IT Policy Removal

Similar Messages

• Portal password policy -- remove required numerics?

  We are running OracleAS 10g (10.1.2) -- how can I change the password policy for Portal users? By default, the passwords require a numeric character, but we would like to remove that requirement...

  The password policy for Portal users (or better : Single Signon Users) is stored in OiD. It can be changed through the Oracle Directory Administration Utility :
  1. Start the console and login as admin user (cn=orcladmin)
  2. Navigate to Password Policy Management entry
  3. Click on the Password Policy for Realm <your realm>
  4. Choose the Password Syntax tab
  5. Change the value for 'Number of Numeric Characters in Password' to the value of your choice.

• Mail for exchange and domain group policy removing...

  Hi,
  I currently administer 2 domains,  both server 2003 with exchange 2003.  On the one domain I can configure any of our e series ( e51/e71/e72/e6) via MFE and permanently accept the untrusted SSL certificate. When I configure MFE to our other domain the option to accept the untrusted certificate has vanished..!
  Anyone have any ideas?  I'm sure that it's a group policy setting but I cannot spot it!

  turbominor wrote:
  No certificates have been generated bar the ones that exchange installed by default
  Hmm, I don't recall ever realizing that.  Lol.  In that case, what are you using as a root certificate?  Nothing...which explains why the cert is untrusted?  (As connections to your first Exchange server work normally, apparently you don't need a root cert for a secure connection?)  I used to get mine from http://www.cacert.org/ and installed the root cert either manually or through a device management server.
  I wasn't completely sure where I was going with my question, but just did a few web searches.  Apparently Symbian phones don't like installing self-signed certificates. "Accepting a certificate permanently" does install the cert, although I'm not sure that's quite the same thing.  You might skim http://discussions.nokia.com/t5/Eseries-and-Communicators/E72-Email-Accept-Certificate-Permanently/m... in case any of that is relevant.

• Group Policy won't apply, No mapping between account names and security IDs was done.

  I am using Group Policy Preferences to remove users from the local admin group and add a local admin account.  This GPO is working on 90% of the Win7 machines on the network, but three laptops are not accepting the GPO.  I get the following error:
  Log Name:      Application
  Source:        Group Policy Local Users and Groups
  Date:          6/24/2014 8:49:28 AM
  Event ID:      4098
  Task Category: (2)
  Level:         Warning
  Keywords:      Classic
  User:          SYSTEM
  Computer:      laptop1.internal.com
  Description:
  The user 'Administrators' preference item in the 'Local Admin Policy - Remove Permissions {593ACD77-3663-4023-BEB8-938D83F7862E}' Group Policy object did not apply because it failed with error code '0x80070534 No mapping between account names and security
  IDs was done.' This error was suppressed.
  Event Xml:
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="Group Policy Local Users and Groups" />
      <EventID Qualifiers="34305">4098</EventID>
      <Level>3</Level>
      <Task>2</Task>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2014-06-24T13:49:28.000000000Z" />
      <EventRecordID>68771</EventRecordID>
      <Channel>Application</Channel>
      <Computer>laptop1.internal.com</Computer>
      <Security UserID="S-1-5-18" />
    </System>
    <EventData>
      <Data>user</Data>
      <Data>Administrators</Data>
      <Data>Local Admin Policy - Remove Permissions {593ACD77-3663-4023-BEB8-938D83F7862E}</Data>
      <Data>0x80070534 No mapping between account names and security IDs was done.</Data>
    </EventData>
  </Event>
  I've searched high and low for an answer and nothing I find on-line seems to apply.  I also notice that the option to 'Run as Administrator' does not work.  If I right-click on cmd.exe and select 'run as administrator', the command box opens but
  I am not prompted for credentials and the command box does not have admin rights.  Not sure if this is related or not.
  Any help on this would be greatly appreciated.
  Thanks,
  Joe

