Group Membership Update Task -AD Connector 11g

OIM 11g R2:
When will Group Membership Update task be triggered for a user? Will this get triggered when a Entitlement associated to a user is updated (entitlement metadata) -How will OIM identify that it is an update to the existing Entitlement and that User is associated with?
This is my understanding on other group related OOTB tasks:
Insert Group Membership will be triggered when a new entitlement is added to the user
Delete Group Membership will be triggered when a Entitlement is removed
Thanks in advance.

If entitlement display name is updated in OIM then it also get updated in provisioned resource profile for all users who are associated with the entitlement but it does not insert 'Group Update' task.
If entitlement - group name is changed in target system them OIM treats this change as a completely new and does not update it for the existing associated users.
Thanks,
Pallavi

Similar Messages

OIM: What is the purpose of "Update" while editing group memberships

Hi,
This is when you lookup a user's Resource Profile and go to "Edit" link. The process form shows up along with a drop down to edit the group memberships. When we select one of the choices such as "Groups" another window pops up where we could add more entires into the child form. In this form there is an "Update" column with a radio button besides a "Remove" column. What is the purpose of this "Update" column? We can add or delete child entries but what does update do? Is there a way to remove this selection altogether?
Thanks in advance

Update I can see used for a cases where you have multiple columns on a child table entry and want to change one of them. Strictly speaking, you can update a single column child table rather than delete and insert also. Access policies always do insert and delete actions, but you will want to implement an update task as well if you expect anyone to be editing child tables on resources directly.

Group Membership under Settings/My Account is not updating

We use an External table for User permissions/Groups to get updated in Group Membership.
We use our custom tool to create/update new/existing users with the permissions. Then our ETL picks up the changes from the OLTP tables and update User Permission table in our DWH hourly. Now let me explain the present situation. User ABC is an existing user and never used our Report Portal before, we updated ABC user with all the necessary groups to use Report portal and with curiosity she didn't wait until Hourly ETL run and she didn't had the necessary permissions to run any reports in Report portal. But when she login after 1hr/10 hr/ 1 day/2 day, the user won't see the Permissions getting updated in Group Membership. If we check the User permission table in DWH, it is updated with all the new roles, but it is never being updated in 'My Account' Answers. I think this is some kind of Presentation Cache issue, but I did clicked "Reload Files and Metadata" under Settings and "Close All Cursors" under Settings/Manage Sessions. You may also say it may be with the Caching on Initialization Block for the User Permission table, but we did Un-check the 'Use Caching' right below the Row-wise initialization for the corresponding Initialization block. We has 3 users with the same issue now. But when the user waits for certain time (for at least 1hr), and when they login after the actual hourly ETL ran, they were able to get in and use Report Portal without any issue. So, I am kind of sure this is something with CACHING and I might be missing some thing on Clearing this type of Cache. Could someone please help me out on this? This is in PRD and we are not able to find a solution. Any help would be appreciated!
-Dinesh

Yes, we are using Initialization Blocks to update the User Groups. Our USER_PERMISSION table has Login, Company_ID, Roles, etc columns in it. The Initialization Block will query on this Table and the query has a where clause in it and the Where clause "where company_id=(select substr(':USER', 0, (instr(':USER', '.')) - 1) from dual) and upper(login)=upper((select substr(':USER', (instr(':USER', '.')) + 1) from dual))) and dw_delete_date is null" from which it will get the roles for each user. And YES, the Caching is turned off for this initialization block.
And I should try deleting the user folders, but my company has a very strict policy so I should do that in DEv, then QA and in PRD. Hope this works, but I am still not convinced why this is happening. We cannot keep on deleting the user folders in future if this happens again.

Group membership on AD-bound server is not updating correctly

I have a 10.6.4 server that is bound to AD with Win2008 domain controllers. I am seeing group membership not update properly on this OS X server. If I type "id -p username" I don't get a full list of groups the user is a member of. If I launch Workgroup Manager, all of the groups are listed. I am using the box as a Subversion server and need the group updates to propagate from AD for Apache authentication to work correctly. Any ideas as to why the propagation is not happening? Is there a way I can flush whatever cache might be causing an issue? Can the group membership list be "refreshed"?

Yes, we are using Initialization Blocks to update the User Groups. Our USER_PERMISSION table has Login, Company_ID, Roles, etc columns in it. The Initialization Block will query on this Table and the query has a where clause in it and the Where clause "where company_id=(select substr(':USER', 0, (instr(':USER', '.')) - 1) from dual) and upper(login)=upper((select substr(':USER', (instr(':USER', '.')) + 1) from dual))) and dw_delete_date is null" from which it will get the roles for each user. And YES, the Caching is turned off for this initialization block.
And I should try deleting the user folders, but my company has a very strict policy so I should do that in DEv, then QA and in PRD. Hope this works, but I am still not convinced why this is happening. We cannot keep on deleting the user folders in future if this happens again.

