Impersonation based on security groupe dosent work Exchanfge 2013 sp1 ru 5

Similar Messages

• How to change the values in custom profiles based on security group ??

  Hi,
  i am facing problem for my requirement, can anybody help me for below scenario...
  i have custom check in profiles , there are content types and sub types. sub type nothing but a categories on for particular content type. For example i have News content type , same in the below subtypes drop down list are press release, events, articles etc.
  what i want to do is, when i open custom checkin profile, subtype values need to be changed( some values in subtype should hide) based on security group changes .
  In the Sub type listed values, some values need to hide only when i choose different security groups.. sub types values should display based on the particular security group only. when ever i change the security group, drop down Values in subtypes needs to change.
  hope understand my requirement.
  How to achieve this task. Any help would be greatly appreciated.
  Thanks,
  yt

  Hi,
  Thanks alot. its working fine
  Can we configure DCL Relation two times in one information filed ??? i should not create not more than fields to this requirement.
  Type -> subtype = DCL already existed
  Now, i want to Create DCL to
  Subtype ---> Security group
  As per my requirement, if i change the security group in checkin form, values should be change in the SubType drop down list.
  Created checkin profile there was DCL relation to " Type and "Sub Type" . now i want to map Relation ( DCL ) for subtype to security group.
  i was trying do for DCL for subtype and security group. but there was already existing DCL created for subtype information field (Relation configuration done for content type). even though i was trying to do for DCL in Security group information field. but, i could not find security group information field in configuration manager.
  Now what should i do ?? how to create DCL to subtype and security group ??
  Help would be appreciated.
  yt

• Shared Calendars / Room Lists and automatically forcing them to users based on Security Group Membership

  Good morning all,
  I need some help achieving the following in our Exchange 2013 Environment.  First off, we have Exchange 2013, but all our clients have Outlook 2010.
  Here's what I would like to be able to do:
  1) create/manage public calendars / rooms in exchange 2013
  2) force these shared public calendars / rooms to users' calendars who are members of particular security groups
  3) give edit permissions / "booking" permissions for the shared calendars so select users are able to make changes to the shared calendars, as well as accept/deny requests to "book" shared room calendars
  Any one got any resources they can give to point me in the right direction?
  I have already created two mailbox room resources, and have them set up in a room list in AD.  But need to know the above as far as creating a shared calendar for events, and forcing these calendars / room lists out to users based on security group
  membership.
  I don't want my users to have to know how to add a shared calendar...that would be a nightmare explaining.  I just want it to show up.
  Any help on this is greatly appreciated, thank you!

  1) I recommend using Room Mailboxes for resource calendars because it just works better.
  2) This is a standard feature of a Room Mailbox.
  3) You're pretty specific here, but I think this is also more or less available with a Room Mailbox combined with folder rights.
  I don't know any way to just make them "show up".  You'll have to teach them.  Well written instructions can work wonders.
  Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

• Filter list items based on security groups o365

  How to filter list items based on security groups in o365.

  Hi,
  According to your description, my understanding is that you want to filter list items based on the Office 365 security groups.
  If that is the case, I suggest you can create a data view to filter the list items with CAML Query like below:
  <Where>
  <Membership Type="CurrentUserGroups">
  <FieldRef Name="VisibleToGroup"/>
  </Membership>
  </Where>
  For more information, please refer the detailed article below:
  SharePoint - Filtering a View by Group Membership
  Thanks
  Best Regards
  TechNet Community Support
  Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact
  [email protected]

• AD security group issues in SharePoint 2013 Integrated Mode

  Hello,
  Sorry if this is the wrong forum, I'm not sure if this is a SharePoint issue or a Reporting Services configuration issue (or if it should be in a SharePoint forum regardless).
  I have SSRS2012 on SharePoint 2013 in integrated mode. We are doing item level permissions, which means we have an AD security group Reports-All with
  Read to the Reports document library, then each actual report has unique permissions. We have a report with the ProjectManagers AD
  security group on it with Read (plus some other stuff to let them manage subscriptions), and another AD security group ProjectUsers with
  just Read access so they can open the reports. The data source used by this report has the AD security group I mentioned before, Reports-All,
  with Read.
  At a SharePoint level, things appear to work. When a user in ProjectManagers or ProjectUsers browses
  to the library, they see only the 3 reports that those two security groups have permission to see (out of a lot more in the library). That means SharePoint is reading those security group memberships correctly as far as I can tell.
  The issue is when a user in ProjectManagers or ProjectUsers clicks
  on a report, they get a reporting server based error message, and the ULS logs have an error specific to the user trying to run the report.
  Microsoft.ReportingServices.Diagnostics.Utilities.AccessDeniedException: The permissions granted to user 'MyDomain\MyUser' are insufficient for performing this operation. (Fault Detail is equal to Microsoft.ReportingServices.ServiceContract.RsExceptionInfo)
  If I add that specific user with Read permissions to the report and the data source, they are then able to run the report without errors. It seems like some Report Server component is not liking the fact that I'm using security groups. 
  Has anyone seen this behavior with AD security groups? Any ideas on why my environment does not want to work properly with those even though AD security groups are working fine for other non-Reporting Services files?
  Thanks,
  Aaron

