Nested Security Groups in Device Collections

Hi all,
Is it possible to create a device collection with a dynamic query containing nested Security Groups (Active Directory)?
Following is a sample:
Security Group 'A' has the following members-
1) Security Group 'C'
2) Security Group 'D'
3) User 'John'
4) User 'Dave'
I'm trying to create a device collection in SCCM 2012 referencing this Security Group 'A', and my intent is to have all members of SG 'C' & 'D' be part of it along with John & Dave.
Thanks in advance.

Within ConfigMgr, "Security Group A" will be listed as a Security Group Name with all the direct members of "Security Group A" and the members of "Security Group B" and "Security Group C".
So, simply querying for "Security Group A" should be sufficient.
My Blog: http://www.petervanderwoude.nl/
Follow me on twitter: pvanderwoude

Similar Messages

  • Cannot add modify permission to Group for Device Collection

    Hi All,
    I am having trouble adding the modify permission to a device collection. I am not sure why it is not applying, since the group has been granted Full Admin to the collection. Please see below:
    While the group can access the distribution point properties, all of them are greyed out, so they cannot make any changes.
    BTW, the collection comprises all Distribution Points. Is there another permission I need to grant to the Administrative Users (the group in question)?

    I recommend these two articles:
    Article 1
    http://blogs.technet.com/b/configmgrteam/archive/2011/09/23/introducing-role-based-administration-in-system-center-2012-configuration-manager.aspx
    Article 2
    http://blogs.technet.com/b/hhoy/archive/2012/03/07/role-based-administration-in-system-center-2012-configuration-manager.aspx
    I hope that helps!
    Nash Pherson, Senior Systems Consultant, Now Micro

  • Item level targeting not hitting nested security group

    Hi guys,
    Got two security groups (A & B). Group B is a member of A.
    We've applied item level targeting with security groups. We've chosen a bunch of drive maps to apply to Group A (which I was hoping would apply to Group B also).
    The drive maps appear for the users of Group A but not Group B. Is this expected behaviour?
    Any help appreciated. Thanks

    What is your forest functional level? I am not sure, but if I recall correctly, if your forest functional level is 2008 R2 you should experience no problems. Otherwise you need a workaround solution like a custom script, etc.
    Mahdi Tehrani | www.mahditehrani.ir

  • Add AD security group to collection

    Dear Expert,
    I have added an AD security group to a collection via Add Resource, but nothing is received by the client; it is a user-based group.
    How can I configure this correctly?
    Note: I don't want a query-based rule. What I am trying is to add a security DL to the collection for software deployment.

    Sorry - this is the same for 2007. You cannot import distribution lists. You can create a security group in AD and nest the DL into it. Then add the security group to the collection with a direct rule.
    Cheers
    Paul | sccmentor.wordpress.com

  • Security group guidance

    Hello,
    I'm having all sorts of trouble getting security groups working within SharePoint. I'm aware of the various timeouts and caching that occur and have changed my WindowsTokenLifeTime to 30 minutes to pick up security group changes faster. However, I have some areas in SharePoint where even after days, users in security groups with access to a site, library, or document still do not have access, and they don't show up in Check Permissions. Also, I have some instances where a user, as a member of a security group with access to a file, has access one day and then the next day does not. This happens for multiple users in multiple locations and I have no idea what's going on.
    Is there any guidance other than this about using AD security groups in SharePoint?
    http://technet.microsoft.com/en-us/library/cc261972(v=office.15).aspx
    This is really messing with my head.
    Our farm is SharePoint 2013 SP1. Some of my security groups have nested security groups, some don't, and both have these issues.
    Thanks,
    Aaron

    I'm going to have to re-open this in a Reporting forum because this is so confusing.
    So our setup is SSRS 2012 on SharePoint 2013. We are doing item level permissions, which means we have an AD security group Reports-All with Read to the Reports folder, then each actual report has unique permissions. We have a report with the ProjectManagers AD security group on it with Read (plus some other stuff to let them manage subscriptions), and another AD security group ProjectUsers with just Read access so they can open the reports. The data source used by this report has the AD security group I mentioned before, Reports-All, with Read.
    At a SharePoint level, things appear to work. When a user in ProjectManagers or ProjectUsers browses to the library, they see only the 3 reports that those two security groups have permission to see (out of a lot more in the library). That means SharePoint is reading those security group memberships correctly, as far as I can tell.
    The issue is when a user in ProjectManagers or ProjectUsers clicks on a report: they get a reporting server based error message, and the ULS logs have an error specific to the user trying to run the report.
    Microsoft.ReportingServices.Diagnostics.Utilities.AccessDeniedException: The permissions granted to user 'MyDomain\MyUser' are insufficient for performing this operation. (Fault Detail is equal to Microsoft.ReportingServices.ServiceContract.RsExceptionInfo)
    If I add that specific user with Read permissions to the report and the data source, they are then able to run the report without errors. It seems like some Report Server component is not liking the fact that I'm using security groups.
    Even though I'm going to put this elsewhere, I figured I'd expand on my situation here in case it's an obvious solution to someone.