OIM 11g R2 Group Membership

Hi All,
In OIM 11g R2, when i try to manually add a user to a group (custom or OOTB), i do not see the "Assign" button active and with the absence of the assign button, i could not assign a new user to the group. But, I can see that the Create Rule option is active.
Does this mean that the group membership in OIM 11g can only happen through Group membership rule satisfaction?
Please help.
Thanks,
Srini

You can manually add an user to a role in OIM 11gR2. Open identity console --> Click on Roles--> Search
You will get all the roles listed. Select the role to which you want to add a member. Assign tab will be visible under the Members panel layout in the bottom frame.
When you click on assign the request catalog opens with the selected target user and the role. You can change the target user or add another target user.
Then click on submit.
If this process is done through sysadmin login then directly the member is assigned to the role
Else it will create a request and after approval is completed the member will be assigned to the role.

Child form for Group Membership OID -OIM 11g

Hi,
Can we configure a custom child form to store OID group membership in OIM 11g? If Yes, what are the configuration changes to be considered.
Thanks in advance

Hi,
Can we configure a custom child form to store OID group membership in OIM 11g? If Yes, what are the configuration changes to be considered.
Thanks in advance

Problem in AD Group membership Insert Error "Response: CURRENT_ATTRIBUTES"

Hi all,
I am using Oracle Identity and Access Management 11g (11.1.1.5.0) with Weblogic 10.3.5 and apply patch -11.1.1.5.4. I have install AD Connector (activedirectory-11.1.1.5.0) and recon Group, OU and Users as a target source Successfully. When I tried to provision user in AD user is provisioned successfully but got following error message in Group membership Insert.
Task Name     -     Group membership Insert
Resource Name:     AD User
Description:
User:     Test User 10 [?TESTUSER10?]
Status:          Rejected
Response:     CURRENT_ATTRIBUTES
Response Description:     Unknown response received
Notes:
Assigned to     User     :     System Administrator[?XELSYSADM?]
Error Details
Setting task status... "CURRENT_ATTRIBUTES" does not correspond to a known Response Code. Using "UNKNOWN".
Schedule Detail
Projected Start:     November 7, 2012 6:14:47 PM     Projected End:     November 7, 2012 6:14:47 PM
Actual Start:     November 7, 2012 6:14:47 PM     Actual End:     November 7, 2012 6:14:48 PM
Last Update:     November 7, 2012 6:14:48 PM
Back to Resource Provisioning Details
OIM LOG
Running UPDATECHILDTABLEVALUES
Target Class = oracle.iam.connectors.icfcommon.prov.ICProvisioningManager
<ObjectClassInfos>
<ObjectClassInfo type='Group' container='false' embedded='false'>
</optionsByOperation>
</Schema>
java.lang.reflect.InvocationTargetException
     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
     at java.lang.reflect.Method.invoke(Method.java:597)
     at com.thortech.xl.adapterGlue.ScheduleItemEvents.adpADIDCUPDATECHILDTABLEVALUES.UPDATECHILDTABLEVALUES(adpADIDCUPDATECHILDTABLEVALUES.java:111)
     at com.thortech.xl.adapterGlue.ScheduleItemEvents.adpADIDCUPDATECHILDTABLEVALUES.implementation(adpADIDCUPDATECHILDTABLEVALUES.java:56)
     at com.thortech.xl.client.events.tcBaseEvent.run(tcBaseEvent.java:196)
     at com.thortech.xl.dataobj.tcDataObj.runEvent(tcDataObj.java:2492)
     at com.thortech.xl.dataobj.tcScheduleItem.runMilestoneEvent(tcScheduleItem.java:2917)
     at com.thortech.xl.dataobj.tcScheduleItem.eventPostInsert(tcScheduleItem.java:547)
     at com.thortech.xl.dataobj.tcDataObj.insert(tcDataObj.java:602)
     at com.thortech.xl.dataobj.tcDataObj.save(tcDataObj.java:474)
     at com.thortech.xl.ejb.beansimpl.tcProvisioningOperationsBean.retryTasks(tcProvisioningOperationsBean.java:4042)
     at Thor.API.Operations.tcProvisioningOperationsIntfEJB.retryTasksx(Unknown Source)
     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
     at java.lang.reflect.Method.invoke(Method.java:597)
     at com.bea.core.repackaged.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:310)
     at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
     at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
     at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
     at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
     at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
     at com.bea.core.repackaged.springframework.jee.spi.MethodInvocationVisitorImpl.visit(MethodInvocationVisitorImpl.java:37)
     at weblogic.ejb.container.injection.EnvironmentInterceptorCallbackImpl.callback(EnvironmentInterceptorCallbackImpl.java:54)
     at com.bea.core.repackaged.springframework.jee.spi.EnvironmentInterceptor.invoke(EnvironmentInterceptor.java:50)
     at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
     at com.bea.core.repackaged.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:89)
     at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
     at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
     at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
     at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
     at com.bea.core.repackaged.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
     at $Proxy348.retryTasksx(Unknown Source)
     at Thor.API.Operations.tcProvisioningOperationsIntfEJB_4xftoh_tcProvisioningOperationsIntfRemoteImpl.__WL_invoke(Unknown Source)
     at weblogic.ejb.container.internal.SessionRemoteMethodInvoker.invoke(SessionRemoteMethodInvoker.java:40)
     at Thor.API.Operations.tcProvisioningOperationsIntfEJB_4xftoh_tcProvisioningOperationsIntfRemoteImpl.retryTasksx(Unknown Source)
