HT4837 3rd Party LDAP users in local groups aren't recognized by wiki

Having followed the KB article on setting up wiki webauth to allow 3rd party LDAP users to authenticate (http://support.apple.com/kb/HT4837), I have found that while individual users can be given permissions to access certain wikis, LDAP users placed into local groups cannot.  Is this a bug?
To be more specific:
- Directory Access setup to allow authentication from LDAP server (this works fine for all other services like File Sharing)
- Directions followed in the KB article which basically enables plain text authentication and turns off inline login window (http://support.apple.com/kb/HT4837)
- Local groups created in Server.app -- Accounts -> Groups
- LDAP users placed into those local groups
- Services like file sharing recognize proper permissions based on the groups the LDAP users are in
- Configure a wiki to allow access from a single LDAP user (Gear Icon -> Wiki Settings...) ... this works fine
- Configure a wiki to allow access from the local groups containing LDAP users (again, Gear Icon -> Wiki Settings) ... this appears like it is going to work, but it in fact will fail to give permissions to LDAP users of the respective group upon that user's login.  A local user (Server.app -> Accounts -> Users) added to one of these local groups with LDAP people in it works fine and receives proper access to the wiki as expected.
Any ideas before I submit this as a bug?

Similar Messages

  • Map security roles to group within LDAP using external 3rd Party LDAP

    I'm having a problem mapping my logical role defined in my web.xml to a role within Active Directory. I'm currently authenticating using Active Directory successfully; however, after the user is authenticated I get a message from the OC4J container that my role cannot be found. Can you map a logical role to a group within Active Directory? Below are details about my configuration.
    Any help would be greatly appreciated.
    Log.xml log entry that confirms webtA is communicating successfully with AD.
    <MSG_TEXT>JAAS-LDAPLoginModule: authenticating user wmgraham</MSG_TEXT>
    </PAYLOAD>
    </MESSAGE>
    <MESSAGE>
    <HEADER>
    </CORRELATION_DATA>
    <PAYLOAD>
    <MSG_TEXT>JAAS-LDAPLoginModule: DN for user wmgraham is cn=wmgraham,ou=endusers,ou=itod,ou=endusers,ou=div20,ou=hq,dc=fbinet,dc=fbi</MSG_TEXT>
    </PAYLOAD>
    </MESSAGE>
    <MESSAGE>
    <HEADER>
    Error reported in the log
    <MESSAGE>
    <HEADER>
    <TSTZ_ORIGINATING>2008-08-27T11:38:05.991-04:00</TSTZ_ORIGINATING>
    <COMPONENT_ID>j2ee</COMPONENT_ID>
    <MSG_TYPE TYPE="TRACE"></MSG_TYPE>
    <MSG_LEVEL>16</MSG_LEVEL>
    <HOST_ID>F2287032-W</HOST_ID>
    <HOST_NWADDR>30.30.16.14</HOST_NWADDR>
    <MODULE_ID>security</MODULE_ID>
    <THREAD_ID>14</THREAD_ID>
    <USER_ID>wmgraham</USER_ID>
    </HEADER>
    <CORRELATION_DATA>
    <EXEC_CONTEXT_ID><UNIQUE_ID>30.30.16.14:59560:1219851485804:6</UNIQUE_ID><SEQ>0</SEQ></EXEC_CONTEXT_ID>
    </CORRELATION_DATA>
    <PAYLOAD>
    <MSG_TEXT>for group=[JAZNGroupAdaptor: webta] there's no matching role found.</MSG_TEXT>
    </PAYLOAD>
    </MESSAGE>
    Web.xml Logical Role definition
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>allpages</web-resource-name>
    <url-pattern>/servlet/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
    <role-name>WEBTA_J2EE_USER</role-name>
    </auth-constraint>
    </security-constraint>
    <security-role>
    <role-name>WEBTA_J2EE_USER</role-name>
    </security-role>
    Orion-web.xml This file maps the logical role defined in webxml to a group within Active Directory.
    <security-role-mapping name="WEBTA_J2EE_USER">
    <group name="webta"/> <!-- Group defined in AD -->
    </security-role-mapping>

    What is the name of the group in AD (provide the DN) that you want to map the j2ee logical role WEBTA_J2EE_USER? What are the group search base and group mapping attribute?
    When wmgraham logs into the app, the 3rd party ldap login module will attempt to query for the groups wmgraham is a member of - this is done using the group search base configuration for the provider.
    In this example, the DN is "cn=wmgraham,ou=endusers,ou=itod,ou=endusers,ou=div20,ou=hq,dc=fbinet,dc=fbi" and likely user search base is set to "ou=endusers,ou=itod,ou=endusers,ou=div20,ou=hq,dc=fbinet,dc=fbi".
    Assuming the group search base is (say) "ou=groups,ou=itod,ou=endusers,ou=div20,ou=hq,dc=fbinet,dc=fbi" and the group mapping attr is "cn", then the role mapping you mention should work for group DN "cn=webta,ou=groups,ou=itod,ou=endusers,ou=div20,ou=hq,dc=fbinet,dc=fbi"

  • User can't see some OID entry from 3rd party ldap browser but OAM?

    Hi All,
    After trying to apply access control to some OID entry, the user then can't see that entry from a 3rd party LDAP browser, and this is expected behavior, but why can the same user see that entry from the user management interface of OAM?
    Regards,
    Makson

    Hi Makson,
    OAM's Identity Server binds to OID as a single user* (typically an OID admin, even orcladmin) and applies only those acl's that have been defined within OAM. So when you login to OAM as end-user X, the Identity Server (eg orcladmin) checks to see what rights within OAM have been defined for User X - but in this scenario any rights defined within OID are not applied to user X. By default, OAM end-users have no access to information in ldap (although the OAM Admins have full access by default).
    Regards,
    Colin
    *Depending on how you are accessing OAM, you may see extra binds in the OID logs when the end-users actually login to OAM.

  • 3rd party LDAP security provider problem

    I'm having an issue that when I've deployed my j2ee application to Oracle AS 10g rel3 app server, the security-constraint I've configured in my web.xml file isn't being obeyed, or at least it doesn't appear to be.
    As part of the deployment process I've configured a 3rd party LDAP server as the security provider. As for mapping groups to roles, I've set it such that all users and groups should be mapped to the role AuthorisedUser - my intention is that for any protected URLs defined in the web.xml, the user should be redirected to a login page as defined in the web.xml file as well (I'm using FORM based authentication in the login-config) - but after they are logged in they will be assigned the role of AuthorisedUser.
    The following is being written to the orion-application.xml file
    <security-role-mapping name="AuthorisedUser" impliesAll="true" />
    What I'm observing is that users aren't being challenged when they hit a secured url-pattern. Is this as a result of the impliesAll="true" attribute ?

    I found that the <security-role-mapping> element is not functioning correctly for 10.1.3.4 OC4J LDAP authentication. I saw in the log.xml that I was getting authenticated but it wasn't finding the role-group map.
    I changed the role-name in the web.xml to be the exact same thing as the group in LDAP and that fixed that problem.
    I know the original poster has gone past this problem, but for people in the future, I hope this helps.
    Now my problem is the j_security_check... once I'm authenticated, the browser ends up at http://hostname:port/OrderManagement/j_security_check instead of the application page. Any ideas?
    Thanks,
    David

  • Migration of EmbeddedLDAP to 3rd Party LDAP

    Hi,
    Is it possible to migrate the complete authentication process of EmbeddedLDAP
    used by Weblogic 8.1 to any 3rd Party LDAP system ? Even the system user (default
    user : weblogic created during the domain setup) authentication should happen
    on a 3rd Party LDAP system. EmbeddedLDAP can at the most act as a bridge between
    Weblogic 8.1 and 3rd Party LDAP system. Is there any solution to this problem?
    Thanks in advance.
    Mandar

    I do not believe there are any restrictions on removing the default authenticator.
    When you boot the server make sure the user/pass is valid in the 3rd party LDAP
    and they have the proper admin/oper privileges to boot the server.
    You might want to configure the server with two authenticators first to verify
    you can successfully authenticate to the 3rd party LDAP before removing the default
    authenticator.
    -Craig

  • 3rd party LDAP JAZN configuration

    Hey,
    I've been struggling with the jazn configuration of a 3rd party LDAP (Sun One) server. I've followed the Oracle 10AS documentation on creating the <jazn-loginconfig> element and there is an example template for sun one in the Oracle 10 AS. What about the <jazn-policy> and <jazn-realm> elements? Are these necessary or are these just required when you are using just the XML file itself and not LDAP? What other files besides jazn-data.xml need to be modified?
    Thanks

    Ok, a bit of progress...
    I turned on jazn logging and got the following exception:
    05/09/19 16:05:02 JAAS: LoginConfigProvider: JAZNConfig=[JAZNConfig file:[bpel home]BPELPM_2/integration/orabpel/system/appserver/oc4j/j2ee/home/config/jazn.xml]
    05/09/19 16:05:02 JAAS: LoginConfigProvider=oracle.security.jazn.spi.xml.XMLLoginModuleManager@de5cd9
    05/09/19 16:05:02 No Login Module configured for application [deployed app name]. Using default Login Module, RealmLoginModule.
    05/09/19 16:05:02 javax.security.auth.login.LoginException: No LoginModules configured for oracle.security.jazn.oc4j.JAZNUserManager
    05/09/19 16:05:02 at javax.security.auth.login.LoginContext.init(LoginContext.java:189)
    05/09/19 16:05:02 at javax.security.auth.login.LoginContext.<init>(LoginContext.java:404)
    05/09/19 16:05:02 at oracle.security.jazn.oc4j.OC4JUtil.getLoginContext(Unknown Source)
    05/09/19 16:05:02 at oracle.security.jazn.oc4j.GenericUser$1.run(Unknown Source)
    05/09/19 16:05:02 at oracle.security.jazn.oc4j.OC4JUtil.doWithJAZNClsLdr(Unknown Source)
    05/09/19 16:05:02 at oracle.security.jazn.oc4j.GenericUser.authenticate(Unknown Source)
    05/09/19 16:05:02 at oracle.security.jazn.oc4j.FilterUser.authenticate(Unknown Source)
    05/09/19 16:05:02 at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:614)
    05/09/19 16:05:02 at com.evermind.server.http.HttpRequestHandler.run(HttpRequestHandler.java:270)
    05/09/19 16:05:02 at com.evermind.server.http.HttpRequestHandler.run(HttpRequestHandler.java:112)
    05/09/19 16:05:02 at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:192)
    05/09/19 16:05:02 at java.lang.Thread.run(Thread.java:534)
    05/09/19 16:05:02 Authentication: FAILED.
    05/09/19 16:05:02 JAAS-OC4J: Authentication failure for user: [username]
    05/09/19 16:05:02 No Login Module configured for application [app name] Using default Login Module, RealmLoginModule.
    05/09/19 16:05:02 javax.security.auth.login.LoginException: No LoginModules configured for oracle.security.jazn.oc4j.JAZNUserManager

  • Remotely add Domain User to local group

    I've been playing with this for some time, and I seem to be missing something.  I am trying to develop a script that reads an XML file containing a list of computers, local groups, and names of domain users (and computers) to be added to the local groups.  I would like to be able to run this from a management workstation.
    I've been working from these two posts.
    http://blogs.technet.com/b/heyscriptingguy/archive/2010/08/19/use-powershell-to-add-domain-users-to-a-local-group.aspx
    http://blogs.technet.com/b/heyscriptingguy/archive/2008/03/11/how-can-i-use-windows-powershell-to-add-a-domain-user-to-a-local-group.aspx
    It appears that the command $objGroup = [ADSI]("WinNT://atl-fs-001/Administrators") only works locally.  I have not been able to figure out any format that allows me to get the information remotely.  So I figured I would use Invoke-Command to execute the two lines of code remotely.
    Invoke-Command -ComputerName RemoteServer {
    $de = [ADSI]"WinNT://RemoteServer/Administrators,Group"
    $de.psbase.invoke("Add",([ADSI]"WinNT://Domain/User").path)
    }
    (I am trying it first with fixed, valid values - change to variables when I get things figured out.)  That gave me the error:
    Exception calling "Invoke" with "2" argument(s): "Number of parameters specified does not match the expected number."
    +CategoryInfo :NotSpecified: (:) [], MethodInvocationException
    +FullyQualifiedErrorID :DotNetMethodTargetInvocation
    +PSComputerName :RemoteServer
    I need help on what to try next.
    Thanks.
    . : | : . : | : . tim

    The ADSI commands work remotely as long as you are an administrator on the domain.
    Invoke-Command only works on systems set up for WinRM remoting and if you are an Administrator on the domain.
    Normally we would use AD and GP to add users to local groups.
    Your script is also incorrect.  This is the correct template.
    $remotepc='somepc'
    $de=[ADSI]"WinNT://$remotepc/Administrators,Group"
    $de.Add("WinNT://Domain/User")
    You should never add the user to the admin group.  It is a formula for disaster.
    ¯\_(ツ)_/¯
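    A worked version of the XML-driven script the question describes, added here as an example and not code from the thread. It assumes WinRM is enabled on the targets and that the caller is a local administrator on each of them; the computer, group and account names in the constructed XML are placeholders. Following the answer's warning, it targets a less privileged group than Administrators, and it skips members that are already present so it can be re-run safely.

```powershell
# Constructed input: computers, the local group on each, and the domain
# principals to add. Names are placeholders. Single-quoted here-string so
# the trailing '$' of the computer account is not expanded.
[xml]$plan = @'
<Plan>
  <Computer Name="RemoteServer">
    <Group Name="Remote Desktop Users">
      <Member>CONTOSO\jdoe</Member>
      <Member>CONTOSO\WEBSERVER01$</Member>
    </Group>
  </Computer>
</Plan>
'@

foreach ($computer in $plan.Plan.Computer) {
    foreach ($group in $computer.Group) {
        # @() so a single <Member> element is still an array.
        $members = @($group.Member)

        # The [ADSI] WinNT provider has to run on the target itself, so the
        # group name and member list are shipped in as scriptblock arguments.
        Invoke-Command -ComputerName $computer.Name -ArgumentList $group.Name, $members -ScriptBlock {
            param([string]$GroupName, [string[]]$Members)

            $de = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"

            # Current members as ADsPaths (e.g. WinNT://CONTOSO/jdoe). Adding
            # a member that is already present throws, so check first.
            $existing = @($de.psbase.Invoke('Members') | ForEach-Object {
                $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
            })

            foreach ($m in $Members) {
                $domain, $account = $m -split '\\', 2
                $path = "WinNT://$domain/$account"
                if ($existing -contains $path) {
                    "$env:COMPUTERNAME : $m already in $GroupName"
                    continue
                }
                # IADsGroup::Add takes the member's ADsPath; no psbase.Invoke needed.
                $de.Add($path)
                "$env:COMPUTERNAME : added $m to $GroupName"
            }
        }
    }
}
```

    The "Number of parameters" error in the question comes from calling Add through psbase.Invoke; calling $de.Add() directly, as the answer shows, takes exactly one ADsPath string. On Windows Server 2016 / PowerShell 5.1 and later the Microsoft.PowerShell.LocalAccounts module's Add-LocalGroupMember cmdlet can replace the [ADSI] lines inside the scriptblock, but it still has to run on the target, so the Invoke-Command wrapper stays the same.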

  • Error using 10.1.3 Security Provider:3rd party LDAP or Custom Login Module

    Hello all,
    After deploying my JSF/ADF application using Jdeveloper 10.1.3 to Oracle Application Server 10.1.3, I used the Application Server control to change the 'Security Provider' configuration:
    1. Using 3rd Party LDAP Provider (Novell eDirectory)
    I get the following error when restarting the application with the new config.
    06/06/21 16:42:32 Error while configuring security provider MBean for application AccessList
    06/06/21 16:42:32 java.lang.ClassNotFoundException: oracle/security/jazn/jmx/CustomLDAPSecurityProvider
    2. Using Custom Login Module (again programmatically talks to eDirectory and it works in UIX/10.1.2 application)
    I get the following error when restarting the application with the new config.
    06/06/21 14:31:19 Error while configuring security provider MBean for application AccessList
    06/06/21 14:31:19 java.lang.ClassNotFoundException: oracle/security/jazn/jmx/LoginModuleSecurityProviderAlso, I get this error with both the settings..
    06/06/21 14:31:19 WARNING: Application.setConfig Application: AccessList is in failed state as initialization failedjava.lang.
    InstantiationException
    Jun 21, 2006 2:31:19 PM com.evermind.server.Application setConfig
    WARNING: Application: AccessList is in failed state as initialization failedjava.lang.InstantiationException
    06/06/21 14:31:19 java.lang.InstantiationException
    06/06/21 14:31:19       at com.evermind.server.ApplicationStateRunning.initDataSources(ApplicationStateRunning.java:1424)
    06/06/21 14:31:19       at com.evermind.server.ApplicationStateRunning.initializeApplication(ApplicationStateRunning.java:195)
    java.lang.ClassNotFoundException error leads me to believe, I am just missing to include some libraries..
    I have included "bc4j.security" in my web project and I am not sure if that is what is needed!
    Will appreciate your help..
    Thanks,
    Karthik

    The problem I had with my Custom login module was that JDeveloper includes the datasources listed in the connection tab.
    When JDeveloper does that it writes the username and password in the jazn-data.xml. But with the Custom Login module the reference in the data-source declaration cannot find the password. That's why I got the InstantiationException at the initDataSources point.
    In tools>preferences>deployment you can uncheck the option:
    Bundle Default data-sources.xml During Deployment.
    The problem with this is that when I specify a datasource in the data-sources.xml I included myself, JDeveloper will also put the datasources under the Connections tab in the data-sources.xml.
    Does anyone know how to stop JDeveloper putting the datasources automatically in the file, or how to prevent JDeveloper storing the password in jazn-data.xml?

  • 3rd Party End User Portal Offerings

    Just wondering if anyone is aware of any 3rd party end user portal offerings.
    The out of the box one does not provide the look & feel we are after (too "industrial" & IT-like) for our clients, so I was interested in any 3rd party off the shelf offerings that may be available. We are a small, non-Sharepoint IT environment, so customising the out-of-box version would not be the preferred option. We would be greatly interested in a more "client friendly" offering as delivered by many of the other service management tool vendors. We would also prefer to have a non-Sharepoint version if one exists.
    Another key feature that we would be after is for the incident/service logging to be integrated with the knowledgebase so suggestions are presented as the client enters the title of their issue. I've seen this in the client portal offering of a number of other service management products and it is a great feature. Effectively it can provide an answer to the client without them having to log a ticket.
    Any advice or suggestions would be greatly appreciated.

    The master pages of SharePoint are locked by Microsoft, so I kind of doubt anyone has any custom portals for you.
    However you can obviously easily change the colours, title and image logo etc via Site Actions \ Site Settings. I'm not a SharePoint expert but this is very little effort and any IT person can manage that. But if you say wanted to move the menu to a top frame menu, you can't.
    To remove that Need Help bit and replace it, refer to this easy to follow blog post by the SCSM engineering team:
    http://blogs.technet.com/b/servicemanager/archive/2012/02/06/customizing-the-scsm-2012-self-service-portal-how-do-i-change-the-need-help-or-description-text.aspx
    I think your entering Title functionality with Help Article suggestions would be a great feature, same as here on the Technet forums, but I cannot see that anyone would have been able to create that functionality in SCSM with the portal. Maybe in future versions, but I wouldn't hold my breath.
    SCSM 2012 is not a quick out of the box product that you just install and off you go in a day; it takes a fair bit of configuring for the portal, ROs, SLAs etc. If you are a small IT consultancy with small to medium businesses as your market, I might go so far as to say this is not the product for you. But that is just my personal opinion.

  • Trying to create a linked server to a remote 3rd party server using an AD group

    I am the DBA at our organization so I have full authority to all of our local SQL Server databases but we have data in a remote 3rd party SQL Server database that is only read-only.  The 3rd party has granted the read only privileges to one of our AD groups - let's call it mydomain\adgroup1.  I would like to create a linked server from one of our local SQL Servers to the remote database.  I'm not sure how to do this.
    I have set the AD group up as a login and a user in my local database.  When I try to create the link, I used the mydomain\adgroup1 as the local login and, since the same credentials exist in the remote server, I checked the impersonate box and click OK but I get "mydomain\adgroup1 is not a valid login or you do not have permission".  Is it possible to create a linked server using an AD group?  As of now, we only have the AD group permissions in the remote database.  We could probably request a single SQL Server account to be created on the remote side and we could create the same on our side, but we are trying to keep things as simple and transparent as possible (and we would really like to move more toward AD security and away from individual users in the db).
    Can anyone give me advice on how to get these two SQL Servers linked?

    From your description, you likely want to implement Windows authentication for the linked server, which requires implementing Kerberos constrained delegation.
    I would recommend the following link to get started:
    How to Implement Kerberos Constrained Delegation with SQL Server 2008 (https://msdn.microsoft.com/en-us/library/ee191523%28SQL.100%29.aspx)
    -Raul Garcia
    SQL Server Security
    This posting is provided "AS IS" with no warranties, and confers no rights.

  • Fail to add domain user into local group - RPC server unavailable

    Hi all,
    I have a server-1 which is joined to domain A. I need to add a domain user from domain B to my server-1 local group. I keep getting "The RPC server is unavailable" error message.
    But when I try to use another server-2, which also belongs to domain A and the same network segment as server-1, I do not encounter this error while adding the domain B user onto it.
    The problematic server-1 is a Windows 2008 R2 SP1 server. It is installed with IIS and MS SQL database 2008.
    Just one thing I am guessing whether it is the cause of the problem. Before server-1 joined domain A, I did not disable Windows Firewall. I disabled it only recently. Could this have caused the problem on my server-1?

    Let's recap to make sure I understand exactly what you have going on:
    - Server 1 and Server 2 are both on Domain A and in the same site, behind the same firewalls
    - Adding a user from Domain B works on Server 1 but not Server 2.
    - You get an RPC error while adding Domain B's user on Server 2.
    Is Domain B on the other end of some firewall?
    - Can you do a portqry to a DC in Domain B from Server 2 (http://www.microsoft.com/en-us/download/details.aspx?id=17148)
    - Run this command: portqry -n <DomainBFQDN> -p both -o 53,135,389,3268
       - We are testing DNS, RPC, LDAP and GC.  Do you see anything come back as filtered or not listening?
    - Do the same thing from Server 1 and compare the results.
    This sounds like a connectivity problem.
    Chris Ream
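    The same probe as an added example rather than the thread's own commands: PowerShell's Test-NetConnection in place of portqry, run on both servers over WinRM so the two result sets can be compared side by side. The domain name and server names are placeholders, and unlike portqry -p both this tests TCP only.

```powershell
function Test-DomainBPorts {
    param(
        [Parameter(Mandatory)][string]$DomainFqdn,   # placeholder, e.g. domainb.example
        [int[]]$Ports = @(53, 135, 389, 3268)        # DNS, RPC endpoint mapper, LDAP, GC
    )
    $service = @{ 53 = 'DNS'; 135 = 'RPC'; 389 = 'LDAP'; 3268 = 'GC' }

    # Locate a DC the way a client would, via the _ldap SRV record, and fall
    # back to the bare domain name if that lookup fails (DNS may be the fault).
    $target = $DomainFqdn
    try {
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainFqdn" -Type SRV -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' } | Select-Object -First 1
        if ($srv) { $target = $srv.NameTarget }
    } catch { }

    foreach ($p in $Ports) {
        $r = Test-NetConnection -ComputerName $target -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{
            Source  = $env:COMPUTERNAME
            Target  = $target
            Port    = $p
            Service = $service[$p]
            TcpOpen = $r.TcpTestSucceeded
        }
    }
}

# Run the same probe on both servers and line the results up: a port open
# from one server but closed from the other points at a host firewall or
# routing difference rather than at the Domain B DC.
$results = Invoke-Command -ComputerName 'server-1', 'server-2' `
    -ScriptBlock ${function:Test-DomainBPorts} -ArgumentList 'domainb.example'
$results | Sort-Object Port, Source | Format-Table Source, Target, Port, Service, TcpOpen -AutoSize
```

    Two caveats a connectivity check should keep in mind: TCP 135 is only the RPC endpoint mapper, and the SAM/LSA calls that add a group member are then made on a dynamically assigned port (49152-65535 on Windows Server 2008 and later), so 135 being open does not by itself rule out a firewall; and DNS and LDAP are also used over UDP, which Test-NetConnection does not exercise, so a clean TCP result still leaves portqry -p both worth running.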

  • How to apply Software Restriction policy for specific user in local group policy object ?

    I am working on implementing a user based software restriction policy programmatically for a local group policy object.
    If I create a policy through the Domain Controller, I do have the option for software restriction policy in user configuration, but in the local group policy editor I don't have that option.
    When I look for the changes made by the policy applied from the Domain Controller in the registry, they modify registry values for specific users on the path HKEY_USERS\(SID of User)\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    They also have registry.pol stored in the SYSVOL folder on the Domain Controller. When I make the same changes in the registry to block any other application, the application is getting blocked.
    I achieved what I wanted but is it right to modify registry values?
    PS:- I am using the IGroupPolicyObject API

    I achieved what I wanted but is it right to modify registry values ?
    You also can modify a registry programmatically based policy. Check this:
    http://blogs.msdn.com/b/dsadsi/archive/2009/07/23/working-with-group-policy-objects-programmatically-simple-c-example-illustrating-how-to-modify-a-registry-based-policy.aspx

  • Urgent Help needed! ADSI can't add local user to local group when there are variables

    Hi friends
    It's been about 8 hours that I've been working on the following simple code with no result. I feel I am losing my eyes.
    I need to use code within my PS script to add a local user to the built-in "Users" local group in Windows 7, 8, 2012....
    The following code, in which the username is not related to any variable, works fine.
    $computer = [ADSI]"WinNT://."
    $user = $computer.Create("User","MyLocaluser")
    $user.setinfo()
    $user.SetPassword("P@ssw0rd")
    $Group = [ADSI]"WinNT://./Users,Group"
    $Group.Add("WinNT://MyLocaluser,user")
    But in the 2 following scenarios (in which variables enter into the code) it doesn't work (for simplicity and to be easier to read, I have bolded the only differences in my 3 scenarios for you):
    Scenario1:
    $computer = [ADSI]"WinNT://."
    $user = $computer.Create("User","MyLocaluser")
    $user.setinfo()
    $user.SetPassword("P@ssw0rd")
    $Group = [ADSI]"WinNT://./Users,Group"
    $Group.Add("WinNT://$user,user")
    I checked: the user is created but it doesn't become a member of the local "Users" group.
    Scenario2 (which is my real scenario):
    $myVMnumber = read-host "enter your VMnumber"
    $computer = [ADSI]"WinNT://."
    $user = $computer.Create("User","MyLocalUser$MyVMnumber")   # for example on VM2, will be created as "MyLocalUser2"
    $user.setinfo()
    $user.SetPassword("$MyVMnumber")   # so that the password of MyLocaluser is the digit 2
    $Group = [ADSI]"WinNT://./Users,Group"
    $Group.Add("WinNT://$user,user")
    What change should I make to the code?
    Many thanks in advance

    Is there some reason why you are posting the same question in multiple forums?
    I gave you the exact answer and a copy of tested code.
    Someone needs to merge these two threads:
    https://social.technet.microsoft.com/Forums/en-US/98ab1abd-ef62-4b95-b70c-a6f0120a155e/unable-to-add-local-usr-to-local-group-via-adsi?forum=winserverpowershell
    ¯\_(ツ)_/¯
    No, it's the same PowerShell forum, not multiple forums.
    I had posted my question in a previous thread
    https://social.technet.microsoft.com/Forums/en-US/98ab1abd-ef62-4b95-b70c-a6f0120a155e/unable-to-add-local-usr-to-local-group-via-adsi?forum=winserverpowershell
    but in the middle of the scenario no one continued to investigate my problem, so I started a new thread to investigate the rest of the problem. But finally you answered it, and now this thread can be closed.
    Many thanks for your help.
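    Why Scenario 1 and 2 fail, with a corrected version as an added example (this is not the tested code the other thread supplied): "WinNT://$user,user" string-interpolates the DirectoryEntry object that Create() returned, not the account name, so the group receives a path that names no account and the Add silently does nothing useful. Building the member path from the name string fixes it. The example assumes an elevated local session; the user and group names are placeholders.

```powershell
function New-LocalUserInGroup {
    param(
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][securestring]$Password,
        [string]$GroupName = 'Users'
    )

    $computer = [ADSI]'WinNT://.'
    $user = $computer.Create('User', $UserName)
    $user.SetInfo()                      # the account must exist before a password can be set

    # Decrypt the SecureString only for the SetPassword call, then zero the buffer,
    # so the clear-text password never sits in a script variable.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
    try {
        $user.SetPassword([Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr))
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }
    $user.SetInfo()

    # Build the member path from the *name string*. Interpolating $user here
    # yields the object's string form, not "MyLocalUser2", which is why the
    # scenarios in the question created the user but never added it to the group.
    $group = [ADSI]"WinNT://./$GroupName,group"
    $group.Add("WinNT://$env:COMPUTERNAME/$UserName,user")

    # Return the created account so the caller can verify it.
    [ADSI]"WinNT://./$UserName,user"
}

# The real scenario from the post: suffix the account name with the VM number.
$vmNumber = Read-Host 'enter your VMnumber'
$secret   = Read-Host "password for MyLocalUser$vmNumber" -AsSecureString
New-LocalUserInGroup -UserName "MyLocalUser$vmNumber" -Password $secret -GroupName 'Users'
```

    One thing to check if this still fails: SetPassword is subject to the local password policy, so a one-character password such as the VM number will be rejected (and the Add never reached) on any machine where complexity or minimum length is enforced.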

  • Integrating standalone OC with existing 3rd party LDAP directory question

    Hello everyone,
    we have a standalone version 9 Oracle Calendar server with internal directory. We also have an existing enterprise wide LDAP directory. We would like to integrate them together, with as few changes to our existing LDAP schema as possible. Has anyone dealt with this issue before? Are there any documents out there describing how to deal with such situation? What if we upgrade to OC version 10 first?
    Thanks

    Migration might be tricky -
    We've been running Calendar since the Netscape era with external LDAP. Basically user's preferences are stored in LDAP, though these can be 'regenerated' on the fly by the client using defaults.
    You will need to modify the schema, but it's as simple as loading the supplied schema file.
    Data itself is still maintained in the internal DB. The link between the DB and LDAP is done via the calendar ID number which gets stored in the user's entry in ldap.
    I don't think it would matter on upgrading OC to 10 or not, since the upgrade would not modify anything on the LDAP side (schema has not changed).
    You should set up a test environment and test it out...

  • How can I use PowerShell 3.0 cmdlets or script to list all the local groups and local users of a server?

    Using PowerShell 3.0 (and if possible the CIM, not WMI cmdlets), how can I script with | out-file C:\<filename>.txt or .csv option to list all local user accounts & local groups on remote computers?
    Thank You!

    I don't recall PowerShell V3 introducing anything new to handle local users and groups. You need to use PowerShell V1 methods, using the [ADSI] accelerator and the WinNT: provider. The scripts linked above show this. No need to use WMI (which would probably be slower).
    Here is a script I've used to enumerate all local groups and their members:
    $Computer = "MyServer"
    $Computer = [ADSI]"WinNT://$Computer"
    $Groups = $Computer.psbase.Children | Where {$_.psbase.schemaClassName -eq "group"}
    ForEach ($Group In $Groups)
    {
        "Group: " + $Group.Name
        $Members = @($Group.psbase.Invoke("Members"))
        ForEach ($Member In $Members)
        {
            $Class = $Member.GetType().InvokeMember("Class", 'GetProperty', $Null, $Member, $Null)
            $Name = $Member.GetType().InvokeMember("Name", 'GetProperty', $Null, $Member, $Null)
            "-- Member: $Name ($Class)"
        }
    }
    A similar script to enumerate all local users would be:
    $Computer = "MyServer"
    $Computer = [ADSI]"WinNT://$Computer"
    $Users = $Computer.psbase.Children | Where {$_.psbase.schemaClassName -eq "user"}
    ForEach ($User In $Users)
    {
        "User: " + $User.Name
    }
    Richard Mueller - MVP Directory Services
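    An added example (not Richard's script) covering the CIM and CSV part of the question: it enumerates local groups, their members and local users on remote computers over CIM sessions, resolving members through the Win32_GroupUser association, and emits objects that pipe straight into Export-Csv. Computer names and the output path are placeholders.

```powershell
function Get-LocalAccountInventory {
    param([Parameter(Mandatory)][string[]]$ComputerName)

    foreach ($c in $ComputerName) {
        $session = New-CimSession -ComputerName $c
        try {
            # LocalAccount = TRUE keeps WMI from walking the whole domain,
            # which is what makes Win32_UserAccount/Win32_Group queries slow.
            $groups = Get-CimInstance -CimSession $session -ClassName Win32_Group `
                          -Filter 'LocalAccount = TRUE'
            foreach ($g in $groups) {
                # Win32_GroupUser links a group to its members, which may be local
                # users, domain users or domain groups (nested membership is not expanded).
                $members = Get-CimAssociatedInstance -CimSession $session -InputObject $g `
                               -Association Win32_GroupUser
                foreach ($m in $members) {
                    [pscustomobject]@{
                        ComputerName = $c
                        Kind         = 'GroupMember'
                        Group        = $g.Name
                        Account      = "$($m.Domain)\$($m.Name)"
                        AccountClass = $m.CimClass.CimClassName   # Win32_UserAccount, Win32_Group or Win32_SystemAccount
                        Disabled     = $null
                    }
                }
            }

            $users = Get-CimInstance -CimSession $session -ClassName Win32_UserAccount `
                         -Filter 'LocalAccount = TRUE'
            foreach ($u in $users) {
                [pscustomobject]@{
                    ComputerName = $c
                    Kind         = 'LocalUser'
                    Group        = $null
                    Account      = "$($u.Domain)\$($u.Name)"
                    AccountClass = 'Win32_UserAccount'
                    Disabled     = $u.Disabled
                }
            }
        } finally {
            Remove-CimSession -CimSession $session
        }
    }
}

Get-LocalAccountInventory -ComputerName 'MyServer', 'MyServer2' |
    Export-Csv -Path 'C:\Temp\local-accounts.csv' -NoTypeInformation
```

    The two approaches reach the remote machine over different transports: the CIM cmdlets use WS-Man (WinRM, TCP 5985/5986 by default), while the [ADSI] WinNT provider in Richard's script goes over RPC and SMB. When one of them fails against a particular server, that is usually a firewall or service-configuration difference rather than a scripting error, so it is worth keeping both in the toolbox.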
