Group Membership in User Record

Similar Messages

• AD Group Membership with User From Domain Outside of Forest

  Here's one to twist your brain around -
  I have kerberos authentication using Active Directory working between a client's web browser and my web-app hosted in JBoss. I also have limited authorization working by checking group memberships using LDAP. This currently only works if all users are in the same domain. The ever-helpful adler_steven has detailed in another thread (http://forum.java.sun.com/thread.jspa?threadID=603815&tstart=15) how to do a group membership check for all Users/Groups in a single forest using the Global Context.
  I need to go beyond the domain and even beyond the forest and try to authorize a user from a trusted domain by checking if the user is a member of a group in my domain. Authentication works fine using kerberos. It's the authorization by group check I am having trouble with. I believe there are two ways to approach this:
  Approach #1
  Access the MS-specific PAC in the kerberos token from the client to get the group SIDs. The structure of the PAC is nicely defined in this article: http://appliedcrypto.com/spnego/pac/ms_kerberos_pac.html. However, I have no idea how to access the decrypted token. I pass the encrypted token that I receive from the browser to myGssContext.acceptSecContext(...) to complete the authentication.
  Question: Does anyone know how to get the decrypted kerberos ticket from there, specifically the authorization-data field?
  Approach #2
  Try to walk through the Active Directory structures in both domains using LDAP. In the domain group that I am checking, I can see a member attribute that references a foreignSecurityPrincipal object. The CN of this object happens to be the objectSID of the user I am looking for in the remote domain. Unfortunately, I have to check the remote domain server directly to verify that. The foreignSecurityPrincipal object itself does not contain any hint about what user it refers to aside from the SID (no originalDomainName attribute or something similar). It is feasible that I could walk the chain of references back to the remote domain AD server. That would require that my configuration include a list of remote domain servers to check (since I could have users from multiple trusted domains) and that my JBoss server have access to those servers.
  Question: Does anyone know of some other LDAP-related way of finding information about a user from a remote, trusted domain without having to hit the server for that domain directly?
  adTHANKSvance
  Eric

  You should be able to work back from the foreignSecurityPrincipal object :-) He says with a wry smile..
  This post prompts me to think whether one day someone will draw the entity relationship diagram for AD. Oh well, I've been procrastinating for years, a few more won't hurt !
  If it was a user from within the same forest, you should just be able to perform a search against a GC using the objectSID as the search filter. I've forgotten, but I don't think they will be represented as foreign security principals.
  Have a look at the post titled JNDI, Active Directory and SID's (Security Identifiers) available at
  http://forum.java.sun.com/thread.jspa?threadID=585031&tstart=150 that describes how to search for an object based on their SID.
  Now if it is a user from another forest, with which you have a trust relationship, then we begin the navigation excercise.
  You'll need obtain the user's SID (either from the cn or from the objectSID attributes) from the foreignSecurityPrincipal object. For example CN=S-1-5-21-3771862615-1804478405-1612909269-2143,CN=ForeignSecurityPrincipals,DC=antipodes,DC=com
  objectSID=S-S-1-5-21-3771862615-1804478405-1612909269-2143Then obtain the domain RID, eg.S-1-5-21-3771862615-1804478405-1612909269Next you will have to recurse each of the crossRef objects in the Partitions container, in the configuration naming context (which you will find listed in the RootDSE). The crossref objects that represent trusted domains or forests will have values for their trustParent attributes. A sample query would be something like//specify the LDAP search filter
  String searchFilter = "(&(objectClass=crossRef)(trustParent=*))";
  //Specify the Base for the search
  String searchBase = "CN=Partitions,CN=Configuration,DC=antipodes,DC=com";For each crossRef object, you can then use the dnsRoot attribute to determine the dns domain name of the forest/domain (if you want to later use dns to search for the dns name,ip address of the domain controllers in the trusted domains/forests), and then use the nCName attribute to determine the distinguished name of the trusted forest/domain.dnsRoot = contoso.com
  ncName = dc=contoso,dc=comPerform another bind to the ncName for the trusted domain/forest and retrieve the objectSID attribute, which will be the domain's RID. You may want to cache this information as a lookup table to match domain RID's with domain distingusihed names and dns names.String ldapURL = "ldap://contoso.com:389";
  Attributes attrs = ctx.getAttributes("dc=contoso,dc=com");
  System.out.println("Domain SID: " + attrs.get("objectSID").get());Once you find out which domain matches the RID for the foreignSecurityPrincipal, you can then perform a search for the "real user" .And then finally you should have the user object that represents the foreign security principal !
  Just one thing to note. Assume that CONTOSO and ANTIPODES are two separate forests. If you bind as CONTOSO\cdarwin against the CONTOSO domain, the tokenGroups attribute (which represents teh process token) will contain all of the group memberships of Charles Darwin in the CONTOSO domain/forest. It will not contain his memberships if any, of groups in the ANTIPODES forest. If Charles Darwin accesses a resource in ANTIPODES, then his process token used by the ANTIPODES resource will be updated with his group memberships of the ANTIPODES forest. Also you can have "orphaned foreignn security principal", where the original user object has been deleted !
  BTW, If I was doing this purely on Windows, IIRC, you just use one API call DsCrackNames, to get the "real user", and then the appropriate ImpersonateUser calls to update the process token etc..
  Good luck.