  Hi,
  Delete your  remove action from the GPP and push it again, does this issue still occur?
  If it still exists, let’s collect the GPP log for analysis:
  Group policy Preference debug logging policy settings are located under:
  Computer Configuration\Administrative Templates\System\Group Policy
  Click Logging and tracing, select local users and group preference logging and trace.
  Meanwhile, just a similar issue, but it is worth trying:
  A user is added to the wrong group on a client computer that is running Windows 7 or Windows Server 2008 R2
  http://support.microsoft.com/kb/2280515
  If you have any feedback on our support, please click
  here
  Alex Zhao
  TechNet Community Support

• REMOVING IPSEC VPN CONFIG FROM PIX 6.3 FIREWALL

  Hey,
  we have pix 6.3 serving as internet firewall and we are int process of replacing it with new ASA Device. currently there are several site to site and remote vpn are configured for access purposes. 
  i tried to remove one site2site ipsec vpn from pix and it starts acting like a loop generating the same error with qty that processor got 100% CPU, couldn't logged in through normal ssh so i connected via console and place back the isakmp and crypto map commands back in and the error stops.
  My purpose of this question is that how can i remove vpn config from pix without generating any error is there any formal process or order of removing rules from pix or we can do it one by one no order is required.
  MY PROCESS OF REMOVING CONFIG:
  REMOVE THE ACCESS-LIST INSIDEOUT AND OUTSIDE IN COMMANDS 
  REMOVE THE OBJECTS AND OBJECTS GROUPS
  REMOVE THE VPN DEFINED ACCESS-LIST FOR INTERESTING TRAFFIC
  REMOVE CRYPTO MAP TRANSFORM-SET
  REMOVE ISAKMP-POLICY
  REMOVE CRYPTO MAP 
  WE DO USE ISAKMP SHARED KAY MECHANISM "I DID NOT REMOVE THAT "
  BUT AS SOON AS I REMOVE THE CRYPTO MAP FROM THE PIX I GOT THIS ERROR
  IPSEC(crypto_map_check): crypto map XYZ 20 incomplete.  No peer or access-list specified.
  20 IS THE ISAKMP POLICY NUMBER & Peer and Access-list was removed from pix
  any help would great
  regards

  Hi
  You could do either of 2 things.
  1) Enable NAT-Traversal on your ASA
  2) Add the following on your pix :
  fixup protocol esp-ike
  This allows one IPSEC connection to run through PAT.
  HTH
  Jon

• Need to Remove a postiing

  can you please email me at [email protected] and let me know who to remove a posting - thank you

  Hi,
  Also I would like to suggest you to consider the following two workarounds:
  1. There is a policy option “Remove Common Program groups from the start  menu”, this policy removes Games as well as other folders in the All Users profile from the programs menu on the Start menu.
  2. Create a Group Policy Preference to delete the folder "%systemdrive%:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Games"
  Karen Hu
  TechNet Community Support

• Step by step to disable Folder Redirection for a single user - Windows 7 and SBS 2011 Essentials

  OK...I got chewed (by someone I have a lot of respect for) for pounding on an old thread, so I'm starting a new one. I've got the Windows 7 Value Pack Plugin for SBS 2011 Essentials and Folder Redirection is working for everybody. What I'm looking for is
  exactly how to go into Group Policy and disable the FD for a single user. I'm not looking for quick, incomplete answers. If you don't have time to give me the 'For Dummies' version, don't bother. Sorry, but I've done all the Googling I can stand for one day
  and I'm over it! (and a little grumpy)
  Thanks in advance!
  Wayne S. CompTIA A+ CompTIA Network+ Microsoft MCP