     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
     at java.lang.reflect.Method.invoke(Method.java:597)
     at weblogic.ejb.container.internal.RemoteBusinessIntfProxy.invoke(RemoteBusinessIntfProxy.java:85)
     at $Proxy172.retryTasksx(Unknown Source)
     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
     at java.lang.reflect.Method.invoke(Method.java:597)
     at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
     at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:198)
     at $Proxy347.retryTasksx(Unknown Source)
     at Thor.API.Operations.tcProvisioningOperationsIntfDelegate.retryTasks(Unknown Source)
     at com.thortech.xl.webclient.actions.ResourceProfileProvisioningTasksAction.retryTasks(ResourceProfileProvisioningTasksAction.java:702)
     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
     at java.lang.reflect.Method.invoke(Method.java:597)
     at org.apache.struts.actions.DispatchAction.dispatchMethod(DispatchAction.java:269)
     at com.thortech.xl.webclient.actions.tcLookupDispatchAction.execute(tcLookupDispatchAction.java:133)
     at com.thortech.xl.webclient.actions.tcActionBase.execute(tcActionBase.java:894)
     at com.thortech.xl.webclient.actions.tcAction.execute(tcAction.java:213)
     at org.apache.struts.chain.commands.servlet.ExecuteAction.execute(ExecuteAction.java:58)
     at org.apache.struts.chain.commands.AbstractExecuteAction.execute(AbstractExecuteAction.java:67)
     at org.apache.struts.chain.commands.ActionCommandBase.execute(ActionCommandBase.java:51)
     at org.apache.commons.chain.impl.ChainBase.execute(ChainBase.java:191)
     at org.apache.commons.chain.generic.LookupCommand.execute(LookupCommand.java:305)
     at org.apache.commons.chain.impl.ChainBase.execute(ChainBase.java:191)
     at org.apache.struts.chain.ComposableRequestProcessor.process(ComposableRequestProcessor.java:283)
     at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1913)
     at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:462)
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
     at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
     at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
     at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:300)
     at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
     at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
     at com.thortech.xl.webclient.security.CSRFFilter.doFilter(CSRFFilter.java:76)
     at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
     at oracle.iam.platform.auth.web.PwdMgmtNavigationFilter.doFilter(PwdMgmtNavigationFilter.java:121)
     at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
     at oracle.iam.platform.auth.web.OIMAuthContextFilter.doFilter(OIMAuthContextFilter.java:107)
     at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
     at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:111)
     at java.security.AccessController.doPrivileged(Native Method)
     at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:313)
     at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:413)
     at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:94)
     at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:161)
     at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71)
     at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
     at oracle.dms.servlet.DMSServletFilter.doFilter(DMSServletFilter.java:136)
     at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
     at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27)
     at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
     at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3715)
     at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3681)
     at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
     at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
     at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2277)
     at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2183)
     at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1454)
     at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
     at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)
Caused by: java.lang.NoSuchFieldError: CURRENT_ATTRIBUTES
     at oracle.iam.connectors.icfcommon.prov.ICProvisioningManager.getCurrentAttributes(ICProvisioningManager.java:408)
     at oracle.iam.connectors.icfcommon.prov.ICProvisioningManager.updateChildTableValues(ICProvisioningManager.java:485)
     ... 104 more
com.thortech.xl.dataobj.util.tcAdapterTaskException: CURRENT_ATTRIBUTES
     at com.thortech.xl.adapterGlue.ScheduleItemEvents.adpADIDCUPDATECHILDTABLEVALUES.UPDATECHILDTABLEVALUES(adpADIDCUPDATECHILDTABLEVALUES.java:117)
     at com.thortech.xl.adapterGlue.ScheduleItemEvents.adpADIDCUPDATECHILDTABLEVALUES.implementation(adpADIDCUPDATECHILDTABLEVALUES.java:56)
     at com.thortech.xl.client.events.tcBaseEvent.run(tcBaseEvent.java:196)
     at com.thortech.xl.dataobj.tcDataObj.runEvent(tcDataObj.java:2492)
     at com.thortech.xl.dataobj.tcScheduleItem.runMilestoneEvent(tcScheduleItem.java:2917)
     at com.thortech.xl.dataobj.tcScheduleItem.eventPostInsert(tcScheduleItem.java:547)
     at com.thortech.xl.dataobj.tcDataObj.insert(tcDataObj.java:602)
     at com.thortech.xl.dataobj.tcDataObj.save(tcDataObj.java:474)
     at com.thortech.xl.ejb.beansimpl.tcProvisioningOperationsBean.retryTasks(tcProvisioningOperationsBean.java:4042)
     at Thor.API.Operations.tcProvisioningOperationsIntfEJB.retryTasksx(Unknown Source)
     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
     at java.lang.reflect.Method.invoke(Method.java:597)
     at com.bea.core.repackaged.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:310)
