LDAP ACL Rights

Similar Messages

• PowerShell ACL Rights on Extraction of Creator Owner

  Hello Guys.
  Any help would be appreciated.
  I've been assigned a task to extract the creator owner of shared folders on a window server 2003 platform.
  For days , i've been searching through the web cluelessly without any fruitful result.
  I've located some scripts that enables me to only extract only in the below format.
  I've managed to salvage this piece of script which lies somewhere around the net.
  However this script could only extract
  Folder Directory . System Rights . Control Type . IdentityReference . Inherited (T/F) . Inhertiance Flags . Propagation Flag.
  With the below script.
  ##ACL Rights Execution PowerShell Script##
  $OutFile = "C:\Users\All User\Desktop\logfile.csv" ##indicates where to input your logfile##
  $Header = "Folder Path,IdentityReference,AccessControlType,AccessRights,IsInherited,InheritanceFlags,PropagationFlags"
  Del $OutFile
  Add-Content -Value $Header -Path $OutFile
  $RootPath = "\\Servername\folder" ##which directory/folder you would like to extract the acl permissions##
  $Folders = dir $RootPath -recurse | where {$_.psiscontainer -eq $true}
  foreach ($Folder in $Folders){
  $ACLs = get-acl $Folder.fullname | ForEach-Object { $_.Access }
  Foreach ($ACL in $ACLs){
  $OutInfo = $Folder.Fullname + "," + $ACL.IdentityReference + "," + $ACL.AccessControlType + "," + $ACL.FileSystemRights + "," + $ACL.IsInherited + "," + $ACL.InheritanceFlags + "," + $ACL.PropagationFlags
  Add-Content -Value $OutInfo -Path $OutFile
  I've tried to change some of the values but it would not allow me to extract the value of the creator owner.
  *Due to my poor understanding to powershell scripting because i'm not a programmer*
  To define creator owner specifically as in the user who originally create the folder. Not users who are assigned full rights .

  Hi,
  As SenneVL said, we can get owner from the cmdlet "get-acl", please also try the script below, just a little modification:
  $OutFile = "C:\Users\All User\Desktop\logfile.csv" ##indicates where to input your logfile##
  $Header = "Folder Path,owner,IdentityReference,AccessControlType,AccessRights,IsInherited,InheritanceFlags,PropagationFlags"
  Del $OutFile
  Add-Content -Value $Header -Path $OutFile
  $RootPath = "\\Servername\folder" ##which directory/folder you would like to extract the acl permissions##
  $Folders = dir $RootPath -recurse | where {$_.psiscontainer -eq $true}
  foreach ($Folder in $Folders){
  $owner = (get-acl $Folder.fullname).owner
  $ACLs = get-acl $Folder.fullname | ForEach-Object { $_.Access }
  Foreach ($ACL in $ACLs){
  $OutInfo = $Folder.Fullname + "," + $owner + "," + $ACL.IdentityReference + "," + $ACL.AccessControlType + "," + $ACL.FileSystemRights + "," + $ACL.IsInherited + "," + $ACL.InheritanceFlags + "," + $ACL.PropagationFlags
  Add-Content -Value $OutInfo -Path $OutFile
  Best Regards,
  Anna

• ACL rights assignment in new user script

  I've been tasked with converting an old new-user script that runs at least once a day written in VB to PowerShell. This script takes as input a CSV file we get from HR that has all necessary info and creates a user, adds them to specific groups based on
  the info in the CSV, enables their Exchange mailbox, and creates their home directory. I'm having a bit of trouble planning out the rights assignment part on the user home directory; I need to be able to add the specific user (set by variable at the beginning
  of the script) and three static groups. What is the best way to do that? I can easily grab outside modules if needed (a section of my script checks for and if necessary installs modules and adds snap-ins), but I'd rather keep this 100% PowerShell - no icacls
  or outside commands.
  Any suggestions?
  Thank you in advance.
  [email protected]