  ... I've got the Windows 7 Value Pack Plugin for SBS 2011 Essentials and Folder Redirection is working for everybody. What I'm looking for is exactly how to go into Group Policy and disable the FD for a single user. I'm not looking for quick, incomplete
  answers....
  Hi Wayne,
  Here's what I'd do. 
  1) create a Security Group in your AD environment. Call it 'Folder Redirection Members' or something like that. Put all the user accounts in your AD environment who you want to have their folders continue to be redirected to the server, do not include the
  one user who you wish to exclude.  in other words, you're going to use a specific security group to target the Folder Redirection policy (right now, it's Domain Users, which is everyone).
  2) Edit the Group Policy that the W7PP created in your AD environment. It's likely called "W7PVP Folder Redirection".  Start with verification under the Settings tab, expand Folder Redirection beneath User Configuration states that
  Policy Removal Behaviouris set to Restore Contents.  Then proceed using the Editor, to make adjustments under the Scope tab; verify membership in Security Filtering.  Remove Domain Users,
  add in Folder Redirection Members (or whatever you named your group in step 1).
  3) on your workstation that your user you are applying the change to disable folder redirection, Log on to the domain account while connected to your network, elevate a command prompt, and perform a 'gpupdate /force' command and then reboot your computer. 
  Folder redirection configuration should be removed from the system and redirected contents should be restored back to your local path. Verify with inspection of the My Documents or other folders.
  Hope this helps. Keep in mind, no warranty implied or expressed in this advice.
  Try not to be so darn grumpy. :-/
  Jason Miller B.Comm (Hons), MCSA:Win7, MCITP, Microsoft MVP

• I need a script to invert the page order of selected pages for cs5.

  Hello,
  I am a graphic designer and i am trying to create a easier way to make multiple page folders, By using the multiple page size feature in inDesign CS5. But my problem is that i can create the front side of the folder easier than before, the backside is my problem I need to inverse the page order manual, this creates a lot of mistakes and errors along the way. Thats why I need a script to invert the page order of the pages I select. I hope to hear from someone soon.
  My best regards,
  Gijs van Roij

  In /gateprd/ARCHIVE/*.arc
  This is the script to remove the archives after it has been backup by the netbackup policy named Archive. This policy removes the archives that have been backed up.
  /home/oracle/dba/scripts> more rmovarch.sh
  #!/bin/ksh
  # compress /gateprd/ARCHIVE/*.arc
  find /gateprd/ARCHIVE/*.arc -type f ! -exec echo {} > /home/oracl
  e/dba/lists/ARCHIVElist \;
  if test $(cat /home/oracle/dba/lists/ARCHIVElist|wc -l) -gt 0
  then
  echo "Hay archives. Se corre script de borrar"
  /home/oracle/dba/scripts/ARCHIVE_BACKUP.sh ARCHIVE
  else
  echo "No archives!!"
  fi

• I need a script to reduce the size of the Fra which has used 34 gb in space

  I need an rman script to reduce the size of the Fra:
  SQL> select * from v$flash_recovery_area_usage;
  FILE_TYPE PERCENT_SPACE_USED PERCENT_SPACE_RECLAIMABLE NUMBER_OF_FILES
  CONTROL FILE 0 0 0
  REDO LOG 0 0 0
  ARCHIVED LOG 0 0 0
  BACKUP PIECE 0 0 0
  IMAGE COPY 0 0 0
  FLASHBACK LOG 69.99 19.33 2357
  FOREIGN ARCHIVED LOG 0 0 0
  7 rows selected.
  SQL> SELECT
  2 ROUND((A.SPACE_LIMIT / 1024 / 1024 / 1024), 2) AS FLASH_IN_GB,
  3 ROUND((A.SPACE_USED / 1024 / 1024 / 1024), 2) AS FLASH_USED_IN_GB,
  4 ROUND((A.SPACE_RECLAIMABLE / 1024 / 1024 / 1024), 2) AS FLASH_RECLAIMABLE_GB,
  5 SUM(B.PERCENT_SPACE_USED) AS PERCENT_OF_SPACE_USED FROM
  6 V$RECOVERY_FILE_DEST A,
  7 V$FLASH_RECOVERY_AREA_USAGE B
  8 GROUP BY
  9 SPACE_LIMIT,
  10 SPACE_USED ,
  11 SPACE_RECLAIMABLE ;
  FLASH_IN_GB FLASH_USED_IN_GB FLASH_RECLAIMABLE_GB PERCENT_OF_SPACE_USED
  50 34.99 11.14 69.99