  Hi aaronzott,
  According to your description, you configured SSRS 2012 of SharePoint integrated mode. You added read permission to reports and data source to AD security group Reports-All, then added just read permission to ProjectManagers and ProjectUsers groups. When
  users in ProjectManagers or ProjectUsers groups click report, the error message occurred. After you added Read permissions to the report and the data source to the groups, they can preview the report without errors.
  Report definition permissions are defined through List permissions on the library that contains the report, but we can set permissions on individual reports if we want to restrict access. Set properties on a report including data source connection information,
  processing options, and parameter properties. Edit Items on the library that contains the report or on the individual report. We also need to have view permissions on a shared data source (.rsds) to select it for use with the report.
  For more information about Set Permissions for Report Server Operations in a SharePoint Web Application, please refer to the following document:
  http://msdn.microsoft.com/en-us/library/bb326286(v=sql.110).aspx
  If you have any more questions, please feel free to ask.
  Thanks,
  Wendy Fu
  If you have any feedback on our support, please click
  here.

• Restrict printers based on security groups

  We have set up all of our printers on a server and deployed them via group policy.  I am looking for a way to restrict printing based on which security group the user is in.  We have got it working by setting permissions in the printer security tab
  in the server.  But I would like a more elegant solution, since the printers that the user can't print to are greyed out with an X over the icon.  I would like to have the printer not even show up in the printer list if that user isn't allowed to
  print there.
  Is this possible?
  We are running Windows Server 2008 R2 and our clients are all Windows 7.
  Thank you.

  Hi,
  Based on your description, we can use Security Filtering to apply the printer deployment GPO polices to the specific groups.
  Regarding this point, the following articles can be referred to for more information.
  Security filtering using GPMC
  http://technet.microsoft.com/en-us/library/cc781988(v=WS.10).aspx
  Filter using security groups
  http://technet.microsoft.com/en-us/library/cc779291(v=WS.10).aspx
  Besides, we can choose to deploy printers via GPP and use Item-level Targeting to filter out users who don’t need the printers.
  Regarding this point, the following blog can be referred to for more information.
  Deploying Printers with Group Policy Preferences (Complete Guide)
  http://deployhappiness.com/deploying-printers-with-group-policy-preferences/
  Regarding Item-level Targeting, the following articles can be referred to for more information.
  Preference Item-Level Targeting
  http://technet.microsoft.com/en-us/library/cc733022.aspx
  Security Group Targeting
  http://technet.microsoft.com/en-us/library/cc772471.aspx
  Best regards,
  Frank Shen

• Filter SharePoint 2010 Ent. content types based AD Security Group

  We are trying to use SharePoint as a records management system. I have several site collections (Team Site at the root of each site) and my plan is to setup one site collection as a content type hub. The content type hub would then distribute all of the
  content types to my other site collections. Since I may have 70 different content types I want to filter what each user can see based on AD Security Groups (the SG matches the department the employee is in). This way they can only choose the content type that
  applies to their department and it won't be so confusing. I'll then apply retention policies based on content type. I know that I can apply retention policies based on the document library but I want the users to be able to organize their records however they
  want to.
  Am I taking the wrong approach? Is this possible?

   
  Hi,
  As far as I know, we can define the Permission Set on a content type. In this way, you can control which users or group can change or access which content types.
  For more information about SharePoint security and content type, see
  http://blog.contentmanagementconnection.com/Home/21510
  Thanks,
  Rock Wang
  Rock Wang TechNet Community Support

• TS desktop show shortcut's based on security group

  Hello,
  I'm looking to have users connect to a TS desktop and have applications shortcuts appear on the desktop based on their security group membership. So if a user is in an "Oracle" security group they would get
  an "Oracle" shortcut on their desktop. The tricky thing to this is that I only want these shortcut's to show up on the TS desktop, not their normal workstations.