  Here's what I came up with for the File System Stuff:
  foreach ($user in $userlist)
  $samaccountname = $user.empid
  $FQN = "domain\" + $samaccountname
  $homedirpath = "\\fileserver\users\$samaccountname"
  new-item -ItemType directory -path $homedirpath -force
  #Set ACLs for user and required groups
  $homedir_acl = get-acl $homedirpath
  $acl_access1 = 'domain\HomeDirectory Admins'
  $acl_access2 = "domain\$samaccountname"
  $fullrights = "Fullcontrol"
  $modifyrights = "Modify"
  $inheritrights = "ContainerInherit,ObjectInherit"
  $rule1 = new-object system.security.accesscontrol.filesystemaccessrule ($acl_access1, $fullrights, $inheritrights, "none", "Allow")
  $rule2 = new-object system.security.accesscontrol.filesystemaccessrule ($acl_access2, $modifyrights, $inheritrights, "none", "Allow")
  $homedir_acl.addAccessRule($rule1)
  set-acl $homedirpath $homedir_acl
  $homedir_acl.addAccessRule($rule2)
  set-acl $homedirpath $homedir_acl
  #Set owner on home directory
  $owner = New-Object System.Security.Principal.NTAccount($FQN)
  $homedir_acl.setowner($owner)
  set-acl $homedirpath $homedir_acl
  [email protected]

• DMM LDAP Administrator Rights

  In the documentation for DMM 5.2.X, there doesn't seem to be any information on what rights need to be given to the Administrator for the LDAP integration.  The environment that I am configuring for is very security conscience and will want to give the MINIMUM rights that will be required for the user.  Is there a list of Active Directory right required without giving the user full Domain Admin available anywhere?
  Thanks in advance for your help.

  Something here may help.
  http://windows.microsoft.com/en-us/windows/install-printer#install-printer=windows-8
  http://windows.microsoft.com/en-us/windows/user-accounts-faq#1TC=windows-8
  Might also ask over here.
  Windows forums on Microsoft Answers
  Regards, Dave Patrick ....
  Microsoft Certified Professional
  Microsoft MVP [Windows]
  Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

• CUCM 8.6.2 and AD LDAP SYNC

  We have an issue where we can loging and sync all users but then we can not log in as those users.  We are trying to reserach whether this is related to the LDAP user rights, firewall, etc.  Any ideas?  Thanks!

  Chris:
  Thanks for the input.  We do have the LDAP configured,  we are using LDAPS.  It is looking like port 636 form the CUP server is trying to reach out to the AD server so we are opening up that port to test if that is out issue.  636 is open from CUCM to AD but not CUP to AD.
  TD

• Can I map iwtUser-role to an attribute in external LDAP???

  Hi,
       I am using external LDAP for authentication. In the Ext. LDAP I am using
  there is an attribute named title in every user cn. I want to use this
  attribute for portal to decide which role the user belongs to. I mapped
  iwtUser-role to title in Ext. LDAP configuration. When I go to console I
  see user(s) under the roles defined in title attribute(in Ext. LDAP).
  From console if I try to change the desktop profile of a role and check
  'apply changes to all subroles', it's not applying changes to all users
  who have the title as that role (even though when I go to that user(s),
  I see them under the right tole). However, when I look at the
  iwtUser-role attribute in profile LDAP using a LDAP browser it shows
  /domainname/defaultRole which is not the value mapped (in Ext. LDAP). Do
  you have any idea why it is happeing? I would like to know if mapping
  iwtUser-role to an attribute in Ext. LDAP is right thing in the first
  place (I am doing this because the Ext. LDAP is already populated, I
  have no roles in that, all users are at same level and I have permission
  to change title attribute only in Ext. LDAP).
  Thanks,
  Siva Kancheti.