  In /gateprd/ARCHIVE/*.arc
  This is the script to remove the archives after it has been backup by the netbackup policy named Archive. This policy removes the archives that have been backed up.
  /home/oracle/dba/scripts> more rmovarch.sh
  #!/bin/ksh
  # compress /gateprd/ARCHIVE/*.arc
  find /gateprd/ARCHIVE/*.arc -type f ! -exec echo {} > /home/oracl
  e/dba/lists/ARCHIVElist \;
  if test $(cat /home/oracle/dba/lists/ARCHIVElist|wc -l) -gt 0
  then
  echo "Hay archives. Se corre script de borrar"
  /home/oracle/dba/scripts/ARCHIVE_BACKUP.sh ARCHIVE
  else
  echo "No archives!!"
  fi

• HELP! Emails in Mail are suddenly gone. How do I change this?

  Hello -- Using Leopard 10.5.5 and Mail 3.5. Can I change it so that Mail does not automatically delete emails? In the Mail app on my iBook, the emails never go away (unless I delete them..) Yet on my G5 and my MacPro the emails get deleted after awhile. Thanks for any input.

  What type of account is this -- is this your AOL IMAP account?
  In Mail, there is no option to ever delete messages in the Inbox, so what you report does not fit any setting you would be able to change. However, AOL, by policy, removes messages from your Inbox folder after 27 days. To avoid this, the messages must be moved the Saved folder. This would not be different from earlier versions of Mail on other Macs, but perhaps the passage time has made a difference?
  More Info, please.
  Ernie

• Start Menu Folder Redirection In Windows Server 2008 R2 (Via GPO) For Windows 7 Professional

  Hi,
  I'm having the problem where a redirected start menu appears empty. Using
  server 2008 R2 and the clients are Windows 7 Professional; i am getting empty start menu.
  Note:- Same is working perfectly fine with Windows
  XP machines.
  I believe the policy is set up correctly.
  Setting: Basic (Redirect everyone's
  folder to the same location)
  Path: \\10.x.x.x\redirection\StartMenu
  Options:
  Grant user exclusive rights to Start Menu - Disabled 
  Move the contents of Start Menu to the new location - Disabled 
  Also apply redirection policy to Windows 2000, Windows 2000 server, Windows XP, and Windows Server 2003 operating systems  - Enabled 
  Policy Removal Behavior - Leave contents
  Start Menu and Taskbar
  Policy
  Setting
  Comment
  Clear history   of recently opened documents on exit
  Enabled
  Clear the   recent programs list for new users
  Enabled
  Do not keep   history of recently opened documents
  Enabled
  Do not search   for files
  Enabled
  Lock all   taskbar settings
  Enabled
  Lock the   Taskbar
  Enabled
  Prevent   changes to Taskbar and Start Menu Settings
  Enabled
  Remove access   to the context menus for the taskbar
  Enabled
  Remove All   Programs list from the Start menu
  Enabled
  Remove common   program groups from Start Menu
  Enabled
  Remove Default   Programs link from the Start menu.
  Enabled
  Remove   Documents icon from Start Menu
  Enabled
  Remove   Downloads link from Start Menu
  Enabled
  Remove   Favorites menu from Start Menu
  Enabled
  Remove   frequent programs list from the Start Menu
  Enabled
  Remove Games   link from Start Menu
  Enabled
  Remove Help   menu from Start Menu
  Enabled
  Remove   Homegroup link from Start Menu
  Enabled
  Remove links   and access to Windows Update
  Enabled
  Remove Music   icon from Start Menu
  Enabled
  Remove Network   Connections from Start Menu
  Enabled
  Remove Network   icon from Start Menu
  Enabled
  Remove   Pictures icon from Start Menu
  Enabled
  Remove   programs on Settings menu
  Enabled
  Remove Recent   Items menu from Start Menu
  Enabled
  Remove Run   menu from Start Menu
  Enabled
  Remove Search   Computer link
  Enabled
  Remove Search   link from Start Menu
  Enabled
  Remove See   More Results / Search Everywhere link
  Enabled
  Remove the   Action Center icon
  Enabled
  Remove user   folder link from Start Menu
  Enabled
  Remove user's   folders from the Start Menu
  Enabled
  Remove Videos   link from Start Menu
  Enabled
  Please help !
  Regards Zargar Muneer

