Leaving Active Directory

I started working with a small company with just 5 people. Their Windows SBS 2008 seems to be hacked and is quite old with other problems, so I decided to retire it rather than troubleshoot. I have moved email to Office 365 and was planning on putting in a NAS for local file sharing. However, the SBS was a DC and all the desktops use AD accounts for login.
Migrating to local accounts is a fair amount of work, but keeping a DC standing and happy is an ongoing expense.
I have never retired a domain and, knowing Microsoft, this may be one of those things they just don't do. Looking for ideas.

Option 1: Fix the domain controller
Option 2: Move to local accounts and bite the bullet
Option 3: Buy a decent little refurb server, add it to the domain (if you can) and try to promote it.
I think option 3 is likely going to be the easiest but is going to cost probably $1,500.00. With option three you have a long-term solution: you don't have to worry about the server failing, and it's relatively new hardware. Also, with option three you can use the AD integration in the cloud, providing a more seamless solution and an overall better end-user experience.
If you want to go with option 2 you're going to need to make a backup of their accounts and information (which, depending on how much you charge, may cost more than option 3).
This topic first appeared in the Spiceworks Community
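For option 2, the "backup of their accounts" step is the part that is easy to get wrong, so here is an added example (not from the Spiceworks thread): one function exports the domain's enabled user accounts to CSV while the SBS domain controller still answers, and a second creates a matching local account per row on a workstation, with a random one-time password that must be changed at first logon. The export needs the RSAT ActiveDirectory module on a domain-joined machine; the import runs elevated in Windows PowerShell 5.1 (which ships Microsoft.PowerShell.LocalAccounts). The file paths are placeholders.

```powershell
# Added example, not from the Spiceworks thread. Step 1 runs once while the DC is
# still up; step 2 runs elevated on each workstation.

function Export-DomainUsers {
    param([Parameter(Mandatory)][string]$Path)
    Import-Module ActiveDirectory
    # Keep the domain SID: it is the key for matching old profile folders and ACLs later.
    Get-ADUser -Filter 'Enabled -eq $true' -Properties DisplayName, EmailAddress |
        Select-Object SamAccountName, DisplayName, EmailAddress,
                      @{ Name = 'DomainSid'; Expression = { $_.SID.Value } } |
        Export-Csv -Path $Path -NoTypeInformation
}

function New-LocalUsersFromCsv {
    param([Parameter(Mandatory)][string]$Path)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    foreach ($row in Import-Csv -Path $Path) {
        if (Get-LocalUser -Name $row.SamAccountName -ErrorAction SilentlyContinue) {
            Write-Warning "Local account '$($row.SamAccountName)' already exists, skipping"
            continue
        }
        # 144-bit random one-time password; the fixed suffix only guarantees the
        # character classes a local password policy may require.
        $bytes = New-Object byte[] 18
        $rng.GetBytes($bytes)
        $oneTime = [Convert]::ToBase64String($bytes) + '!Aa1'
        $secure  = ConvertTo-SecureString -String $oneTime -AsPlainText -Force

        $user = New-LocalUser -Name $row.SamAccountName -FullName $row.DisplayName `
                              -Password $secure -Description 'Migrated from AD'
        # Standard user only; grant local admin separately and deliberately.
        Add-LocalGroupMember -Group 'Users' -Member $user
        # Force a password change at first logon (New-LocalUser has no switch for this).
        & net.exe user $row.SamAccountName /logonpasswordchg:yes | Out-Null

        # Old and new SIDs side by side: the local account gets a fresh SID, so the
        # existing domain profile under C:\Users is NOT attached to it automatically.
        [pscustomobject]@{
            User        = $row.SamAccountName
            DomainSid   = $row.DomainSid
            LocalSid    = $user.SID.Value
            OneTimePass = $oneTime   # hand over in person; keep this output off shared drives
        }
    }
}

# Usage (paths are placeholders):
# Export-DomainUsers -Path '\\nas01\migration\domain-users.csv'
# New-LocalUsersFromCsv -Path '\\nas01\migration\domain-users.csv' |
#     Export-Csv -Path 'C:\migration\local-accounts.csv' -NoTypeInformation
```

The DomainSid/LocalSid pairing is the record you need afterwards: file ACLs on the NAS and the old profile folders still reference the domain SIDs, so reattaching profiles and re-permissioning shares is a separate job that this script deliberately does not attempt.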

Similar Messages

  • Project Server 2010 Active Directory Synchronization - duplicate Windows Name - Event ID 7734

    Environment: SharePoint Server 2010, Project Server 2010, SP2, DEC 2013 CU (Farm Build number: 14.0.7113.5001)
    Scenario:
    Domain user has been added to the Active Directory group being synchronized with Project Server for the Team Members group.
    That user has participated as a team member in numerous projects, added documents, been assigned tasks, typical project stuff...
    Employee quits.
    AD account is deleted. (NOT deactivated or moved into another OU)
    Time passes...
    Employee gets rehired. NEW AD account is set up: same display name, SamAccountName, email address, different GUID of course.
    Daily Active Directory job runs again and throws event ID 7734 and the sync ends with a partial fail.
    I understand why this is happening. Solutions I've found point me to deleting the Enterprise Object resource in Project Server and then rerunning the sync. Sure, this works, BUT won't all of the previous documents, tasks, etc. be disassociated from that user? If so, this is not ideal.
    2 questions:
    Is there a better way to deal with the fixing of the resource in Project Server to somehow link the old resource to the new resource, allowing the sync to run successfully while still leaving the association to all old content intact?
    How are other organizations dealing with rehires when they have been added as resources in Project Server? What is the best practice guidance from Microsoft on this? Are other companies not actually deleting AD accounts when users leave organizations, or are they putting them into an "ARCHIVE" OU or something like that? This happens at least half a dozen times a year at my company. We would like to keep our AD as clean as possible, but this appears to change our approach.
    Any suggestion/guidance is appreciated.

    For the question of relinking the new account to the account which is already available in Project Server: you will have to update the WRES_AD_GUID to NULL for the resource in the MSP_RESOURCES table in the published database.
    Whenever a user gets synchronized to the PWA, his ADGUID, SAMAccountName, Display Name, Email Address and DepartmentName are synchronized from AD to Project Server. When the user was deleted and recreated, the ADGUID changed. During the next sync, Project Server found the user with similar properties but a different ADGUID from the one stored in the WRES_AD_GUID column of the MSP_RESOURCES table. Hence it says that there is a duplicate account in the table with the same properties but a different ADGUID.
    Nullifying the WRES_AD_GUID column value in the MSP_RESOURCES table should get the user synchronized to Project Server in the next sync.
    Cheers! Happy troubleshooting!!! Dinesh S. Rai - MSFT Enterprise Project Management. Please click Mark As Answer if a post solves your problem or Vote As Helpful if a post has been useful to you. This can be beneficial to other community members reading the thread.
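The fix above is a direct edit of a Project Server database, so it is worth doing with the checks a DBA would insist on. The following is an added example, not Dinesh's code: it clears WRES_AD_GUID for one resource in the published database, but only after confirming that exactly one row matches the name, inside a transaction that rolls back otherwise. It assumes the SqlServer module (Invoke-Sqlcmd) and that MSP_RESOURCES exposes the resource's display name as RES_NAME (an assumption; verify against your schema). Take a full backup of the published database first, since direct edits are outside what Microsoft supports.

```powershell
# Added example, not Dinesh's code. Assumes Invoke-Sqlcmd (SqlServer module) and
# a RES_NAME column on dbo.MSP_RESOURCES (assumption; check your schema).

function Clear-ProjectResourceAdGuid {
    param(
        [Parameter(Mandatory)][string]$ServerInstance,   # e.g. 'SQL01\PROJECT' (placeholder)
        [Parameter(Mandatory)][string]$PublishedDb,      # e.g. 'ProjectServer_Published' (placeholder)
        [Parameter(Mandatory)][string]$ResourceName      # RES_NAME of the rehired person
    )
    # The sqlcmd $(ResName) substitution is purely textual, so double any embedded
    # single quote: that is what stops a name like O'Brien from breaking the SQL.
    $literal = "N'" + $ResourceName.Replace("'", "''") + "'"

    # Single-quoted here-string: PowerShell leaves $(ResName) alone for sqlcmd to expand.
    $sql = @'
SET XACT_ABORT ON;
BEGIN TRAN;
DECLARE @n INT = (SELECT COUNT(*) FROM dbo.MSP_RESOURCES WHERE RES_NAME = $(ResName));
IF @n = 1
BEGIN
    UPDATE dbo.MSP_RESOURCES SET WRES_AD_GUID = NULL WHERE RES_NAME = $(ResName);
    COMMIT TRAN;
    SELECT 'updated' AS Outcome, @n AS Matched;
END
ELSE
BEGIN
    ROLLBACK TRAN;
    SELECT 'skipped' AS Outcome, @n AS Matched;   -- 0 or several rows: resolve by hand
END
'@

    $row = Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $PublishedDb `
                         -Query $sql -Variable "ResName=$literal"
    [pscustomobject]@{ Resource = $ResourceName; Outcome = $row.Outcome; Matched = $row.Matched }
}

# Usage:
# Clear-ProjectResourceAdGuid -ServerInstance 'SQL01\PROJECT' -PublishedDb 'ProjectServer_Published' -ResourceName 'Jane Doe'
```

After an "updated" result, run the Active Directory synchronization again and confirm the resource picks up the new ADGUID rather than raising event 7734 a second time; a "skipped" result means the name is ambiguous or absent and the row should be identified by hand before anything is changed.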

  • Mobile Account and Active Directory home folder

    We installed an Xserve server (Mac OS X 10.6.3). We joined it to Active Directory for authentication and Open Directory for policy. I read about the magic triangle on the web.
    I set up a MacBook Pro with Mac OS X 10.6. I joined it to AD and then to OD. When I configure an account to be mobile, the home folder configured in AD stops mounting automatically. If the account is not mobile, the home folder mounts correctly.
    Does somebody have an idea of what is happening?

    Hello, sifeduc, and welcome to the AppleBoards,
    This really seems like a Directory Services question and is probably best suited to this board: http://discussions.apple.com/forum.jspa?forumID=1353
    That being said are you talking about Portable Home Directories? If so PHDs should be created on the server first and on the client second. If you have a client account you want to sync to the OD you need to delete the client account - *but leave it in place* - create a server account and then use the local account which will then sync to the server. The steps for this are a little more complicated than that but not much.
    Good Luck,
    =Tod

  • Active Directory Issues 10.7.4 & 10.7.5

    Hi
    I'm having problems with all my 10.7.4 & 10.7.5 Macs. They're losing their connection to AD. When I go to unbind I get the following error:
    Unable to access domain controller
    This computer is unable to access the domain controller for an unknown reason. Warning: If you click force unbind you will leave an unused computer account in the directory.
    I then get an option to OK or force unbind. If I force unbind I get the following error:
    An unknown error occurred
    An unknown error occurred
    Helpful, I'm sure you'll agree! If I go into Console I can see the following two errors:
    02/10/2012 16:01:25.682 Directory Utility: An instance 0x7f8f02b30f30 of class ODCUnbindFromADAction was deallocated while key value observers were still registered with it. Observation info was leaked, and may even become mistakenly attached to some other object. Set a breakpoint on NSKVODeallocateBreak to stop here in the debugger. Here's the current observation info:
    <NSKeyValueObservationInfo 0x7f8f02b56970> (
    <NSKeyValueObservance 0x7f8f02b568c0: Observer: 0x7f8f01cea980, Key path: progressStatus, Options: <New: NO, Old: NO, Prior: NO> Context: 0x0, Property: 0x7f8f02b569a0>
    and...
    02/10/2012 16:03:32.463 Directory Utility: -[SFAuthorization obtainWithRights:::::] failed with error Error Domain=NSOSStatusErrorDomain Code=-60007 "The operation couldn’t be completed. (OSStatus error -60007.)" (The authorization was denied since no user interaction was possible. )
    When users are currently logged in they lose access to SSH sessions, network drives, etc. They have had issues with saving work and subsequently losing it!
    When I go into opendirectoryd.log I see the following:
    2012-10-02 15:37:42.208 BST - opendirectoryd (build 172.17) launched...
    2012-10-02 15:37:42.265 BST - Logging level limit changed to 'error'
    2012-10-02 15:37:42.902 BST - Initialize trigger support
    2012-10-02 15:37:42.904 BST - Registered node with name '/Active Directory' as hidden
    2012-10-02 15:37:42.904 BST - Registered node with name '/Configure' as hidden
    2012-10-02 15:37:42.905 BST - Discovered configuration for node name '/Contacts' at path '/Library/Preferences/OpenDirectory/Configurations//Contacts.plist'
    2012-10-02 15:37:42.905 BST - Registered node with name '/Contacts'
    2012-10-02 15:37:42.906 BST - Registered node with name '/LDAPv3' as hidden
    2012-10-02 15:37:42.939 BST - Registered node with name '/Local' as hidden
    2012-10-02 15:37:42.964 BST - Registered node with name '/NIS' as hidden
    2012-10-02 15:37:42.965 BST - Discovered configuration for node name '/Search' at path '/Library/Preferences/OpenDirectory/Configurations//Search.plist'
    2012-10-02 15:37:42.965 BST - Registered node with name '/Search'
    2012-10-02 15:37:43.024 BST - Discovered configuration for node name '/Active Directory/NUCA-AD' at path '/Library/Preferences/OpenDirectory/Configurations/Active Directory/NUCA-AD.plist'
    2012-10-02 15:37:43.024 BST - Registered subnode with name '/Active Directory/NUCA-AD'
    2012-10-02 15:37:43.024 BST - Registered placeholder subnode with name '/Active Directory/NUCA-AD/All Domains'
    2012-10-02 15:37:43.040 BST - Discovered configuration for node name '/LDAPv3/nuca-mon1.nuca.ac.uk' at path '/Library/Preferences/OpenDirectory/Configurations/LDAPv3/nuca-mon1.nuca.ac.uk. plist'
    2012-10-02 15:37:43.040 BST - Registered subnode with name '/LDAPv3/nuca-mon1.nuca.ac.uk'
    2012-10-02 15:37:43.108 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/legacy.bundle'
    2012-10-02 15:37:43.307 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/search.bundle'
    2012-10-02 15:37:44.311 BST - '/Search' has registered, loading additional services
    2012-10-02 15:37:44.311 BST - Initialize augmentation support
    2012-10-02 15:37:44.352 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/SystemCache.bundle'
    2012-10-02 15:37:44.423 BST - Successfully registered for Kernel identity service requests
    2012-10-02 15:37:44.482 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/PlistFile.bundle'
    2012-10-02 15:37:44.566 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/FDESupport.bundle'
    2012-10-02 15:37:45.461 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/ConfigurationProfiles.bundle'
    2012-10-02 15:37:45.463 BST - Registered subnode with name '/Local/Default'
    2012-10-02 15:37:45.556 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/ldap.bundle'
    2012-10-02 15:37:45.600 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/AppleODClient.bundle'
    2012-10-02 15:37:45.645 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/ActiveDirectory.bundle'
    2012-10-02 15:37:45.654 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/Kerberosv5.bundle'
    2012-10-02 15:37:45.858 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/NetLogon.bundle'
    2012-10-02 15:37:45.858 BST - Registered subnode with name '/Active Directory/NUCA-AD/nuca.ac.uk' as hidden
    2012-10-02 15:37:45.859 BST - Unregistered placeholder node with name '/Active Directory/NUCA-AD/All Domains'
    2012-10-02 15:37:45.860 BST - Registered subnode with name '/Active Directory/NUCA-AD/All Domains'
    2012-10-02 15:37:45.861 BST - Registered subnode with name '/Active Directory/NUCA-AD/Global Catalog' as hidden
    2012-10-02 15:37:57.468 BST - failed to retrieve password for credential
    2012-10-02 15:37:59.051 BST - failed to retrieve password for credential
    2012-10-02 15:38:04.052 BST - failed to retrieve password for credential
    2012-10-02 15:38:14.054 BST - failed to retrieve password for credential
    2012-10-02 15:38:29.056 BST - failed to retrieve password for credential
    2012-10-02 15:38:49.076 BST - failed to retrieve password for credential
    2012-10-02 15:39:11.505 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/configure.bundle'
    2012-10-02 15:39:11.900 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/keychain.bundle'
    Interestingly enough, the problem doesn't seem to affect users running 10.6.8 or my iMac which is running 10.8.2. I've spoken to the network manager and he can't see anything strange going on on the network.
    I've also spoken to our AD guy and nothing has changed.
    This is now the second time it's happened. I've managed to get everyone working (before it happened again) by deleting the AD plist in /Library/Preferences/OpenDirectory/Configurations/Active\ Directory/ then rebinding via a script pushed out via ARD.
    If anyone can offer any assistance I'd be most grateful, as I'm about to be shot by our users! It's the start of our new academic year!
    Thanks!
    Paul

    It's been a few weeks now, and (touch wood) it's not happened again en masse. We have had a few individual ones, but nothing major.
    We still don't quite know exactly what happened, but troubleshooting found the following:
    Our time server wasn't working correctly; Centrify's ADCheck tool showed it as having a firewall (even though it didn't). Our AD guy fixed that problem (sorry, not sure exactly what he did).
    We checked the AD Kerberos ticket from a machine that lost its connection to AD, on another Mac that worked, and found that it couldn't connect as the password was wrong. It seems that by default the Active Directory ticket wants to change its password every 14, and when trying to it's failing, so I set it to 0.
    We had tried to set the server the AD plugin sees to a specific DC, but this wasn't happening due to subnets not being configured in AD Sites and Services.
    Some of the Macs did not like being set to GMT in the time zone and the time was an hour out; people were able to log in though! So I've now set them to Europe/London and they're now picking up the correct time and even picked up the daylight savings over the weekend.
    Our DNS is still not great, but we are in the process of sorting out our subnets, and when we do the consolidation we'll also assign reservations for all the Macs in the hope that appeases DDNS.
    Thanks, Paul

  • Active Directory Sites and Exchange 2013 Deployment

    I've recently taken over responsibility for an Exchange 2013 organization that is deployed as follows:
    Active Directory consists of 4 sites: AD Site A, B, C, D. Exchange 2013 Enterprise resides in 2 of the 4 AD sites as follows:
    AD Site A - ExchangeServer 1 and ExchangeServer 2
    AD Site B - Exchange Server 3
    AD Site C - No Exchange Servers
    AD Site D - No Exchange Servers
    All 4 AD sites are 4 different physical locations/datacenters. All 3 Exchange 2013 servers are multi-role servers.
    The forest in which Exchange resides consists of an empty root domain, a Production (child) domain and a Test (child) domain. Exchange resides in the Production (child) domain.
    Issue: AD Site A contains DCs from all 3 domains: Root domain, Production child domain (this is where Exchange lives) and Test child domain. I notice that Exchange in AD Site A is using DCs from the Root domain for its "DefaultGlobalCatalog", "DefaultConfigurationDomainController" and "DefaultPreferredDomainControllers". This to me does not seem to be very efficient, as any address book queries will have to be referred by the Root domain DCs to the Production child domain where Exchange lives. All of the AD user accounts and mailboxes are in the Production child domain.
    In a situation such as this, would it be advisable to build 2 additional AD sites specifically for Exchange? Rather than re-IP Exchange or risk the impact of moving several other (non-Exchange) servers to another AD site, I would add the IP address of the Exchange servers /32 to the new Exchange-dedicated AD sites and erect a DC in these new sites, adding its IP address /32. Any thoughts on this idea? If the subnet that Exchange resides on is (for example) 10.60.3.0 /16 in AD Site A, and I build a new AD site for Exchange and add the IP address of the Exchange server such as 10.60.3.141/32 for this new Exchange AD site boundary, I can still leave the 10.60.3.0 /16 unaffected in AD Site A, correct?
    I'm looking for Microsoft's best practices in terms of laying out AD and domain controllers pertaining to Exchange Server 2013.

    Hi Anthouyray,
    Thank you for your question.
    We could use the following command to exclude the domain controller which is the root domain controller:
    Set-ExchangeServer -Identity <exchange servername> -StaticExcludeDomainControllers <root domain controller>
    Then we could restart the "Microsoft Exchange Active Directory Topology" service to check if the issue persists.
    If there are any questions regarding this issue, please feel free to let me know.
    Best Regards,
    Jim
    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]
    Jim Xu
    TechNet Community Support
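The exclusion Jim suggests is easy to apply blind and then not know whether it did anything, so here is an added example (not Jim's or Microsoft's code) that wraps the same Set-ExchangeServer command with a before/after readout of the domain controllers the server is actually using, checks that each excluded name resolves, and optionally restarts the AD Topology service. It is meant to be run from the Exchange Management Shell; all server and DC names are placeholders.

```powershell
# Added example, not Jim's or Microsoft's code. Run from the Exchange Management Shell.

function Get-ExchangeDcUsage {
    param([Parameter(Mandatory)][string]$Server)
    # -Status makes Get-ExchangeServer report the live Current* values.
    Get-ExchangeServer -Identity $Server -Status |
        Select-Object Name,
                      CurrentDomainControllers, CurrentGlobalCatalogs, CurrentConfigDomainController,
                      StaticDomainControllers, StaticGlobalCatalogs, StaticExcludeDomainControllers
}

function Set-ExchangeDcExclusion {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string[]]$ExcludeDc,   # FQDNs of the root-domain DCs
        [switch]$RestartTopology
    )
    $before = Get-ExchangeDcUsage -Server $Server

    # A mistyped name would exclude nothing, so resolve each one first and stop
    # on the first failure (System.Net.Dns works on every supported Windows build).
    foreach ($dc in $ExcludeDc) {
        try { [void][System.Net.Dns]::GetHostEntry($dc) }
        catch { throw "Cannot resolve '$dc'; refusing to write an exclusion list containing it" }
    }

    Set-ExchangeServer -Identity $Server -StaticExcludeDomainControllers $ExcludeDc

    if ($RestartTopology) {
        # The change is applied when the AD Topology service re-discovers DCs.
        # -Force restarts the dependent Exchange services too, which briefly
        # interrupts mail flow on this one server: do it in a maintenance window.
        Restart-Service -Name MSExchangeADTopology -Force
        Start-Sleep -Seconds 90   # give discovery time to run before reading Current* again
    }

    [pscustomobject]@{
        Server = $Server
        Before = $before
        After  = Get-ExchangeDcUsage -Server $Server
    }
}

# Usage:
# Set-ExchangeDcExclusion -Server 'ExchangeServer1' `
#     -ExcludeDc 'rootdc01.root.example.com','rootdc02.root.example.com' -RestartTopology
# Revert:
# Set-ExchangeServer -Identity 'ExchangeServer1' -StaticExcludeDomainControllers $null
```

Two things to confirm in the After readout: that CurrentDomainControllers and CurrentGlobalCatalogs now list Production-domain DCs in Site A, and that at least one global catalog from that domain actually exists in the site, since excluding the root DCs only helps if Exchange has something else in its own site to fall back on.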

  • How to populate a sharepoint 2010 list from the active directory. How to populate a sharepoint 2010 list with all sharepoint user profiles

    How to populate a sharepoint 2010 from the active directory.
    I want a list of all the computers in the active directory,
    another one with all users.
    I want also to populate a sharepoint 2010 list from the sharepoint user profiles.
    Thanks
    sz

    While the contacts list is usually filled out for contacts that are outside the company, there are times when you would use a contacts list to store internal and external resources. Wouldn't it be nice if you didn't have to re-type your internal contacts' information that is already in the system? Now you can with a little InfoPath customization on the contacts list.
    Here's our plan:
    Create the contacts list, and open in InfoPath
    Create a data connection to the User Profile web service
    Customize the form adding some text, a people picker and a button
    Create InfoPath rules that will populate the contact fields from the user fields in the User Profile store
    Let's get going! Before we begin, make sure you have InfoPath 2010 installed locally on your computer. I also want to give credit to Laura Rogers and Darvish Shadravan's book Using Microsoft InfoPath 2010 with Microsoft SharePoint 2010 Step by Step. I know it looks like a lot of steps, but it's easy once you get the hang of it.
    So obviously we need a contacts list. If you don't already have one, go to the SharePoint site where it will live, and create a contacts list.
    From the list, click the List tab on the ribbon, then click Customize form:
    So now we have our form open in InfoPath 2010. Let's add our elements to the form.
    Above all the fields, let's add some text instructing users what to do with the field we're about to add (e.g. To enter an existing user's information, choose the user below).
    Insert a people picker control by clicking the Person/Group Picker control in the Controls section of the ribbon. This will add a column to the contacts list called group.
    Below the people picker, insert a button control from the same section of the ribbon as above. With the button still highlighted, click the Control Tools|Properties tab on the ribbon.
    Then in the Label box, change the text to something more appropriate to our task (e.g. Click here to load user data!).
    You can drag the button control a little larger to account for the text.
    We should end up with something like this:
    Before we can populate the fields with user data, we need to create a connection to the User Profile Service.
    Add a data connection to the User Profile Service
    Click the Data tab on the ribbon, and click the option From Web Service, and From SOAP Web Service.
    For the location, enter the URL of your SharePoint site in the following format - http://<site url>/_vti_bin/UserProfileService.asmx?WSDL. Click Next.
    Note - for the URL, it can be any SharePoint site URL, not just the site where your list is.
    For the operation, choose GetUserProfileByName. Click Next.
    Click Next on the next two screens.
    On the final screen, uncheck the box for "Automatically retrieve data when form is opened". This is because we are going to retrieve the data when the button is clicked, also for performance reasons.
    Now we need to wire up the actions on our button to populate the fields with the information for the user in the people picker control.
    Tell the form to read the user from the people picker control
    Click the Home tab on the ribbon.
    Click the button control we created, and under the Rules section of the ribbon, click Manage Rules. Notice the pane appear on the far right.
    In the Rules pane, click New -> Action. Change the name to something like "Query and load user data".
    Leave the condition at the default (none - rule runs when button is clicked).
    Click the Add button next to "Run these actions:", and choose "Set a field's value".
    For Field, click the button on the right to load the select a field dialog. Click Show advanced view at the bottom. At the top, click the drop down and choose the GetUserProfileByName (Secondary) option. Expand myFields and queryFields to the last option and highlight AccountName. Click OK.
    For Value, click the formula icon. On the formula screen, click the Insert Field or Group button. Again click the Show advanced view link, but this time leave the data connection as Main. Expand dataFields, then mySharePointListItem_RW. At the bottom you should see a folder called group (the people picker control we just added to the form). Expand this, then pc:Person, and highlight AccountId. Click OK twice to get back to the Rules pane.
    If we didn't do this and just queried the user profile service, it would load the data of the currently logged in user. So we need to tell the form what user to load the data for. We take the AccountId field from the people picker control and inject it into the AccountName query field of the User Profile Service data connection.
    Load the user profile service information for the chosen user
    Click the Add button next to "Run these actions:", and choose Query for data.
    In the popup, for Data connection, click the one we created earlier - GetUserProfileByName - and click OK.
    We're closing in on our goal. Let's see our progress. We should see something like this:
    Now that we have the user's data read into the form, we can populate the fields in the contact form. The number of steps to complete will depend on how many fields you want to populate. We need to add an action step for each field. I'll show you one example and then you will just repeat the steps for the other fields. Let's update the Job Title field.
    Populate the contact form fields with the existing user's data
    Click the Add button next to "Run these actions:", and choose "Set a field's value".
    For Field, click the button on the right to load the select a field dialog. Highlight the field Job Title.
    For Value, click the formula icon. On the formula screen, click the Insert Field or Group button. Click Show advanced view at the bottom. At the top, click the drop down and choose the GetUserProfileByName (Secondary) option. Expand the fields all the way down until you see the Value field. Highlight it but don't click OK; instead click the Filter Data button, then Add.
    For the first dropdown that says Value, choose Select a field or group. The Value field will be highlighted, but click the Name field under PropertyData. Click OK.
    In the blank field after "is equal to", click in the box and choose Type text. Then type the text Title.
    Click OK until you get back to the Manage Rules pane. The last previous screen will look like this.
    We're going to update common fields that are in the user's profile, and likely from Active Directory. You can update fields like first and last name, company, mobile and work phone number, etc. For the other fields, the steps are the same except the Field you choose to update from the form, and the very last step where you enter the text will change. Here's what the rules look like when we're done:
    We're all done, good work! You can preview the form and try it now. Press Ctrl+Shift+B to preview the form. Once you're satisfied, you can publish the form back to the library. Click File -> Quick Publish. Once it's done, you will get confirmation:
    Now open your form in SharePoint. From the contact list, click Add new item. Type in a name, and click the button and watch the magic happen!

  • Use of active directory userid/password authentication instead of SAP R/3 User/Password for digital signature?

    Dear all,
    I am looking to set up the use of Active Directory userid/password authentication instead of the SAP R/3 user/password for digital signature. We SSO to the backend ABAP AS via an SAP NW Portal on which SPNego Kerberos authentication is set up. Today we specify the R/3 user id/password to digitally approve a lot release. The idea is to have users maintain one AD password and not have to remember the R/3 password anymore, and also for our Security team to avoid password maintenance.
    I know there are 3 options for digital signature:
    System signature with authorization by user ID and password (We use this currently)
    Digital User signature with verification - (We would like to use this with AD userid/password, so the system still asks the users for their AD userid/password for the authentication when they try to "sign" a document.)
    User signature without verification
    Do you think there is a way to configure the system in order to ask for and check the Active Directory userid/password instead of the SAP R/3 password? Where can I find documentation about it?
    I have several different versions of AS ABAP starting from NW 7.02 to NW 7.31.
    My active directory is based on Windows 2008.
    Thanks in advance!!
    Dhee

    Actually enabling Kerberos for SSO purposes and enabling Kerberos for digital signatures are two different topics although the latter is because of the former. I'm interested in the topic as well and I'm currently looking at different options. SAP provides a BAdI for the digital signature API which can be used for external authentication but they do not provide the solution to invoke Kerberos authentication based on username and password. SAP provides a semi solution with NWSSO 2.0 SP2 which works only on Windows with classic dynpros meaning SAP GUI for Windows is assumed. The solution is based on an ActiveX component which does the actual Kerberos authentication using the Secure Login Client which is part of the NWSSO suite. Extending that implementation to non-Windows and non-GUI applications would require some sort of web enabled service that could be used to authenticate the user with username and password. In case authentication is successful, a Kerberos token would be returned to SAP which would then be validated. All the required pieces are there since SAP has Kerberos support now in both stacks of the NetWeaver Application Server, some bits are still missing though which leaves customers looking at 3rd party or custom solutions.

  • ISE 1.2 Active Directory Question

    Hi,
    I have a question regarding using Active Directory as an External Identity Source.
    Our customer has 4 AD servers in their domain and thus 4 DNS entries for the domain. When I join ISE to the domain DNS resolves to one address and uses that machine to perform the join operation. What happens if the machine subsequently fails - does my ISE node need to leave and then re-join the domain or is this handled by some other method?
    Thanks
    Alan

    Assuming that they're part of the same AD domain ISE will learn all of the DCs in the domain and you'll likely find after a while that it has moved to a different DC. We have over 100 DCs in our domain and it works just fine, no intervention is required to get it to connect to a different DC if the one it's connected to disappears.
     

  • Active Directory + Resource action to delete home directory

    Hi all,
    I am trying to delete home directory from the disk physically after the user is deleted from AD. I followed the link http://docs.sun.com/app/docs/doc/820-6551/bzbuc?a=view and implemented the delete resource action as mentioned in the link.
    here are the steps i followed (For testing, I mentioned delete >> C:\test.txt to see if it deletes the text file)
    1. Enter delete after action in the Identity Manager User Attribute column of the resource’s schema map.
    2. In the Attribute Type column, select string.
    3. In the Resource User Attribute column, enter IGNORE_ATTR. Leave the Required, Audit, Read Only, and Write Only columns unchecked.
    4. Add this to the Deprovision Form user form after the </Include> tag:
    <Field name= ’resourceAccounts.currentResourceAccounts[AD].attributes.
    delete after action’>
    <Expansion>
    <s>AfterDelete</s>
    </Expansion>
    </Field>
    5. Create the following XML file and import into Identity Manager. (Change file paths according to your environment.)
    <?xml version=’1.0’ encoding=’UTF-8’?> <!DOCTYPE Waveset PUBLIC
    ’waveset.dtd’ ’waveset.dtd’>
    <Waveset>
    <ResourceAction name=’AfterDelete’>
    <ResTypeAction restype=’Windows Active Directory’ timeout=’6000’>
    <act>
    echo delete >> C:\test.txt
    exit
    </act>
    </ResTypeAction>
    </ResourceAction>
    </Waveset>
    6. Edit the XML for the Active Directory resource and add information to the “delete after action” schema mapping. Here is an example of a complete schema mapping for this resource with the new additions. (You will be adding the views-related information.)
    <AccountAttributeType id=’12’ name=’delete after action’ syntax=’string’
    mapName=’IGNORE_ATTR’ mapType=’string’>
    <Views>
    <String>Delete</String>
    </Views>
    </AccountAttributeType>
    To test, I deleted a user from AD and I was expecting the file c:\test.txt to be deleted as it invokes the Resource action after delete. Has anyone been successful in deleting the home directory from drive after the user is deleted. Any pointers or help
    Thanks,
    Ani

    Hi Gaurav,
    I have to implement Resource Action functionality for a Solaris system. I followed the link http://download.oracle.com/docs/cd/E19225-01/820-6551/bzbuc/index.html and the first message of this thread. I am using IDM 8.1.
    But unfortunately I can't trigger any bash commands on the resource, like echo deleting of user with next name - $WSUSER_accountId >> /tmp/resultFile.txt.
    There aren't any errors in the log file.
    Can you share your working configuration and steps to reproduce?
    I have done the following, but the Resource Action isn't triggered:
    1. My Action:
    <?xml version='1.0' encoding='UTF-8'?>
    <!DOCTYPE Waveset PUBLIC 'waveset.dtd' 'waveset.dtd'>
    <Waveset>
      <ResourceAction name='AST-ResAct-SOL-AfterDelete'>
        <ResTypeAction restype='Solaris' timeout='6000'>
          <act>
    #!/usr/bin/bash
    echo deleting of user with next name - $WSUSER_accountId >> /tmp/resultFile.txt
    exit 0
          </act>
        </ResTypeAction>
      </ResourceAction>
    </Waveset>
    2. Added the following line to the "Deprovision Form":
    <Field name='resourceAccounts.currentResourceAccounts[SOLARIS 10].attributes.delete after action'>
      <Expansion>
        <s>AST-ResAct-SOL-AfterDelete</s>
      </Expansion>
    </Field>
    3. Added a new attribute mapping on the resource:
    <AccountAttributeType id='12' name='delete after action' syntax='string' mapName='IGNORE_ATTR' mapType='string'>
    </AccountAttributeType>
    4. Assigned a role (this role provisions the resource to the user) to the user, and deleted the user from the resource via the Deprovision IDM page. But my action commands didn't trigger on the resource.
    Thanks in advance!

  • Cannot get "passwd" to work with pam_winbind (Active Directory/Samba)

    I have a Samba Active Directory server and AD users can log in to Linux boxes. I'd like them to be able to change their passwords from Linux.
    I've set up winbind and PAM and users can log in fine. However, users cannot change passwords.
    I used the PAM configuration as per the wiki, although I note that /etc/pam.d/passwd doesn't include the "system-auth" file that the Wiki instructions describe. I can either paste the "password" entries into /etc/pam.d/passwd or modify it to include "system-auth". I've tried both ways without any luck. Here is the PAM config I have (from the Wiki instructions):
    password [success=1 default=ignore] pam_localuser.so
    password [success=2 default=die] pam_winbind.so
    password [success=1 default=die] pam_unix.so sha512 shadow
    password requisite pam_deny.so
    password optional pam_permit.so
    and here is a typical session
    $ passwd
    Changing password for MYDOMAIN\myuser
    (current) NT password:
    Enter new NT password:
    Retype new NT password:
    passwd: Authentication failure
    passwd: password unchanged
    and the journal (I enabled debug in the above config)
    Mar 02 13:59:48 tsodium passwd[981]: pam_winbind(passwd:chauthtok): [pamh: 0x9c1fe98] ENTER: pam_sm_chauthtok (flags: 0x4000)
    Mar 02 13:59:48 tsodium passwd[981]: pam_winbind(passwd:chauthtok): username [MYDOMAIN\myuser] obtained
    Mar 02 13:59:48 tsodium passwd[981]: pam_winbind(passwd:chauthtok): getting password (0x00000021)
    Mar 02 13:59:51 tsodium passwd[981]: pam_winbind(passwd:chauthtok): request wbcLogonUser succeeded
    Mar 02 13:59:51 tsodium passwd[981]: pam_winbind(passwd:chauthtok): user 'MYDOMAIN\myuser' granted access
    Mar 02 13:59:51 tsodium passwd[981]: pam_winbind(passwd:chauthtok): [pamh: 0x9c1fe98] LEAVE: pam_sm_chauthtok returning 0 (PAM_SUCCESS)
    Mar 02 13:59:51 tsodium passwd[981]: pam_winbind(passwd:chauthtok): [pamh: 0x9c1fe98] ENTER: pam_sm_chauthtok (flags: 0x2000)
    Mar 02 13:59:51 tsodium passwd[981]: pam_winbind(passwd:chauthtok): username [MYDOMAIN\myuser] obtained
    Mar 02 13:59:51 tsodium passwd[981]: pam_winbind(passwd:chauthtok): getting password (0x00000001)
    Mar 02 13:59:58 tsodium passwd[981]: pam_winbind(passwd:chauthtok): user 'MYDOMAIN\myuser' denied access (incorrect password or invalid membership)
    Mar 02 13:59:58 tsodium passwd[981]: pam_winbind(passwd:chauthtok): [pamh: 0x9c1fe98] LEAVE: pam_sm_chauthtok returning 7 (PAM_AUTH_ERR)
    I've done a bit of searching and have seen others reporting the same "incorrect password or invalid membership" but nothing concrete on how this should be configured. So I'd really appreciate anyone who can share a working configuration...
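    Added illustration, not part of the post above or of Samba/Linux-PAM: a small interpreter for the PAM control fields in the poster's "password" stack, so the [success=N default=X] jumps can be followed for a local user and for a domain (winbind) user. The five stack lines are copied from the post; the module outcomes fed to it are constructed inputs, not real PAM calls.

```python
"""Trace which modules a PAM 'password' stack consults, using the config from the post.

Added illustration, not from the post: a small interpreter for Linux-PAM control
fields so the [success=N default=X] jumps can be followed for a local user and for
a domain (winbind) user. Module outcomes are constructed inputs, not real PAM calls.
"""
import re

# The five lines from the post, verbatim.
PAM_PASSWORD_STACK = """\
password [success=1 default=ignore] pam_localuser.so
password [success=2 default=die] pam_winbind.so
password [success=1 default=die] pam_unix.so sha512 shadow
password requisite pam_deny.so
password optional pam_permit.so
"""

# Keyword controls expressed in the bracketed form, as Linux-PAM documents them.
KEYWORD_CONTROLS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

# pam_permit and pam_deny always give the same answer, so they are fixed here.
FIXED_OUTCOMES = {"pam_permit.so": True, "pam_deny.so": False}

LINE_RE = re.compile(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(.*)")


def parse_stack(text):
    """Parse 'type control module [args]' lines into (control dict, module name) pairs."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparsable PAM line: " + line)
        _type, control, module, _args = m.groups()
        if control.startswith("["):
            ctl = dict(kv.split("=", 1) for kv in control[1:-1].split())
        else:
            ctl = dict(KEYWORD_CONTROLS[control])
        entries.append((ctl, module))
    return entries


def run_stack(entries, outcomes):
    """Walk one pass of the stack; outcomes maps module -> True (success) / False (failure).

    Returns (stack_result, modules_consulted). Actions follow the Linux-PAM rules:
    a number skips that many modules, 'die' fails immediately, 'done' succeeds
    immediately, 'bad' fails the stack even if later modules succeed, 'ignore' is silent.
    """
    answers = dict(FIXED_OUTCOMES, **outcomes)
    i, consulted, result = 0, [], None
    while i < len(entries):
        ctl, module = entries[i]
        consulted.append(module)
        ok = answers.get(module, False)
        action = ctl.get("success" if ok else "default", "bad")
        if action.isdigit():              # jump: counts as a success, then skip N modules
            result = False if result is False else True
            i += int(action)
        elif action == "ok":
            result = False if result is False else True
        elif action == "done":
            return (False if result is False else True), consulted
        elif action == "bad":
            result = False
        elif action == "die":
            return False, consulted
        # 'ignore': nothing recorded
        i += 1
    return bool(result), consulted


if __name__ == "__main__":
    stack = parse_stack(PAM_PASSWORD_STACK)
    # Constructed scenarios: local user; domain user rejected by winbind (the post's
    # journal); domain user accepted by winbind.
    for label, outcomes in [
        ("local user", {"pam_localuser.so": True, "pam_unix.so": True}),
        ("domain user, winbind rejects", {"pam_localuser.so": False, "pam_winbind.so": False}),
        ("domain user, winbind accepts", {"pam_localuser.so": False, "pam_winbind.so": True}),
    ]:
        print(label, run_stack(stack, outcomes))
```

    What the trace shows against the journal in the post: the password stack is run twice (the two pam_sm_chauthtok entries, flags 0x4000 for the preliminary check and 0x2000 for the actual update), and on the second pass pam_winbind returns PAM_AUTH_ERR. Because its control is default=die, the stack stops right there; pam_unix and the rest are never consulted for a domain user, which is why passwd reports a bare "Authentication failure" with no fallback.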

    Hello,
    We are getting the same message output: "com.sco.tta.common.asadutils", but ours say: "com.sco.tta.common.asadutils.ExpiredEvaluationException: ErrEvalExpired\Session failed: Command execution failed"
    Does anyone know where can I get info about this output?
    cs0aluc, how did you get your error fixed?
    Thanks in advance.

  • OS X Lion in Active Directory - disable default shares?

    I have an iMac running Lion (10.7.3) which is joined to my Active Directory domain. If I enable SMB file sharing then even with no users explicitly enabled for sharing and no shares explicitly defined domain users can access the Mac via Windows file sharing. Depending on the type of user (administrator or not) who is accessing the Mac they will see either just their Mac home directory exposed via SMB sharing, if they are a non admin user, or their home directory plus all attached hard drives (Macintosh HD, Time Machine Backup) exposed if they are an admin user.
    This is very insecure and prevents me properly exploiting SMB sharing.
    Is there any way to 'disable' these default shares leaving just shares I create explicitly?
    Thanks,
    Chris

    Thanks David, that pretty much did the trick! Even though the article refers to Lion Server it seems the same holds true for Lion desktop. Also, the VirtualAdminShares flag is not present there by default, so it seems in its absence it defaults to Enabled. I disabled it (set the flag to NO), rebooted and now admins do not see all attached disks as shares.
    However, any user who connects still sees their home directory as shared even though those are not explicitly shared. It would be nice to be able to control that too, but it is much better than previously so I am not too concerned.
    Thanks again for that useful pointer.

  • Logon problem with Active Directory

    I maintain iMacs and Mac Pros connected to a Windows campus network using a combination of Mac OS X's Active Directory utility and DAVE, a Windows file and print sharing software from Thursby Software. I have found that a handful of users cannot connect to the network. They can log on, but they get the default screen and the sparse default Dock. The campus network services are not available to them.
    What I have found on studying the issue is that their Active Directory accounts have aliases in lower-case letters; in contrast, the vast majority have aliases in upper-case letters. Evidently, users with upper-case aliases in their Active Directory accounts can enjoy full network access, whereas those with lower-case aliases do not.
    Is there an underlying issue here that keeps users with lower-case aliases from accessing both Apple and network resources, or should I look elsewhere for the cause?

    There are several folders in the User Template on Leopard. One, English.lproj, is what I use to store the user template settings. There are also two others, user.template and non-localized.
    user.template is a truly root-level folder which is inaccessible from the Aqua visual interface; when unlocked its icon turns into a folder. In terminal mode, logged on as root, I found a basic set of folders. I decided to leave those alone.
    non-localized appears to be the same thing as English.lproj; it certainly has the same set of user folders. I decided to copy the folders and settings I made for English.lproj into non-localized. I invited another person with the lower-case alias problem to log on. He got the entire configuration, wallpaper, Dock and all. I confirmed this with the same person I had test the log on yesterday. He too got the whole config.
    So it is evident that Leopard was using information from LDAP/AD to determine which template to download. The majority with the upper-case aliases gets the configuration from the English.lproj folder; the lower-case-alias minority get the non-localized configuration, i.e., nothing at all. Knowing this, I can now prepare our iMacs to accommodate everyone.

  • Oracle 9i and Active directory

    Hi,
    We have Oracle 9i R2 and Windows 2003 Active Directory as domain controller on the same server.
    I'm not comfortable with this idea of having both on the same machine and I am considering putting them on separate servers, and integrating Oracle with Active Directory.
    Is it advisable to leave them on the same machine? Are there any known problems?
    I couldn't find any documents from Oracle regarding this. Any suggestions or links will be appreciated.
    Tony Garabedian

    If I remove the server from being a domain controller with AD (dcpromo out, and losing the Administrator profile on that machine) and leave only Oracle on it, will Oracle still be functional?
    Yes. But I'd check file access rights. Anyway you'll still have the local Admin account available. Think about:
    . I got a domain admin account
    . I install Oracle
    . I leave the company and my account is deleted
    => Oracle is still working perfectly
    I can't see any reason this would work otherwise in your case. Anyway you could just create a full server backup, and if there is any problem restore it (Ghost for example).
    The sole problem would be if you defined Oracle users identified via AD access, but that works weirdly anyway.
    Furthermore, I totally agree with Jaffar. Use OID rather than AD. We had many problems setting up a working config there... afterwards this was too time-consuming to manage and I changed it to OID. Since then it's working like magic.
    Regards,
    Yoann.

  • Active Directory credential caching issues under OS X 10.5.5 (and 10.5.4)

    We are experiencing issues with cached credentials and login delays using the Active Directory DirectoryServices plugin under 10.5. In our case, the plugin works fine as long as the system is on one of our networks, and credential caching works when the system is disconnected. Everything is repeatable, scripted and reasonably well tested. We're pretty happy with how it's working on-site. Once a system leaves our network however, as laptops tend to do, it is not possible to log in without a massive delay. Looking into the issue, I have determined that the following contribute to the problem:
    1) There are 9 active directory servers in our "/Library/Preferences/DirectoryServices/ActiveDirectoryDynamicData.plist" file.
    2) The timeout appears to be 90 seconds, according to the string value of the LDAP Connection Timeout element in "/Library/Preferences/DirectoryServices/ActiveDirectory.plist".
    The login delay does seem to coincide with the value of 90 seconds multiplied by the number of AD servers, about 13 1/2 minutes. Changing the value of the LDAP Connection Timeout does not seem to resolve the issue, even after a reboot. Moving the ActiveDirectoryDynamicData.plist file out of the way (to prevent the system from contacting any AD servers) does not seem to resolve the issue either. I'd like the ability to force cached credentials without the AD delay. Is it possible to change this value without rebooting, or at least without patching the binaries?
    I am currently testing on a MacBook Air with 10.5.5, and the following procedure was used from the command line to configure AD (note that you'd need to replace the AD username, OU, and domain values):
    dsconfigad -a `hostname -s` -u "ad-admin-user-replaceme" -ou "OU=Whatever, OU=You, OU=Have" -domain=example.com -mobile enable -mobileconfig disable -useuncpath disable
    dscl -q localhost -create /Search SearchPolicy ds AttrTypeStandard:CSPSearchPath
    defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" "Active"
    plutil -convert xml1 /Library/Preferences/DirectoryService/DirectoryService.plist
    Reboot and all seems to be working for us, except when the systems leave our network.
    Note that the last command (plutil) is not strictly necessary, but the DirectoryService utility seems to write the file in xml1 format, so this makes things consistent with what Apple is doing and hopefully less likely to break anything.

    As silly as it seems to respond to one's own posts, I think I've found a solution. Using the first set of commands at the bottom of this post, I disable Active Directory authentication (and ensure that LDAPv3 is disabled as well). This seems to still allow cached credentials to function, since AD is still in the search path. Although there is still a rather long 2 minute initial delay on the MacBook Air, it seems to work and is nowhere near 13 1/2 minutes. Interestingly enough, it seems to work on a test PowerBook G4 using the same baseline configuration with little to no delay.
    My plan is to push this out through my update mechanism as a cron job every 5 minutes, with a script that detects whether it's on one of our networks. The cron job will also be run on bootup so systems initially booted shouldn't need to suffer a 13.5 minute delay. This could be made better with a mechanism that could launch a script when the network interface came up or went down, I'll look at launchd for clues. If you have any comments feel free to reply...
    Commands executed on networks which cannot access our AD servers:
    defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" "Inactive"
    /usr/libexec/PlistBuddy -c "Set \"LDAP Connection\ Timeout\" 0" /Library/Preferences/DirectoryService/ActiveDirectory.plist
    Commands executed when a system is back on one of our networks:
    defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" "Active"
    /usr/libexec/PlistBuddy -c "Set \"LDAP Connection\ Timeout\" 90" /Library/Preferences/DirectoryService/ActiveDirectory.plist
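    Added example, not from the post above or from Apple: one way to implement the poster's plan of a periodic job that detects whether the machine is on the corporate network and flips the Active Directory plugin accordingly. The two plist paths and the two command lines are copied from the post (the PlistBuddy argument is passed byte-for-byte as the post's shell would pass it); the DC host list is a constructed placeholder, the probe (a TCP connect to LDAP port 389 with a short timeout) is an assumed way to detect "on our network", and reading the current state back with defaults read is an assumption used to avoid rewriting the plists every five minutes. Written for Python 3.7 or later.

```python
"""Switch the Active Directory plugin on/off depending on whether a DC is reachable.

Added example, not from the post: an implementation of the poster's plan (a periodic
job that detects whether the machine is on the corporate network). The plist paths and
the two command lines are copied from the post; the DC host list is a constructed
placeholder, and the probe (a TCP connect to LDAP port 389 with a short timeout) is an
assumption about how to detect "on our network".
"""
import socket
import subprocess

DS_PLIST = "/Library/Preferences/DirectoryService/DirectoryService"
AD_PLIST = "/Library/Preferences/DirectoryService/ActiveDirectory.plist"
DC_HOSTS = ["dc1.example.com", "dc2.example.com"]  # constructed placeholder; use your DCs
LDAP_PORT = 389
PROBE_TIMEOUT = 3.0   # seconds per DC: a full miss costs a few seconds, not 90 s x 9 servers


def ldap_reachable(host, port=LDAP_PORT, timeout=PROBE_TIMEOUT):
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def desired_mode(hosts, probe=ldap_reachable):
    """'Active' when any DC answers, else 'Inactive'; probe is injectable for tests."""
    return "Active" if any(probe(h) for h in hosts) else "Inactive"


def commands_for(mode):
    """The post's two command lines for a mode, as argv lists (no shell involved)."""
    ldap_timeout = {"Active": "90", "Inactive": "0"}[mode]
    return [
        ["defaults", "write", DS_PLIST, "Active Directory", mode],
        # Same string the post's shell hands to PlistBuddy, backslash included.
        ["/usr/libexec/PlistBuddy", "-c",
         'Set "LDAP Connection\\ Timeout" %s' % ldap_timeout, AD_PLIST],
    ]


def current_mode():
    """Read the plugin state back (assumed: defaults read returns the string written)."""
    out = subprocess.run(["defaults", "read", DS_PLIST, "Active Directory"],
                         capture_output=True, text=True)
    return out.stdout.strip()


def apply_mode(mode, current=None, runner=subprocess.run):
    """Run the commands only if the state differs; returns the argv lists that were run."""
    if current == mode:
        return []
    cmds = commands_for(mode)
    for argv in cmds:
        runner(argv, check=True)
    return cmds


if __name__ == "__main__":
    # Intended to run from cron every few minutes and once at boot, as the post describes.
    apply_mode(desired_mode(DC_HOSTS), current=current_mode())
```

    The probe is what keeps the off-site case cheap: each DC costs at most PROBE_TIMEOUT seconds of connect attempt instead of the plugin's 90-second LDAP timeout, and the plists are only rewritten when the answer changes, so an unattended machine that stays off-site does not churn its DirectoryService configuration on every run.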

  • The Active Directory cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.

    The solution I got from this forum is to demote and then promote it again to DC. My question: when I demote, will the OUs and objects remain as they are, or will they be lost? And what precautions do I need to take?
    Adding to the above points, my domain has only 2 DCs; should both DCs be demoted and promoted?

    Under NO circumstances should you demote both of your DCs. You must always have one or 2 DCs running, otherwise you will lose your entire AD. Only 1 DC should be demoted. You should wait a couple of hours prior to promoting it back to the DC role again.
    Ideally your primary DC will continue maintaining the OUs, GPOs, and user accounts.
    I would suggest bringing a new, 3rd DC into play, leave it for a day or 2 to replicate everything properly, confirm that it's propagating properly with the primary DC, and only then demote and remove the offending DC.
    There are actually ways of recovering from the tombstone lifetime much less painfully than DC demotion/promotion, depending on what your AD is running on, Windows 2003 or 2012 R2 servers.
    Here are a few links that might help you understand how it works:
    Primary link: http://blogs.technet.com/b/askpfeplat/archive/2012/11/23/fixing-when-your-domain-traveled-back-in-time-the-great-system-time-rollback-to-the-year-2000.aspx
    http://community.spiceworks.com/topic/343609-ad-replication-can-t-because-exceeded-tombstone-life
    https://support.microsoft.com/en-us/kb/2020053?wa=wsignin1.0
    http://shebangme.blogspot.com/2011/01/active-directory-time-since-last.html