• Group membership for users is not reflected at the client until full reboot

  Ok, so I am new to this:
  So I created two groups on the server g1 and g2. Created two server users u1 and u1. I have one client with three accounts: System Admin, u1 and u1.
  On the server:
  g1 has one member u1
  g2 has one member u2
  When I swap the membership on the server using Server pref. or Workgroup manager, the users on the client still have access to their original group.
  I tried logging everyone out of the client. I does not work.
  The only way is to reboot the client completely. However, sometimes when I change the membership it does get reflected on the client. Any ideas?
  Equipment:
  One (1) Mac Mini Server 10.6.3, clean install. (defaults to OD)
  One (1) MacBook Pro 17" , 10.6.4
  Is there a way to push?

  Answer!
  UAC (User Account Control) must be set to OFF to disable this message.
  Another error message that really has nothing to do with what's really happening!
  Ugh.

• New Group Membership for users

  Hello All,
  Is there a way to add members based on their employee type to a new group without writing a program??
  For ex: if employee type is Part-Time, then add to a Part-time group in OIM.
  We need to do this for new users and also for existing users.
  We have the code to do this task, but I want to make sure if we can do it via configuration in OIM admin console or design console.
  Thanks u ll in advance.
  Regards,
  ~VSN

  If this is just OIM Groups we are talking about then why reach up to the Access Policies
  - Create membership rules via Design Console -> Rule Designer as follows:
  - Name=Sample Membership, Type=General, Description=Sample
  Role == Part-Time
  - Go to your group in OIM and add this to Membership Rules drop-down
  For existing users, do it though a scheduler and use the same Java code which you have currently in place

• Not inheriting group membership / users not showing in workgroup "Everyone"

  Hi,
  In the new OS X Lion Server Profile Manager, there is a default group called Everyone, that should contain all users.
  However, it only shows the first user I created (UID 1025).
  Users created after that are not automatically added to the group Everyone
  I can assign these newer users to a Workgroup I created myself, but since they are absent in the Everyone group, I cannot assign devices to these users, and thus not properly manage these users and their devices.
  Using Workgroup Manager to check on the membership of the users with UID>1025 I see that the inherited workgroup membership of Users (GID 403) is missing.
  How can fix a problem with the inherited group membership of users?
  Thanks in advance.
    Patrick

  did you configure the people picker
  http://technet.microsoft.com/en-us/library/gg602075(d=lightweight,v=office.14).aspx#section4
  http://jaredmatfess.wordpress.com/2013/02/26/sharepoint-2010-people-picker-is-having-a-hard-time-finding-people/
  Please remember to mark your question as answered &Vote helpful,if this solves/helps your problem. ****************************************************************************************** Thanks -WS MCITP(SharePoint 2010, 2013) Blog: http://wscheema.com/blog
  No need to configure the People Picker in a full trust between domains of the same forest.
  Trevor Seward
  Follow or contact me at...
  &nbsp&nbsp
  This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

• Is it possible to copy security Groups from other user in CMC

  Hi,
  Usually in SAP security we can create user ids with the option of copy the roles from other user. means we can create user id Y same as like X. then Y will get all roles and security same as X.
  it is possible the same in BO also, is there any way for this.
  Regards,
  Sri

  Not that easily - I agree. However, normally permissions are granted to groups - not users. So as long as User Y has the same group memberships as User X it should be the same.
  There are also 3rd party tools available that can make this work and of course if you like coding - using the SDK you can build a tool yourself .

