List Membership In Privileged Groups

Regarding the script here: http://gallery.technet.microsoft.com/scriptcenter/List-Membership-In-bff89703
From: http://blogs.technet.com/b/askpfeplat/archive/2013/04/08/audit-membership-in-privileged-active-directory-groups-a-second-look.aspx#171707
In short, the issue is that in multi-domain forests the code running under PowerShell v3 doesn't correctly query the privileged groups, and the generated CSVs aren't correct.
It seems that when running in a multi-domain forest with PowerShell v3 the findall() function fails. From memory, the line: Foreach ($uniqueMember in $uniqueMembers) doesn't seem to select distinct single entities from the array $uniqueMembers, so when calling getUserAccountAttribs it throws a fit as it's passed 10-100s of accounts.
What's interesting is this issue is resolved in PowerShell v2 and only apparent in v3.
Does anyone have any thoughts on how to fix this script for PowerShell v3? It is inevitable this will become the default PowerShell in later versions of Windows, so I don't want to rely on needing an older (v2) version for it to function.
Note: Reported to author (as best I can) and commented on the original blog, but interested in any community sourced fixes in the meantime...
Thanks

Hi Mark,
Did you get any solution to this? If so, please update here.
Regards,
Satyajit

Similar Messages

  • Unable to manage Distribution list membership since moving from Exchange 2003 to Exchange 2010

    Hi,
    We have recently started migrating from Exchange 2003 to Exchange 2010. One of our customers used to be able to manage a security group through the Outlook address book. This is a mail-enabled security group where the customer is on the "Managed by" entry and the "Manager can update membership list" is ticked.
    Now that the user's mailbox has been migrated to Exchange 2010, if they try to modify the membership using Outlook by finding the group in the address book they get the error "changes to the distribution list membership cannot be saved. you do not have sufficient permission to perform this operation on this object".
    I have now added a test account to the managed by entry on the security group to test the problem.
    I have followed the article http://blogs.technet.com/b/exchange/archive/2009/11/18/3408844.aspx that explains how to use the EMS to give users the right to amend groups that users own. I did not run the script but entered the following commands:
    New-ManagementRole -name "MyDistributionGroupsManagement_Test" -parent MyDistributionGroups
    Remove-ManagementRoleEntry "MyDistributionGroupsManagement_Test\New-DistributionGroup" -confirm:$false
    Remove-ManagementRoleEntry "MyDistributionGroupsManagement_Test\Remove-DistributionGroup" -confirm:$false
    New-ManagementRoleAssignment -name "MyDistributionGroupsManagement_Test-Default Role Assignment Pol" -role "MyDistributionGroupsManagement_Test" -policy "Default Role Assignment Policy"
    All appears to have worked OK and I have seen no errors while doing this.
    If I use OWA and then use the ECP, I can now see the "Public groups I own" but no groups are listed.
    I have created some new distribution groups in Exchange 2010 (one dist list and one security group) to test and added the test account as an owner of both and a member of both. I still cannot amend the membership using the Outlook address book and the ECP still shows no groups under "Public Groups I own".
    I have seen a number of articles on how to do this and it looks like I am doing everything right and it has worked for plenty of other people. I just don't know what's going wrong.
    I would be very grateful if anyone can help.
    Matt

    Hi Rajith,
    I deleted the Outlook profile and recreated it but this did not work.
    I have now created a brand new mailbox on Exchange 2010, added this to the "managed by" section of the Exchange 2010 dist lists and I still get the error. I also do not see the groups listed when logging in as that user to OWA ECP and clicking on the Groups link.
    I had a look at the link you sent me and I could see that from the Exchange server when I opened the User roles to get to the ECP, clicked on Roles and Auditing and then User Roles, the only policy applied is "Default role assignment". When I select the details for this, under Distribution groups, "My Distribution Groups" is not ticked but my new one that I created "My DistributionGroupsManagement_Test" is. So this looks OK.
    Any other ideas?
    Matt

  • "changes to the distribution list membership cannot be saved. you do not have sufficient permission to perform this operation on this object"

    Running Exchange 2010/latest updates on Windows 2008 R2 servers.
    When I create a new DL that I want someone to manage, they received the following message when trying to add/remove from the DL:
    "changes to the distribution list membership cannot be saved.  you do not have sufficient permission to perform this operation on this object"
    I have followed everything in "http://msexchangeteam.com/archive/2009/11/18/453251.aspx" with no luck
    Any suggestions?

