IDM 6.0 - List users that have exclusions

Similar Messages

• I have a requirement where I have to give the list of users who can access a specific computer. I am new with PS. Do you have a script to list users that can access a computer object of AD ?

  I have a requirement where I have to give the list of users who can access a specific computer define in AD.
  I am new with PS.
  Do you have a script to list users that can access a computer object of AD ?
  I have executed the following script  but it does not give me the access rights of who can access the computer 'computername'
  How can i have this information. please help
  Import-Module activedirectory
  $computer=get-adcomputer "computername" -properties ntSecurityDescriptor
  $omputer.ntsecurityDescriptor.Access | select-object -expandproperty IdentityReference | sort-object -unique

  I would say that, since the OP has so little info, there are no policies in use.  It there were then this question would never be asked the way it is being asked.
  I had a client call with a letter from their insurance company; an accountant with malpractice insurance.  THey asked the same question inmuch the same way.  "What computer can you users access?"  The question should be more like
  "Do you have a policy that restricts access to computers and do you audit for compliance?"
  I have had other clients whose insurance asked the question in that way.  It produces a better view of what should be happening and how to show compliance.
  I recommend that companies being asked these questions by their legal departments or insurance companies should contract with a god computer security consultant to assist with answering these very tricky questions.  Of course if it is just you boss's
  curiosity  then you may need to discuss his requirements with him in more depth.
  ¯\_(ツ)_/¯

• PowerShell - List all users that have access to a particular SPLIstItem

  Hi there,
  In PowerShell - how to list all users that have access to a particular SPLIstItem?
  Thanks so much in advance.

  Hi frob,
  According to your description, my understanding is that you want to list all users who have access to a particular SharePoint list item via PowerShell.
  You can use the following PowerShell command:
  $web = Get-SPWeb http://sp/sites/First
  $list=$web.Lists["listV2"]
  $item=$list.Items | where {$_['ID'] -eq 1}
  $item | Select -ExpandProperty RoleAssignments |Select {$_.Member.DisplayName}, {$_.Member.LoginName}, RoleDefinitionBindings
  In the above command, you need to change the web URL to your site's URL, change “listV2” to the name of your list, and change the ‘1’ to the ID of the list item.
  The result looks like:
  Best Regards,
  Wendy
  Wendy Li
  TechNet Community Support

• We have two users that have been using Creative Cloud for almost a year. Recently, sometime in the last 4ish weeks, the users can no longer run Creative Cloud apps. (Yes, our subscription is paid.) Error simply says administrator access is required

  We have two users that have been using Creative Cloud for almost a year. Recently, sometime in the last 4ish weeks, the users can no longer run Creative Cloud apps. (Yes, our subscription is paid.) Error simply says administrator access is required to install. The apps have already been installed. The users cannot run them unless they are in the local admin group.Using "Run as admin" does not work. It gives the same error.
  I have opened a case with adobe support and was basically told to suck it up and put the users in the admin group. Actually, what was said was that it is "mandated that the users have administrative rights". 
  There are a couple of things wrong with this. It was working for both users until recently - a recent required creative cloud update. The users have never been local admins yet the apps were working (poorly, but working).
  We are in an enterprise environment and users simply do not have administrative rights on the computers.
  I have changed permissions on all adobe folders, granting users or authenticated users modify or full control rights, did the same in whatever Adobe registry HKLM keys I could find. Nothing has allowed the users to run the apps - unless they are put in the local admin group.
  Someone has to have a fix for this. Adobe apps have proved to have far too many vunerabilities to even entertain the idea of elevating user rights. I can't imagine that enterprise environments are allowing this.
  Any help or suggestions are greatly appreciated.

  Jeff,
  Thank you for your response. The users in question are "standard" domain users. We do not reduce users permissions below the standard level.
  The apps do not load with their current standard user permissions.
  The thing that makes this odd, is that up until recently they did this issue with cloud apps. The only way I can make it work for them now is to put them in the local administrator group on their pc's - which is not going to happen.
  This is what they now see. As I said before, this was not a problem up until recently they would see all their available apps. If I put them in the local admin group the apps are listed without having to install. Everything is there, just not accessible to the user.