  Hi,
  >>The tricky thing to this is that I only want these shortcut's to show up on the TS desktop, not their normal workstations.
  Based on your description, we can use Group Policy Preferences Shortcuts extension to deploy the shortcuts and then utilize GPP
  Item-Level Targeting to apply the settings to the users who belong to a specific group when they log onto specific computers.
  Regarding GPP Shortcuts extension, the following article can be referred to for more information.
  Shortcuts Extension
  http://technet.microsoft.com/en-us/library/cc730592.aspx
  Configure a Shortcut Item
  http://technet.microsoft.com/en-us/library/cc753580.aspx
  Regarding GPP ILT, the following article can be referred to for more information.
  Preference Item-Level Targeting
  http://msdn.microsoft.com/en-us/library/cc733022.aspx
  Best regards,
  Frank Shen

• Security group not working

  Hi
  I have a few security groups which initially can be use in Sharepoint 2010 but after a few months it seems that this groups cant be used anymore. the users in the groups could not access Sharepoint.
  TIA

  For the users to access sharepoint site, it is required that they need to be present in any of the below groups.
  Owners Group -> Full control of the site
  Members group -> Contribute access to the site
  Visitors group -> Read access to the site
  Designers group -> contribute + design access to the site
  Also if you add the NT Authority\Authenticated users to any of the above groups then all the authenticated users of the active directory will have the rights to access the site as per the groups they are assigned to.
  Hope this helps.
  Amalaraja Fernando,
  SharePoint Architect - HP
  e-Mail: [email protected]
  [email protected]
  This post is provided "AS IS" with no warrenties and confers no rights.
  Hi,
  Will try this way out. Thanks
  Regards,
  Jarvis

• Questions in setting up Security group policies for Lync 2013 Users

  Hi Team,
  One of our customer looking for the below requirements:
  ü 
  B>>> Being able to split users in to groups. Would like to be able to split in to Departmental groups, the groups will be Service Delivery, Finance, Business Development, Clinical Services, Radiologists,
  SLA Team, Call Handlers.
  ü 
  B>>> Being able to control which users are able to contact or see other users. For example Limit Radiologists to only be able to see Service Delivery and Call Handlers
  We know that RBAC policies can be used by Administrator or Technicians who works remotely. However, a user sitting at a server running Lync Server is not restricted by RBAC.
  Question:
  Is there a way we can fulfill the above customer requirements in Lync 2013 environment?

  Hi,
  On Lync Server side, what you can do is to change the AD attribute msRTCSIP-GroupingID. You can set different value for different groups. Then each group will not able to search the users in other groups with user name. However, they can still search the
  users in other groups with the sip address.
  More details:
  http://blogs.msdn.com/b/jcalev/archive/2012/06/07/partitioning-lync-address-book-using-msrtcsip-groupingid.aspx
  Best Regards,
  Eason Huang
  Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]
  Eason Huang
  TechNet Community Support

• In UCM, How to setup Security Group based conversion of PS files?

  Hello, everyone.
  Some of my PS Format files need converted to PDF format, some do not. So, I created group 1 and group 2 in the security group. And installed gs8.54 and PDFc components.
  The present result (situation) is all the PS format files are converted into PDF, but I would like that the ps format files in group 1 can be converted by selecting Distiller, the ps format files in group 2 can not be converted by selecting PassThru.
  Who can tell me how to create content server filters and configure the conversion based on security groups?
  Thank you very much!
  By the way, my mother tongue is not English. So please use simple English as possible as you can. Thanks!

  Hi
  The best possible way to get this requirement done is to use SelectivelyRefineandIndex component. With this component you can create conditions and put it in the resource file for the component such that we can have only contents that are checked in to Sec Grp 1 be sent to refinery and those not belonging to this will not be sent.
  The same way one can also create conditions to FullText index contents or not based on any condition that is put in the resource file for this component.
  I believe you should be able to get the requirement sufficed with this component .
  More details are at :
  http://www.oracle.com/technology/products/content-management/ucm/samples/selectivelyrefineandindex-20080515-5.zip
  Just go through the readme with the component and you will be able to get going with this component.
  Hope this helps
  Thanks
  Srinath

• Creating Dependent List on Security Group.

  Hi,
  I want to create dependent list on Security group, i have created custom table, Relation and view on Security group and on my custom table.
  I am not getting dependent list as it should be dependent on security group.
  Please help me.

  See my post Re: How to change the values in custom profiles based on security group ??