  Block off the default role if you don't want anyone going into that role but only
  the ones defined. You can do this by setting the filter to a value that will return
  nothing. (example, title=nonexistant), since the search filter will not return
  results, no one will be placed in that role (otherwise have to manually go into that
  role and 'move' users).
  Hope this helps,
  Manon
  Siva kancheti wrote:
  Hi,
  I am using external LDAP for authentication. In the Ext. LDAP I am using
  there is an attribute named title in every user cn. I want to use this
  attribute for portal to decide which role the user belongs to. I mapped
  iwtUser-role to title in Ext. LDAP configuration. When I go to console I
  see user(s) under the roles defined in title attribute(in Ext. LDAP).
  From console if I try to change the desktop profile of a role and check
  'apply changes to all subroles', it's not applying changes to all users
  who have the title as that role (even though when I go to that user(s),
  I see them under the right tole). However, when I look at the
  iwtUser-role attribute in profile LDAP using a LDAP browser it shows
  /domainname/defaultRole which is not the value mapped (in Ext. LDAP). Do
  you have any idea why it is happeing? I would like to know if mapping
  iwtUser-role to an attribute in Ext. LDAP is right thing in the first
  place (I am doing this because the Ext. LDAP is already populated, I
  have no roles in that, all users are at same level and I have permission
  to change title attribute only in Ext. LDAP).
  Thanks,
  Siva Kancheti.

• 10.6.6 Server Combo Update Crashes LDAP and Kerberos Services

  Just updated apple server from 10.6.4 to 10.6.6 with combo server overnight.
  Everything was working fine under 10.6.4
  All users can no longer authenticate to server via mail or ldap logins
  LDAP and Kerberos Services stopped.
  Will downgrade from an open directory master to standalone then back to master again and post status...

  I think there is something with LDAP on 10.6.6
  I was forced to make clean install in combo from 10.6.0 to 10.6.6 and today LDAP crashed.
  It seems to be an issue on ldap ACL.
  Message was edited by: Xalio

• LDAP Security Realm

  Using Weblogic 7.0 I have an LDAP security realm setup with the LDAP URL admins
  user name and password. I want to be able to interface this connection to access
  the LDAP and make changes to user information within in the ldap. Right now in
  my code I make a connection to the LDAP and supply the same user name and password
  set up in the LDAP security realm. I want to be able to rather then re-supply
  the URL and user name and password in my code I want to be able to just get that
  (or create a connection simil;ar to a jdbc connection pool) connection to the
  LDAP that configured in the Security Realm. Is this possible? And how would I
  go about it if so?
  Thanks
  Sjb

  the LDAPConnection pool which is used WLS Realm is not accessible to public
  for programming.
  thanks
  kiran
  "Sjb" <[email protected]> wrote in message
  news:3f5744c1$[email protected]..
  >
  Using Weblogic 7.0 I have an LDAP security realm setup with the LDAP URLadmins
  user name and password. I want to be able to interface this connection toaccess
  the LDAP and make changes to user information within in the ldap. Rightnow in
  my code I make a connection to the LDAP and supply the same user name andpassword
  set up in the LDAP security realm. I want to be able to rather thenre-supply
  the URL and user name and password in my code I want to be able to justget that
  (or create a connection simil;ar to a jdbc connection pool) connection tothe
  LDAP that configured in the Security Realm. Is this possible? And howwould I
  go about it if so?
  Thanks
  Sjb

• LDAP - Could not send e-mail

  Hi guru
  We used SAP MDM 5.5 SP 6 (64.92)
  In workflow we use e-mail notification, when SAP MDM Server work without LDAP e-mail is sending.
  When we load SAP MDM Server with LDAP, every time when we send e-mail we get error "Could not send e-mail "
  Sender and Receiver Users and their e-mail adress is exist in LDAP and right.
  Moreover, we test sending e-mail from Server(where installed SAP MDM) through telnet for the same users and same e-mail adress(which precent in LDAP) - all work OK.
  Question:
  How we should configure SAP MDM Server for e-mail notification work correctly when it work through LDAP?
  Regards
  Kanstantsin Chernichenka

  Hi Vinay M.S
  Thank you for your answer, but
  Really, in our case mail server attribute was named as "mail" and it exist in mds.ini (but that is not standart name for all ADs)
  My another question: Why e-mail notification doesn't work from workflow in LDAP for all users?
  Additiona information:
  We have ~30000 users in AD but in MDM we used only ~500 from it.
  For test we created 3 simple workflows with e-mail notification block:
  1.Launcher set as user which name starting from symbol "B"
  2.Launcher set as user which name starting from symbol "P"
  3.Launcher set as "Launcher"
  We set as receiver the same user for all workflows.
  In 1 case e-mail notification is OK
  In 2 case e-mail notification isn't work and we got error "Could not send e-mail" in workflow report. but username and sender receiver e-mail is right
  In 3 case  e-mail notification from user which we started workflow  is OK (and for user which name starting from symbol "P")
  Any ideas?
  Regards
  Kanstantsin
  Edited by: Kanstantsin Chernichenka on Oct 2, 2009 1:35 AM

• How can I set ACLs on MAC remote volumes.