• Enumerate the users that have access to a particular directory

  Hi, my name is Jennifer and I have been searching for an answer to my problem through several blogs. The problem is that I have a Directory of which I want to not only retrieve the users\groups that have access to it but also enumerate through the groups
  to list actual users. The groups part is the main issue here. If I use get-acl, I can return any number of particular Active Directory groups that have access, however, I need to list the users inside this group and get-acl will not output an object I can
  work with. I thought I could do something like this (which I may have seen on this forum before):
  get-acl "C:\NestedGroupTest" | %{$_.access} \ ft -property identityreference
  This will return the groups\users that have access. Example:
  Domain\OU
  NT Authority\system
  Builtin\users
  ETC...
  I have tried exporting this output to a file and then trying to use get-adgroupmember (which obviously will not work on the non-AD groups) but the objects are of the wrong type so basically nothing in the Active Directory module will work...
  This seems like such a simple issue but it is causing me grief to no end...please help

  I can't guarantee that this will work in all cases, but it seems to work on my test domain. Warning: it's very slow and inefficient. It requires
  this module (get the 3.0 test version), but you can modify the foreach block's code somewhat to get it to work with Get-Acl. 
  Get-Item C:\NestedGroupTest | Get-AccessControlEntry | ForEach-Object { $PropertyNames = $null }{
  if (-not $PropertyNames) {
  # We need to copy the property. This will get a list
  # of the properties on each ACE when it encounters
  # the first ACE (since the rest of this is so ineffecient,
  # we can feel good that we saved some work by doing this)
  $PropertyNames = $_ | Get-Member -MemberType Properties | select -exp Name
  # Create a new hashtable that will be used to create a PSObject
  $NewObjectProps = @{}
  foreach ($CurrentProperty in $PropertyNames) {
  $NewObjectProps.$CurrentProperty = $_.$CurrentProperty
  # Check to see if this SID belongs to an AD group
  Write-Verbose ("Current principal: {0}" -f $_.Principal)
  try {
  $Group = Get-ADGroup -Filter { SID -eq $_.SecurityIdentifier } -ErrorAction Stop
  catch {
  # Write a warning or something?
  if ($Group) {
  Write-Verbose " -> Group, so looking up members"
  $Users = $Group | Get-ADGroupMember -Recursive | select @{N="Principal"; E={$_.SID.Translate([System.Security.Principal.NTAccount])}}, @{N="SecurityIdentifier"; E={$_.SID}}
  else {
  Write-Verbose " -> Not an AD group"
  $Users = $_ | select Principal, SecurityIdentifier
  # Go through each user/non-translated group, modify two
  # hashtable properties, and create the new PSObject
  $Users | ForEach-Object {
  $NewObjectProps.SecurityIdentifier = $_.SecurityIdentifier
  $NewObjectProps.Principal = $_.Principal
  $NewObject = New-Object PSObject -Property $NewObjectProps
  # This will make the new object show the module's custom formatting:
  $NewObject.pstypenames.Insert(0, "PowerShellAccessControl.Types.AdaptedAce")
  $NewObject
  That should resemble the output that Get-AccessControlEntry would give you, but AD groups have been translated to users. If you pipe that to Export-CSV, you'd have plenty of information for each ACE, including the path, principal, security identifier, access
  mask, etc. You could also pipe that to Select-Object and just ask for certain properties (try it with these properties: Path, Principal, AccessMask, AccessMaskDisplay, AppliesTo).
  You can also use the Get-AccessControlEntry function's parameters to do some filtering on the ACEs that are returned (maybe you only want ACEs with FullControl, or ACEs that were not inherited...)
  Give it a shot and let me know if it works for you. If you need more explanation of what's going on in the foreach-object process block, let me know and I'll try to help. It can be modified to work with version 2.1 of my module, and with Get-Acl.