     at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
     at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
     at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
     at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
     at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
     at com.bea.core.repackaged.springframework.jee.spi.MethodInvocationVisitorImpl.visit(MethodInvocationVisitorImpl.java:37)
     at weblogic.ejb.container.injection.EnvironmentInterceptorCallbackImpl.callback(EnvironmentInterceptorCallbackImpl.java:54)
     at com.bea.core.repackaged.springframework.jee.spi.EnvironmentInterceptor.invoke(EnvironmentInterceptor.java:50)
     at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
     at com.bea.core.repackaged.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:89)
     at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
     at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
     at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
     at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
     at com.bea.core.repackaged.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
     at $Proxy348.retryTasksx(Unknown Source)
     at Thor.API.Operations.tcProvisioningOperationsIntfEJB_4xftoh_tcProvisioningOperationsIntfRemoteImpl.__WL_invoke(Unknown Source)
     at weblogic.ejb.container.internal.SessionRemoteMethodInvoker.invoke(SessionRemoteMethodInvoker.java:40)
     at Thor.API.Operations.tcProvisioningOperationsIntfEJB_4xftoh_tcProvisioningOperationsIntfRemoteImpl.retryTasksx(Unknown Source)
     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
     at java.lang.reflect.Method.invoke(Method.java:597)
     at weblogic.ejb.container.internal.RemoteBusinessIntfProxy.invoke(RemoteBusinessIntfProxy.java:85)
     at $Proxy172.retryTasksx(Unknown Source)
     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
     at java.lang.reflect.Method.invoke(Method.java:597)
     at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
     at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:198)
     at $Proxy347.retryTasksx(Unknown Source)
     at Thor.API.Operations.tcProvisioningOperationsIntfDelegate.retryTasks(Unknown Source)
     at com.thortech.xl.webclient.actions.ResourceProfileProvisioningTasksAction.retryTasks(ResourceProfileProvisioningTasksAction.java:702)
     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
     at java.lang.reflect.Method.invoke(Method.java:597)
     at org.apache.struts.actions.DispatchAction.dispatchMethod(DispatchAction.java:269)
     at com.thortech.xl.webclient.actions.tcLookupDispatchAction.execute(tcLookupDispatchAction.java:133)
     at com.thortech.xl.webclient.actions.tcActionBase.execute(tcActionBase.java:894)
     at com.thortech.xl.webclient.actions.tcAction.execute(tcAction.java:213)
     at org.apache.struts.chain.commands.servlet.ExecuteAction.execute(ExecuteAction.java:58)
     at org.apache.struts.chain.commands.AbstractExecuteAction.execute(AbstractExecuteAction.java:67)
     at org.apache.struts.chain.commands.ActionCommandBase.execute(ActionCommandBase.java:51)
     at org.apache.commons.chain.impl.ChainBase.execute(ChainBase.java:191)
     at org.apache.commons.chain.generic.LookupCommand.execute(LookupCommand.java:305)
     at org.apache.commons.chain.impl.ChainBase.execute(ChainBase.java:191)
     at org.apache.struts.chain.ComposableRequestProcessor.process(ComposableRequestProcessor.java:283)
     at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1913)
     at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:462)
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
     at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
     at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
     at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:300)
     at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
     at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
     at com.thortech.xl.webclient.security.CSRFFilter.doFilter(CSRFFilter.java:76)
     at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
     at oracle.iam.platform.auth.web.PwdMgmtNavigationFilter.doFilter(PwdMgmtNavigationFilter.java:121)
     at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
     at oracle.iam.platform.auth.web.OIMAuthContextFilter.doFilter(OIMAuthContextFilter.java:107)
     at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
     at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:111)
     at java.security.AccessController.doPrivileged(Native Method)
     at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:313)
     at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:413)
     at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:94)
     at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:161)
     at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71)
     at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
     at oracle.dms.servlet.DMSServletFilter.doFilter(DMSServletFilter.java:136)
     at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
     at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27)
     at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
     at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3715)
     at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3681)
     at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
     at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
     at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2277)
     at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2183)
     at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1454)
     at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
     at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)