  Hi,
  I am having Mac OS X 10.5 leopard as server and 10.4 as client. I have mounted 10.5 server from 10.4 remotely through Apple Filing Protocol(Basically an AFP mount). On the remote mounted volumes I am unable to enable/set the ACLs right now. But I have already enabled the ACLs on 10.5 local volumes before I mount them from different clients.
  "sudo fsaclctl -p </Volumes/MACVOL1> -e" is the command used to enable ACLs on the remote MAC Volumes. This one throwed ENOT SUPPORT error. It should not be due to any file system differences, as both are having same file system.
  *Basically I want to see an ACL(AFP's FPGetACL/FPSetACL) request going on wire from a MAC client to contact the MAC server.*
  I have tried the option of workgroup manager. There the sharing option was dimmed out after the authentication part. And I was unable to add the remote server in the server admin part. I have tried all the options that were suggested in various threads. But nothing worked out.
  I am looking out for some simpler solution to see the ACL request coming from a Mac client directing to a MAC server.
  Thanks,
  Yogesh.

  Any suggestions please...

• Retrieving user and group information from LDAP using j_securrity_check

  Hi
  I am using j_security_check to authenticate users against LDAP. I have made all necessary configuration for the server to perform LDAP group search as well as mentioned in the WAS documentation of LDAP settings. Now, how can I retrieve the user and the user group info after the j_secuirty_check. Apart from the UserPrincipal object which I can get from the request which just has the user name, is there any other object which will give me the user and user group info by which I need to connect to LDAP using my java code to retrieve these informations?
  Regards
  Deepak

  Hi
  I am using j_security_check to authenticate users
  against LDAP. I have made all necessary configuration
  for the server to perform LDAP group search as well
  as mentioned in the WAS documentation of LDAP
  settings. Now, how can I retrieve the user and the
  user group info after the j_secuirty_check.
  Apart
  from the UserPrincipal object which I can get from
  the request which just has the user name, is there
  any other object which will give me the user and user
  group info by which I need to connect to LDAP using
  my java code to retrieve these informations?Hmm, you don't need the user group info to connect to the LDAP server, right? You would need the user's Id (which you have) and password (which you don't). You could use the LDAP credentials and bind as that to look up the user info via the user id. Or if the server is set up to allow anonymous bind you could do it without credentials. But if all you want is group info then you should be able to call Security.getCurrentSubject().getPrincipals() to get the user principal as well as all groups (this is true in BEA WebLogic at least).
  Good Luck
  Lee

• Access rights problem

  I have set up two OID instances to talk between one another and think I have the mapping files correct.
  I now see Insufficient Access Rights in the logs. Does anyone have any ideas what this could be? Does the exchange between servers run under a specific user?
  orclOdipSynchronizationStatus: Mapping Failure, Agent Execution Not Attempted
  orclOdipSynchronizationErrors: Error Creating Entry in OID
  Sleeping for 1secs
  Exception creating Entry : javax.naming.NoPermissionException: [LDAP: error code 50 - Insufficient Access Rights
  ]; remaining name 'cn=[email protected],cn=users,dc=hoc,dc=test,dc=com'
  [LDAP: error code 50 - Insufficient Access Rights]
  OIDUserImport:Error in Mapping EngineODIException: DIP_OIDWRITER_ERROR_CREATE
  ODIException: DIP_OIDWRITER_ERROR_CREATE
  at oracle.ldap.odip.gsi.LDAPWriter.createEntry(LDAPWriter.java:975)
  at oracle.ldap.odip.gsi.LDAPWriter.insert(LDAPWriter.java:328)
  at oracle.ldap.odip.gsi.LDAPWriter.writeChanges(LDAPWriter.java:239)
  at oracle.ldap.odip.engine.AgentThread.mapExecute(AgentThread.java:406)
  at oracle.ldap.odip.engine.AgentThread.execMapping(AgentThread.java:262)
  at oracle.ldap.odip.engine.AgentThread.run(AgentThread.java:155)
  Regards

  Do let us know if you find the answer. I've been stuck for days on an LDAP access rights problem.