• Portlet to display all users that have manager defined as currently displayed user profile

  I need to create a portlet such that when a user finds a user's profile they see all of the users defined with manager set to the value of the profile user's employeeNumber.
  Example:
  (Think a directory of employees)
  John searches and finds user named Jack. He sees Jack's name, phone number, address, etc in the General Information section. Then he also sees a section (Portlet) that lists all of Jack's direct reports. John clicks on one of Jack's direct reports (Sam), to find this person's phone number.
  The Direct Reports portlet would be a search portlet that finds all of the users that have a mangerID property set to the value of Jack's employeeNumber property and displays them sorted by LastName.
  I need some direction on where to start for this.
  It seems like I need to use the Plumtree Server API in order to search for all of the user objects and sort them on a particular property, .e.g IPTObjectManager.Query Method (Int32, Int32, Int32, Int32, Int32, Object[][])
  A crawler seems out because, I guess that would require creating a folder for every user in the system? If I create a single folder I would need a binary tree structure to the folder. (Has anybody done this?)
  I am concerned about the performance related to performing this search each time a user examines a user's profile.
  Can somebody direct me to an example of a search "Portlet"? All of the examples I see are of searching external information like Google, or use PRC (do not see how that would be implemented in a portlet), or use EDK (external and does not seem to be able to do this).

  You don't need one workflow per user when a filtered view can do this for you.  If the manager's list is the parent calendar, I'm assuming that he'll be at least using the person look-up column.
  Whether this feeds through the MyCalendar or stays where it is, you can use the [Me] parameter within the filter on a new view.  This will then return the assigned holiday filtering against the account that is logged in.
  Steven Andrews
  SharePoint Business Analyst: LiveNation Entertainment
  Blog: baron72.wordpress.com
  Twitter: Follow @backpackerd00d
  My Wiki Articles:
  CodePlex Corner Series
  Please remember to mark your question as "answered" if this solves (or helps) your problem.

• Users that have hit their Throttling limit

  Need to be able to get a list of users that have hit their RecipientRateLimit set in the default Throttling Policy.

  Hi,
  I have some tests in my environment. If the recipients are more than the number of recipients in a day you have set, then this message can't be sent actually, an error (such as "The message can't be sent right now" or "This message can't be
  sent") will occur when you click Send. So the send action can't be finished. Based on my knowledge, Exchange has no built-in function to get the list of users who hit their RecipientRateLimit.
  Here is a blog for your reference.
  Some mysteries of Throttling Policy: Recipient Rate Limit
  http://blogs.technet.com/b/fun_with_powershell/archive/2013/10/04/some-mysteries-of-throttling-policy-recipient-rate-limit.aspx
  Hope my clarification can be helpful to you.
  Best regards,
  Amy Wang
  TechNet Community Support

• Listing users that are member of special role

  hello
  if i have a role that called role1 then how i can list users that are member of this role?
  thanks

  Try Pete Finnigans who_has_role.sql
  http://www.petefinnigan.com/tools.htm

• Assigning View permission to all the users that have been selected in contact selector - SP 2010, InfoPath 2010

  I have a SharePoint InfoPath 2010 browser form with item level security. Only submitter
  and approvers has access to the form.  This form contains a people picker that is populated with the names of attendees
  for the meeting they attended (which
  I am able to store in Field2 below). I want to allow attendees to be able to view (grant view permission) the InfoPath form. Field 2 has the users in form of domain\user1;domain\user2; etc. Following the below step, I am getting error when I ADD or REPLACE
  permission on current item. How do I go about assigning view permission to all the users that have been selected in contact selector?
  Jitu

  Hi ,
  i understand that the text box and the people picker hold multiple user names and you want to grant user permission based on the user in the text box.
  I have a test based on your description,the results are: When there are multiple users in the text box, the workflow will throw an error'Error Occurred'.It is the same with the people picker column.
  You need to limit the peopel picker to only allow to select one user,in this way the text box will only hold one user.Then you can use the people picker or the text box to grant user permission.
  Thanks,
  Entan Ming
  Entan Ming
  TechNet Community Support

