Group membership from AD

Does anybody have any advice on how to properly set up a LiveCycle domain to allow group membership to work correctly?
Our domain appears to be properly configured to retrieve our users and groups from Active Directory through LDAP. However, groups are not properly populated with users, and users are not properly associated with groups.
For example, if I bring up a user in AdminUI > Settings > User Management > Users and Groups, it only shows them as being a member of "All principals in domain..." and "All Principals."
Likewise, if I bring up a group known to have members in "Users and Groups," it appears to be empty.
However, if I execute the following query against the MySQL database, which would appear to display the groups of which a given user is a member, I see the expected groups listed.
    -- child principal (user) name, parent principal (group) name
    SELECT edcprincipalentity.commonname, edcprincipalentity_1.commonname
    FROM (edcprincipalgrpctmntentity
          INNER JOIN edcprincipalentity ON
               edcprincipalgrpctmntentity.refchildprincipalid = edcprincipalentity.id)
          INNER JOIN edcprincipalentity AS edcprincipalentity_1 ON
               edcprincipalgrpctmntentity.refparentprincipalid = edcprincipalentity_1.id
    WHERE edcprincipalentity.commonname LIKE '%name%';
We have a turnkey installation, and below are our installed component versions:
JMX Monitor v1.0 patch N/A
Adobe LiveCycle Forms v7.2.0 patch 1
Adobe LiveCycle Workflow v7.2.1 patch 1
Adobe LiveCycle Form Manager v7.2.0 patch 1
User Management v1.23.0 patch N/A
Thanks for any assistance you can provide.

The key to resolving this issue was the following error in the log:
[com.adobe.idp.um.provider.directoryservices.LDAPDirectoryGroupProviderImpl] errorCode:8193 errorCodeHEX:0x2001 message:retrieving record value chainedException:javax.naming.CommunicationException: xxx.xxx.xxx:389 [Root exception is java.net.BindException: Address already in use: connect]chainedExceptionMessage:xxx.xxx.xxx:389 chainedException trace:javax.naming.CommunicationException: xxx.xxx.xxx:389 [Root exception is java.net.BindException: Address already in use: connect]
The resolution was editing the Windows registry to allow more open ports, per http://support.microsoft.com/kb/196271/EN-US/ .

Similar Messages

  • Getting list of all users and their group memberships from Active Directory

    Hi,
    I want to retrieve a list of all the users and their group memberships through JNDI from Active Directory. I am using the following code to achieve this:
    ==================
    import javax.naming.*;
    import javax.naming.directory.*;
    import java.util.Hashtable;

    public class GetUsersGroups {
        public static void main(String[] args) {
            String[] attributeNames = {"memberOf"};
            // environment for the initial directory context
            Hashtable<String, String> env = new Hashtable<String, String>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, "ldap://172.19.1.32:389/");
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, "[email protected]");
            env.put(Context.SECURITY_CREDENTIALS, "p8admin");
            try {
                // Create the initial directory context
                DirContext ctx = new InitialDirContext(env);
                // get all the users list and their group memberships
                NamingEnumeration<NameClassPair> contentsEnum = ctx.list("CN=Users,DC=filenetp8,DC=com");
                while (contentsEnum.hasMore()) {
                    NameClassPair ncp = contentsEnum.next();
                    // name is relative to the listed container, e.g. "CN=Administrator"
                    String userName = ncp.getName();
                    System.out.println("User: " + userName);
                    try {
                        System.out.println("am here....1");
                        // only asked for one attribute so only one should be returned
                        Attributes attrs = ctx.getAttributes(userName, attributeNames);
                        System.out.println("am here....2");
                        Attribute groupsAttribute = attrs.get(attributeNames[0]); // memberOf
                        if (groupsAttribute != null) {
                            System.out.println("-----" + groupsAttribute.size());
                            // memberOf is a multi valued attribute
                            for (int i = 0; i < groupsAttribute.size(); i++) {
                                // print out each group that user belongs to
                                System.out.println("MemberOf: " + groupsAttribute.get(i));
                            }
                        }
                    } catch (NamingException ne) {
                        // ignore for now
                        System.err.println("Problem encountered....0000:" + ne);
                    }
                    // get all the groups list
                }
                ctx.close();
            } catch (NamingException e) {
                System.err.println("Problem encountered 1111:" + e);
            }
        }
    }
    =================
    The following exception gets thrown at every user entry:
    User: CN=Administrator
    am here....1
    Problem encountered....0000:javax.naming.NamingException: [LDAP: error code 1 -
    000020D6: SvcErr: DSID-03100690, problem 5012 (DIR_ERROR), data 0
    ]; remaining name 'CN=Administrator'
    I think it gets thrown at this line in the code:
    Attributes attrs = ctx.getAttributes(userName, attributeNames);
    Any idea how to overcome this and where am I wrong?
    Thanks in advance,
    Regards.

    In this sentence:
    Attributes attrs = ctx.getAttributes(userName, attributeNames); // only asked for one attribute so only one should
    It seems Ok when I add "CN=Users,DC=filenetp8,DC=com" after userName, just as
    userName + ",CN=Users,DC=filenetp8,DC=com"
    But I still have some problem with it.
    Hope it will be useful for you.

  • Group membership redirect with AD LDS

    I have my LDS instance synchronized with my AD environment. I am only synchronizing objectClass=user. I am creating userProxyFull objects on the LDS side. Authentication is working as I have tested authenticating with an AD user to LDS.
    My application person would like to query group membership, that is the group membership that exists in AD. Is it possible to redirect group membership queries so that the group membership information from AD is provided to the application that is using
    the userProxyFull object in LDS?
    Thanks,
    Paul

    Hi,
    why do you need userProxy and AD LDS, is it that the application can only support LDAP simple bind or that you need a form of distinguishedName other than that in your AD or that the application cannot reach your DCs?
    To do Authorization, if you have ruled out having the application query AD DCs, your options are:
    [1] have the application maintain an Authorization database and sync that from your AD or provisioning system if you really need it to follow AD group membership
    [2] use adamsync to sync the groups as well as doing the userProxy transform, something like:
            <object-filter>(|(objectClass=user)(objectClass=group))</object-filter>
            <attributes>
                <include>objectSID</include>
                <include>member</include>
                <exclude></exclude>
            </attributes>
    it would be best to spin up another AD LDS instance to try this against. You then need to test adding and removing users from the AD groups and check that those changes sync. This might work but unfortunately the more creative you get with object-filter in adamsync, the more surprising the results tend to be.
    [3] a variation on [1], ldif export your group memberships from AD and import into AD LDS (distinguishedName re-writing may be required)
    [4] have the application bind with the userProxy credentials to the rootDSE of the AD LDS instance and read tokenGroups to get a list of SIDs that you then need to resolve into groups (I mention this for completeness but it's possibly more complex application development than you would want to do...)
    Other options are:
    use a virtual directory tool
    use a different sync tool e.g. FIM or Quest One Connect (disclaimer: I have never used the latter)
    review the application to see if direct AD DC access is possible.
    Lee Flight

  • Get AD group membership doesn't work for global groups

    I want to pull the group membership for OBIEE directly from AD.
    This has been covered in many blogs and forums, no problem, I've found some user created functions - basically all of it uses
    DBMS_LDAP package methods
    with one exception that additionally to it also uses
    DBMS_LDAP_UTL.get_group_membership
    ALL THOSE functions work BUT I've verified it with the actual group membership from AD or adfind tool (http://www.joeware.net/freetools/tools/adfind/index.htm)
    The list returned by Oracle packages doesn't match, or to be exact only partially matches the factual AD list.
    I've done some research and found there are three types used for defining group's scope by AD:
    Domain Local, Global, or Universal
    (http://technet.microsoft.com/en-us/library/cc755692(WS.10).aspx)
    leaving the first one out of the scope as we don't use it
    - I've verified and found ALL missing ONES are defined as GLOBAL
    All the Oracle functions I've found correctly pull only UNIVERSAL group memberships and none of the GLOBAL ones
    Microsoft documentation says that both of them (Universal and Global) have forest-wide visibility....
    and so AdFind can list both..
    so why does Oracle limit the search to UNIVERSAL ones only?
    Maybe it's a matter of initializing those DBMS_LDAP packages differently or passing slightly different parameters??
    I've really tried a lot of this code in different combinations but no joy
    Has anyone got some ideas?

    ...I try to block the usage of the command prompt only on this server.
    I have the same question as jrv: Why? It doesn't increase security. The command prompt is a program, not a security boundary.
    Disabling the command prompt does NOT increase security
    -- Bill Stewart [Bill_Stewart]

  • AD Group Membership revoked on adding new group through role and acespolicy

    Hi all,
    When a user is created in OIM, it is provisioned with a Default Role, say CONTRACTS, which will provision an AD Account and a default AD group membership.
    When I assign a new role membership, say BILLING, to assign additional AD group memberships through access policies, it is removing the default AD group membership from the user. But the user still has both the roles CONTRACTS and BILLING.
    The ootb AD task, remove user from group, is triggered.
    The problem is happening only in the Testing environment.
    In the development environment it is working fine.
    It is not removing the default group memberships.
    Any ideas or thoughts on what I need to check?
    My OIM server is 11.1.1.3.0, with WebLogic setup.
    Edited by: Venu on Dec 2, 2011 1:06 PM

    Do one thing:
    Take New User
    Assign First BILLING
    Assign Second Group
    And then ASSIGN CONTRACT
    Update the results.
    It is happening in one env so you might have done some configuration or it could be env issue as well.

  • Scripting Group membership

    I have an ODM that has just been added to AD. I have OD groups that I now need to add AD members to, to push MCX down to my clients; the problem is that if I do it from WGM I'm only able to do one member at a time. This is not so bad when I have to do it to groups with about ten members, but it gets REALLY boring when I have groups with a large number of users. Seems this would be a great task to do from a script; has anyone done this or could lead me to some info on how to do it?

    Thanks for the reply.
    Will dseditgroup work with AD? After reading the man page for it I tried,
    dseditgroup -o read -n /Active\ Directory/All\ Domains/ testgroup
    *testgroup= Group we created in AD with about five users in it.
    After I hit enter the shell returns with nothing, not even an error. Do I have the syntax wrong, or can I not use dseditgroup to read group membership from an AD group?

  • AD account used for running SIA locked during group membership querying

    Hello,
    I have code that is querying user / group membership from the BOE repository using the Java Enterprise SDK.  When running against an environment using an AD service account to run the SIA, an error is thrown and the AD account is subsequently locked when I execute my code.  The error is as follows:
    com.crystaldecisions.sdk.exception.SDKServerException: The Active Directory Authentication plugin failed to verify the currently specified administration credentials required to connect to Active Directory. Please contact your system administrator. 
    cause:com.crystaldecisions.enterprise.ocaframework.idl.OCA.oca_abuse: IDL:img.seagatesoftware.com/OCA/oca_abuse:3.2
    detail:The Active Directory Authentication plugin failed to verify the currently specified administration credentials required to connect to Active Directory. Please contact your system administrator. 
    The server supplied the following details: OCA_Abuse exception 10505 at [.\exceptionmapper.cpp : 79]  50068 { ,  , secWinAD}
         ...The Active Directory Authentication plugin failed to verify the currently specified administration credentials required to connect to Active Directory. Please contact your system administrator.   Plugin error: SecWinAD Error: an error occurred in CADCredentialManager::SwitchSecurityContexts().
    If the account is successfully running the SIA, I'm not understanding why this message is being thrown.  Also - I'm assuming some internal login is happening with this AD account when I query for group membership (?), as I am able to query for other types of metadata without error / locking the account.  Based on the error thrown, the authentication with this ID is failing, and is probably being attempted multiple times, resulting in the account being locked?  Can anyone provide insight here?
    Thanks...

    Ted is right on the mark with this one.
    The cause is outlined in the exception indicating a problem with the SwitchSecurityContexts() function.  The Active Directory plugin requires a set of credentials with which to connect to Active Directory and perform any necessary lookups.  Therefore, the issue is not with the account running your SIA (and by extension your CMS), but the Active Directory administration credentials you've set on the plugin (either via the CMC or through code).  When the CMS tries to impersonate, or switch security context to the other account, it fails to authenticate against Active Directory.
    Check to make sure this property is set identically to the account running the SIA, and like Ted said, that you can successfully update the plugin via the CMC.
    Thanks,
    Jim

  • Com.apple.alf.plist file keeps changing group membership

    Hey All, I've read several discussions about this issue.  The com.apple.alf.plist file keeps changing group membership from admin to wheel.  Disk Utility repair changes the group membership to admin but it will change back to wheel during normal use of the computer, it seems that accessing systempreferences.app and security preferences will change the group to wheel. 
    I don't really want to get into a discussion about the wheel account, unless necessary, but since this is a very important system settings file I'd like it to work correctly.  I have noticed several issues with the firewall not responding as expected such as turning off by itself, and app settings changing or disappearing from the security preference pane.  So, I have deleted the plist file and restarted as recommended on other discussions but the issue always returns during normal use.  I think it might be the application owning the plist file causing the issue, but I am not sure which one owns the plist file.  I assume it would be systempreference.app since I think it is a firewall plist file. The permissions for systempreferences.app is strange also; 
    - everyone - custom
    - system    - read/write
    - wheel      - read/write
    - everyone  -read
    This may be the culprit but I tried to make a minor change, so as not to mess up the operating system, and disk utility repair permissions just puts it back the way it was.   Any ideas about this would be very appreciated.
    Note:  I have done a complete system reinstall and the issue still returns.

    OK, since I haven't gotten any responses about this it must be a complicated issue.  Just as a quick check, could some of you good people out there look at the "Get Info" window for the systempreferences.app and see if your permissions look like mine?  I'm still having trouble with the firewall settings not acting as expected, such as apps and processes that I have approved/denied connection access not showing up in the firewall pane of system preferences and having to reapprove each startup.  Thank you in advance for any help on this.

  • AD Group Membership with User From Domain Outside of Forest

    Here's one to twist your brain around -
    I have kerberos authentication using Active Directory working between a client's web browser and my web-app hosted in JBoss. I also have limited authorization working by checking group memberships using LDAP. This currently only works if all users are in the same domain. The ever-helpful adler_steven has detailed in another thread (http://forum.java.sun.com/thread.jspa?threadID=603815&tstart=15) how to do a group membership check for all Users/Groups in a single forest using the Global Context.
    I need to go beyond the domain and even beyond the forest and try to authorize a user from a trusted domain by checking if the user is a member of a group in my domain. Authentication works fine using kerberos. It's the authorization by group check I am having trouble with. I believe there are two ways to approach this:
    Approach #1
    Access the MS-specific PAC in the kerberos token from the client to get the group SIDs. The structure of the PAC is nicely defined in this article: http://appliedcrypto.com/spnego/pac/ms_kerberos_pac.html. However, I have no idea how to access the decrypted token. I pass the encrypted token that I receive from the browser to myGssContext.acceptSecContext(...) to complete the authentication.
    Question: Does anyone know how to get the decrypted kerberos ticket from there, specifically the authorization-data field?
    Approach #2
    Try to walk through the Active Directory structures in both domains using LDAP. In the domain group that I am checking, I can see a member attribute that references a foreignSecurityPrincipal object. The CN of this object happens to be the objectSID of the user I am looking for in the remote domain. Unfortunately, I have to check the remote domain server directly to verify that. The foreignSecurityPrincipal object itself does not contain any hint about what user it refers to aside from the SID (no originalDomainName attribute or something similar). It is feasible that I could walk the chain of references back to the remote domain AD server. That would require that my configuration include a list of remote domain servers to check (since I could have users from multiple trusted domains) and that my JBoss server have access to those servers.
    Question: Does anyone know of some other LDAP-related way of finding information about a user from a remote, trusted domain without having to hit the server for that domain directly?
    adTHANKSvance
    Eric

    You should be able to work back from the foreignSecurityPrincipal object :-) He says with a wry smile..
    This post prompts me to think whether one day someone will draw the entity relationship diagram for AD. Oh well, I've been procrastinating for years, a few more won't hurt !
    If it was a user from within the same forest, you should just be able to perform a search against a GC using the objectSID as the search filter. I've forgotten, but I don't think they will be represented as foreign security principals.
    Have a look at the post titled JNDI, Active Directory and SID's (Security Identifiers) available at
    http://forum.java.sun.com/thread.jspa?threadID=585031&tstart=150 that describes how to search for an object based on their SID.
    Now if it is a user from another forest, with which you have a trust relationship, then we begin the navigation exercise.
    You'll need to obtain the user's SID (either from the cn or from the objectSID attributes) from the foreignSecurityPrincipal object. For example
        CN=S-1-5-21-3771862615-1804478405-1612909269-2143,CN=ForeignSecurityPrincipals,DC=antipodes,DC=com
        objectSID=S-1-5-21-3771862615-1804478405-1612909269-2143
    Then obtain the domain RID, eg.
        S-1-5-21-3771862615-1804478405-1612909269
    Next you will have to recurse each of the crossRef objects in the Partitions container, in the configuration naming context (which you will find listed in the RootDSE). The crossRef objects that represent trusted domains or forests will have values for their trustParent attributes. A sample query would be something like
        //specify the LDAP search filter
        String searchFilter = "(&(objectClass=crossRef)(trustParent=*))";
        //Specify the Base for the search
        String searchBase = "CN=Partitions,CN=Configuration,DC=antipodes,DC=com";
    For each crossRef object, you can then use the dnsRoot attribute to determine the dns domain name of the forest/domain (if you want to later use dns to search for the dns name, ip address of the domain controllers in the trusted domains/forests), and then use the nCName attribute to determine the distinguished name of the trusted forest/domain.
        dnsRoot = contoso.com
        ncName = dc=contoso,dc=com
    Perform another bind to the ncName for the trusted domain/forest and retrieve the objectSID attribute, which will be the domain's RID. You may want to cache this information as a lookup table to match domain RID's with domain distinguished names and dns names.
        String ldapURL = "ldap://contoso.com:389";
        Attributes attrs = ctx.getAttributes("dc=contoso,dc=com");
        System.out.println("Domain SID: " + attrs.get("objectSID").get());
    Once you find out which domain matches the RID for the foreignSecurityPrincipal, you can then perform a search for the "real user". And then finally you should have the user object that represents the foreign security principal!
    Just one thing to note. Assume that CONTOSO and ANTIPODES are two separate forests. If you bind as CONTOSO\cdarwin against the CONTOSO domain, the tokenGroups attribute (which represents the process token) will contain all of the group memberships of Charles Darwin in the CONTOSO domain/forest. It will not contain his memberships, if any, of groups in the ANTIPODES forest. If Charles Darwin accesses a resource in ANTIPODES, then his process token used by the ANTIPODES resource will be updated with his group memberships of the ANTIPODES forest. Also you can have "orphaned foreign security principal", where the original user object has been deleted!
    BTW, If I was doing this purely on Windows, IIRC, you just use one API call DsCrackNames, to get the "real user", and then the appropriate ImpersonateUser calls to update the process token etc..
    Good luck.
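    The SID handling the reply above describes, as an added Python example (not code from this thread or any of its posters): pull the SID out of the foreignSecurityPrincipal RDN, strip the RID to get the issuing domain's SID, look that up in the table the crossRef/nCName walk would have built, and produce the escaped binary objectSid filter for the final search in that domain. The DOMAIN_TABLE, and the assignment of the sample SID's domain to contoso.com, are constructed for this example; objectSID is a binary value in AD, so the decoder is what you need before comparing it with the string form.

    ```python
    import struct

    # Sample foreignSecurityPrincipal DN from the reply above (ANTIPODES forest).
    FSP_DN = ("CN=S-1-5-21-3771862615-1804478405-1612909269-2143,"
              "CN=ForeignSecurityPrincipals,DC=antipodes,DC=com")

    # What the crossRef walk would collect per trusted domain: its decoded
    # objectSID -> dnsRoot and nCName. Constructed for this example; the link
    # between this domain SID and contoso.com is an assumption, not a fact from the thread.
    DOMAIN_TABLE = {
        "S-1-5-21-3771862615-1804478405-1612909269": {
            "dnsRoot": "contoso.com", "nCName": "dc=contoso,dc=com"},
    }


    def sid_bytes_to_string(raw):
        """Decode the binary objectSID AD returns over LDAP into S-1-5-... form.

        Layout: revision (1 byte), sub-authority count (1 byte), 48-bit identifier
        authority (big-endian), then 32-bit little-endian sub-authorities.
        """
        if len(raw) < 8:
            raise ValueError("SID too short")
        revision, count = raw[0], raw[1]
        if revision != 1 or len(raw) != 8 + 4 * count:
            raise ValueError("malformed SID")
        authority = int.from_bytes(raw[2:8], "big")
        subs = struct.unpack("<%dI" % count, raw[8:])
        return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


    def sid_string_to_bytes(sid):
        """Inverse of sid_bytes_to_string; needed to search on the binary objectSid."""
        parts = sid.split("-")
        if len(parts) < 3 or parts[0] != "S":
            raise ValueError("not a SID string: %r" % sid)
        revision, authority = int(parts[1]), int(parts[2])
        subs = [int(p) for p in parts[3:]]
        return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
                + struct.pack("<%dI" % len(subs), *subs))


    def objectsid_filter(sid):
        """LDAP filter matching a binary objectSid, each byte escaped as \\xx (RFC 4515)."""
        return "(objectSid=%s)" % "".join("\\%02x" % b for b in sid_string_to_bytes(sid))


    def sid_from_fsp_dn(dn):
        """The RDN of a foreignSecurityPrincipal object is the SID of the foreign object."""
        attr, _, value = dn.split(",", 1)[0].partition("=")
        if attr.strip().lower() != "cn" or not value.startswith("S-1-"):
            raise ValueError("not a foreignSecurityPrincipal DN: %r" % dn)
        return value


    def split_domain_sid(sid):
        """Strip the RID (last sub-authority) -> (issuing domain SID, RID)."""
        domain_sid, _, rid = sid.rpartition("-")
        return domain_sid, int(rid)


    def resolve_fsp(dn, domain_table):
        """Work out which trusted domain a foreignSecurityPrincipal points at.

        Returns kind="domain" with the domain to bind to and the filter to run
        there; kind="well-known" for SIDs such as S-1-5-11 (Authenticated Users),
        which also live in the ForeignSecurityPrincipals container but are not
        users of any trusted domain; or None when no known domain issued the SID
        (an orphaned FSP whose original object was deleted, or a trust missing
        from the table).
        """
        sid = sid_from_fsp_dn(dn)
        if not sid.startswith("S-1-5-21-"):
            return {"kind": "well-known", "sid": sid}
        domain_sid, rid = split_domain_sid(sid)
        domain = domain_table.get(domain_sid)
        if domain is None:
            return None
        return {"kind": "domain", "sid": sid, "rid": rid,
                "dnsRoot": domain["dnsRoot"], "nCName": domain["nCName"],
                "filter": objectsid_filter(sid)}


    if __name__ == "__main__":
        print(resolve_fsp(FSP_DN, DOMAIN_TABLE))
    ```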

  • Changed group membership in WGM 10.6.3 from the 10.6 server. The change takes overnight to work. Formerly ran WGM from my 10.6.8 mac (worked perfectly)  but now I am at 10.7.5 and must use WGM on the server. Has anyone else seen this behavior?

    Changed group membership in WGM 10.6.3 from the 10.6 server. The change takes overnight to work. Formerly ran WGM from my 10.6.8 mac (worked perfectly)  but now I am at 10.7.5 and must use WGM on the server. Has anyone else seen this behavior?

    Hi
    "Changed group membership in WGM 10.6.3 from the 10.6 server. The change takes overnight to work"
    If I've understood you correctly I've never known this or anything else to take that long? What were you trying to do exactly?
    "Formerly ran WGM from my 10.6.8 mac (worked perfectly)  but now I am at 10.7.5 and must use WGM on the server. Has anyone else seen this behaviour?"
    http://support.apple.com/kb/HT1822
    HTH?
    Tony

  • Read group membership for a user object and populate every group with matching user from another domain

    I have LON\JSmith in LON domain and DEL\JimSmith in DEL domain
    I would like to extract group memberships of LON\JSmith in LON domain and append matching by email (i.e. DEL\JimSmith) user object in every group in LON domain.
    for instance
    LON\JSmith and DEL\JimSmith is the same person and has same email address [email protected]
    LON\JSmith belongs to 3 groups - LON\localadmingroup;LON\univdesktop;LON\globalsurvey
    The outcome of the script should be
    LON\JSmith; DEL\JimSmith    should be in 3 groups - LON\localadmingroup;LON\univdesktop;LON\globalsurvey.
    How can I do it?
    Navgup

    Hi Navgup,
    Please refer to the script below, to query users in other domain by specifying the parameter "-Server" in the cmdlet "get-aduser", and also note I haven't tested the script below:
    import-module activedirectory
    get-adgroupmember "group" | foreach {
        # get the user email
        $email = (get-aduser $_.samaccountname -properties EmailAddress).EmailAddress
        # filter user name and group with the email in other domain
        Get-ADUser -filter {EmailAddress -eq $email} -properties MemberOf -server DomainB.company.com | select samaccountname, memberof
    }
    To get users across domain, please also refer this blog:
    Adding/removing members from another forest or domain to groups in Active Directory:
    http://blogs.msdn.com/b/adpowershell/archive/2010/01/20/adding-removing-members-from-another-forest-or-domain-to-groups-in-active-directory.aspx?Redirected=true
    I hope this helps.

  • ACS 5.3 Group Mapping based on AD group membership

    Hi,
    I am configuring a new ACS 5.3 system. Part of the rules is that I want to match the user's specific AD group membership, and match appropriately to an identity group.
    What I'm trying to do is say that if the user is a member of the AD Group (G-CRP-SEC-ENG) then associate them with the Identity Group SEC-ENG. Then under the access service, authorization portion, I assign shell profiles and command sets based on Identity Group.
    It seems that the ACS server will not match the AD Group for the user, and it will match the Default of the Group Mapping portion of the policy every time.
    I tried several configuration choices from: AD1:ExternalGroups contains any <string showing in AD>, AD1:memberOf <group>.
    Is there something special I need to do in the Group Mapping Policy to get it to match an Active Directory group and result in assigning the host to an Identity Group?
    Thank you,
    Sami

    Ok, my case is like this.
    I use ACS 5.3 for VPN authentication, using AD and an external RSA for token authentication (2 factor authentication)
    I didn't add all the VPN users in the ACS, because it will be troublesome; the users' authentication will be managed by AD and the RSA server.
    In some cases where we need to restrict a group of users to only access certain resources, a downloadable ACL is used.
    Following the Cisco docs, I managed to get the downloadable ACL working when the authorization profile matching criterion is username, but when I change the matching criterion to Identity group, the downloadable ACL won't work.
    I have a case with Cisco engineer now and still in the middle to sort things out.
    The advice from the Cisco engineer is to have the Access Service set to Internal User instead of RSA server, but that will require us(the admin) to import all the VPN users into the ACS database.
    Wondering whether there is a fix for this.
    Thanks.

  • OIM 9.1.0.2 Group Membership Removal for Disabled Users

    Hello
    In OIM 9.1.0.2, when a user is disabled, they are removed from the groups they are a member of within 24 hours. I was wondering if this is a set time and if so, whether it can be extended to a specified time so membership can be left for a week before it is removed from the user. If you can let me know on this I would appreciate it.
    Thanks
    Nick

    Today, when accounts are disabled, within 24 hours all the group memberships are removed on the OIM side. I would like to change the interval for the cleanup so that when an account is disabled, all the existing group (role) memberships stay assigned to the account; then after 30 days of the account being disabled, the group (role) memberships are removed. Not sure if this would be an ORM thing or OIM, but I think it would be OIM since ORM still has the role mappings for users when they are disabled.
    Thanks
    Nick

  • How to get group key from a task assignment adapter

    Hi All,
    Scenario:
    I have two groups, say G1 and G2.
    One Access policy, say P. (This access policy is associated with AD resource.)
    AD Resource Object R.
    I have defined an Approval process for Resource R.
    Access policy P is assigned to both Group G1 and G2.
    This Access Policy P is linked to Resource R.
    According to the above configuration,
    When I add User U1 to Group G1 (or G2) through "Group Membership", Access Policy P is executed and the approval process which is associated with the Resource R is executed.
    In my Approval process, I have a task assignment adapter.
    Within my adapter, I want to get the group key which caused this approval process to fire. (It may be G1's key or G2's key.)
    Could someone help me with this?
    Regards,
    Thirlk
    Edited by: thirlk on Jun 28, 2009 10:55 PM

    See this thread
    Working on the same requirement.
    How to get the administrator group of a group from a approval process
    If you have any further question let me know.

  • How to create LDAP filter-based rule to check Group membership in OAM

    Hi folks,
    I'm having a hard time creating an authorization rule to verify LDAP group membership. I've followed the "Configure User Authorization" article from the Oracle website (http://download.oracle.com/docs/cd/E10761_01/doc/oam.1014/b32420/v2authz.htm#BABHBFEJI) and created an Authorization scheme with ldap_attribute_name as User Parameter and ruleExpression as Required Parameter. Then, inside my policy I created an Authorization Rule based on my Authz scheme with an Allow Access attribute filter-based Rule which looks like this:
    ldap://ldap_server:port/ou=People,o=Company,c=US??sub?(ldap_attribute_name=ldap_attribute_value)
    This works fine.
    Now, I've added another filter-based rule under the same Authz Rule/Allow Access:
    ldap://ldap_server:port/ou=Groups,o=Company,c=US?uniqueMember?sub?(&(objectClass=groupOfUniqueNames)(cn=ldap_group_name))
    While the query looks somewhat correct and works as a command-line argument (slightly modified format), it does not work in OAM (meaning people without the required group membership can still log in).
    Can someone steer me in the right direction as to what I need to do:
    1. Change/fix the ldap query
    2. Create a new Authz scheme with uniqueMember userParameter; create a new Authz rule based on the new authz scheme; create a new Allow Access filter rule with the ldap query I have
    3. Do something else
    Any help is greatly appreciated.
    Thank you, Roman

    You can create two authorization rules
    First for user with attribute
    and second for group
    and then in authorization expression you can have AND of these two.
    Regarding your query...
    First... If your requirement is to give access to all the members of a particular group then you don't require any ldap filters.
    All you have to do is in the authorization rule -> Allow access -> Select People (here you have to select group, so click on the group tab; it's a little hard to see but it's there in light blue on the dark blue tab) -> select the group you want to give access.
    Second... If your requirement is such that you want to give access to a member of a group which has a certain attribute, let's say a group with status active (in this case you are not aware of the name of the group because the user can be a member of any group, but you want to give access only to the group with the specific attribute), then you have to write a custom authorization plugin.
    If it is the second option, let me know; I can give you a solution which will work for a single domain without the effort of developing a major plugin.
    Hope this helps,
    Sagar