• LDAP & Commerce Server 3.5

  Hello Again,
  I have been making some decent headway in configuring Netscape's LDAP Server
  and WLS 6.0/WLCS 3.5. When I log into the console I can see my LDAP users as well
  as my LDAP Groups. However when I try to log in to the WLCS admin tools I am rejected.
  The account I am using (beasys) has LDAP administrative rights and is a member
  of the Admin group (per instructions in BEA example).
  I have attached the output logs I am getting (with DEBUG turned on).
  Thanks
  Joshua Bennett
  ####<Dec 27, 2001 1:30:16 PM CST> <Debug> <CachingRealm> <eqqaap2> <wlcsServer>
  <ExecuteThread: '10' for queue: 'default'> <> <> <000000> <user: pos HIT beasys>
  ####<Dec 27, 2001 1:30:16 PM CST> <Debug> <CachingRealm> <eqqaap2> <wlcsServer>
  <ExecuteThread: '10' for queue: 'default'> <> <> <000000> <authenticate("beasys")>
  ####<Dec 27, 2001 1:30:16 PM CST> <Debug> <CachingRealm> <eqqaap2> <wlcsServer>
  <ExecuteThread: '10' for queue: 'default'> <> <> <000000> <auth: pos HIT beasys>
  ####<Dec 27, 2001 1:30:16 PM CST> <Debug> <CachingRealm> <eqqaap2> <wlcsServer>
  <ExecuteThread: '10' for queue: 'default'> <beasys> <> <000000> <getUser("beasys")>
  ####<Dec 27, 2001 1:30:16 PM CST> <Debug> <CachingRealm> <eqqaap2> <wlcsServer>
  <ExecuteThread: '10' for queue: 'default'> <beasys> <> <000000> <user: pos HIT
  beasys>
  ####<Dec 27, 2001 1:30:16 PM CST> <Debug> <CachingRealm> <eqqaap2> <wlcsServer>
  <ExecuteThread: '10' for queue: 'default'> <beasys> <> <000000> <getUser("beasys")>
  ####<Dec 27, 2001 1:30:16 PM CST> <Debug> <CachingRealm> <eqqaap2> <wlcsServer>
  <ExecuteThread: '10' for queue: 'default'> <beasys> <> <000000> <user: pos HIT
  beasys>
  ####<Dec 27, 2001 1:30:16 PM CST> <Debug> <COMMERCE_SERVER_FRAMEWORK> <eqqaap2>
  <wlcsServer> <ExecuteThread: '10' for queue: 'default'> <beasys> <> <000000> <@@@@@
  Is WAR : false>
  ####<Dec 27, 2001 1:30:16 PM CST> <Debug> <COMMERCE_SERVER_FRAMEWORK> <eqqaap2>
  <wlcsServer> <ExecuteThread: '10' for queue: 'default'> <beasys> <> <000000> <@@@@@
  Is WAR : false>