• NEED TO DETERMINE USERS THAT HAVE LOGGED IN WITH A SPECIFIC ROLE

  I have a requirement to determine which users have logged in with a specific
  role or accessing a specific application. I know I can use the
  ORASSO.WWSSO_AUDIT_LOG_TABLE_T table to see the users that have logged in, but
  need to know which table to join with in order to determine which group that a
  user belongs to. It would also be nice to figure out which users are accessing
  a given application.
  We are running AS 9.0.4.2 with ORASSO database 9.0.1.5.
  Can you identify which tables I will need to use to satisfy my requirement?
  Thanks, Mike

  Thanks! I modified this slightly to get what I needed but I didn't think that I could get this from dba_tab_privs. You were a huge help!
  select table_name, grantee
  from dba_tab_privs
  where
  table_name in ('UTL_FILE', 'UTL_TCP', 'UTL_HTTP', 'UTL_SMTP', 'DBMS_LOB', 'DBMS_SYS_SQL', 'DBMS_JOB', 'DBMS_BACKUP_RESTORE')
  and privilege='EXECUTE'
  order by table_name;

• How to Use PowerShell to Delete FIM Users That Have a Null attribute name

  FIM Community Information Center Article
  Wiki Page:
  How to Use PowerShell to Delete FIM Users That Have a Null <attribute name>
  Go to the FIM Community Information Center
  Mike Crowley | MVP
  My Blog --
  Planet Technologies

  Have you run side-by-side metrics on this?
  I've run the Delete Object method and your script against similar data sets and yours appears to take a fair bit longer. I'd have to re-run in identical circumstances, a few times, to really say for sure, but my initial impression is that it will take hours
  longer.
  I guess the point is somewhat moot anyway, as for me the bit that generally takes longest is the actual query, rather than the deletions.
  Boy how I wish I could just enter something into the FIM Portal directly that would blast out a bunch of users matching a query. One day...
  FIMSpecialist.com | MCTS: FIM 2010 | Now Offering
  ECMA1->ECMA2 Upgrade Services

• I am considering installing the latest version of OS X Mountain Lion but am concerned by the number of users that have had severe problems. Has Apple sorted this out?

  I am considering installing the latest version of OSX Mountain Lion but am concerned by the number of users that have had severe problems. Has Apple sorted this out?

  As I told you, you have to do some steps before upgrading to OS X Mountain Lion.
  First of all, make a backup of your files using Time Machine and/or Carbon Copy Cloner. If you make both, good, but if you only make one, it's OK, too.
  OS X Lion and OS X Mountain Lion aren't compatible with PowerPC applications, so you have to check if your applications are compatible > http://www.roaringapps.com If you have to update an application, do it before upgrading, because the Mountain Lion installer moves unsupported applications to a separate folder.
  After doing that, open Disk Utility, select "Macintosh HD" in the sidebar and repair permissions. Then, verify the disk to check if it's OK. If everything is right, just open the App Store and purchase OS X Mountain Lion

• Query: to view all users that have been created for access to a database

  Hi,
  Is there a command syntax that we could give to see all the users who have been created for access to a particular database. I want to view all the users that have been created using sql* plus.
  can anyone help or is it impossible?
  Thanks

  This is for begging:
  [email protected]> select grantee, privilege from dba_sys_privs where privilege like '%CREATE%SESSION%
  2 /
  GRANTEE PRIVILEGE
  A CREATE SESSION
  AA CREATE SESSION
  U1 CREATE SESSION
  U2 CREATE SESSION
  BD1 CREATE SESSION
  DBA CREATE SESSION
  EMI CREATE SESSION
  MOB CREATE SESSION
  ODM CREATE SESSION
  OHP CREATE SESSION
  SEC CREATE SESSION
  SYS CREATE SESSION
  TU1 CREATE SESSION
  TU2 CREATE SESSION
  U01 CREATE SESSION
  XDB CREATE SESSION
  MOBI CREATE SESSION
  OHP4 CREATE SESSION
  PFAY CREATE SESSION
  UD01 CREATE SESSION
  UR01 CREATE SESSION
  ADHOC CREATE SESSION
  BATCH CREATE SESSION
  DEBUG CREATE SESSION
  DEV01 CREATE SESSION
  HRAPP CREATE SESSION
  MDSYS CREATE SESSION
  MOBI2 CREATE SESSION
  SKING CREATE SESSION
  SPACE CREATE SESSION
  UPASS CREATE SESSION
  WKSYS CREATE SESSION
  CTXSYS CREATE SESSION
  ORDSYS CREATE SESSION
  PRAC01 CREATE SESSION
  RTABLE CREATE SESSION
  CONNECT CREATE SESSION
  Than you have to select also all the users that have granted roles with this privilege
  this will give you the full set of users who can connect
  Best Regards
  Krystian Zieja / mob

