MGCP/Standard Local Route Group List question

Hello all,
Here is the scenario:
Site A - CUCM Pub/Sub / MGCP gateway
Site B - CUCM Sub / MGCP gateway
Site C - CUCM Sub / MGCP gateway
The sites are using the standard local route group with TEHO per location. Site A (HQ) has a discount carrier for LD, and therefore it would be cost effective to backhaul the LD from Site B and Site C to the Site A PRIs.
Can this be accomplished while using Standard Local Route Groups or is it necessary to go back to site specific routing?
Thanks,
JN

In CUCM 9 and older you can only have a single local route group per device pool (this changed on version 10), so you will either have to define the Local or LD RG as your Local Route group and then use standard route patterns/route lists/route group configuration for the other calls, so at site B you would have (assuming local route group is local trunks):
Local Pattern --> Standard Local RL
911 pattern --> Standard Local RL
LD pattern --> SiteB LD RL
Intl pattern --> SiteB LD RL
etc
HTH,
Chris

Similar Messages

  • Matching Route Patterns with standard Local Route group and Specific Route Group

    Hi
    I have a customer with CUCM 8.6 with few branches
    couple of branches in UK and few in Europe and middle east.
    I configured route patterns with Standard local route group, but using their own Voice gateway, everything was working fine until adding the recent branch with matching pattern 
    UK has a mobile pattern with 9.07XXXXXXXXX (11 digits)
    One Branch has a mobile with 9.07XXXXXXXX (10 digits)
    When branch call 907X..(10digit) number there was a delay and I ticked the Urgent priority to process it quicker, but later realized the UK branch cannot dial 907x.. (11Digit) mobile.
    I created Route List for branch and added the 10 digit pattern to that but still the UK cannot call 11 digit. so i believe when you call out it will check the pattern first and the Route-List and Route-Group and gateway play a part.
    Is there a way to get 07 -10digit call out quickly also allowing the 07 -11digit pattern as well ( without changing the T302 timer)
    Really appreciate your support
    thanks
    shameer

    Yes, the key to managing overlapping centralized dial plans is to be really good with patterns, partitions, and CSSs. You can have 3 different 9.0[2-9]XX-[2-9]XX-XXXX patterns and assign them a different partition, and then assign that to the branch CSS. This will only work if each Branch has a different CSS.
    For example:
    9.0[2-9]XX-[2-9]XX-XXXX @ Egypt-PT ->Routes to Local route group of Egypt.
    9.0[2-9]XX-[2-9]XX-XXX @ UK-PT -> Routes to Local route group of UK
    9.0[2-9]XX-[2-9]XX-XXX @ Germany-PT -> Routes to Local Route group of Germany.
    //PT = partition//
    Then have Egypt-CSS that contains 9.0[2-9]XX-[2-9]XX-XXXX @ Egypt-PT. 
    UK-CSS contains 9.0[2-9]XX-[2-9]XX-XXX @ UK-PT
    Germany- CSS contains 9.0[2-9]XX-[2-9]XX-XXX @ UK-PT
    The other patterns will be invisible to your sites because they are in a different partition that is not in their CSS. 2 overlapping patterns in the same PT will cause you to wait for the inter-digit timeout unless you press #.
    Thanks,
    Frank

  • Utilizing the Standard Local Route Group with CER

    Hello,
    I'm running UCM 7.1(2) and recently a contractor we brought in to install our CER 7.0(1) created a very significant amount of Calling Search Spaces, Route Patterns, Partitions, Route Lists and Route Groups in an effort to route calls from our 6 sites (we are centralized with one Publisher and 6 subscribers) out the correct gateway towards the correct PSAP.
    I took the contractor's word that we needed to make such drastic additions and now I believe I made the wrong choice. We already have a Route List (PSTN_RL) that includes:
    1)Standard Local Route Group
    2) XX_RG (the backup RG)
    3) XX_RG (another backup RG)
    Most of my Directory Numbers (DN) and the Primary CER Route Point belong to one Partition (PhoneLines_PT) and I would like all the calls from the Directory Numbers associated with the PhoneLines_PT to be routed via the Route List that utilizes the Standard Local Route Group (PSTN_RL) and maintain that CER is able to "see" 911 calls.
    Can anyone tell me if I change the PSTN_RL (Standard Local RG) associated Route Pattern Partitions to the PhoneLines_PT, will all Directory Numbers associated with the PhoneLines_PT route calls over the PSTN_RL?
    I guess I am trying to wrap a sort of reverse implementation "around my head."
    Thanks in advance for your time.

    Partition and Calling Search Space (CSS) are closely related but always confused.
    Good examples are:
    Line A and Line B in the same partition doesn't necessarily mean Line A can call Line B.
    Phone A and Phone B have the same CSS doesn't necessarily mean Phone A can call Phone B.
    Now back to the topic of LRG (Local Route Group). A good use case would be 911 calls. We always want 911 calls to be routed through local gateway so it can reach local PSAP. Without LRG, you'll have to configure multiple 911 patterns (in different partitions) so you can associate them with different gateways. With LRG, you just need one 911 route pattern. Of course that route pattern should be accessible by everyone. To make it simple, you may put it in null partition.
    Michael
    http://htluo.blogspot.com

  • TEHO with Local Routing Group

    Hi,
    I was watching an online training video of setting TEHO using Local Routing Group on CUCM 8.6. However somehow I think he configured it wrong.
    In his example,
    He used a centralized call processing infrastructure for NY (hosts the CUCM) and CA offices. NY and CA router groups are created to contain local gateways respectively and also assigned to corresponding device pool. When configuring Route List for the remote patterns (Pattern to reach CA numbers from NY, vice versa), he only created one RL for both patterns and only added the Standard Local Route Group to the RL… Then wrap up the configure.
    To me, in order to make TEHO work, there should be one RL for each location (one for NY and one for CA) and the NY route group needs to be added into the CA RL and CA Route group needs to be added into NY RL and both RL has SLRG as secondary option.
    Am I crazy or the video did it wrong...

    Good catch, with what is described here, when someone in CA calls a number in CA, the CA route list would be matched and the route list would be selected which contains Standard Local Route Group (SLRG) and the device pool for CA would be checked and the CA route group would be selected.  That works as expected.  Now if a CA phone calls a NY number, the route pattern would be matched, the route list the route pattern points to would be SLRG, so the device pool of the originating device would be checked.  The CA device pool being that a CA phone placed the call would be checked for the local route group and that would be set for a CA route group, so the call would go out of a CA gateway.
    What usually is done is that the route list for TEHO for the CA phone would contain, the NY route group and then SLRG in that order.  That way the call would be extended to NY first out their local gateway for TEHO and then extended to the CA local gateway if the NY gateway fails.  For NY to CA TEHO, the CA route group would be added to another route list, this time with the CA gateway first in the list followed by SLRG.

  • CUCM 10.5 Local Route Group

    When utilizing the local route group for a device pool, when a change is made for that device pool, does a reset of the devices have to occur for the changes to go into effect? The reason I ask is if you are simply making the change to the Route List there is no interruption to the end users, but what if a location's Long Distance is pointing to a Route List that references a Local Route Group. If you want to move that to another route group under the device pool is there any impact on the phones in that device pool?
    Thanks,
    Joe

    So what you ask is whether modifying the route list (changing the actual local route group for another route group) will reset the phones? As far as I know, no change on the RL will reset the phones, but a change on the DP will.

  • Local Route Groups vs translation to E.164

    Hello.
    Can anybody describe local route groups benefits compared to dialplan with translations to E.164?
    Let's see a simple scenario. I have 3 sites - MSK, SPB and NSK. All sites have phones and a gateway, each site has its partition for termination (TERM-MSK, TERM-SPB, TERM-NSK) and a partition for translation (XLAT-MSK, XLAT-SPB, XLAT-NSK). There are 2 CSS for translation and termination for each site (CSS-X-MSK, CSS-X-SPB, CSS-X-NSK, CSS-TERM-MSK, CSS-TERM-SPB and CSS-TERM-NSK). All phones have a translation CSS local to their site configured, for example phones at MSK have CSS-X-MSK in phone configuration. There are translation patterns for translating dialed off-net numbers to E.164 format (7495XXXXXXX for MSK, 7812XXXXXXX for SPB and 7383XXXXXXX for NSK). Subscribers use 9 for local off-net calls and 90 for long-distance, there are 2 translation patterns with corresponding XLAT partition and CSS-TERM CSS (9.[1-9]XXXXXX -> 7495 prefix plus XXXXXXX and 90.[1-9]XXXXXXXXX -> 7 plus XXXXXXXXXX, partition XLAT-MSK, CSS CSS-TERM-MSK for MSK). CSS-X CSSes have the corresponding XLAT partition only. CSS-TERM CSSes have the allowed TERM partitions. Each route pattern has a corresponding TERM partition and points to a single route list with a single route group. Finally I have 3 route patterns, 3 route lists, 3 route groups, 6 partitions and 6 CSSes total.
    Using Local Route Groups I have the same 3 route patterns, 3 route lists and 3 route groups but one partition and one CSS. Pros for this scheme is less partitions and CSSes. Cons is the loss of flexibility (I can't allow calls to anywhere from MSK and only MSK and NSK for NSK and can't use different prefixes for off-net calls for each office).
    Have I understood the Features and Services Guide right? Is there another way to translate dialed off-net numbers to E.164 without using extra partitions and CSSes (Translation Pattern requires this)?

    Maxim,
    Local Route Groups have not dependency on e.164 dial plan and vice-versa, there are independent features.  Local Route groups allow you  to consolidate your route patterns/route lists/CSS/PT, depending on complexity of your routing you can accomplish all your remote site routing via a common set of route patterns/list CSS/partitions, so routing decisions are based on local route groups assigned to device pool of the calling device rather than just the CSS.  E.164 dial plan is merely a way to structure dialed numbers, how and where you transform them is up to you, I prefer using transformation patterns vs. translation patterns for example.
    HTH,
    Chris

  • UCCX Redirect Step and Local Route Groups

    Hello,
    CUCM 9.1.2
    UCCX 9.0
    I have come across a situation in one of our UCCX scripts with the call redirect step where it is forwarded to a local cell phone for after hours calls. The number in the Call Redirect step is 9, followed by the 10-digit number of the cell.
    While the call does redirect successfully from the UCCX script, the call always uses the local route group of the original calling party's device. So, if the call from an IP Phone to the cell is going out the gateway where the cell number is a local call, the 9 followed by the 10 digit number works fine.
    If it's a site across the WAN, the call redirect to the cell fails because it's using LRG of the calling party's phone and thus it needs to be a long distance call.
    I kind of thought the Service Parameter Local route group for redirected calls being set to "Local route group of last redirecting party" might have addressed this, like it did for call forward all situations, but it does not seem to be the case.
    Would the recommendation be to use Call Consult Transfer instead of the Call Redirect step? This seems to work, but was wondering if there were other ways to approach it.
    Thanks for your help,
    Frank

    Hi Anthony,
    Thanks for the reply. The Call Consult Transfer step did resolve my issue, so now the call is always coming from the local site and using the LRG of the DP of the CTI ports. I previously had it set up using the Call Redirect step in the script with 9 followed by the 10-digit number, and thus it was kind of not working when calling over the WAN from remote sites.
    I should have mentioned that we recently did a CUCM / CCX upgrade. In CUCM, all call restrictions were previously done at the device level, nothing on the line. Now we have the line doing the call restrictions. So the Call Redirect step worked fine in the old environment with the 10-digit number, not so much in the new.
    But I like your suggestion about +E164 even better, since we rolled that into the upgrade as well. I tried putting the full +E164 number in the script using the Call Redirect step. Works perfectly from all sites.
    Thanks for your help.
    Frank

  • Is RTMT can monitor when the first Route Group of a Route List is not used ?

    Hi everyone,
    I want to find how to monitor this event in RTMT, without success. I hope someone will have an idea to suggest!
    My problem:
    I have one Route List (RL_Remote) which is used to route calls between two sites. This Route List has two Route Groups:
    - the first is a SIP trunk connected to my remote site (RG_SIP)
    - the second is a local route group which uses PSTN (RG_PSTN) [BACKUP]
    Is it possible that RTMT sends me an alarm when calls are routing via RL_Remote but are not using RG_SIP ?
    In fact, I want to receive an alarm as soon as the Backup Route Group (RG_PSTN in my example) is used.
    Thanks for your help !
    Have a nice day,
    Franck-Emanuel

    More or less correct yes:
    Core Issue
    This issue can occur if an available route is not found in the indicated route list.
    If the call fails on the current gateway, Cisco CallManager attempts to extend the call to the next route in the route list. This occurs until it reaches the last route. If the call cannot be completed with the last gateway, the Route List Exhausted event is logged.
    These are possible reasons for a failure on the current gateway:
    Unallocated number, such as a non-existing destination
    Busy user
    Out of bandwidth
    Gateway fails to respond to the call setup request
    The user receives alerts similar to this in the Real-Time Monitoring Tool (RTMT):
    Most Recent Alert Raised: At 09:19:27 on 12/21/2005 on cluster CALLMANAGER1-Cluster. Number of RouteListExhausted events exceed 0 within 60 minutes.
    There are at least five RouteListExhausted events (up to 30) received during the monitoring interval from 09:07:27, 12/21/2005 to 10:07:27, 12/21/2005.
    https://supportforums.cisco.com/docs/DOC-29032

  • Sonicwall E5500 Local Group Membership Question

    In Users > Local Groups open any group and click on the members tab. In the non-member users and groups list box there is an entry that looks like this: ------
    Example membership list:
    Sonicwall Admins
    Sonicwall read only admins
    All LDAP Users
    Does anyone know what the ------ entry means? We are using integrated LDAP security. Thanks.

    I recently acquired a SuperMicro chassis that has a SAS2 expander backplane. It has SFF-8087 ports on it. http://www.supermicro.com/manuals/other/BPN-SAS2-846EL.pdf
    I made a post on another forum and someone mentioned that the card couldn't be used with that backplane since it's a SATA controller, however, the backplane is both SAS and SATA device compliant, it's only the RAID controller, as far as I know, that is a "SATA II" controller, and not a SAS controller.
    So, I couldn't find anything in the official documentation of this controller on whether or not it was able to control SAS devices. The card itself has 3 SFF-8087 ports though, couldn't this theoretically still be used with a SFF-8087 to SFF-8087 cable (seen below) since the backplane is a SAS/SATA backplane?...

  • List users in local admin group on all workstations

    Hi, I created a script that is supposed to query workstations and list all users in the local admin group. I originally used "test-connection" for logging purposes but it caused an issue when the computer responded but DNS was incorrect for that PC, so I would get a false list of local admin members on that workstation. I changed to a WMI query instead and queried the system name using that, so if the system name matched the workstation name being queried then it is supposed to write to a csv. For some reason, when I use $wmi.name as the variable, it does not work. What am I missing?
        $CurrentDate = Get-Date
        $CurrentDate = $CurrentDate.ToString('MM-dd-yyyy_hh-mm-ss')
        import-module activedirectory
        $servers = get-content "C:\Scripts\AD Audits\Local Admin\workstations.txt"
        $output = "c:\temp\local admin audit $CurrentDate.csv"
        $results = @()
        $servers | ForEach-Object {
            $wmi = gwmi win32_ComputerSystem -ComputerName $_ -ErrorAction SilentlyContinue
            $connected = Test-Connection $_ -Count 1 -Quiet -ErrorAction SilentlyContinue
            $state = if($wmi.name -eq '$_') {"$_ Verified"} else {"$_ did not respond"}
            $state | Out-File -Append "c:\temp\LocalAdmin log $CurrentDate.txt"
            $group = [ADSI]"WinNT://$_/Administrators,group"
            $members = $group.Members() | ForEach-Object {$_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null) }
            if($wmi)
            {
                New-Object PSObject -Property @{
                    DistinguishedName = (Get-ADComputer $_).DistinguishedName
                    Server = $_
                    Members = $members -join ";"
                }
            }
        } | Export-Csv $Output -NoTypeInformation

    I agree use GP it is more reliable and easier to manage.
    For the sake of demonstration of how this can be done, here is how most of us would be likely to do this or a very close variation.
    There is no issue with using Test-Connection and DNS.  AD/DNS cannot have the wrong names or your domain would crash.  Using Get-AdCOmputer instead of a file eliminates stale information.
    $csvfile="c:\temp\local admin audit $([DateTime]::Now.ToString('MM-dd-yyyy_hh-mm-ss')).csv"
    import-module activedirectory
    #adjust Filter as needed
    $adfilter='OperatingSystem -like "Windows 7*" -or OperatingSystem -like "Windows XP*"'
    Get-AdComputer -Filter $adfilter |
        ForEach-Object{
            # one output row per computer, filled in only if it answers
            $props=@{
                Server=$_.Name
                IsAlive=$false
                DistinguishedName=$_.DistinguishedName
                Members=$null
            }
            if(Test-Connection $_.Name -Count 1 -Quiet){
                $props.IsAlive=$true
                $group =[ADSI]"WinNT://$($_.Name)/Administrators,group"
                $members=$group.Members() |
                    ForEach-Object{
                        $_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)
                    }
                $props.Members=$members -join ";"
            }
            New-Object PSObject -Property $props
        } |
        Export-Csv $csvfile -NoTypeInformation
    Use GP and you won't have to be bothered with all of these techy details that usually require a Network Admin to sort out.
    ¯\_(ツ)_/¯
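
    An added example, not part of the thread and not either poster's code: one way to do the name check the question describes, so that a stale DNS record cannot attribute one machine's Administrators group to a different workstation. It assumes Windows PowerShell 3.0 or later with WMI access to the targets; the input and output paths are placeholders.

```powershell
# Added example. Paths are assumed placeholders; adjust to your environment.
$listPath = 'C:\Scripts\workstations.txt'   # one workstation name per line
$csvPath  = "C:\Temp\local-admin-audit_$(Get-Date -Format 'yyyy-MM-dd_HH-mm-ss').csv"

Get-Content $listPath | Where-Object { $_.Trim() } | ForEach-Object {
    $target = $_.Trim()

    # One row per requested name, whatever the outcome, so gaps are visible in the CSV.
    $row = [ordered]@{
        Requested = $target
        Responded = $null
        Status    = 'NoResponse'
        Members   = $null
    }

    # Ask whichever machine answers at this name what it calls itself.
    $cs = Get-WmiObject Win32_ComputerSystem -ComputerName $target -ErrorAction SilentlyContinue
    if ($cs) {
        $row.Responded = $cs.Name

        # Compare against the short host name. The variable is used directly
        # (not inside single quotes), so it expands; -eq ignores case.
        $short = ($target -split '\.')[0]
        if ($cs.Name -eq $short) {
            $row.Status = 'Verified'
            $group = [ADSI]"WinNT://$target/Administrators,group"
            $names = $group.Members() | ForEach-Object {
                $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
            }
            $row.Members = $names -join ';'
        }
        else {
            # A different machine answered: record it, do not read its group.
            $row.Status = 'NameMismatch'
        }
    }

    New-Object PSObject -Property $row
} | Export-Csv $csvPath -NoTypeInformation
```

    Rows with Status NameMismatch point at DNS records to clean up before the membership data for those names can be trusted.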

  • Record group/list of values question

    Is it possible to assign one record group/list of values to multiple data items on a canvas? If so, how is it done?
    Thanks

    Thanks for the replies..
    What I have is this... I have a db record with 3 currency code fields, three different types of codes, displayed on the canvas. When the user mouses over to any of the currency code fields, I wanted the lov to pop up and the user pick one of the selections. The lov has 2 columns, country and currency
    Ex: France | Euro
    U.S. | Dol
    I built this as a static record group. If I'm in the second currency code field and pick a value, the first currency code field gets overlayed with the new value.

  • Removing old exchange 2003 routing groups from Exchange 2010.

    I have migrated over to Exchange 2010(server2008) from Exchange 2003(SBS2003). I've also already run the uninstall for exchange 2003 on the old SBS 2003 server. The old server itself is still running but exchange has been removed and once I get this fixed I plan to fully remove the old SBS server.
    I now get event ID 5020 and 5006 throughout the day on the new server. From what I've read, this happens because the old routing group connectors still exist.
    If I run Get-ExchangeServer I get
    Name                Site                 ServerRole  Edition     AdminDisplayVersion
    SERVER                                   None        Standard    Version 6.5 (Bui...
    SERVER2008          hr.local/Configur... Mailbox,... Standard    Version 14.0 (Bu...
    Am I correct in assuming that the way to fix this now is to go into ADSI edit and delete records under CN=First Administrative Groups? As in delete CN=Routing Groups and CN=Servers and everything under both of those? I'd try this myself but I'm not aware of any way to restore those records easily if I'm wrong.
    Event ID 5006
    Cannot find route to Mailbox Server CN=SERVER,CN=Servers,CN=first administrative group,CN=Administrative Groups,CN=HR,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=hr,DC=local for store CN=Public Folder Store (SERVER),CN=First Storage Group,CN=InformationStore,CN=SERVER,CN=Servers,CN=first administrative group,CN=Administrative Groups,CN=HR,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=hr,DC=local in routing tables with timestamp 27/09/2014 1:57:43 PM. Recipients will not be routed to this store.
    Event ID 5020
    The topology doesn't contain a route to Exchange 2000 Server or Exchange Server 2003 server.hr.local in Routing Group CN=first routing group,CN=Routing Groups,CN=first administrative group,CN=Administrative Groups,CN=HR,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=hr,DC=local in routing tables with the timestamp 27/09/2014 1:57:43 PM.

    Get-RoutingGroupConnector shows nothing. As for the servers group, it has the old server under it as shown in the image I posted above. That's actually what stops me from just deleting it because other guides have said not to delete it if an old server is listed.
    Is the SBS2003 server listed because I haven't run DCPROMO to remove it from the network yet? I am planning to do this but was waiting till I cleaned up all the errors before transferring the 5 FSMO roles and running DCPROMO on the old server.
    DCPROMO isn't related to this, no.
    So you removed Exchange already? How? With setup? It should have removed the Exchange Server object then.
    It is supported to remove Exchange 2003 manually if required with adsiedit:
    http://support2.microsoft.com/kb/833396

  • CUCM 10.5 - Order of trunks in Route Group ignored...Not sure why

    Question #1   
    I've had a voice mail pilot number working for a long time now.  It's MS Unified Messaging (MS UM for short).  Since we have more than one MS UM server, I thought I'd go ahead and create a SIP trunk for each of the MS UM servers and then put them in the existing Route Group (RG).  I thought I'd go ahead and reorder the trunk groups listed in the RG just to be sure my configure for the new trunk groups was correct.  I have the SIP Options Ping enabled in my SIP profile and I do see all the MS UM SIP trunks with a status of 'Full Service'.  Anyway, if I place one of the newly added SIP trunks for MS UM at the top of the existing RG, my calls are still ending up at the original MS UM server.  It's like CUCM is ignoring the fact that I placed the new SIP trunk at the top and it keeps routing to the old/existing SIP trunks/MS UM server I had in this RG.   I tried resetting the SIP trunks and also reset the Route List (which I didn't think I'd need to do, but I did it anyway) and the result is the same.  It won't select the new SIP trunks no matter what I try.  
    I didn't try removing the original SIP trunk from that RG yet and I don't want to do it during the business day, but I could try that after hours and see what happens then.  
    Any ideas about why it won't use the new SIP trunks even though they're in service and at the top of the RG list (higher priority), above the original SIP trunk?  My RG is set for top down, not circular.  
    Question #2:
    Here's a somewhat related question. (screenshot attached for this one) I first thought I could simply go to the original SIP trunk and add the other IP addresses for the other MS UM servers so I wouldn't need to create more SIP trunk groups for this. Maybe I'm understanding it wrong, so please enlighten me what these fields are really used for. On the SIP trunk page, there's a SIP Information section and that's where you add the IP address of the device CUCM is talking to (Destination). For example, the MS UM server. Was I wrong to assume that if the SIP trunks would be identical in their config you can simply add the other IP addresses for the alternate MS UM servers here in this section of the SIP trunks page? What exactly would the extra IP address fields be used for (when you click + to add another address)?
    As soon as I added a second IP address, my calls to MS UM stopped working.  After I removed the second IP (which is for an alternate MS UM server), everything started working again.  Just curious how that IP address field should really be used.  For now, I simply created new SIP trunk groups for the other MS UM servers.
    Thanks :-)

    Hello,
    For me both questions are related, and I expect a communication issue between CUCM and the new MS UM server.
    I would like to start with the 2nd question as it answers both. The below is mentioned in the admin guide of CUCM 8.5, but not much explanation was added to the admin guide of 10.0:
    "•When an outbound call gets placed, a destination address gets chosen randomly. No preference is given to one destination address over another. All SIP messages that are sent out for a given outbound call go to the same destination address.
    •The SIP trunk accepts inbound messages from any of the configured destination addresses."
    The above answers your inquiry, redundancy cannot be achieved by configuring multiple destinations. And calls are dropped when you add the new ip address within the same trunk, because it was chosen but the CUCM was not able to communicate with it, and also this explains why the new MS UM server trunk was not selected in the RG, as CUCM also was not able to communicate with it and moved to the next member in the RG (i.e. the old MS UM).
    - Can you try to ping the new MS UM server from CUCM server, SSH to CUCM server and issue the following command: utils network ping IP_ADDRESS_OF_NEW_MS_UM
    - It can be that the new MS UM server is configured to accept only SIP UDP messages, can you try changing it from the SIP security Profile?
    If the above two suggestions did not help to isolate the issue, then we need detailed CCM logs covering test outgoing call together with the IP addresses of both MS UM servers.
    Thank you,
    Shadi

  • Active Directory users not made member of Local Network group

    Hi all,
    I've just done a clean install from 10.6 Server to 10.8.4.
    The issue I seem to be having is a mismatch between what Groups in Server.app is reporting as members (who happen to be users or groups from our Active Directory domains) of a Local Network group and what dseditgroup reports as members of the same network.
    The Setup:
    In Groups in Server.app under Local Network Group I have created a group called "AccessServer"
    Members in that group are:
         - AD-Domain User Group (so should be all users in the domain)
         - MacOS X "netaccounts" group (again, should capture all users that connect through the network I've used this in the past/10.6 very handy)
         - AD User 1
         - AD User 2
         - AD User 3
    The Server is bound to the AD Domain, All-Domains is not selected and a Search Path is added for each Domain needed and set at the top of the search order.
    The Behaviour:
    AD User 1 can access AFP and other services as expected.
    AD User 2 and 3 cannot.
    Another user within AD-Domain User Group or netaccounts can access AFP and other services as expected
    Yet other users within AD-Domain User Group or netaccounts cannot
    Furthermore: 
    If I REMOVE AD User 1 (a working user) *and* the AD Domain Group and netaccounts Group.  I can still login with that account!
    Diagnosis:
    I tried checking group membership with dseditgroup, the results match the behaviour, not the setup.
    >dseditgroup -o checkmember -m ADUser1 accessserver
    yes ADUser1 is a member of accessserver
    >dseditgroup -o checkmember -m ADUser2 accessserver
    no ADUser2 is NOT member of accessserver
    >dseditgroup -o checkmember -m ADDomainUser/netacc accessserver
    yes ADDomainUser/netacc is a member of accessserver
    >dseditgroup -o checkmember -m n accessserver
    no ADUser2 is NOT member of accessserver
    When non-member users try to connect I get a message in the logs of (IP/DNS values anonymized):
    2013-06-25 3:04:36.794 PM sshd[5217]: error: PAM: authentication error for illegal user ----- from ----.mala.bc.ca via x.x.
    I get the same results even after removing the user from the Groups screen!
    Failed Solutions
    - As we are a large AD I've tried specifying specific Active Directory servers that might better be able to find the users in question and authenticate.
    - I've let the system just sit, in hopes delayed replication would solve the problem overnight.
    - I've deleted and recreated the groups.

    Upon further investigation we have discovered:
    a) the main behaviour that is causing the problem is best described as AD users that are added to a Local or Network OS X group... either individually or through a Domain group.... are not actually recognized as members of that OS X group even though the GUI or CLI tool have added them and acknowledge them as being in the list.
    b) This is NOT limited only to MacOS X Server 10.8. The same behaviour is occurring on a long-running 10.6 server as well.
    c) The problem remains whether we nest AD groups to capture a large bunch of users, or add users individually.  If the user is part of the mysteriously denied set, how they are added to the OD or local group is irrelevant, including if added from the command line.
    d) Which users are allowed and which are not is unclear and appears generally random.  We have found 3 'classes' of users:    
              1 - those that are successfully becoming members every time.
              2 - those that are intermittent members.  Members on one server or another, or in one case even go from being reported as a member (by dseditgroup), to not being a member, to being a member again within the span of only a minute or two.
              3 - those that are never successfully admitted as a member.
    So the problem is both Apple's and Windows in that:
    Apple: Is allowing a group and/or user to be added and implying then membership in the group even though that membership is not being honoured in some way and there is no feedback or communication of that fact aside from generic 'denied' or 'illegal user' errors.
    Windows:  Is passing along membership through its groups and users, but not completely, for reasons that are, at this point, a mystery.
    Really hoping people have some ideas on this. This system of nested groups or individual user access is something we have of course been using for many years. So this is a major setback.

  • DPM 2012 still requires putting end users into local admin groups for the purpose of end user data recovery?

    On client computers that are protected by DPM 2010 and prior versions, you had to put the end user's account in the local administrators group. If you did not add the end user account to the local administrators group you would get this error after opening the recovery tab in the DPM client: “DPM found no recovery points which you are authorized to restore on the specified DPM server. You can restore only those recovery points for which you were an administrator at the time the backup was taken. To restore other recovery points, contact your DPM administrator, or attempt to restore from another DPM.”  This is not ideal on many networks because the end users are not allowed to have local administrator access.
    The fix to this was included in hotfix 2465832 found here: http://support.microsoft.com/kb/2465832.
    This hotfix (a hotfix rollup package for DPM 2010) resolves other issues with DPM 2010 as well. You can find the full list of what this hotfix corrects on that link.
    One would think this issue should have been resolved in DPM 2012, however I am encountering the same exact issue: I had to include end users in the workstation local admin group before they can search for recovery points on the DPM server. This is not acceptable practice.
    Is there a new hotfix for the same issue on DPM 2012? I am hesitant to apply KB2465832 since it also includes many other fixes for DPM 2010, which may not be applicable for version 2012.
    Please help.
    Thanks,

    This is a hands off solution to allow all users that use a machine to be able to restore their own files.
    1) Make these two cmd files and save them in c:\temp
    2) Using windows scheduler – schedule addperms.cmd to run daily – any new users that log onto the machine will automatically be able to restore their own files.
    <addperms.cmd>
    Cmd.exe /v /c c:\temp\addreg.cmd
    <addreg.cmd>
    set users=
    echo Windows Registry Editor Version 5.00>c:\temp\perms.reg
    echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Data Protection Manager\Agent\ClientProtection]>>c:\temp\perms.reg
    FOR /F "Tokens=*" %%n IN ('dir c:\users\*. /b') do set users=!users!%Userdomain%\\%%n,
    echo "ClientOwners"=^"%users%%Userdomain%\\bogususer^">>c:\temp\perms.reg
    REG IMPORT c:\temp\perms.reg
    Del c:\temp\perms.reg
    Regards, Mike J. [MSFT]
    That's a good one! Thanks for that.
    I've been scripting on KIX for some time, so here is mine, hope it helps someone... (it's probably not the best, but it works)
    ========================================================================
    ; Use the alternate (64-bit) registry view on 64-bit Windows
    $RC=setoption("WOW64AlternateRegView","on")
    $DPMkey = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Data Protection Manager\Agent\ClientProtection"
    $uservariable = "%userdomain%\%username%"
    If KeyExist ($DPMkey)
        $Userstring=ReadValue($DPMkey, "ClientOwners")
        If $Userstring == ""
            ; No owners recorded yet: write the current user as the only owner
            WriteValue($DPMkey,"ClientOwners", $uservariable, "REG_MULTI_SZ")
            ? "Key created"
        else
            ; Append the current user only if not already listed
            If not instr($Userstring,$uservariable)
                $Userstring = "$Userstring,$uservariable"
                WriteValue($DPMkey,"ClientOwners", $Userstring, "REG_MULTI_SZ")
            EndIf
        Endif
    EndIf
    ==========================================================================
    The problem actually is that you still need to use an admin account to write to the registry, so ensure you configure it properly on the scheduled task.
    In case you use a service account on the scheduled task... the "$uservariable" will get populated with that account. As a workaround to this... I changed it for the following line:
    =========================================================
    $uservariable = ReadValue("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI", "LastLoggedOnSAMUser")
    =========================================================
    The only problem with that is that the key gets created/updated only if the user logs on physically at that PC, but it will not work for anyone connecting through RDP.
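
An added example, not from either poster or from Microsoft: the same ClientOwners update done in one PowerShell script that writes the value directly, so the elevated scheduled task never executes or imports a file from c:\temp, a folder standard users can normally write to. It assumes the value is a comma-separated string as addreg.cmd's .reg import creates it and that profile folder names match account names; the $Domain parameter and the skip list are assumptions of this example.

```powershell
# Added example: set the DPM ClientOwners value from local profile folders.
# Run elevated (scheduled task) from a directory only administrators can write.
param(
    # Assumption: accounts live in the domain of the account running the task,
    # as %Userdomain% does in addreg.cmd.
    [string]$Domain = $env:USERDOMAIN
)

$key = 'HKLM:\SOFTWARE\Microsoft\Microsoft Data Protection Manager\Agent\ClientProtection'
if (-not (Test-Path $key)) {
    Write-Error "DPM agent key not found: $key"
    exit 1
}

# Profile folders that are not user accounts (assumed list).
$skip = 'Public', 'Default', 'Default User', 'All Users'

# One DOMAIN\user entry per profile folder, like the FOR loop in addreg.cmd.
$fromProfiles = Get-ChildItem -Path 'C:\Users' -Directory |
    Where-Object { $skip -notcontains $_.Name } |
    ForEach-Object { "$Domain\$($_.Name)" }

# Keep owners already registered; accept a string or a multi-string value.
$current = (Get-ItemProperty -Path $key -Name ClientOwners -ErrorAction SilentlyContinue).ClientOwners
$existing = @()
if ($current) {
    $existing = (@($current) -join ',') -split ',' |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ }
}

# Merge and de-duplicate (Sort-Object -Unique is case-insensitive).
$owners = (@($existing) + @($fromProfiles)) | Sort-Object -Unique
if (-not $owners) {
    Write-Output 'No user profiles found; ClientOwners left unchanged.'
    exit 0
}

# Assumption: REG_SZ, matching what the imported .reg file produces.
Set-ItemProperty -Path $key -Name ClientOwners -Value ($owners -join ',') -Type String
Write-Output "ClientOwners set to: $($owners -join ',')"
```

Because it builds the list from profile folders, it does not depend on which account the scheduled task runs as.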