    Piggybacking off of the discussion above, with our deployment of Exchange 2007, we created a set of web-based tools that allowed people to create Exchange Resources including distribution lists. To allow multiple people to manage the lists for a given department, we programmatically created a group, which is populated with one or more users from the "resource department". We then set the following AD permissions to allow members of the group to manage membership of departmental distribution lists:
    Add-ADPermission -User DepartmentalGroup -AccessRights ReadProperty, WriteProperty -Properties 'Member' -DomainController dc.contoso.com
    Fast forward to Exchange 2010 and the landscape has changed with Exchange 2010's implementation of Role Based Access Control and I'm struggling to come up with a way to programmatically allow a group of users to manage distribution list membership for a subset of distribution lists - note that we have approximately 75 departments, with each having its own set of coordinators who should be able to manage distribution lists for their department but not lists created by other departments. The specific error we receive in Outlook when attempting to modify group membership is the same as the title of this thread - "Changes to the distribution list membership cannot be saved. You do not have sufficient permission to perform this operation on this object".
    I implemented the settings referred to at http://sysadmin-talk.org/2010/06/omg-allowing-end-users-to-manage-distribution-group-membership-in-exchange-2010-2/ which details the process of creating a new management role and revoking the role's ability to create new distribution lists and remove distribution lists (which we want because we want those actions to be performed using our web tools).
    All that to say that the ultimate problem we have is that the above relies on the "ManagedBy" field of a distribution list (viewable by Get-DistributionList Listname | fl *ManagedBy*) to determine group ownership. When "ManagedBy" is set to a user, the user CAN edit a distribution list's membership from Outlook and OWA. When "ManagedBy" is set to a group, members of the group are UNABLE to edit the membership of the distribution list via Outlook or Outlook Web Access/ECP. Furthermore, Set-DistributionGroup does not allow you to specify a list of users to assign to the ManagedBy field. However, if "ManagedBy" was set to a specific user and that user logs in to the Exchange Control Panel and adds additional "owners" of the distribution list, which I can then see from EMS - both the original owner and any additional owners added can in turn modify group membership for the list using Outlook or Outlook Web Access/ECP.
    My questions:
    1) Is it "expected" behavior that while I can assign a group to the "ManagedBy" property of distribution list, members of that group are still unable to edit the group membership?  ...or is there a fix for the behavior I'm seeing?
    2) Can multiple values be assigned to the "ManagedBy" property when using Set-DistributionList - ex: Set-DistributionList DLName -ManagedBy:user1,user2
    3) Any other suggestions?
    Thanks,
    -Lance

  • List of Portal Users/Groups

    Is there a way to get the list of users/groups in the Portal to allow us to add security to our custom built portlet? Once the security has been added, we can use the APIs to check if someone is privileged, but how do we get a list of the users/groups to select from in the first place.
    Regards
    Jenny

    Just check if the IRole and IUser interfaces have the necessary methods to do so.....

  • List of Portal Users/Group

    Is there a way to get the list of users/groups in the Portal to allow us to add security to our custom built portlet? Once the security has been added, we can use the APIs to check if someone is privileged, but how do we get a list of the users/groups to select from in the first place.
    Regards
    Jenny

    Search for LDAPSEARCH in metalink. I've seen a stored procedure that one may use to list either users or groups. You have to use both if you want to dump list of groups with users. Optionally there's an LDAPSEARCH command that may be used via command line. Refer to Metalink Note 251776.1. This note will give you syntax on the command line LDAPSEARCH. In order to do this though, you must know the base domain parameters for your portal groups...which you can obtain from the Administrator -> Global Settings -> SSO, and you also must know the password to your orcladmin superuser account that's used to login to the LDAP.
    Hope this helps...

  • Is it possible to have "OM: List Price Override Privilege" specific to pri

    is it possible to have list price override privilege specific to price lists?
    Edited by: anand on Feb 16, 2011 6:33 AM

    Hi,
    Item group would be a better way to classify items. Especially for price list.  Try it.
    Thanks,
    Gordon

  • What is difference between distribution list and share point group? Can we add distribution list into person and group column of share point list?

    What is the difference between a distribution list and a SharePoint group? Can we add a distribution list into the person and group column of a SharePoint list?