Hello
1. Download the latest version of Connector Server.
2. Stop OIM
3. Take from Connector Server Distr:
connector-framework.jar
connector-framework-internal.jar
to
$XEL_HOME\apps\oim.ear\APP-INF\lib
$XEL_HOME\ext\internal
4. Delete temporary cached libs from:
$DOMAIN_HOME\servers\$WEBLOGIC_NAME\tmp\_WL_user\oim_11.1.2.0.0\*
5. Start OIM-server
Записки на полях внедрения: java.lang.NoSuchFieldError: CURRENT_ATTRIBUTES

OIM Design Console Internal error while updating task attributes

Hi All,
I have installed OIM9101 on jboss, the set up is running fine. I am in the process of integrating a OID connector following steps given OID connector guide. In design console(Administration-->Task Scheduler) while modifying "OID Group Lookup Reconciliation Task" attributes, attribute value is not getting saved. When i click on save option it shows a pop up windows saying "problem in updating task attributes. update failed."
Any solution for this??.. Please help.
Thanks in Advance.
Edited by: VAYANAKA on Nov 26, 2010 10:48 PM

Thank you for the reply..I have tried to create a new scheduled task. But while saving it again an Internal error pop up window comes saying " Description:Could not execute database read.The database encountered a problem with the specified SQL Query.Remedy: Check the database query.Contact your system administrator."..
Is it any problem with my database.? I have checked database, its up and running??
Thanks In advance.

AD Group Membership revoked on adding new group through role and acespolicy

Hi all,
when a user is created in OIM, it is provisioned with Default Role say CONTRACTS which will provision AD Account and a default AD group membership.
when I assign a new role membership say BILLING, to assign additional AD group memberships through access policies, it is removing the default AD group membership from the user. But still the user is having both the roles CONTRACTS and BILLING.
The ootb AD task, remove user from group is triggered.
The problem is happening only in Testing environment.
In development envi it is working fine.
it is not removing the default group memberships.
any ideas? thoughts? which I need to check.
my oim server is 11.1.1.3.0, with weblogic setup.
Edited by: Venu on Dec 2, 2011 1:06 PM

Do one thing:
Take New User
Assign First BILLING
Assign Second Group
And then ASSIGN CONTRACT
Update the results.
It is happening in one env so you might have done some configuration or it could be env issue as well.

OIM 10G OID user account / group membership reconciliation

Hello
I have an OID environment that is used for OAM access to applications within the environment. I need to be able to reconcile users from OID into OIM along with their group membership so that roles for users are maintained and updated. I have ORM integrated within the environment so entitlements would need to flow to orm to document that users are members of a role / OIM group. Not sure if this is possible through the trusted reconciliation or if there is a user / group target reconciliation that can be used for this. Any help you can give for this would be appreciated.
Thanks

When i use ADCS timestamp as 0 (to capture changes from the beginning and not necessarily after the group change event occured on the AD side) and run AD user target recon this is getting updated. Is this correct and if so how can i always default ADCS timestamp as 0 in the scheduled task and are there any side effects for this sort of approach.
Prasad.
Edited by: Prasad on Nov 7, 2011 12:31 PM

Pre-Populate group membership details while provision

Hi,
We are using AD Connector 9.1.0.1 to provision OIM user to ADAM.
While provision I need to pre-populate group membership details of user like other user attributes.
Is it possible to do this using pre-populate adapter; if so then please provide us details to do this or is there any other approach to achieve this?
-Hardew

Can you explain the FormInstanceOpsIntf piece in a little more detail? I'm having a similar issue as the other two posters above, except mine is with OID.
1) So focusing first on just creating the adapter...
a. Create a new adapter of type Entity.
b. Create the adapter variables here???
-> Three variables of type long, and one of type object???
c. Add an adapter task
-> Type: Utility Task -> Oracle Identity Manager Api
-> New Object Instance
-> Task Name: <not important>
??? (is this correct) -> Application API - Thor.API.Operations.tcFormInstanceOperationsIntf
??? (is this correct) -> Methods - 17. public abstract long Thor.API.Operations.tcFormInstanceOperationsIntf.addProcessFormChildData(long,long,java.util.Map)
d. Complete the Parameter Data Mapping
-> Input: long - ??? (what to map here?)
-> Output: long - ??? (what to map here?)
-> Input: long - ??? (what to map here?)
-> Input: java.util.Map - ??? (what to map here?)
2) After the adapter is created, I will look up the "OID User" form in the Data Object Manager, and add the adapter I created under "Post-Insert".
Thanks!