• Bhold attestation setup if FIM POrtal is already used for Group Membership

  Background - We had a FIM 2010 deployment in production deployment. Few
  months ago, we upgraded it to FIM R2. There are already about 4000 Criteria based Groups and Request Based Groups at FIM portal. FIM portal is used as an authoritative source for group membership.
  Problem Statement -  The requirement is to attest the existing and
  ongoing Request Based group membership of users using BHold User Attestation module. We want to continue FIM portal (not Bhold UI) as the end user interface for requesting the group membership.
  Hence, for metaverse' group object's member attribute, FIM Portal should have higher precedence than Bhold MA.
  From available documentation of Bhold, I understand that BHold is more suitable in cases where FIM Portal is not already the Group Membership deciding system. However, in our already existing
  deployment, both group membership is given by FIM portal. In fact this should be the case with all the FIM deployments before Bhold’ s release.
  Please suggest on how to attest the group memberships.
  Mayank Vaish

  I would not expect to have to attest group membership where that membership is controlled programmatically. The idea of Attestation is for a responsible person to attest and confirm that the membership of a given group/role/permission is correct (and remove
  users who don't need that permission). As long as someone responsible has attested that the rules that govern the automatic group membership are appropriate for the permission controlled by that group, then another round of attestation via BHOLD would seem
  like overkill.
  However, in the case where membership of FIM groups is managed via FIM's approval mechanism then there may well be a case for BHOLD attestation. It will depend on the business's audit requirements and how well the FIM logs are being maintained, and
  also the sensitivity/importance of the permission being managed by the group. If it is not possible to prove who approved membership of what group - and to confirm that that membership is still appropriate - then regular attestation may still be required,
  in which case BHOLD is an easier way of doing it than trying to build your own or do it manually.
  Cheers,
  Dave

• OBIEE only getting limited number of group membership records

  Hey everyone,
  I'm seeing some strange behavior with the group membership functionality of OBIEE. Right now we're on version 10.1.3.2 and we've implemented SSO and we setup a query against LDAP (AD) to get user group information similar to the way Venkat's blog demonstrates:
  http://oraclebizint.wordpress.com/2007/10/12/oracle-bi-ee-101332-and-oid-user-and-group-phase-2/
  At first glance, everything was working smoothly, however, on second glance, I noticed that on users who were part of lots of groups (i.e. 80 groups), not all of their membership information was getting into OBIEE. On my test user, who was part of only 10 groups, I ran a test in which I only gave access to the Answers module to a person from the 10th group. When I logged into OBIEE as my test user, I was able to access answers.
  On my second test user, who had 80 groups, I set access to answers for the 75th and 80th groups (both different tests). Neither test allowed this user to access answers. However, when I choose the 5th group returned, the user was quickly able to see and access answers.
  When I test out the call to the Oracle function in the Admin tool, I see all the groups returned there.
  These strange results lead me to believe that there is only so many group membership records that OBIEE can receive. Is that true? Has anyone seen this before? Did I forget to set something appropriately?
  Thanks everyone for your help!
  -Joe