• Too many AD security groups for ACS 4.1

  We have an issue that when a user is a member of too many Windows AD (2003) security groups (roughly 65) they won't get authenticated by our ACS 4.1.
  The 1st thing we investigated was the Windows Kerberos authentication issue. Which basically says that if a user is a member of more than 70 security groups then Kerberos authentication might fail. However we've used the tokensz.exe tool to calculate that the affected users Kerberos Token size isn't above the problem 12,000 bytes. Link to that issue http://technet.microsoft.com/en-us/library/cc757478%28WS.10%29.aspx
  On the ACS, when a user is a member of too many security groups, the error message is "External user not found". When the user is brought down to the "magic" number of security groups authentication works no problem.
  At the same time on the DC errors can be found in the CSWinAgent.log file.
  CSWinAgent 01/18/2010 12:25:23 A 0063 5720 NTLIB: Insufficient space for all of user [email protected] certificates
  CSWinAgent 01/18/2010 12:25:23 A 0063 5720 NTLIB: Group list buffer is too small for getting full groups list.
  So we are starting to think that the DC and / or CSWinAgent is causing us issues. Has anyone experienced similar issues?
  Thanks
  Stuart

  Hi Stuart,
  We are hitting a bug here.
  CSCse49827            Bug Details
  ACS Remote Agent fails users with too many goups
  Symptom:
  Windows External Database authentication fails on the ACS 4.0 SE if a user is a member of
  too many Windows groups.
  Conditions:
  This is specific to the ACS SE running 4.0.1(42) or earlier using Windows Domain Authentication
  to the ACS Remote Agent.
  Workaround:
  Reduce the number of group memberships the user is part of or reduce the lenght of
  the group names the user is a part of.
  Further Problem Description:
  If a user ia a part of enough windows groups that the number of characters total of all the groups
  exceed 1024 bytes the authentication of that user will fail.  All other users should still authenticate
  without any trouble
  Please upgrade ACS to 4.1.4 and that should fix it.
  First you need to upgrade it to 4.1.1 and then 4.1.4
  Regards,
  ~JG
  Do rate helpful posts

• Populate the EmployeeID attribute of a user, based on their security group membership in Active Directory

  Hey guys, I need to create a script that assigns a value to the EmployeeID of every user that is a member of a particular AD security group.
  For example, there are the following groups - Accounting_01, Accounting_02, Accounting_03. The script has to read what members there are in these groups and assign to the people of Accounting_01 an EmployeeID of 01, to the people of Accounting_02 an EmployeeID
  of 02, and to the people of Accounting_03 an EmployeeID of 03.
  I have a script that adds a user to a security group, based on the value of a certain attribute, but not the other way around. Have you written such a script? Thanks in advance

  I haven't tried the code, because I don't have AD cmdlets.
  But I see some discrepancies between the documentation and your code.
  Looking at http://technet.microsoft.com/en-us/library/hh852287.aspx (Set-ADUser cmdlet) we can read for the
  -Replace<Hashtable> parameter: ... Use this parameter
  to replace one or more values of a property that cannot be modified using a cmdlet parameter ...
  But the OP referred to EmployeeID, which is a Set-ADUser cmdlet parameter (look for -EmployeeID),
  thus, cannot be used with -Replace<Hashtable> parameter (as per the documentation).
  Also, the documentation states for this same
  -Replace<Hashtable> parameter: ... To modify
  an object property, you must use the LDAP display name ...
  And the LDAP display name for EmployeeID is employeeID, and not employeeid as in your code (although I'm
  not sure if LDAP display name
  is case sensitive).
  As you say your code works correctly, I
  suspect that you created a new property named employeeid, which is not the same referenced by the parameter
  -EmployeeID.
  The documentation merely says that it can be used to modify attributes that do not have their own parameter. If they were to include a parameter for every AD attribute the list would be huge. It doesn't imply that -replace cannot be used instead of the defined
  parameters.
  I must admit that I didn't realise that -EmployeeID could be used as I didn't consult the documentation before I wrote the code but I can confirm that using the method I posted the employeeID attribute was modified. It didn't create a second attribute with
  different letter casing.

• Klist Purge is not working when trying to update a computer security group

  I cannot get Klist purge to work on any of our computers. After running the command "klist
  -lh 0 -li 0x3e7 purge"  I have tried internally and externally using VPN.  The computer does not see new security group settings.
   Windows 7 Clients.

  Try klist -li 0x3e7 purge and then "gpupdate /force" to update the security group membership.