• Delete a user that have versioned file

  I have tryed to delete a user from iFS repository that have versioned a file. I have changed a owner to another user but still received an error on trying delete a user. Does exist any way to delete this user without deleting a versions of the files ?

  moving to top again

• Plsql query to list cases that have failed to create listing records

  i would like to create a query as follows
  Give me all docket_num (whose batch_id's are =11051) from Import_case table
  which do not have listing records on Listing_Table (either they don't exist at all
  or if the do; the create_date in the Listing table is null OR cretae_date on Lsting table not = record_process_date on Import_case table.
  -------- x ---------------
  Import_case Table
  ==============
  1. import_case_id number(38) primary key
  2. batch_id number
  3. record_processed_date date
  4. docket_num varchar2(17)
  case_master Table
  =================
  1. case_master_id number(38) primary key
  2. docket_num varchar2(17)
  Listing Table
  ==========
  1. Listing_id number(38) primary key
  2. case_master_id number(38)
  3. created_date timestamp(6)
  note: case_master table is a link between Import_case Table and Listing table
  where docket_num on import_case table = docket_num on case_master
  and case_master_id on case_master = case_master_id on Listing Table
  Please reply at your earliest. Thanking you. Arvind Modi.

  I have used following query, which gives me list of docket numbers on Import case Table; which don't have Listing records on Listing Table.
  ========================================================
  select
  ic.import_case_id as "IMP_CASE_ID",
  ic.batch_id as "B_ID",
  ic.docket_num as "DOCKET#",
  ic.insert_timestamp as "INS_DT",
  ic.record_processed_timestamp as "REC_PROCESS_DT",
  ic.next_date as "NEXT DT"
  from daoimp.import_case ic
  -- ** insert Batch id ** >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
  where ic.batch_id=11051
  -- ** insert Batch id ** <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
  minus
  select
  t.import_case_id as "IMP_CASE_ID",
  t.batch_id as "B_ID",
  t.docket_num as "DOCKET#",
  t.insert_timestamp as "INS_DT",
  t.record_processed_timestamp as "REC_PROCESS_DT",
  t.next_date as "NEXT DT"
  from daoimp.import_case t,
  case_master cm,
  listing l
  -- ** insert Batch id ** >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
  where t.batch_id=11051
  -- ** insert Batch id ** <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
  and
  t.docket_num = cm.docket_num
  and
  cm.case_master_id = l.case_master_id
  ==================================================
  The above query gives correct docket_numbers on Import_case table, but it also needs to include Docket numbers on Import_case Table
  whose Listing records in Listing table contain NULL value in created_date
  OR create_date on Listing table not equal record_process_date on Import_case Table.
  ---- x ----
  Here is the actual request and above is my interpretation of it.
  The goal of the task here is to create a tool. The tool can be run to check for missing listing records that were not created during the import process. When run, the tools returns a result set of records (docket_numbers) from the import case table that although processed on a particular date i.e., (record_process_date) do not have a matching listing record i.e., ( a listing record with a create_date equal to the record_process_date).
  The ONLY VARIABLE PARAMETER NEEDED in this tool is the Batch ID for the import case table.
  ---- x ---
  I am working on some other queries using inner join or outer join or not exists, but no success so far.
  Please call me at my phone number or reply on my e-mail, if you like; so that I can clarify any issues.