    There is a workaround you can try: create an audience and add the DL to it and deal with the audience, or convert the DL to groups.
    https://social.technet.microsoft.com/Forums/en-US/02f0d773-8188-4d94-a448-0c04d838b0cf/distribution-lists-in-sharepoint?forum=sharepointgenerallegacy
    Kind Regards,
    John Naguib
    Technical Consultant/Architect
    MCITP, MCPD, MCTS, MCT, TOGAF 9 Foundation

  • I have two users listed in my admin group. How do I get rid of one?

    I have two users listed in my admin group, but the undesired one doesn't show up in users and groups settings pane. How do I get rid of it?

    Well, I found a link which showed me how to find the hidden/unwanted user and get rid of it (remove hidden users: Apple Support Communities). Now when I get info from the drive on my network I find this:
    Is this normal? I would expect to find something other than (unknown).

  • Strange Problem in dynamically list population with record group

    Hello Room,
    I am dynamically populating a single list with 2 record groups. I am having a strange problem. All the code is written in 2 separate buttons. The code of each button is given below.
    Button 1 code:-
    DECLARE
        rg_reports RECORDGROUP;
        rg_name VARCHAR2(40) := 'REPORTS';
        vTemp NUMBER;
    BEGIN
        -- Make sure the group doesn't already exist
        rg_reports := FIND_GROUP(rg_name);
        -- If it doesn't exist, create it and add the query to it
        IF Id_Null(rg_reports) THEN
            rg_reports := CREATE_GROUP_FROM_QUERY(rg_name, 'SELECT companyname,to_char(co) from companymaster order by companyname');
        END IF;
        -- Populate the record group
        vTemp := POPULATE_GROUP(rg_reports);
        POPULATE_LIST('REPORTS.EXAMPLELIST', rg_name);
        Delete_Group(rg_reports);
    END;
    Button 2 Code:-
    DECLARE
        rg_reports RECORDGROUP;
        rg_name VARCHAR2(40) := 'REPORTS';
        vTemp NUMBER;
    BEGIN
        -- Make sure the group doesn't already exist
        rg_reports := FIND_GROUP(rg_name);
        -- If it doesn't exist, create it and add the query to it
        IF Id_Null(rg_reports) THEN
            rg_reports := CREATE_GROUP_FROM_QUERY(rg_name, 'SELECT accountname,to_char(co) from accountmaster order by accountname');
        END IF;
        -- Populate the record group
        vTemp := POPULATE_GROUP(rg_reports);
        POPULATE_LIST('REPORTS.EXAMPLELIST', rg_name);
        Delete_Group(rg_reports);
    END;
    The code is the same here; only the SQL is different in these 2 buttons. Now the problem point.
    When I press button 1, I get the list populated OK. When I try to click on the list item and keep the button pressed, the list gets scrolled properly.
    When I press button 2 after that, I get account names well populated in the same list item as well, but this time, when I keep the button pressed, the list does not scroll below as in button 1. It does not even allow me to select a different item from the list of button 2 code.
    I tried to clear cache, cookies, exit browser, everything, and tried to run button 2 first, but there is still the problem in button 2 code.
    Following are my system details.
    Windows 7 Professional edition.
    Oracle database 11g on Windows 7
    Oracle Forms 10g patchset 10.1.2.0.2 on Windows 7
    Browser Netscape Navigator with Oracle JInitiator 1.3.1.22
    But this form is run by a client side HTML file where Oracle Forms 10g is not installed, on Windows XP. The HTML file is just referring to the server URL to run the module. The file is run on the Netscape Navigator browser with Oracle JInitiator 1.3.1.22.
    My question is: is this a bug? If button 1 gets the list item scrolled, why is the problem with button 2 even though I press it first? Here I am deleting the record group also, after the code is over. Initially I thought this may be a character length problem, so I took the maximum character length for that list item as given by the 2 columns in the database.
    Why is the list scrolling not happening in button 2 but in button 1, with the same code on both?
    Anybody please help me.

    The problem is the second query. I would guess that the TO_CHAR(co) is not unique for each account, but is the same for the accounts. And as the second item in the select-list is the list item's value, all your list item entries have the same value. Therefore, if you select any entry, the list will always go to the first entry again.
    Adjust your query.

