Mapping shares based on ADS Group membership

Hello,
I am a pc person and do not know much about Macs. I have been charged to find a way to attach all of our new macs to our Active Directory. I have been able to bind a test machine to the directory and get the home share. Now the "higher ups" want the macs to mimic a pc in logon. They want the mac to map all the shares based on group membership at login. Some of these people connect to 4 to 5 different shares depending on their job duties.
I have looked on line and all the questions/answers like this seem to end at binding to the ADS and getting a home share. I need to go one step further. Any help would be greatly appreciated.

Logon scripts, not Active Directory, are typically used to map drives to Windows computers at login. You assign a script to a user via Active Directory.
Macs can't be administered from Active Directory and therefore can't use the logon scripts from Active Directory, so you'll need a different solution. The Workgroup Manager from Mac OS X Server used with Active Directory in a Golden Triangle is a common solution. It does require a Mac OS X Server.
You won't find many other options, if any.
Hope this helps! bill
1 GHz Powerbook G4   Mac OS X (10.4.8)  

Similar Messages

  • Shared Calendars / Room Lists and automatically forcing them to users based on Security Group Membership

    Good morning all,
    I need some help achieving the following in our Exchange 2013 Environment.  First off, we have Exchange 2013, but all our clients have Outlook 2010.
    Here's what I would like to be able to do:
    1) create/manage public calendars / rooms in exchange 2013
    2) force these shared public calendars / rooms to users' calendars who are members of particular security groups
    3) give edit permissions / "booking" permissions for the shared calendars so select users are able to make changes to the shared calendars, as well as accept/deny requests to "book" shared room calendars
    Any one got any resources they can give to point me in the right direction?
    I have already created two mailbox room resources, and have them set up in a room list in AD.  But need to know the above as far as creating a shared calendar for events, and forcing these calendars / room lists out to users based on security group membership.
    I don't want my users to have to know how to add a shared calendar...that would be a nightmare explaining.  I just want it to show up.
    Any help on this is greatly appreciated, thank you!

    1) I recommend using Room Mailboxes for resource calendars because it just works better.
    2) This is a standard feature of a Room Mailbox.
    3) You're pretty specific here, but I think this is also more or less available with a Room Mailbox combined with folder rights.
    I don't know any way to just make them "show up".  You'll have to teach them.  Well written instructions can work wonders.
    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

  • ACS 5.3 Group Mapping based on AD group membership

    Hi,
    I am configuring a new ACS 5.3 system. Part of the rules is that I want to match the user's specific AD group membership, and match appropriately to an identity group.
    What I'm trying to do is say that if the user is a member of the AD Group (G-CRP-SEC-ENG) then associate them with the Identity Group SEC-ENG. Then under the access service, authorization portion, I assign shell profiles and command sets based on Identity Group.
    It seems that the ACS server will not match the AD Group for the user, and it will match the Default of the Group Mapping portion of the policy every time.
    I tried several configuration choices from: AD1:ExternalGroups contains any <string showing in AD>, AD1:memberOf <group>.
    Is there something special I need to do in the Group Mapping Policy to get it to match an Active Directory group and result in assigning the host to an Identity Group?
    Thank you,
    Sami

    Ok, my case is like this.
    I use ACS 5.3 for VPN authentication, using AD and an external RSA for token authentication (2 factor authentication)
    I didn't add all the VPN users in the ACS, because it will be troublesome, the users authentication will be managed by AD and RSA server.
    In some cases where we need to restrict a group of user to only access certain resources, downloadable ACL is used.
    Following the Cisco docs, I managed to get the downloadable ACL working when the authorization profile matching criteria is username, but when I change the matching criteria to Identity group, the downloadable ACL won't work.
    I have a case with Cisco engineer now and still in the middle to sort things out.
    The advice from the Cisco engineer is to have the Access Service set to Internal User instead of RSA server, but that will require us(the admin) to import all the VPN users into the ACS database.
    Wondering whether there is a fix for this.
    Thanks.

  • Map a network drive by group membership

    Hello,
    I'd like to map network drives by group membership.
    To begin I just tried with this command.
    $TestMembers = Get-ADGroupMember -identity Test
    $TestMembers | foreach-object {New-PSDrive -name T -PSProvider FileSystem -Root \\MyServer\MyShare -persist}
    My network drive is well mapped but for all my domain users.
    Could you please tell me what's wrong in my command ?
    I know I could use Group Policy Preferences but I'd like to know the powershell command.
    Thanks in advance.
    Seb.

    Hello,
    Thanks for your answer it will help me.
    Best Regards.
    Seb.

  • Custom Install of Acrobat, how to enable / disable Office plugin based on User group membership

    Hi,
    Just configuring Adobe Acrobat X (10.1.5) on Citrix Xenapp 6.5 (Win 2k8 R2)
    I've set up a custom install and have already removed the context menus and a few other bits and bobs.
    I wondered if it was possible to essentially add the Office plugins in but only for certain users.
    I've removed the plugins successfully by turning off the 5 / 6 features (IE, office , outlook etc)
    Now I just wondered what files / registry entries I could create on login (using Group policy preferences etc) which will add the plugins back in.
    Thanks
    Chris

    okay no replies yet but I've just removed the office / IE features for now, adding the context menu items in for specific users is working good enough at the moment. if anyone does know how to do this just reply to this at any point i'll pick the mail up.
    thanks

  • Mapping Default Profiles of PT groups and folders for automating subportal experience

    I need to automate the subportal experience by adding the users to the folders. These folders will correspond to the Plumtree groups that we create.
    We are already planning on automating the maintenance of these PT groups by authentication source by applying custom business logic in Java program. I believe I can do the folder maintenance in the same program as well. However to make it more efficient and maintainable, I have the following questions.
    Is there a way to map the PT groups to the folders by using Default profiles(by auth source?)? I think this would help me avoid hard coding which users belonging to certain groups go in which folders. Is there another better approach? Any help would be appreciated.
    Thanks.
    Vanita
    Staples

    Thanks a lot for your reply Mark. I tried to add the Plumtree only groups to the Auth source and I am not allowed. It seems like this works only for the Auth Source (NTLM, AD etc.) groups not Plumtree only groups. Is there a way to do this kind of mapping for Plumtree only groups (to avoid doing this programmatically)?
    Regards
    Vanita
    ------- Mark Dimas wrote on 1/28/05 10:41 AM -------
    You can have users placed directly in folders based off of group membership by using the Partial Users Synchronization mode.
    On the auth source select Partial Users Synchronization and run a synch job. This will import all the groups. Then go back to the auth source, on the first page under Default Profiles add the groups, and for each group you can select the destination folder for members of that group. Then, on the Fully Synchronized Groups page you can add all the groups you want to import members from. Run the job again and all the users that are members of the selected groups will be imported and placed in the correct folder.

  • AD groups membership not working for target Audience

    Hiya,
    Got a peculiar problem here. Trying to set audience on a link it doesn't work as we want it to. We have the following behavior:
    If adding users directly on SharePoint Group no problems. However if adding AD group to SP group, it doesn't work. Member count for AD Group is 0
    AD Group is created as Global, however tried placing it in a Domain Local group to see if that changed anything. SP synchs the AD groups fine, however it seems like it doesn't read the members, thus not granting any users access based on AD group membership.
    Not sure if this is default behavior or?

    Hi,
    It seems a known issue, but there is no workaround for this.
    It is worth reading these threads
    http://social.technet.microsoft.com/Forums/en-US/sharepoint2010setup/thread/8ede2f40-2b11-416b-b426-51c1b6479c33
    http://social.technet.microsoft.com/Forums/en-US/sharepoint2010setup/thread/586494b9-d259-4abf-a857-26137fa30460
    Hope this helps
    Thanks!
    Stanfford
    Everything will be fine.

  • How to create LDAP filter-based rule to check Group membership in OAM

    Hi folks,
    I'm having hard time creating an authorization rule to verify ldap group membership. I've followed "Configure User Authorization" article from Oracle website (http://download.oracle.com/docs/cd/E10761_01/doc/oam.1014/b32420/v2authz.htm#BABHBFEJI) and created an Authorization scheme w ldap_attribute_name as User Parameter and ruleExpression as Required Parameter. Then, inside my policy I created an Authorization Rule based on my Authz scheme w Allow Access attrib filter-based Rule which looks like this:
    ldap://ldap_server:port/ou=People,o=Company,c=US??sub?(ldap_attribute_name=ldap_attribute_value)
    This works fine.
    Now, I've added another filter-based rule under the same Authz Rule/Allow Access:
    ldap://ldap_server:port/ou=Groups,o=Company,c=US?uniqueMember?sub?(&(objectClass=groupOfUniqueNames)(cn=ldap_group_name))
    While query looks somewhat correct and works as a command-line argument (slightly modified format), it does not work in OAM (meaning people w out req-d group membership can still login).
    Can someone steer me to the right direction as to what do I need to do:
    1. Change/fix the ldap query
    2. Create new Authz scheme with uniqueMember userParameter; create new Authz rule based on new authz scheme; create new Allow Access filter rule with the ldap query I have
    3. Do smth else
    Any help is greatly appreciated.
    Thank you, Roman

    You can create two authorization rules
    First for user with attribute
    and second for group
    and then in authorization expression you can have AND of these two.
    Regarding your query...
    First ... If your requirement is to give access to all the members of a particular group then you don't require any ldap filters
    All you have to do is in the authorization rule -> Allow access -> Select People (here you have to select group so click on the group tab, it's a little hard to see but it's there in light blue color on dark blue tab) -> select the group you want to give access
    Second.. If your requirement is such that you want to give access to a member of a group which has certain attribute let's say group with status active ( In this case you are not aware of the name of the group because user can be a member of any group but you want to give access only to the group with specific attribute.) then you have to write custom authorization plugin.
    If the option is second let me know i can give you a solution which will work for a single domain without any effort of developing a major plugin.
    Hope this helps,
    Sagar

  • Active Directory Group membership based on OIM Role

    In OIM 11g, is it possible to determine additional AD group membership based on role membership?
    If it is, could someone point me to documentation or give me a brief description of what to do in order to make this work?
    Thanks!


  • Calculate Set membership based on Group Membership

    I know this has been asked before, but I haven't really found a clear answer to the problem - so here's me re-igniting the fire!
    I want to calculate set membership based on group membership? So, I have a set called "My Set" - its members should be all the members of the group "My Group" (The group is a Manual group, not a criteria based one). I know that Sets cannot refer to Groups when using "Resource ID" - bummer!
    I guess this can be done using a custom action WF which triggers whenever a member is added to the Group and goes and updates the Set with the ExplicitMember reference, but I'm wondering if there's a more elegant solution using some OOTB activities?
    Thanks

    I've done this using a custom WF, but still curious to see if there is some other way around it.
    For those interested, the custom workflow gets the member being added from the request, and adds it to the set - fairly simple really. I'm using the FIM PowerShell WF activity for this, in conjunction with the fantastic FIM PowerShell Module

  • How to change the values in custom profiles based on security group ??

    Hi,
    i am facing problem for my requirement, can anybody help me for below scenario...
    i have custom check in profiles , there are content types and sub types. sub type nothing but a categories on for particular content type. For example i have News content type , same in the below subtypes drop down list are press release, events, articles etc.
    what i want to do is, when i open custom checkin profile, subtype values need to be changed( some values in subtype should hide) based on security group changes .
    In the Sub type listed values, some values need to hide only when i choose different security groups.. sub types values should display based on the particular security group only. when ever i change the security group, drop down Values in subtypes needs to change.
    hope understand my requirement.
    How to achieve this task. Any help would be greatly appreciated.
    Thanks,
    yt

    Hi,
    Thanks a lot. It's working fine
    Can we configure DCL Relation two times in one information field ??? I should not create not more than fields to this requirement.
    Type -> subtype = DCL already existed
    Now, i want to Create DCL to
    Subtype ---> Security group
    As per my requirement, if i change the security group in checkin form, values should be change in the SubType drop down list.
    Created checkin profile there was DCL relation to " Type and "Sub Type" . now i want to map Relation ( DCL ) for subtype to security group.
    i was trying do for DCL for subtype and security group. but there was already existing DCL created for subtype information field (Relation configuration done for content type). even though i was trying to do for DCL in Security group information field. but, i could not find security group information field in configuration manager.
    Now what should i do ?? how to create DCL to subtype and security group ??
    Help would be appreciated.
    yt

  • AD Group Membership with User From Domain Outside of Forest

    Here's one to twist your brain around -
    I have kerberos authentication using Active Directory working between a client's web browser and my web-app hosted in JBoss. I also have limited authorization working by checking group memberships using LDAP. This currently only works if all users are in the same domain. The ever-helpful adler_steven has detailed in another thread (http://forum.java.sun.com/thread.jspa?threadID=603815&tstart=15) how to do a group membership check for all Users/Groups in a single forest using the Global Context.
    I need to go beyond the domain and even beyond the forest and try to authorize a user from a trusted domain by checking if the user is a member of a group in my domain. Authentication works fine using kerberos. It's the authorization by group check I am having trouble with. I believe there are two ways to approach this:
    Approach #1
    Access the MS-specific PAC in the kerberos token from the client to get the group SIDs. The structure of the PAC is nicely defined in this article: http://appliedcrypto.com/spnego/pac/ms_kerberos_pac.html. However, I have no idea how to access the decrypted token. I pass the encrypted token that I receive from the browser to myGssContext.acceptSecContext(...) to complete the authentication.
    Question: Does anyone know how to get the decrypted kerberos ticket from there, specifically the authorization-data field?
    Approach #2
    Try to walk through the Active Directory structures in both domains using LDAP. In the domain group that I am checking, I can see a member attribute that references a foreignSecurityPrincipal object. The CN of this object happens to be the objectSID of the user I am looking for in the remote domain. Unfortunately, I have to check the remote domain server directly to verify that. The foreignSecurityPrincipal object itself does not contain any hint about what user it refers to aside from the SID (no originalDomainName attribute or something similar). It is feasible that I could walk the chain of references back to the remote domain AD server. That would require that my configuration include a list of remote domain servers to check (since I could have users from multiple trusted domains) and that my JBoss server have access to those servers.
    Question: Does anyone know of some other LDAP-related way of finding information about a user from a remote, trusted domain without having to hit the server for that domain directly?
    adTHANKSvance
    Eric

    You should be able to work back from the foreignSecurityPrincipal object :-) He says with a wry smile..
    This post prompts me to think whether one day someone will draw the entity relationship diagram for AD. Oh well, I've been procrastinating for years, a few more won't hurt !
    If it was a user from within the same forest, you should just be able to perform a search against a GC using the objectSID as the search filter. I've forgotten, but I don't think they will be represented as foreign security principals.
    Have a look at the post titled JNDI, Active Directory and SID's (Security Identifiers) available at
    http://forum.java.sun.com/thread.jspa?threadID=585031&tstart=150 that describes how to search for an object based on their SID.
    Now if it is a user from another forest, with which you have a trust relationship, then we begin the navigation exercise.
    You'll need to obtain the user's SID (either from the cn or from the objectSID attributes) from the foreignSecurityPrincipal object. For example
    CN=S-1-5-21-3771862615-1804478405-1612909269-2143,CN=ForeignSecurityPrincipals,DC=antipodes,DC=com
    objectSID=S-1-5-21-3771862615-1804478405-1612909269-2143
    Then obtain the domain RID, e.g.
    S-1-5-21-3771862615-1804478405-1612909269
    Next you will have to recurse each of the crossRef objects in the Partitions container, in the configuration naming context (which you will find listed in the RootDSE). The crossRef objects that represent trusted domains or forests will have values for their trustParent attributes. A sample query would be something like
    //specify the LDAP search filter
    String searchFilter = "(&(objectClass=crossRef)(trustParent=*))";
    //Specify the Base for the search
    String searchBase = "CN=Partitions,CN=Configuration,DC=antipodes,DC=com";
    For each crossRef object, you can then use the dnsRoot attribute to determine the dns domain name of the forest/domain (if you want to later use dns to search for the dns name, ip address of the domain controllers in the trusted domains/forests), and then use the nCName attribute to determine the distinguished name of the trusted forest/domain.
    dnsRoot = contoso.com
    ncName = dc=contoso,dc=com
    Perform another bind to the ncName for the trusted domain/forest and retrieve the objectSID attribute, which will be the domain's RID. You may want to cache this information as a lookup table to match domain RID's with domain distinguished names and dns names.
    String ldapURL = "ldap://contoso.com:389";
    Attributes attrs = ctx.getAttributes("dc=contoso,dc=com");
    System.out.println("Domain SID: " + attrs.get("objectSID").get());
    Once you find out which domain matches the RID for the foreignSecurityPrincipal, you can then perform a search for the "real user". And then finally you should have the user object that represents the foreign security principal !
    Just one thing to note. Assume that CONTOSO and ANTIPODES are two separate forests. If you bind as CONTOSO\cdarwin against the CONTOSO domain, the tokenGroups attribute (which represents the process token) will contain all of the group memberships of Charles Darwin in the CONTOSO domain/forest. It will not contain his memberships if any, of groups in the ANTIPODES forest. If Charles Darwin accesses a resource in ANTIPODES, then his process token used by the ANTIPODES resource will be updated with his group memberships of the ANTIPODES forest. Also you can have "orphaned foreign security principal", where the original user object has been deleted !
    BTW, If I was doing this purely on Windows, IIRC, you just use one API call DsCrackNames, to get the "real user", and then the appropriate ImpersonateUser calls to update the process token etc..
    Good luck.
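
The SID handling the reply walks through, as an added Python example (not code from the thread): it decodes a binary objectSid, takes the SID from a foreignSecurityPrincipal DN, and matches its domain part (the value the reply calls the domain RID) against a cached table of trusted domains. The table contents and the pairing of the sample SID with contoso.com are assumptions made for illustration; the function names are hypothetical.

```python
import re
import struct

SID_RE = re.compile(r"^S-1-\d+(?:-\d+){1,15}$")

# Constructed lookup table: domain SID -> values read from that domain's
# crossRef object (dnsRoot, nCName). Which domain owns this SID is assumed.
TRUSTED_DOMAINS = {
    "S-1-5-21-3771862615-1804478405-1612909269": {
        "dnsRoot": "contoso.com",
        "nCName": "dc=contoso,dc=com",
    },
}


def sid_to_bytes(sid):
    """Encode a string SID into the binary layout stored in objectSid."""
    if not SID_RE.match(sid):
        raise ValueError("not a SID: %r" % sid)
    parts = sid.split("-")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    # revision (1 byte), sub-authority count (1 byte), authority (6 bytes,
    # big-endian), then each sub-authority as a little-endian 32-bit integer.
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(raw):
    """Decode a binary objectSid value, rejecting truncated or padded input."""
    if len(raw) < 8:
        raise ValueError("objectSid too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("length does not match the sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])


def split_sid(sid):
    """Return (domain SID, RID): everything before the last field, and the last field."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def sid_from_fsp_dn(dn):
    """Extract the SID from a foreignSecurityPrincipal DN (first RDN is CN=<SID>)."""
    m = re.match(r"CN=(S-[\d-]+),CN=ForeignSecurityPrincipals,", dn, re.IGNORECASE)
    if not m or not SID_RE.match(m.group(1)):
        raise ValueError("not a foreignSecurityPrincipal DN: %r" % dn)
    return m.group(1)


def sid_search_filter(sid):
    """LDAP filter on objectSid with every byte escaped as \\xx (RFC 4515)."""
    return "(objectSid=" + "".join("\\%02x" % b for b in sid_to_bytes(sid)) + ")"


def resolve_foreign_principal(fsp_dn, domain_table):
    """Find which trusted domain to search for the real user, and with what filter.

    Returns None when the domain SID is not in the table, which is also what
    an authorization check should treat as "no match" rather than guessing.
    """
    sid = sid_from_fsp_dn(fsp_dn)
    domain_sid, _rid = split_sid(sid)
    entry = domain_table.get(domain_sid)
    if entry is None:
        return None
    return dict(entry, filter=sid_search_filter(sid))
```

A search in the resolved domain can still return nothing: as the reply notes, the principal may be orphaned because the original user was deleted.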

  • Mount SMB share based on user name at Login

    I'm trying to get an SMB share mounted at login for Users where the UNC path is based on the username. I have written a simple script to accomplish this:
    set username to do shell script("whoami")
    try
    mount volume "smb://path/to/files/" & username
    end try
    The script works. I saved it as an application. I added that application as a login item for the group I want it applied to in Workgroup Manager. When logging in as a member of that group it shows up in the login items on the client as Unknown Unknown and does nothing.
    I then put the application on the client and added it as a login item locally and it worked fine.
    How can I make this work via Workgroup Manager? I need to run a different script based on what group the user logging in is a member of. It doesn't even need to be a script if there is another solution to get shares mounted with different paths including the username of the user logging in. Thanks for the help. If anything is unclear please let me know.

    how do you run this script on the client and save as an application?
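
One way to choose the shares from the group membership of the user logging in and to build the per-user path, as an added Python example (not code from the posts above). The group names, the server `fileserver.example.com`, the share paths and the function names are all made up for illustration; the mount step reuses the AppleScript `mount volume` command from the post.

```python
import grp
import os
import pwd
import re
import subprocess

# Constructed mapping: directory group name -> SMB URL. "{user}" is replaced
# with the short name of the user logging in. Adjust the keys to the group
# names your directory binding actually reports.
GROUP_SHARES = {
    "Finance Staff": "smb://fileserver.example.com/finance",
    "Engineering": "smb://fileserver.example.com/engineering",
    "Domain Users": "smb://fileserver.example.com/users/{user}",
}

# The user name ends up inside a URL and inside an AppleScript string, so
# anything outside this set is rejected instead of being escaped.
SAFE_USER = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def groups_of(user):
    """Names of every group the system reports for `user`.

    Group IDs are resolved one by one, so names containing spaces (common
    for directory groups) survive intact.
    """
    primary_gid = pwd.getpwnam(user).pw_gid
    names = set()
    for gid in os.getgrouplist(user, primary_gid):
        try:
            names.add(grp.getgrgid(gid).gr_name)
        except KeyError:
            pass  # GID with no resolvable name
    return names


def shares_for(user, groups, mapping=GROUP_SHARES):
    """Return the share URLs `user` should get, in mapping order."""
    if not SAFE_USER.match(user):
        raise ValueError("refusing unusual user name: %r" % user)
    wanted = {g.casefold() for g in groups}
    return [url.replace("{user}", user)
            for group, url in mapping.items()
            if group.casefold() in wanted]


def mount(url):
    """Mount one share with AppleScript; returns True on success."""
    # argv list, no shell: the URL is never parsed by /bin/sh.
    script = 'mount volume "%s"' % url
    return subprocess.run(["osascript", "-e", script], check=False).returncode == 0


if __name__ == "__main__":
    me = pwd.getpwuid(os.getuid()).pw_name
    for share in shares_for(me, groups_of(me)):
        if not mount(share):
            print("could not mount", share)
```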

  • Mapping EBS account codes to Group Account Numbers - Customization

    Hi,
    I want to map the account codes that are present in the Oracle EBS to BI Mappings.
    I am aware of the changes to be made to the following three files:
    ■ file_group_acct_names.csv - this file specifies the group account names and their corresponding group account codes.
    ■ file_group_acct_codes_ora.csv - this file maps General Ledger accounts to group account codes.
    ■ file_grpact_fsmt.csv - this file maps Financial Statement Item Codes to group account codes.
    The overview of my case is as follows:
    The client requires the general accounts to be clubbed into different sub-groups based on their reporting practices. This would lead to generation of around 60-70 odd group account numbers. My queries are as follows:
    1.There are cases where accounts belonging to a single parent account needs to be bifurcated into two different group account numbers. In that case, to which group account number should the parent account be classified?
    2.Can we go about modifying the existing group account numbers and adding new group account numbers as long as we are able to categorize them in the existing 6 financial statement buckets?
    3.What are the changes needed to be done in the RPD file to reflect the changes made to the group account numbers? Any documentation highlighting the same would be highly helpful.
    Thanks,
    Regards,
    Rajit

    Hi Krishna,
    I have the same required as yours.
    I implemented the note 914437.
    I noticed two peculiar cases from the standard mapping i.e. (standard BP Role sold to party)
    1) In BP transaction, in Display in BP Role drop down list box there is no custom BP Role as shown above but if I select the detail Icon I can find it there as shown in below screen shot.
    2) I found in Tx BP there is only one BP Role as shown above but in CRM Web UI there are two BP Roles in the ROLEs assignment block.
    Could you please add your comments or solution for it.
    Thanks,
    Raja

  • Group membership alterations timeout

    Hello,
    I've imported about 100 security groups with their members from AD to FIM and have altered precedence so that FIM now manages these groups. I want to change the groups to criteria based membership and have successfully done so in a number of cases, however I am finding that groups with more than apx. 700 members are causing an error in the portal.
    Event viewer says that the diagnostic log may contain more information but it does not. It also suggests checking the SharePoint log but unfortunately I have been unable to find an appropriate log.
    I've had this error occur before in similar circumstances and my guess is that there is some sort of timeout cancelling the operation.
    Does anyone know of a fix for this? Is there a way to empty the group memberships?
    Many thanks 
    Portal error:
    "Unable to process your request. Please contact your help desk or system administrator."
    Event viewer:
    "The portal was unable to complete a request and showed a user the default error page.
    An unhandled exception was caught.
    Check the product diagnostic log file and then check the SharePoint log file."

    Hello FIM-EN,
    You probably have a timeout issue. Try to increase the value in the file "C:\Program Files\Microsoft Forefront Identity Manager\2010\Service\Microsoft.ResourceManagement.Service.exe.config":
    /configuration/resourceManagementClient/@timeoutInMilliseconds
    [0,360000]
    90,000
    The timeout of the client side of communication.
    link:
    http://technet.microsoft.com/en-us/library/ff800821%28v=ws.10%29.aspx
    Regards,
    Sylvain