  That could be the issue.
  Please try with webapp tools in a war format.
  "Joshua Bennett" <[email protected]> a écrit dans le message news:
  [email protected]...
  >
  Thanks for the info, would that prevent me from logging into the WLCSAdmin tools?
  >
  Josh
  "ludovic le goff" <[email protected]> wrote:
  Hello Joshua,
  The following debug message :
  ####<Dec 27, 2001 1:30:16 PM CST> <Debug> <COMMERCE_SERVER_FRAMEWORK>
  <eqqaap2><wlcsServer> <ExecuteThread: '10' for queue: 'default'> <beasys>
  <>
  <000000> <@@@@@ Is WAR : false>
  indicates that you have not deployed your application as a WAR file but
  are
  using a file system probably located under
  ..../server/public_html/portals/...
  Please check this out.
  Ludovic.
  Developer Relations Engineer
  BEA Support
  "Joshua Bennett" <[email protected]> a écrit dans le message news:
  [email protected]...
  Hello Again,
  I have been making some decent headway in configuring Netscape'sLDAP
  Server
  and WLS 6.0/WLCS 3.5. When I log into the console I can see my LDAPusers
  as well
  as my LDAP Groups. However when I try to log in to the WLCS admin toolsI
  am rejected.
  The account I am using (beasys) has LDAP administrative rights andis a
  member
  of the Admin group (per instructions in BEA example).
  I have attached the output logs I am getting (with DEBUG turnedon).
  Thanks
  Joshua Bennett
  ####<Dec 27, 2001 1:30:16 PM CST> <Debug> <CachingRealm> <eqqaap2><wlcsServer>
  <ExecuteThread: '10' for queue: 'default'> <> <> <000000> <user: posHIT
  beasys>
  ####<Dec 27, 2001 1:30:16 PM CST> <Debug> <CachingRealm> <eqqaap2><wlcsServer>
  <ExecuteThread: '10' for queue: 'default'> <> <> <000000><authenticate("beasys")>
  ####<Dec 27, 2001 1:30:16 PM CST> <Debug> <CachingRealm> <eqqaap2><wlcsServer>
  <ExecuteThread: '10' for queue: 'default'> <> <> <000000> <auth: posHIT
  beasys>
  ####<Dec 27, 2001 1:30:16 PM CST> <Debug> <CachingRealm> <eqqaap2><wlcsServer>
  <ExecuteThread: '10' for queue: 'default'> <beasys> <> <000000><getUser("beasys")>
  ####<Dec 27, 2001 1:30:16 PM CST> <Debug> <CachingRealm> <eqqaap2><wlcsServer>
  <ExecuteThread: '10' for queue: 'default'> <beasys> <> <000000> <user:pos
  HIT
  beasys>
  ####<Dec 27, 2001 1:30:16 PM CST> <Debug> <CachingRealm> <eqqaap2><wlcsServer>
  <ExecuteThread: '10' for queue: 'default'> <beasys> <> <000000><getUser("beasys")>
  ####<Dec 27, 2001 1:30:16 PM CST> <Debug> <CachingRealm> <eqqaap2><wlcsServer>
  <ExecuteThread: '10' for queue: 'default'> <beasys> <> <000000> <user:pos
  HIT
  beasys>
  ####<Dec 27, 2001 1:30:16 PM CST> <Debug> <COMMERCE_SERVER_FRAMEWORK><eqqaap2>
  <wlcsServer> <ExecuteThread: '10' for queue: 'default'> <beasys> <><000000> <@@@@@
  Is WAR : false>
  ####<Dec 27, 2001 1:30:16 PM CST> <Debug> <COMMERCE_SERVER_FRAMEWORK><eqqaap2>
  <wlcsServer> <ExecuteThread: '10' for queue: 'default'> <beasys> <><000000> <@@@@@
  Is WAR : false>

• Begining with LDAP !!! Please help me ?

  Hi.. I am beginning working with Ldap.
  I want to make a central users with Ldap.
  So... Need i install a Ldap server right ? It can install on Window XP ?
  Thanks
  Diego

  Please, don't duplicate a thread for the same problem. See my reply [*here*|http://forums.sun.com/thread.jspa?messageID=10827602#10827602] .

• Can you add a group in LDAP as owners for a calendar?

  The documentation indicates that you can create a group calendar by adding
  owners to a calendar. The set_calprops
  WCAP command allows you to specify
  a list of owners for the calendar. However, I would like to know if there is
  a way to add a group in LDAP as owners for a calendar.
  <P>
  No, you cannot reference an LDAP group in this version of the iPlanet Calendar
  Server.

  Has this problem been resolved in Update 3 ?
  I just set up LDAP ACL with OpenLdap v 2.4.10 . Every thing work fine so far, except that I can't add a user or group by Admin Console ,
  It response this :
  {color:#ff0000}for host x.x.x.x trying to POST /admingui/admingui/newUserDialog, service-j2ee reports: Exception : ADMIN3132: Error while communicating to the LDAP server: ldap://127.0.0.1:389/dc=xxx,dc=xxx,dc=xxx
  {color}
  Though I can do this task in other tool . It will be good for SJSWS to support OpenLdap .