  Hey,
  Sorry about the delay in getting back to you, I was slammed with some work right before the Holiday. Anyway, below is the sample code and an example of it's usage. be sure to replace the <BASE DN>, <LDAP HOST>. <LDAP USER>, and <LDAP PASSWORD> with the appropriate values for your situation.
  Also, you'll need to create the "ARRAY" datatype like in Venkat's blog.
  Best of luck!
  -Joe
  select * from table(getusergroup(‘Jbertram’));
  create or replace FUNCTION GETUSERGROUP(Username in Varchar2) RETURN ARRAY PIPELINED AS
  -- Adjust as necessary.
  l_retval pls_integer;
  l_session dbms_ldap.session;
  l_attrs dbms_ldap.string_collection;
  l_message dbms_ldap.message;
  l_entry dbms_ldap.message;
  l_attr_name varchar2(256);
  l_ber_element dbms_ldap.ber_element;
  l_vals dbms_ldap.string_collection;
  l_raw dbms_ldap.binval_collection;
  l_ldap_base varchar2(256) := '<BASE DN>';
  l_filter varchar2(100) := '(&(cn='||Username||'))';
  l_ldap_host varchar2(100) := '<LDAP HOST>';
  l_ldap_port number := 389;
  l_ldap_user varchar2(100) := '<LDAP USER>';
  l_ldap_passwd varchar2(100):= '<LDAP PASSWORD>';
  l_result varchar2(100);
  begin
  -- Choose to raise exceptions.
  dbms_ldap.use_exception := true;
  dbms_ldap.utf8_conversion := false;
  -- Connect to the LDAP server.
  l_session := dbms_ldap.init(hostname => l_ldap_host, portnum => l_ldap_port);
  l_retval := dbms_ldap.simple_bind_s(ld => l_session, dn => l_ldap_user, passwd => l_ldap_passwd);
  -- Get all attributes
  l_attrs(1) := 'memberOf'; -- retrieve all attributes
  --l_attrs(2) := 'cn';
  l_retval := dbms_ldap.search_s(ld => l_session
  ,base => l_ldap_base
  ,scope => dbms_ldap.scope_subtree
  ,filter => l_filter
  ,attrs => l_attrs
  ,attronly => 0
  ,res => l_message);
  if dbms_ldap.count_entries(ld => l_session, msg => l_message) > 0
  then
  -- Get all the entries returned by our search.
  l_entry := dbms_ldap.first_entry(ld => l_session, msg => l_message);
  <<entry_loop>>
  while l_entry is not null
  loop
  -- Get all the attributes for this entry.
  dbms_output.put_line('---------------------------------------');
  l_attr_name := dbms_ldap.first_attribute(ld => l_session
  ,ldapentry => l_entry
  ,ber_elem => l_ber_element);
  <<attributes_loop>>
  while l_attr_name is not null
  loop
  -- Get all the values for this attribute.
  l_vals := dbms_ldap.get_values(ld => l_session, ldapentry => l_entry, attr => l_attr_name);
  <<values_loop>>
  for i in l_vals.first .. l_vals.last
  loop
  dbms_output.put_line(substr(l_vals(i),4,instr(l_vals(i),',')-4));
  PIPE ROW(substr(l_vals(i),4,instr(l_vals(i),',')-4));
  end loop values_loop;
  l_attr_name := dbms_ldap.next_attribute(ld => l_session
  ,ldapentry => l_entry
  ,ber_elem => l_ber_element);
  end loop attibutes_loop;
  l_entry := dbms_ldap.next_entry(ld => l_session, msg => l_entry);
  end loop entry_loop;
  end if;
  -- Disconnect from the LDAP server.
  l_retval := dbms_ldap.unbind_s(ld => l_session);
  --dbms_output.put_line('L_RETVAL: ' || l_retval);
  end;

• OIM 9.1.0.2 Group Membership Removal for Disabled Users

  Hello
  In OIM 9.1.0.2, when a user is disabled, they are removed from the groups they are a member of within 24 hours. i was wondering if this is a set time and if so, can this be extended to a specified time so membership can be left for a week before it is removed from the user. If you can let me know on this I would appreciate it.
  Thanks
  Nick

  Today, when accounts are disabled, within 24 hours all the group memberships are removed on the OIM side. I would like to change the interval for the cleanup so that when an account is disabled, all the existing group (role) memberships stay assinged to the account then after 30 days of the account being disabled, the group (role) memberships are removed. Not sure if this would be an ORM thing or OIM, but I think it would be OIM since ORM still has the role mappings for users when they are disabled.
  Thanks
  Nick

• "Domain Users" group in Active Directory does not belong to any Group Membership in LC

  Active Directory user belonging to "Domain Users" group does not belong to any Group Membership in LC, why does it not belong to "Domain Users" group?
  Any way to correct this issue, without changing group membership on AD side?
  If Active Directory user is member of "Domain Admins" or "Users" then these show same group membership in LC.
  Thanks.