  • SharePoint Hosted App to Read members of Site owner group, if "Who can view the membership of the group? " is set to Group members only

    Hi,
    Is there a way to read group members of the site owner group via a SharePoint hosted app? The "Who can view the membership of the group?" setting is set to Group members only. As per my research, SCA can only view the group members of the site owner group if this setting is applied.
    Thanks,
    Sudhir
    Sudhir rawat

    See this.
    Avoid changing the MaxPageSize LDAP query policy
    http://jeftek.com/219/avoid-changing-the-maxpagesize-ldap-query-policy/
    Regards~Biswajit

  • Can I Change SEARCH to default as LIST view rather than GROUPS view?

    Can I Change SEARCH to default as LIST view rather than GROUPS view?
    I always end up doing a command+2 and if I can default this it would be better.
    THANKS

    Perform a search, click on the List View icon in the Finder window's toolbar, press COMMAND-J to open the View Options dialog, check the box labeled "Always open in list view."

  • Becoming a member of the Privilege Group

    People,
    I am using the PL/SQL packages wwsec_api and wwsec_oid to create and maintain users and groups. The problem is that I need some users to be members of the "Privilege Group". This is described on the OID HTML interface as "Grant members full DAS privilege".
    Problem is I can't find the Privilege Group anywhere. I'm not having any problems adding a user to the DBA group, PORTAL_PUBLISHERS group, or my own groups.
    Does anyone know how to programmatically add a user to the Privilege Group?
    Thanks in advance
    James Hayward
    Cheers
    James.

    Yes to 1 thru 5
    To access the account it is faster just to logout and login rather than rebooting.

  • Calculate Set membership based on Group Membership

    I know this has been asked before, but I haven't really found a clear answer to the problem - so here's me re-igniting the fire!
    I want to calculate set membership based on group membership. So, I have a set called "My Set" - its members should be all the members of the group "My Group" (the group is a Manual group, not a criteria based one). I know that Sets cannot refer to Groups when using "Resource ID" - bummer!
    I guess this can be done using a custom action WF which triggers whenever a member is added to the Group and goes and updates the Set with the ExplicitMember reference, but I'm wondering if there's a more elegant solution using some OOTB activities?
    Thanks

    I've done this using a custom WF, but still curious to see if there is some other way around it.
    For those interested, the custom workflow gets the member being added from the request, and adds it to the set - fairly simple really. I'm using the FIM PowerShell WF activity for this, in conjunction with the fantastic FIM PowerShell Module

  • Command to list all email aliases /groups and members on the mail server.

    Hi,
    We are using SJS Messaging Server 6.2.
    Which is the command to use to list all email aliases/groups and members on the mail server.
    Thanks,

    sureshsamuel wrote:
    We are using SJS Messaging Server 6.2.
    Which is the command to use to list all email aliases/groups and members on the mail server.

    Email aliases/groups can exist in text files in the configuration directory of Messaging Server or be defined in the LDAP Directory Server. You can use the "commadmin group search" command to list the LDAP groups (if you have Delegated Administration installed/configured), otherwise you can use a directory ldapsearch to find the groups.
    Regards,
    Shane.

  • Is it possible to list out CATALOG ITEMS GROUP in a Query Result of a Request Offering??

    Hi Experts,
    Is it possible to list out CATALOG ITEMS GROUP as a result of Query Result in Request Offering? Because each and every Catalog Items Group is being created as a SingleTon Child Class of System.CatalogItemGroup, i.e., each CatalogItemGroup instance will have its own singleton class.
    Is it possible to list out all CatalogItemGroup Instances consolidatedly in the QueryResult Window?
    Though the System.CatalogItemGroup class is an Abstract class, I tried to list out the class instances via the PowerShell command below, which lists all catalog group instances. Note: Actually these are instances of SingleTon Child Classes.
    "Get-SCClassInstance -Class (Get-SCClass -Name System.CatalogItemGroup)"
    But when I configured the QueryResult window with the "System.CatalogItemGroup" class, it doesn't list out any Group instances in the Porta.......
    Am I missing anything? Any suggestions please?
    Thanks and Regards, Narayana Babu

    Thanks Anton, I already tried that too... But it doesn't list out any Group instances in the Portal.
    Since each Catalog Group is an individual singleton class instance derived from the "System.CatalogItemGroup" class, if I specify the internal ID of the abstract class "System.CatalogItemGroup" in the tag below, it doesn't list any in the Portal.... But if I specify the ID of any one of the derived singleton classes, it does display the one instance of that particular class.
    Thanks and Regards, Narayana Babu