  Hi Zargar,
  >>Using server 2008 R2 and the clients are Windows 7 Professional; i am getting empty start menu.
  This is normal, for we disabled the option
  Move the contents of Start Menu to the new location. This option is enabled by default and it will automatically move the existing content to the new location.
  At this moment, we can manually copy the files we want from the local locations.
  Best regards,
  Frank Shen

• Security manager & mention "Java Applet Window"

  A simple program that displays a frame with one button in it.
  The frame displays, no problem.
  When a security manager is added "System.setSecurityManager(new SecurityManager());"
  and the program is run again a "status bar" is added at the bottom of the frame
  mentioning "Java Applet Window".
  Why is that, and can it be suppressed ? (I am working in JDK 1.4)
  Any tip greatly appreciated

  I was dealing with this myself and just discovered that the adding the following line to my security policy removed the message:
  permission java.awt.AWTPermission "showWindowWithoutWarningBanner";

• Carrier sign still showing after wiping and reloading OS?

  Hello dear users, In my thread of "application installation issues", it seems to be determined that my carrier who I got the phone from, is blocking the install of applications as I get a 910 error, application authorization failure, when i try to install an application from: www.blackberry.com/screenreader/ After some searching, I've come across BBSAK, which I use to wipe the phone and reload the oS. I've also come across the tool "vendelete" which deletes the vendor.xml files. So I do the following: 1. uninstall the original carrier OS from pc. 2. Install OS from different carrier to pc. 3. Use vendelete to get rid of the xml files which it says no xml files were found. 4. Use bbsak to wipe the oS. 5. reload the OS. But when the phone boots up, it still shows the sign of the carrier which I don't want, so i presume nothing has been updated? since when I try to install the application again, I still get the 910 error. What am i doing wrong here? Help would be much appreciated. Regards,
  Solved!
  Go to Solution.

  Pith wrote:
  Hello,
  Ok, is there anything else that is not being wiped apart from the splash screen?
  I mean anything else that would be the cause for not being able to get passed the 910 error? apart from the IT policy which was mentioned.
  Actually, the IT Policy is another thing that is not removed by other Wipe methods, nor is it removed when you install a different carriers OS to the BB. See this for the proper IT Policy removal process:
  KB18998 How to reset the BlackBerry smartphone to factory defaults
  If, when you do this, you take a backup first, then you MUST NOT do a wholesale restore afterwards...if you do, the IT Policy will dutifully be put back on. You must do a selective restore of only those specific databases that you require, being 100% certain to EXCLUDE from the restore any that deal with the IT Policy:
  KB03974 BlackBerry smartphone database list
  Also, see this for the official document from RIM regarding the 910 error.
  KB12230 "Download Failed: 910 Application authorization failure" appears on the BlackBerry smartphone when installing an application
  From all of your symptoms, a latent IT Policy on board the BB could be the root cause of everything, so I recommend you use the above methods and truly cleanse your BB of the IT Policy. I think I'd suggest the following steps, just to be sure that things are truly clean...also insert plenty of reboots of your PC...not just restarts, but full power down reboots. Also, it is advised that you be logged into the PC on an account with full admin rights. Further, under Vista/Win7, use the "Run As Administrator" option for everything.
  1) Remove all device OS update packages from your PC (add/remove programs)
  2) Cleanly uninstall the RIM Desktop Software:
  KB02206 How to perform a clean uninstall of BlackBerry Desktop Software
  Some have reported that manually cleansing the registry of all keys related to RIM, BB, and Puma to also be helpful
  Others have reported the use of a registry cleansing tool to also be helpful
  Still others have reported the use of your original PIM (e.g., Outlook, NOTES, etc.) installation CD, running the "repair" process, to be helpful in some situations
  3) Get a fresh download of the RIM Desktop Software:
  http://us.blackberry.com/apps-software/desktop/
  4) Download (to your PC) a fresh copy of your currently installed (on your BB) device OS package from your carrier (if it's not the original carrier, then you know already to delete all copies of VENDOR.XML after installing to the PC):
  http://na.blackberry.com/eng/support/downloads/dow​nload_sites.jsp
  5) Install the Desktop Software to your PC
  6) Install (also to your PC), the device OS package
  7) If you need a backup from the BB, take a full one now:
  KB23680 Backup BlackBerry smartphone data using BlackBerry Desktop Software 6.0 to 7.0
  8) Perform the ResetToFactory
  KB18998 How to reset the BlackBerry smartphone to factory defaults
  9) If you want a different OS on the BB, then remove the OS Package from your PC and install the one you desire onto your PC (but not yet to your BB)...again, remove VENDOR.XML files if the package is not from the BB's original carrier.
  10) Use BBSAK to wipe the BB and then load the OS to the BB
  11) If you took the backup in step 7, use that as source for a selective restore, including only the databases you require and excluding all databases that have anything to do with the IT Policy:
  KB10339 How to use BlackBerry Desktop Software to restore data to a BlackBerry smartphone from a backup
  12) Now see if you can proceed with installing apps
  Good luck and let us know!
  Occam's Razor nearly always applies when troubleshooting technology issues!
  If anyone has been helpful to you, please show your appreciation by clicking the button inside of their post. Please click here and read, along with the threads to which it links, for helpful information to guide you as you proceed. I always recommend that you treat your BlackBerry like any other computing device, including using a regular backup schedule...click here for an article with instructions.
  Join our BBM Channels
  BSCF General Channel
  PIN: C0001B7B4   Display/Scan Bar Code
  Knowledge Base Updates
  PIN: C0005A9AA   Display/Scan Bar Code