Invoke an adapter on change of User's Group Membership details

Hi
I need to invoke an adapter on change of User’s Group Membership details. I am not able to figure out from where I can invoke my adapter.
Does anyone have any idea about this?
-- Another Question: what is the purpose of having “tcUSRautoGroupMembership” in User’s Object Form on Post Update. It would be nice if you give some details about this task.
-Hardew

Thanks for quick response.
What you have mentioned, is applicable for a specific value of a user’s OIM Profile filed; that means it will triggered only if a user has specified value i.e. "blah blah" for that field i.e. fieldA.
However my scenario is slightly different. Let me explain my scenario by example:-
I have N numbers of OIM groups i.e. g1, g2, g3, g4……, gn and a user called myUser. This user is a member of two groups’ g1 and g2, now if I make myUser to member of one more group i.e. g3 or remove i.e. g1; then I want to perform a custom task using adapter on this Group Membership change.
Is there any “Data Object Form” where I can associate my adapter on post-update to detect change of User’s Group Membership?
_hardew

OIM: Error while updating Task Attributes

Hi All,
I am trying to use PeopleSoft User Management using OIM connector.
I am facing an error saying "problem in updating Task Attributes" while scheduling a task on OIM design Console. I am trying to update and save PSFT Base Non Trusted User Reconciliation. following is the log message displayed in server command prompt.
ERROR,11 Apr 2008 05:02:53,287,[XELLERATE.SERVER],Class/Method: tcTSA/eventPostU
pdate encounter some problems: problem in updating Task Attributes
com.thortech.xl.scheduler.exception.SchedulerGenericException: problem in updati
ng Task Attributes
at com.thortech.xl.scheduler.core.quartz.QuartzSchedulerImpl.updateTaskA
ttributes(Unknown Source)
at com.thortech.xl.scheduler.ejb.SchedulerControllerBean.updateTaskAttri
butes(Unknown Source)
at com.thortech.xl.scheduler.beans.SchedulerControllerSession.updateTask
Attributes(Unknown Source)
at com.thortech.xl.scheduler.beans.SchedulerController_z4f4d2_EOImpl.upd
ateTaskAttributes(SchedulerController_z4f4d2_EOImpl.java:478)
at com.thortech.xl.scheduler.beans.SchedulerController_z4f4d2_EOImpl_CBV
.updateTaskAttributes(Unknown Source)
at com.thortech.xl.dataobj.tcTSA.eventPostUpdate(Unknown Source)
at com.thortech.xl.dataobj.tcDataObj.update(Unknown Source)
at com.thortech.xl.dataobj.tcDataObj.save(Unknown Source)
at com.thortech.xl.dataobj.tcTableDataObj.save(Unknown Source)
at com.thortech.xl.ejb.databeansimpl.tcDataObjectBase.save(Unknown Sourc
e)
at com.thortech.xl.ejb.beans.tcTSA_u3xmy2_EOImpl.save(tcTSA_u3xmy2_EOImp
l.java:1437)
at com.thortech.xl.ejb.beans.tcTSA_u3xmy2_EOImpl_WLSkel.invoke(Unknown S
ource)
at weblogic.rmi.internal.activation.ActivatableServerRef.invoke(Activata
bleServerRef.java:90)
at weblogic.rmi.internal.BasicServerRef$1.run(BasicServerRef.java:434)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(Authenticate
dSubject.java:363)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:
147)
at weblogic.rmi.internal.BasicServerRef.handleRequest(BasicServerRef.jav
a:429)
at weblogic.rmi.internal.BasicExecuteRequest.execute(BasicExecuteRequest
.java:35)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:224)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:183)
Caused by [Nested Exception]:
java.lang.NullPointerException
at com.thortech.xl.scheduler.core.quartz.QuartzSchedulerImpl.updateTaskA
ttributes(Unknown Source)
at com.thortech.xl.scheduler.ejb.SchedulerControllerBean.updateTaskAttri
butes(Unknown Source)
at com.thortech.xl.scheduler.beans.SchedulerControllerSession.updateTask
Attributes(Unknown Source)
at com.thortech.xl.scheduler.beans.SchedulerController_z4f4d2_EOImpl.upd
ateTaskAttributes(SchedulerController_z4f4d2_EOImpl.java:478)
at com.thortech.xl.scheduler.beans.SchedulerController_z4f4d2_EOImpl_CBV
.updateTaskAttributes(Unknown Source)
at com.thortech.xl.dataobj.tcTSA.eventPostUpdate(Unknown Source)
at com.thortech.xl.dataobj.tcDataObj.update(Unknown Source)
at com.thortech.xl.dataobj.tcDataObj.save(Unknown Source)
at com.thortech.xl.dataobj.tcTableDataObj.save(Unknown Source)
at com.thortech.xl.ejb.databeansimpl.tcDataObjectBase.save(Unknown Sourc
e)
at com.thortech.xl.ejb.beans.tcTSA_u3xmy2_EOImpl.save(tcTSA_u3xmy2_EOImp
l.java:1437)
at com.thortech.xl.ejb.beans.tcTSA_u3xmy2_EOImpl_WLSkel.invoke(Unknown S
ource)
at weblogic.rmi.internal.activation.ActivatableServerRef.invoke(Activata
bleServerRef.java:90)
at weblogic.rmi.internal.BasicServerRef$1.run(BasicServerRef.java:434)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(Authenticate
dSubject.java:363)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:
147)
at weblogic.rmi.internal.BasicServerRef.handleRequest(BasicServerRef.jav
a:429)
at weblogic.rmi.internal.BasicExecuteRequest.execute(BasicExecuteRequest
.java:35)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:224)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:183)
ERROR,11 Apr 2008 05:02:53,287,[XELLERATE.SERVER],Class/Method: tcDataObj/save E
rror :Data Update Failed
ERROR,11 Apr 2008 05:02:53,302,[XELLERATE.DATABASE],Class/Method: tcDataBase/rol
lbackTransaction encounter some problems: Rollback Executed From
java.lang.Exception: Rollback Executed From
at com.thortech.xl.dataaccess.tcDataBase.rollbackTransaction(Unknown Sou
rce)
at com.thortech.xl.dataobj.tcDataObj.rollback(Unknown Source)
at com.thortech.xl.dataobj.tcDataObj.doRollback(Unknown Source)
at com.thortech.xl.dataobj.tcDataObj.save(Unknown Source)
at com.thortech.xl.dataobj.tcTableDataObj.save(Unknown Source)
at com.thortech.xl.ejb.databeansimpl.tcDataObjectBase.save(Unknown Sourc
e)
at com.thortech.xl.ejb.beans.tcTSA_u3xmy2_EOImpl.save(tcTSA_u3xmy2_EOImp
l.java:1437)
at com.thortech.xl.ejb.beans.tcTSA_u3xmy2_EOImpl_WLSkel.invoke(Unknown S
ource)
at weblogic.rmi.internal.activation.ActivatableServerRef.invoke(Activata
bleServerRef.java:90)
at weblogic.rmi.internal.BasicServerRef$1.run(BasicServerRef.java:434)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(Authenticate
dSubject.java:363)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:
147)
at weblogic.rmi.internal.BasicServerRef.handleRequest(BasicServerRef.jav
a:429)
at weblogic.rmi.internal.BasicExecuteRequest.execute(BasicExecuteRequest
.java:35)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:224)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:183)
I am facing above error when try to update any task in the task scheduler.
Can anyone please suggest me where i am going wrong?
Thanks,
Uma.

