System Accounts,OU=New Objects,DC=test,DC=local')))) -and (-not(UserAccountControl -eq 'AccountDisabled, NormalAccount, DoNotExpirePassword')))
    If that doesn't work, try this:
    ((RecipientType -eq 'UserMailbox') -and (-not(Title -like '[]*')) -and (-not(MemberOfGroup -eq 'CN =ExcludeFromMoitorigList,OU=Mail Redirect,OU=System Accounts,OU=New Objects,DC=test,DC=local')) -and (-not(UserAccountControl -eq 'AccountDisabled, NormalAccount, DoNotExpirePassword')))
    FYI, the reason for those suggestions is because I got this working on Exchange 2013 running on Server 2012 Datacenter by taking the existing RecipientFilter and adding the -not MemberOfGroup section, but noticed that all of this was then duplicated:
    -and (-not(Name -like 'SystemMailbox{*')) -and (-not(Name -like 'CAS_{*')) -and (-not(RecipientTypeDetailsValue -eq 'MailboxPlan')) -and (-not(RecipientTypeDetailsValue -eq 'DiscoveryMailbox')) -and (-not(RecipientTypeDetailsValue -eq 'PublicFolderMailbox')) -and (-not(RecipientTypeDetailsValue -eq 'ArbitrationMailbox'))
    As such, I re-created it without that, and that's what I've done with your string.  I also changed the -ne to a -not(-eq) and in the second example, got rid of some extra parenthesis that I'm not sure you need.
    Also, note that in my working scenario, I used this command and put the filter I was setting where I have indicated <filter> (I left the double quotes in the command):
    Set-DynamicDistributionGroup -Identity <Group> -RecipientFilter "<filter>"

  • Users and Group Owners are unable to see their groups

    Hello all,
         I have an issue where security group owners are unable see/read any groups that they own. I have enabled the following  MPR's but still nothing please help.
    Group management: Group administrators can create and delete group resources
    Group management: Group administrators can read attributes of group resources
    Group management: Group administrators can update group resources
    Security group management: Owners can read selected attributes of group resources
    Security group management: Owners can update and delete groups they own
    Security group management: Users can read selected attributes of group resources
    Also when a user logs into the portal they are unable to see any Security groups listed under MY SG Membership. However when we check the group membership they are indeed part of the group both in FIM portal and AD.

    The reason might be that users don't have access to group objects at all or are not able to read some of the attributes of a group. Also make sure that the BasicUI keyword was added to the specific elements of UI used in group management - this includes navbars but also search scopes which are used for group filtering.
    On the MPRs side:
    Make sure that your Security group users set was not modified - maybe people are filtered out from these MPRs.
    Use explore function in MPR  part of a portal to check what actual MPRs are being triggered when user tries to access group object. 
    Tomek Onyszko, memberOf Predica FIM Team (http://www.predica.pl), IdAM knowledge provider @ http://blog.predica.pl

    Hi Tomek,
    Which attributes must a user be able to read in order for this to work? If possible can you provide me with a full list so I can verify that they do have rights to read them.
    I have added the keyword BasicUI to the following sections:
    Under Home Page Resource
    Join a SG
    Manage my SGs
    Search Scopes
    Security Groups (SGs)
    See my SG memberships
    Under Navigation Bar Resource
    My SG Memberships
    My SGs
    Security Groups (SGs)
    As for the security group users set, I have modified it to allow all domain users to be part of this set. When I click View Members all users are listed. 
    "Use explore function in MPR  part of a portal to check what actual MPRs are being triggered when user tries to access group object. "  How would somebody go about doing this?