• Custom Distribution Group management role (manager excpeiton)

  My organization is medium size with multiple support groups (15+) that each support a subset of users (350+). I want to create a management role that is scoped so each support group can manage the distribution groups in their respective OU space.
  By manage I mean edit the group membership. I realize I can achieve this with AD permissions but I’d like to achieve this in a way that leverages RBAC so the support groups can use OWA. I also want to leverage RBAC\OWA because not all my support groups are
  technical, some are office admins. Anyways, below is what I’ve tried in my lab scoped to one of my support groups.
  Using the cmdlets below I’ve created a custom management scope, role and group. However, this does not work. While it lets my sales support group view and edit some random attributes on the group, it fails when they try to edit the group membership. In other
  words, they can logon to OWA, click options\see all options\manage your organization\distribution groups\open the group\edit description etc. but when they select “Add…” under membership then select the user and hit ok\save they get the error “you don’t have
  sufficient permissions. this operation can only be performed by a manger of the group”.
  New-ManagementScope -Name “Sales Support DG MScope” -RecipientRestrictionFilter {RecipientType -eq "MailUniversalSecurityGroup"} -RecipientRoot “lab.com/sales”
  New-ManagementRole -name “Sales Support DG MRole” -Parent "Distribution Groups"
  New-RoleGroup -name “Sales “Sales Support DG MGroup” -Roles "Sales Support DG MRole" -CustomRecipientWriteScope "Sales Support DG MScope"
  When I do as the error asks (i.e. add my support user as a manager of the group via the EMC), then my support user is able to edit the group's membership in OWA. The problem with this solution is that it would require me to add my support users to my role
  group “Sales Support DG MGroup” AND as a manager of the DG and every DG that is created down the line. Not ideal. Any ideas, some RBAC magic I’m missing?
  Below confirms by scope.
  Get-Group -OrganizationalUnit “lab.com/sales” | ?{$_.RecipientType -eq "MailUniversalSecurityGroup"}
  Name DisplayName SamAccountName GroupType
  distro1 distro1 distro1 Universal, SecurityEnabled
  distro2 distro2 distro2 Universal, SecurityEnabled
  distro3 distro3 distro3 Universal, SecurityEnabled
  On a side note, I realize by sourcing my management role off of distribution groups gives me more cmdlets\access than my support group needs (see below). I’m first just trying to get it to work :).
  Get-ManagementRole “Sales Support DG MRole” | Get-ManagementRoleEntry | select name
  Name
  Add-DistributionGroupMember
  Disable-DistributionGroup
  Enable-DistributionGroup
  Get-ADServerSettings
  Get-AcceptedDomain
  Get-DistributionGroup
  Get-DistributionGroupMember
  Get-DomainController
  Get-DynamicDistributionGroup
  Get-Group
  Get-MailUser
  Get-Mailbox
  Get-OrganizationalUnit
  Get-Recipient
  Get-ResourceConfig
  Get-User
  New-DistributionGroup
  New-DynamicDistributionGroup
  Remove-DistributionGroup
  Remove-DistributionGroupMember
  Remove-DynamicDistributionGroup
  Set-ADServerSettings
  Set-DistributionGroup
  Set-DynamicDistributionGroup
  Set-Group
  Set-OrganizationConfig
  Update-DistributionGroupMember
  Write-AdminAuditLog