I would assume you are missing the jar file for your scheduled tasks. Try and create a new scheduled task with the same class name, if it won't let you save, this is your answer. You'll want to make sure you have the connector scheduled task file in the ScheduleTask folder in your OIM directory.
-Kevin

Install Updates task not working during Build and Capture in SCCM 2012

Working with a new SCCM 2012 installation.
We are trying to get a Build and Capture TS to install all updates for Win7SP1.
All packages are deployed to DP, build and cap machine is in a collection with all updates deployed to it. Agent installation parameters include "SMSMP" "SMSSLP" parameters. Machine is not being attached to the domain during OS install.
Updates can be pushed to existing domain machines, so obviously the updates themselves are working.
The task sequence works correctly to install the image, but "Install Updates" task just sits there and eventually times out. (No indication of updates being installed.) If this task is working, shouldn't I see a Downloading Updates progress bar, or was that
eliminated from 2012?

Same issue for me except I'm running 2012 R2 my B&C runs forever on Install Software Updates, eventually just rebooting and coming back to the login screen of Windows 7 without ever finishing the Install Updates.
Been working on it litteraly for weeks.
1- Tried adding .Net 4.52 as an application installation thinking maybe it would resolve the issue
2- Tried installing via Run Command Line + DISM all hotfixes that require 2 reboots as per (https://support.microsoft.com/en-us/kb/2894518)
3- Tried to simply REMOVE the same hotfixes from my Software Update Groups alltogether.
4- Injected all applicable software updates through Offline Servicing in the SCCM Console (Schedule Updates) on the Windows 7 DVD wim file. That way my logic was that once it would hit the Software Updates, there would be a lot less to install.
I'm at the point where I had to open a case with Microsoft Premier Support as of yesterday. So, nothing new to report yet. But yes, this is a true pain in the ***.
For the sake of comparison, I am running 4 Update Groups: one containing patches up to 2012. Another one for 2013, 2014 and 2015. I have patches for Windows 7 + Office of all categories except Service Packs.
If someone has any ideas, feel free to chime in.