  If you want to use the Domain Users group for the purpose of representing all the users then you can use the "All principals in domain xxx" group which is created by UM.
  Coming back to Domain Users group. For determining group membership in AD UM uses "member" attribute of the group object. "Domain Users" group is treated differently by AD. It is the default primary group for all the users and normally members of the primary group are not specified using the member attribute.So when we sync the data from AD "Domain Users" membership does not get completed.

• Getting list of all users and their group memberships from Active Directory

  Hi,
  I want to retrieve a list of all the users and their group memberships through JNDI from Active Directory. I am using the following code to achieve this:
  ==================
  import javax.naming.*;
  import java.util.Hashtable;
  import javax.naming.directory.*;
  public class GetUsersGroups{
       public static void main(String[] args){
            String[] attributeNames = {"memberOf"};
            //create an initial directory context
            Hashtable env = new Hashtable();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, "ldap://172.19.1.32:389/");
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, "[email protected]");
            env.put(Context.SECURITY_CREDENTIALS, "p8admin");
            try {
                 // Create the initial directory context
                 DirContext ctx = new InitialDirContext(env);     
                 //get all the users list and their group memberships
                 NamingEnumeration contentsEnum = ctx.list("CN=Users,DC=filenetp8,DC=com");
                 while (contentsEnum.hasMore()){
                      NameClassPair ncp = (NameClassPair) contentsEnum.next();
                      String userName = ncp.getName();
                      System.out.println("User: "+userName);
                      try{
                           System.out.println("am here....1");
                           Attributes attrs = ctx.getAttributes(userName, attributeNames); // only asked for one attribute so only one should be returned
                           System.out.println("am here....2");
                           Attribute groupsAttribute = attrs.get(attributeNames[0]); // memberOf
                           System.out.println("-----"+groupsAttribute.size());
                           if (groupsAttribute != null){
                                // memberOf is a multi valued attribute
                                for (int i=0; i<groupsAttribute.size(); i++){
                                // print out each group that user belongs to
                                System.out.println("MemberOf: "+groupsAttribute.get(i));
                      }catch(NamingException ne){
                      // ignore for now
                 System.err.println("Problem encountered....0000:" + ne);
                 //get all the groups list
            } catch (NamingException e) {
            System.err.println("Problem encountered 1111:" + e);
  =================
  The following exception gets thrown at every user entry:
  User: CN=Administrator
  am here....1
  Problem encountered....0000:javax.naming.NamingException: [LDAP: error code 1 -
  000020D6: SvcErr: DSID-03100690, problem 5012 (DIR_ERROR), data 0
  ]; remaining name 'CN=Administrator'
  I think it gets thrown at this line in the code:
  Attributes attrs = ctx.getAttributes(userName, attributeNames);
  Any idea how to overcome this and where am I wrong?
  Thanks in advance,
  Regards.

  In this sentence:
  Attributes attrs = ctx.getAttributes(userName, attributeNames); // only asked for one attribute so only one should
  It seems Ok when I add "CN=Users,DC=filenetp8,DC=com" after userName, just as
  userName + ",CN=Users,DC=filenetp8,DC=com"
  But I still have some problem with it.
  Hope it will be useful for you.

• Shared Calendars / Room Lists and automatically forcing them to users based on Security Group Membership

  Good morning all,
  I need some help achieving the following in our Exchange 2013 Environment.  First off, we have Exchange 2013, but all our clients have Outlook 2010.
  Here's what I would like to be able to do:
  1) create/manage public calendars / rooms in exchange 2013
  2) force these shared public calendars / rooms to users' calendars who are members of particular security groups
  3) give edit permissions / "booking" permissions for the shared calendars so select users are able to make changes to the shared calendars, as well as accept/deny requests to "book" shared room calendars
  Any one got any resources they can give to point me in the right direction?
  I have already created two mailbox room resources, and have them set up in a room list in AD.  But need to know the above as far as creating a shared calendar for events, and forcing these calendars / room lists out to users based on security group
  membership.
  I don't want my users to have to know how to add a shared calendar...that would be a nightmare explaining.  I just want it to show up.
  Any help on this is greatly appreciated, thank you!

