MBAM 2.5 Accounts and Groups

Hi,
I'm a bit confused by the required accounts for MBAM 2.5.
From TechNet:
DB Accounts / Groups:
Compliance and Audit Database read-only user or group for reports
User or Group
Read-only access domain user or group
Name of the user or group that will have read-only access to the Compliance and Audit Database to enable the reports to access the compliance and audit data in this database.
If you enter a user name in this field, it must be the same user as the one you specify in the Compliance and Audit Database domain account field on the Configure Reports page.
If you enter a group name in this field, the value that you specify in the Compliance and Audit Database domain account field on the Configure Reports page must be a member of the group that you specify in this field.
From Configure Reporting:
Compliance and Audit Database domain user account
User
Compliance and Audit Database domain account
Domain user account and password that the local SQL Server Reporting Services instance uses to access the Compliance and Audit Database.
If the value you enter in the Read/write access domain user or group field on the Configure Databases page is a user name, you must enter that same value in this field.
If the value that you enter in the Read/write access domain user or group field on the Configure Databases page is a group name, the value that you enter in this field must be a member of that group.
Configure the password for this account to never expire. The user account should be able to access all data that is available to the MBAM Reports Users group.
My reading is that I need to specify an account with read/write access to the Compliance and Audit DB for reporting purposes, or is the documentation wrong at this point?
/Oliver
 

Hi,
I came across a great TechEd session presented by Lance Crandall, and from his slide deck it seems that the documentation is wrong :-) His session at TechEd NA 2014 was WIN-B318.
So here is my current group/user design (I used groups wherever possible; you can also replace some groups with users):
DB Accounts:
Database RW: MBAM_DB_RW (Group), read/write on both DBs.
Database RO: MBAM_DB_RO (Group), read-only on the Audit and Compliance DB.
Reporting:
Reporting Role: MBAM_Reporting (Group)
Reporting DB Connection: MBAM_DB_Connect (User), used by SSRS to connect to the Comp. and Audit DB. Make this account a member of the MBAM_DB_RO group.
Web:
Adv. Helpdesk: MBAM_AdvHelpdesk (Group)
Helpdesk: MBAM_Helpdesk (Group)
Reporting Role: MBAM_Reporting (same group as specified in the reporting section), gives access to the reports on the Admin. and Monitoring Website, not within ConfigMgr if you use ConfigMgr integration.
AppPoolAccount: MBAM_AppPoolAccount (User), make this user a member of the MBAM_DB_RW group.
I think that should be the thing :-) Any comment appreciated!
/Oliver
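
An audit of the group and account layout from the post above, as an added example that is not part of the original thread or of Microsoft's tooling. The group and account names are the ones in the post; the rule that MBAM_DB_Connect should stay out of MBAM_DB_RW is an assumption of this example, and it needs the RSAT ActiveDirectory module.

```powershell
# Added example: audit of the MBAM 2.5 group/account layout described in the post.
# Names come from the post; the checks themselves are illustrative.
Import-Module ActiveDirectory   # RSAT Active Directory module

$groups = 'MBAM_DB_RW', 'MBAM_DB_RO', 'MBAM_Reporting', 'MBAM_AdvHelpdesk', 'MBAM_Helpdesk'

# Account -> group it must be in, and group it should stay out of.
# "Excluded" is an assumption of this example (least privilege), not from the post.
$rules = @(
    [pscustomobject]@{ Account = 'MBAM_DB_Connect';     Required = 'MBAM_DB_RO'; Excluded = 'MBAM_DB_RW' }
    [pscustomobject]@{ Account = 'MBAM_AppPoolAccount'; Required = 'MBAM_DB_RW'; Excluded = $null }
)

function Test-GroupMember {
    param([string]$Account, [string]$Group)
    # -Recursive also catches membership that comes through nested groups.
    $members = Get-ADGroupMember -Identity $Group -Recursive -ErrorAction Stop
    [bool]($members | Where-Object { $_.SamAccountName -eq $Account })
}

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Every group in the design exists.
foreach ($g in $groups) {
    if (-not (Get-ADGroup -Filter "SamAccountName -eq '$g'")) {
        $findings.Add("Group missing: $g")
    }
}

# 2. Each service account is in its required group and not in the excluded one.
foreach ($r in $rules) {
    $user = Get-ADUser -Filter "SamAccountName -eq '$($r.Account)'"
    if (-not $user) { $findings.Add("Account missing: $($r.Account)"); continue }
    try {
        if (-not (Test-GroupMember $r.Account $r.Required)) {
            $findings.Add("$($r.Account) is not a member of $($r.Required)")
        }
        if ($r.Excluded -and (Test-GroupMember $r.Account $r.Excluded)) {
            $findings.Add("$($r.Account) is also in $($r.Excluded) (more access than the design gives it)")
        }
    } catch {
        $findings.Add("Could not read membership for $($r.Account): $($_.Exception.Message)")
    }
}

# 3. The quoted documentation asks for a non-expiring password on the reporting connection account.
$connect = Get-ADUser -Filter "SamAccountName -eq 'MBAM_DB_Connect'" -Properties PasswordNeverExpires
if ($connect -and -not $connect.PasswordNeverExpires) {
    $findings.Add('MBAM_DB_Connect: password is set to expire')
}

if ($findings.Count) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'MBAM accounts and groups match the design.' }
```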

Similar Messages

  • AUDIT action (create, delete, privilege escalation, set and change password from users account and group) users and admins in Solaris 10

    Hello.
    In Solaris 10 I need to audit create, delete, privilege escalation, set and change password, etc. for user accounts and groups.
    I set settings:
    in file syslog.conf:
    *.info;mail.none;cron.none;audit.notice            @IP-Remote-syslog-server-SIEM
    in file   /etc/security/audit_control:
    dir:/var/audit
    flags:lo,ad,ex,cc,am,no,fc,fd
    minfree:20
    naflags:lo
    plugin:name=audit_syslog.so;p_flags=lo,ad,ex,cc,am,no
    in file   /etc/security/audit_user:
    root:lo,ad:no
    Now I see in the logs only SSH connections and processes run on behalf of users. Creating and deleting users and changing passwords are, for some reason, not logged.
    There are many users. Writing an entry for each individual in /etc/security/audit_user is not possible, since it is likely that a new user would be forgotten (or is there a way to describe the auditing for all accounts in one line in this file?)
    Where is the mistake?

    You are most likely hitting Bug 15779000 user/role/groupadd/mod/del don't audit their use.
    And the fix is only available in S11.2.
    -- Renaud

  • Mapping NT user accounts and groups in BOXI 3.1: I'm getting the error below

    Mapping NT user accounts and groups in BOXI 3.1, I'm getting the error below.
    In BOXI 3.1 CMC
    .NT Authentication is enabled check box is selected.
    In the Mapped NT Member Groups area, entered the NT domain\group in the Add NT Group text box.
    like : secWindowsNT:
    BLRKEC148827D\BusinessObjects NT Users
    getting error like
    "The secWindowsNT security plugin is not enabled. Contact your system administrator for details. (FWB 00002) "

    You shouldn't be using the NT plugin in 3.1. Is there a reason you are using this plugin over AD? If you really want to use it, you may need to open a case with support and trace the CMS. Are there any groups currently mapped? If you hit update without adding/removing, what happens? What if you remove the NT users group and hit update?
    Regards,
    Tim

  • MSOL Created AD Account and Group -

    I've recently installed Forefront Identity Manager 2010 R2 and we are in the process of creating a tenant connection to Office 365 and setting up Exchange Federation.
    I have installed FIM 2010 R2 and have setup DIRSYNC, and we've noticed an account and group were automatically created in the AD Domain USERS OU.
    MSOL_xxxxxxxxxxxxxx (user)
    MSOL_AD_Sync_Richcoexixtence (group) with the MSOL user the only member.
    2 questions:
    1). What is this User/Group used for? (During the install I had to supply another AD Domain credential, which I would have thought would have been used for the SYNC process.)
    2). Can this MSOL user/group be pre-created or have the password modified in some fashion? (Our Security folks want to "set" the password on the MSOL user to a known value.)
    THANKS

    Hi,
    Why do you install FIM when you install DirSync?
    DirSync installs the FIM 2010 R2 Synchronization Service on its own. In general, DirSync is the FIM 2010 Sync Engine with a frontend which does the configuration of FIM and some scary automatic things in the whole forest.
    Also Dirsync creates a service, which starts the runprofiles of the management agents.
    1a) The Group "MSOL_AD_Sync_Richcoexixtence" is created by dirsync and has been granted permissions in every domain in the forest (because of this dirsync wants enterprise admin rights) for the write-back attributes described in the article
    http://support.microsoft.com/kb/2256198/en-us.
    1b) The account "MSOL_<identifier>" is also created by dirsync and is added to the MSOL_AD_Sync... group. Also this account has been granted "Replicate Directory Changes" in every domain in your forest for the dirsync ldap control.
    1c) There is a third account which is created by dirsync, but this account is local and is named "AAD_<identifier>".
    2.) You can change the password. The account is used in the AD management agent, so you have to go into the FIM Synchronization Service Manager and change it.
    In big environments dirsync is crap...
    regards

  • BizTalk Service Account and Groups

    Hi,
    I need to install BizTalk Server 2013 on a development server. Please let me know the list of BizTalk service accounts and which groups need to be created.
    Regards, Aboorva Raja R

    Hi
    You can find the complete list of service accounts and groups on the "Windows Group and User Accounts in BizTalk Server" MSDN page.
    These accounts need to be created in your Active Directory server.
    I would suggest you have a look at the blog post "Installing BizTalk Server 2010 in a Basic Multi-Computer Environment: The need for a Domain Controller – Windows Groups and Service Accounts (Part 2)". Although this is for BizTalk 2010, it may give you some idea about the accounts used in BizTalk setup.
    Also please have a read of "Installation Overview for BizTalk Server 2013 and 2013 R2".
    Feel free to post any errors you get while installing. 
    Greetings,HTH
    Naushad Alam
    alamnaushad.wordpress.com

  • Group Chart Of Accounts and Group Account Number

    Hi SAP Gurus,
    For the sake of consolidated reporting, we are planning to create group chart of accounts and assign a Group account number to the GL account master. The structure is going to be like this:
    Operating Expenses (Group Account : 461000).
    Air Conditioning Exp   (GL account 461000001)
    Elevators                   (GL account 461000002)
    Coffee and snacks      (GL account 461000003)
    This is being done to achieve a detail level reporting at the company code level and a consolidated reporting at a group level where the reporting would be based on group account or FSIs. We would define a financial statement version based on FSIs.
    My question is : do we need to activate the consolidation (EC-CS) module to push the data to the FSIs or the data would flow automatically to the group account if we assign this to the GL master. If we go to fetch the data from the ECMCT table, do we need to have a consolidation unit?
    Any inputs are highly appreciated.
    thanks
    sri

    Hi,
    There are certain preliminary steps to be carried out in ECCS. You can find them under SPRO->Enterprise Controlling->Consolidation->Integration: Preparation for Consolidation.
    You need to choose the type of consolidation, create Company, link it to Cons Unit in ECCS, Creating/Copying FS Items (each account in Group COA will have an FS Item; 1:1),  etc.,
    After the setup, you actually need to carry out Rollup or Flexi Upload for importing FI data into ECCS FS Items. This is done to Data Monitor - CXCD.
    In ECMCT, typical selections would be Dimension, Cons Unit, Cons COA, FS Item.
    I suppose these preliminary steps are required for the data to flow to FS Items.
    Hope this clarifies.
    Rgds.

  • Creating management accounts for protected accounts and groups in Active Directory

    I'm following step-by-step instructions for creating management accounts for protected groups that I found in the Microsoft book "Best Practices for Securing Active Directory", published April 2013.
    What is confusing me is the "Enabling management accounts to modify the membership of protected groups" step. When I use the DSACLS command:
    Dsacls "CN=AdminSDHolder,CN=System,DC=MyDomain,DC=com" /G [email protected]:RPWP;member
    what do I have to type instead of "member"?
    When I use the previous command with a simple "member" at the end, I don't get this:
    Verify that the account has been granted only Read Members and
    Write Members permissions on the DA group, and click OK.
    My account has the flag on all properties.
    I hope you understand me.

    The last field is for the attribute to delegate. You can read about it here: https://technet.microsoft.com/en-us/library/cc772662%28v=ws.10%29.aspx
    You can also refer to this for updating AdminSDHolder container: http://social.technet.microsoft.com/wiki/contents/articles/22331.adminsdholder-protected-groups-and-security-descriptor-propagator.aspx
    This posting is provided AS IS with no warranties or guarantees , and confers no rights.
    Ahmed MALEK

  • How to Design User Accounts and Groups for Human Task

    Hi All,
    I have a requirement wherein we have a group of people to whom tasks get assigned. Details are below
    Assume
    PO- Purchase Order
    IN- Invoice
    CL1 - Client 1
    CL2 - Client 2
    CL3 - Client 3
    REP1 - User 1
    REP2 - User 2
    REP3 - User 3
    APP1 - Approver 1
    APP2 - Approver 2
    APP3 - Approver 3
    1. There are two groups of people say PO_Team and IN_Team.
    2. REPx are the folks who are in the IN_Team. They handle monitor invoices and run reports on them (READ - Only)
    3. APPx are the folks who are in the PO_team. They approve order and sometimes modify them (READ-WRITE)
    4. CLIx are the clients each of whom send PO and expect IN in return
    5. CLI1 - APP1- REP1 together handle one client.
    Now the requirement is something like this
    1. APP1 must be able to see the PO and IN only from CLI1
    2. APP1 must be able to see editable view of PO from CLI1
    3. APP1 must be able to see read only view of IN from CLI1
    4. REP1 must be able to see the PO and IN only from CLI1
    5. REP1 must be able to see read only view of IN from CLI1
    6. REP1 must be able to see read only view of PO from CLI1
    7. In exception cases APP1 can assign a PO from CLI1 to APP2
    Can someone help me in the design of groups and permissions for this?
    TIA

    Groups are the way to go. Every Human Task can be assigned to either a user or a group or a user and a group. Select the last option so that it goes to a particular user but also to a group. That way anyone in the group can approve these tasks even though it is sent to one particular user's list. Anyone from that group can pick that task up and approve it.

  • Need info regarding Oracle UCM Accounts and Security Groups behaviour

    Need information regarding Oracle UCM Accounts and Security Groups behaviour.
    Oracle UCM version: 11.1.1.5.0
    Steps:
    1. Log in with "weblogic" user and created a content with id "content1"
    2. Applied "@acc1(R)" and "TestGroup1" to the content created in step 1
    3. Log out
    4. Log in as "acc1user1", the user is not able to see the "content1"
    5. Log out
    6. Log in as "role1user1", the user is not able to see the "content1"
    Account and Group information:
    1. User "acc1user1" is part of "@acc1(R)"
    2. User "role1user1" is part of "role1(R)" and is mapped to "TestGroup1" in UCM
    Expected:
    Both "acc1user1" and "role1user1" should be able to see "content1" as they have at least Read permission.
    Please help me understand why the users are not able to see the content.

    ACLs, like Accounts, are optional security setting which may add on some extra functionality to mandatory security groups. Likewise, the resulting permission is taken as an intersection of SG and ACLs.
    "But in the second part the number of set of users is huge (approx say 600)"
    I don't get this completely. Does this mean that those "sets of users" (users who see the same data) are distinct and that there are 600 such groups?
    If you read thoroughly the manual I sent earlier, there is a recommendation that there should be maximum 50 security groups, and you should use accounts, should this number be exceeded. This means you could have all the documents in one security group (and have one common role with Read permission), but combine it with accounts. ACLs are not a good choice here - their performance and manageability is much worse than of accounts. ACLs are primarily used if you expect security settings to change during the lifetime (e.g. a project manager adds temporarily rights to access an item to another user, and revokes it when the user finishes his or her work).
    Note that accounts as well as permissions of users within accounts can also be mapped externally (from LDAP/AD) and it usually follows some kind of org chart.
    I'd feel more comfortable not to speak about users, security groups, roles, etc., but about some real-life objects and scenarios.

  • SharePoint tool to create External Users and Groups

    Our organization is currently looking for a product that will allow us to create user account and group for users outside the organization (e.g Clients, subcontractors, etc.) and that will only need to access to our external SharePoint Collaboration site.
    We have one product right now but it is very problematic. For example, if one of our clients needs to change their email address, which is their username, it won't allow it, so the account has to be re-created with the new email address and the permissions re-configured all over again. The groups created using the tool, called Roles, most of the time don't work. We are testing our SharePoint 2013 environment so we thought it is a good time to find something new. If you know of some products that I can check please let me know. I will really appreciate it.

    Hi,
    According to your post, my understanding is that you wanted to create user account and group for users outside the organization.
    External User Management seems to be a solution. It allows for easy management of external users and roles.
    More information:
    http://ventigrate.codeplex.com/wikipage?title=External%20User%20Management
    Best Regards,
    Linda Li
    TechNet Community Support

  • 10.6.7 OD - Try to delete a computer account and it won't delete.

    I am trying to clean out a problematic computer account in OD and it refuses to delete. I even enabled the "all records" inspector tab, selected the Computers list then selected the account then clicked delete. I get the typical warning, I confirm that I want the account deleted. Then I click refresh and the account is back, or never even deleted. The logs so far are unhelpful. Any ideas? I'm using 10.6.7 server.

    I don't see a duplicate record. I ended up renaming the computer account in order to get it out of the way. The other funny thing with this account is I can go in and delete attributes using the inspector and they come back also. I'm half tempted to export all my computer accounts and groups then demote the domain and recreate it and reimport the good accounts.
    I did a test with creating/deleting a user account. The user account would not delete until I changed its password type to crypt. There isn't a way to do something similar with a computer account?

  • Material type and account assignment group relation

    Hi,
    Getting an error while creating material master save. Account assignment Zx can't be with Material Type Zxxxx.
    Please advise where is the link maintained between material account assignment group and material type.
    My material is Z service material.
    As far as I know, for plant, industry and material type, the valuation class quantity update tick is required, but that is for stockable materials, which is not the case above.
    Thanks

    HI,
    You can make the field Account Assignment Group of Material Master as inactive.
    But it depends up on Plant, Industry Sector Type and Material Type.
    You can do this in IMG --> Logistic General --> Material Master --> Field Selection
    Or
    use SHD0.. give T-code MM01. and you can deactivate the field.
    Hope this helps you.
    TC
    BR
    AKS

  • No zero balance for GR/IR account  between Document curr and Group curr

    Dear Experts,
    I have a problem with the balance in the GR/IR account when posting GR and MIRO between document currency and group currency: the balance is not zero. Please see the steps below:
    1.  Company Code ABC have    Company code currency = THB
                                                       Group Currency  = USD
    2.  I created PO with document currency = SGD
                   Amount in SGD = 269.78
                   Exchange rate =   23.59740  (SGD/THB)
    3.  Goods Receipt
                    Posting date = 13.03.2010
                    Exchange rate =  23.59740  (SGD/THB)
    FI Doc.
                  Document Curr.
                       Dr. Expense   269.78      SGD                                     6,366.11    THB
                              Cr.  GR/IR  269.78-   SGD                                     6,366.11-    THB
                 Group Curr.
                       Dr. Expense     193.81      USD                                  6,366.11    THB         
                              Cr.  GR/IR  193.81-     USD                                  6,366.11-    THB
    4.  Invoice Receive
                    Posting date = 01.04.2010
                    Exchange rate =  23.70920  (SGD/THB)    
    FI Doc.
            Document Curr.
                       Dr. GR/IR              269.78    SGD                                  6,366.11     THB
                       DR. Exch diff          0          SGD                                   30.16          THB
                              Cr.  Vendor   269.78    SGD                                   6,366.11    THB
              Group Curr.
                       Dr. GR/IR              192.02    USD                                   6,366.11  THB     
                       DR. Exch diff          0          USD                                   30.16          THB
                              Cr.  Vendor   192.02    USD                                   6,366.11  THB
    My questions are:
    1. Why didn't the amount in group currency on GR/IR balance to 0 between the GR and MIRO steps, with no currency difference posted?
    2. Is this an error in the standard program, or is it related to configuration via t-code "OB22" or "OBRW"?
    Best Regards.
    Edited by: nasalapoa on Jun 16, 2010 4:02 AM
    Edited by: nasalapoa on Jun 16, 2010 5:38 AM
    Edited by: nasalapoa on Jun 16, 2010 9:00 AM

    As per my understanding it could be due to OB22 settings.
    refer following SAP notes
    335608,191927,
    373296

  • How to Assignment between Material and Account Assignment Group

    Hi,
    When we are creating a sales order with material ABCD, then in material line item -->under Billing Document Tab --> in Accounting screen, there is field Acct asgnmt grp (Account Assignment Group).
    Where can we maintain the assignment between Material and Account Assignment Group, so that it is picked up automatically during sales order creation?
    Please guide..

    Please refer to the link below; it may help.
    Re: how to configure new account assignment group of material
    Thanks Dev.

  • HT2486 I recently updated to Lion, when I accessed my address book I now have duplicates of cards that are in my contacts and groups. When I try to merge it says they come from different accounts. Any suggestions?

    I recently updated to Lion. Some of my groups lost members, and when I add them back in I get duplicates and even more copies of the same card. I am not allowed to merge them because the message says they come from different accounts. Any suggestions?

    You likely have them in both the On My Mac account and the iCloud account. I deleted all from my On My Mac account except the ones I didn't want iClouded. Did the opposite on the iCloud account.