AD Group Membership with User From Domain Outside of Forest

Here's one to twist your brain around -
I have kerberos authentication using Active Directory working between a client's web browser and my web-app hosted in JBoss. I also have limited authorization working by checking group memberships using LDAP. This currently only works if all users are in the same domain. The ever-helpful adler_steven has detailed in another thread (http://forum.java.sun.com/thread.jspa?threadID=603815&tstart=15) how to do a group membership check for all Users/Groups in a single forest using the Global Context.
I need to go beyond the domain and even beyond the forest and try to authorize a user from a trusted domain by checking if the user is a member of a group in my domain. Authentication works fine using kerberos. It's the authorization by group check I am having trouble with. I believe there are two ways to approach this:
Approach #1
Access the MS-specific PAC in the kerberos token from the client to get the group SIDs. The structure of the PAC is nicely defined in this article: http://appliedcrypto.com/spnego/pac/ms_kerberos_pac.html. However, I have no idea how to access the decrypted token. I pass the encrypted token that I receive from the browser to myGssContext.acceptSecContext(...) to complete the authentication.
Question: Does anyone know how to get the decrypted kerberos ticket from there, specifically the authorization-data field?
Approach #2
Try to walk through the Active Directory structures in both domains using LDAP. In the domain group that I am checking, I can see a member attribute that references a foreignSecurityPrincipal object. The CN of this object happens to be the objectSID of the user I am looking for in the remote domain. Unfortunately, I have to check the remote domain server directly to verify that. The foreignSecurityPrincipal object itself does not contain any hint about what user it refers to aside from the SID (no originalDomainName attribute or something similar). It is feasible that I could walk the chain of references back to the remote domain AD server. That would require that my configuration include a list of remote domain servers to check (since I could have users from multiple trusted domains) and that my JBoss server have access to those servers.
Question: Does anyone know of some other LDAP-related way of finding information about a user from a remote, trusted domain without having to hit the server for that domain directly?
adTHANKSvance
Eric

You should be able to work back from the foreignSecurityPrincipal object :-) He says with a wry smile..
This post prompts me to think whether one day someone will draw the entity relationship diagram for AD. Oh well, I've been procrastinating for years, a few more won't hurt !
If it was a user from within the same forest, you should just be able to perform a search against a GC using the objectSID as the search filter. I've forgotten, but I don't think they will be represented as foreign security principals.
Have a look at the post titled JNDI, Active Directory and SID's (Security Identifiers) available at
http://forum.java.sun.com/thread.jspa?threadID=585031&tstart=150 that describes how to search for an object based on their SID.
Now if it is a user from another forest, with which you have a trust relationship, then we begin the navigation excercise.
You'll need obtain the user's SID (either from the cn or from the objectSID attributes) from the foreignSecurityPrincipal object. For example CN=S-1-5-21-3771862615-1804478405-1612909269-2143,CN=ForeignSecurityPrincipals,DC=antipodes,DC=com
objectSID=S-S-1-5-21-3771862615-1804478405-1612909269-2143Then obtain the domain RID, eg.S-1-5-21-3771862615-1804478405-1612909269Next you will have to recurse each of the crossRef objects in the Partitions container, in the configuration naming context (which you will find listed in the RootDSE). The crossref objects that represent trusted domains or forests will have values for their trustParent attributes. A sample query would be something like//specify the LDAP search filter
String searchFilter = "(&(objectClass=crossRef)(trustParent=*))";
//Specify the Base for the search
String searchBase = "CN=Partitions,CN=Configuration,DC=antipodes,DC=com";For each crossRef object, you can then use the dnsRoot attribute to determine the dns domain name of the forest/domain (if you want to later use dns to search for the dns name,ip address of the domain controllers in the trusted domains/forests), and then use the nCName attribute to determine the distinguished name of the trusted forest/domain.dnsRoot = contoso.com
ncName = dc=contoso,dc=comPerform another bind to the ncName for the trusted domain/forest and retrieve the objectSID attribute, which will be the domain's RID. You may want to cache this information as a lookup table to match domain RID's with domain distingusihed names and dns names.String ldapURL = "ldap://contoso.com:389";
Attributes attrs = ctx.getAttributes("dc=contoso,dc=com");
System.out.println("Domain SID: " + attrs.get("objectSID").get());Once you find out which domain matches the RID for the foreignSecurityPrincipal, you can then perform a search for the "real user" .And then finally you should have the user object that represents the foreign security principal !
Just one thing to note. Assume that CONTOSO and ANTIPODES are two separate forests. If you bind as CONTOSO\cdarwin against the CONTOSO domain, the tokenGroups attribute (which represents teh process token) will contain all of the group memberships of Charles Darwin in the CONTOSO domain/forest. It will not contain his memberships if any, of groups in the ANTIPODES forest. If Charles Darwin accesses a resource in ANTIPODES, then his process token used by the ANTIPODES resource will be updated with his group memberships of the ANTIPODES forest. Also you can have "orphaned foreignn security principal", where the original user object has been deleted !
BTW, If I was doing this purely on Windows, IIRC, you just use one API call DsCrackNames, to get the "real user", and then the appropriate ImpersonateUser calls to update the process token etc..
Good luck.

Group Membership Update Task -AD Connector 11g

Similar Messages

Maybe you are looking for