  1) I recommend using Room Mailboxes for resource calendars because it just works better.
  2) This is a standard feature of a Room Mailbox.
  3) You're pretty specific here, but I think this is also more or less available with a Room Mailbox combined with folder rights.
  I don't know any way to just make them "show up".  You'll have to teach them.  Well written instructions can work wonders.
  Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

• User Group Membership change Alert

  As a system administrator, I will like to be alerted when a user's group membership has changed on the domain. Can Spiceworks compare the imported memberships in its database with AD and alert me when they do not match? Below is an image of the information that SW imports which could be used for this comparison.
  This topic first appeared in the Spiceworks Community

  Assuming you know the dn of the groups to remove the person from and add them to, and the dn of the person to move, you should be able to do something similar to:
  Attributes attrs = new BasicAttributes(true);
  Attribute uniquemember = new BasicAttribute("uniquemember");
  uniquemember.add("uid=user,o=domain.com"); //add user to move to attribute
  attrs.put(uniquemember);
  DirContext ctx = //connect to your ldap dir
  try{
       ctx.modifyAttributes(groupToRemoveFromDN, ctx.REMOVE_ATTRIBUTE, attrs);
       ctx.modifyAttributes(groupToAddToDN, ctx.ADD_ATTRIBUTE,attrs);
  catch (NamingException ne) {
       //return error appropriately
  try{
       ctx.close();
  catch (NamingException ne) {
       //do what you want with error
  }You also might want to check out the JNDI tutorial at http://java.sun.com/products/jndi/tutorial/index.html
  --Nicole

• Read group membership for a user object and populate every group with matching user from another domain

  I have LON\JSmith in LON domain and DEL\JimSmith in DEL domain
  I would like to extract group memberships of LON\JSmith in LON domain and append matching by email (i.e. DEL\JimSmith) user object in every group in LON domain.
  for instance
  LON\JSmith and DEL\JimSmith is the same person and has same email address [email protected]
  LON\JSmith belongs to 3 groups - LON\localadmingroup;LON\univdesktop;LON\globalsurvey
  The outcome of the script should be
  LON\JSmith; DEL\JimSmith    should be in 3 groups - LON\localadmingroup;LON\univdesktop;LON\globalsurvey.
  How can i do it?
  Navgup

  Hi Navgup,
  Please refer to the script below, to query users in other domain by specifying the parameter "-Server" in the cmdlet "get-aduser", and also note I haven't tested the script below:
  import-module activedirectory
  get-adgroupmember "group"|foreach{
  $email=(get-aduser $_.samaccountname -properties *).EmailAddress#get the user email
  Get-ADUser -filter {EmailAddress -eq $email} -properties * -server DomainB.company.com|select samaccountname, memberof}#filter user name and group with the email in other domain
  To get users across domain, please also refer this blog:
  Adding/removing members from another forest or domain to groups in Active Directory:
  http://blogs.msdn.com/b/adpowershell/archive/2010/01/20/adding-removing-members-from-another-forest-or-domain-to-groups-in-active-directory.aspx?Redirected=true
  I hope this helps.

• OIM 10G OID user account / group membership reconciliation

  Hello
  I have an OID environment that is used for OAM access to applications within the environment. I need to be able to reconcile users from OID into OIM along with their group membership so that roles for users are maintained and updated. I have ORM integrated within the environment so entitlements would need to flow to orm to document that users are members of a role / OIM group. Not sure if this is possible through the trusted reconciliation or if there is a user / group target reconciliation that can be used for this. Any help you can give for this would be appreciated.
  Thanks

  When i use ADCS timestamp as 0 (to capture changes from the beginning and not necessarily after the group change event occured on the AD side) and run AD user target recon this is getting updated. Is this correct and if so how can i always default ADCS timestamp as 0 in the scheduled task and are there any side effects for this sort of approach.
  Prasad.
  Edited by: Prasad on Nov 7, 2011 12:31 PM