  Hello,
  I understand that you have create custom management scope for each group and assigned a custom role to it.
  But whenever user try to edit (add/remove membership ) ,it shows errors "you dont have sufficient permissions". I face similar problem when we move from 2007 to 2010, 2010 by default disabled editing options for Dl membership.
  You can enable it by Graphic mode or powershell. Would suggest that you have created custom role, you follow powershell mode. I had written a blog on that.
  Check below link. http://exchange2010cmd.blogspot.de/
  You have created new management role “Sales Support DG MRole”, but you need to assign this role to users/administrators in your case through role assignment policy.
  You can either use existing default policy or create new policy and assign this management role to it.
  Use below cmd: New-ManagementRoleAssignment -Role “Sales Support DG MRole” –Policy “Default Role Assignment Policy”
  NOTE: If you are creating new policy , place that name instead of default policy name".
  I recommend you continue with defalut policy. After this check with any admin, he should have rights to edit membership.
  Now, regarding your second concern, that your custon role has to many role entries.
  You can remove unwanted role entries.
  Use this cmd: Get-ManagemenRoleEntry “Sales Support DG MRole\*” | where{ $_.name –like “Set-distributionGroup” } | remove-managementroleentry
  Before linking management role to email policy, remove unwanted role entry from role.
  I tried to explain it in easy way, but still it is not understood, write back to me. I am new to technet forum, I started few days back replying to questions. If you get your answer,dont forget to propose it as answer.

• BW Hana Trial on AWS, not authorized

  An error from Amazon Web Services occurred: AMAZON : User: arn:aws:iam::767900948628:user/SRI1 is not authorized to perform: iam:GetUser on resource: arn:aws:iam::767900948628:user/SRI1
  Hi I'm getting this error when I tried to create the Instance on AWS, I have went through the FAQ's but not able to compelete this,
  appreciate your response on this.
  Thanks
  Sriaknth M

  Hello Dave,
  i have made a test in CAL. I created a new group in IAM and then added the following four roles:
  1 Groups Selected
  Group: new
  Users
  Permissions
  Summary
  This view shows all policies that apply to this group.
  Policy Name
  Actions
  AmazonEC2FullAccess-new-201404291610 Show
  Manage Policy | Remove Policy | Simulate Policy
  AmazonVPCFullAccess-new-201404291625 Show
  Manage Policy | Remove Policy | Simulate Policy
  AWSAccountUsageReportAccess-new-201404291625 Show
  Manage Policy | Remove Policy | Simulate Policy
  ReadOnlyAccess-new-201404291625 Show
  Manage Policy | Remove Policy | Simulate Policy
  Then created a new user inside this group and generated credentials for this user.
  Added a CAL account and successfully started an instance in our UI.
  The user has no polices attached to it. I did not get any errors in CAL.
  Could you please tell us where did you get this error, on which action in CAL?
  Is the process of creating IAM permissions the same, as mine?
  Best Regards,
  Aleksandar