  • Report on a devices local security groups

    To my knowledge, SCCM does not collect any information on a device's local security groups. To support this, I have not been able to find anything in the tables/views, but there is a lot there and I'm hoping I've overlooked it.
    I would welcome someone proving me wrong on this. I would like to create a report on a particular missing local security group on our devices.

    See
    http://mnscug.org/blogs/sherry-kissinger/244-all-members-of-all-local-groups-configmgr-2012
    Torsten Meringer | http://www.mssccmfaq.de

  • Not able to set security group without mail enabled as site collection admin using powershell in sharepoint online site - office 365

    Not able to set a security group that is not mail-enabled as site collection admin using PowerShell in a SharePoint Online site (Office 365)?
    Any idea?

    After a few days of testing in my lab, I can see that only email-enabled groups can be added as site collection admin using PowerShell.
    Hope this helps anyone stuck like me!! :-)

  • Using a security group to add members to the collection question

    Hi,
    I have a collection created in SCCM 2007 that is using a security group for membership. So I added a computer to the security group in AD, but when I go to SCCM and click on the collection I don't see the computer in the collection. Should it show here, or because it is a security group based membership will it not show the members?
    Thanks!

    Details from Active Directory are added to the SCCM database through discovery methods. Please ensure that AD security group discovery and AD system discovery are enabled in the primary site. If they are enabled, check the frequency set for these discovery methods. Once you have added these computers to the AD group, you need to wait until the next discovery cycle before they appear in SCCM collections. Until that point, the SCCM database will not have information about the group memberships of these computers.

  • How to set security group as primary site collection admin and secondary site collection admin using powershell in sharepoint online site - office 365?

    How to set a security group as primary site collection admin and secondary site collection admin using PowerShell in a SharePoint Online site (Office 365)?

    Hi,
    According to your description, my understanding is that you want to set a security group as admin of the primary and secondary site collection using a PowerShell command in Office 365.
    I suggest you use the command below to set the group as site owner; it will then have the site collection admin permission.
    Set-SPOSite -Identity https://contoso.sharepoint.com/sites/site1 -Owner [email protected] -NoWait
    Here are some detailed articles for your reference:
    https://technet.microsoft.com/en-us/library/fp161394(v=office.15)
    http://blogs.realdolmen.com/experts/2013/08/16/managing-sharepoint-online-with-powershell/
    Thanks
    Best Regards
    Jerry Guo
    TechNet Community Support

  • Need help creating a device collection based on members of a user collection

    Hello everyone,
    I am working on developing a device collection based on the membership of a user collection. The purpose of the device collection is to provide us with the capability of deploying software to users while the users are logged off their systems.
    I would love to use AD security groups, but unfortunately that isn't an available approach in this case. I have been experimenting with SQL queries to find the best way to obtain the results I want, and the following query works like a champ:
    Select SYS.Name0,
    v_R_User.Unique_User_Name0
    FROM v_R_System AS SYS
    JOIN v_UserMachineRelationship ON SYS.Name0=v_UserMachineRelationship.MachineResourceName
    JOIN v_R_User ON v_UserMachineRelationship.UniqueUserName=v_R_User.Unique_User_Name0
    JOIN v_FullCollectionMembership AS FCM on FCM.ResourceID = v_R_User.ResourceID
    JOIN v_Collection AS COLMEM ON COLMEM.CollectionID = FCM.CollectionID
    Where FCM.CollectionID = 'cha0000B'
    The problem arises when I attempt this same query in SCCM 2012: I don't get any results from this query, so of course it won't work to base a Device Collection on. Here is the WQL:
    Select SYS.Name,
    SMS_R_User.UniqueUserName
    FROM SMS_R_System AS SYS
    JOIN SMS_UserMachineRelationship ON SYS.Name=SMS_UserMachineRelationship.MachineResourceName
    JOIN SMS_R_User ON SMS_UserMachineRelationship.UniqueUserName=SMS_R_User.UniqueUserName
    JOIN sms_v_FullCollectionMembership AS FCM on FCM.ResourceID = SMS_R_User.ResourceID
    JOIN SMS_v_Collection AS COLMEM ON COLMEM.CollectionID = FCM.CollectionID
    WHERE FCM.CollectionID = 'cha0000B'
    I am hoping that someone will be able to look at my SQL and tell me how I can get the WQL right so I can use this query properly or provide suggestions to accomplish what I need.
    Thanks in advance for the assist,
    Chris Bolton

    Hi Torsten,
    While your suggestion of that link was close, it still went in the direction of using security groups as the basis for device queries, and that isn't the direction I am pursuing. I had a colleague look at my original query and he identified that I had some unnecessary redundancy, but that didn't resolve my SQL -> WQL inconsistency. I continued to play with the query and the following SQL also works (and actually works a bit better for my purposes):
    select distinct v_R_System.Name0,
    v_R_User.Unique_User_Name0
    FROM v_R_System
    JOIN v_R_User on v_R_User.Full_User_Name0 = v_R_System.User_Name0
    JOIN v_UserMachineRelationship ON v_R_System.Name0 = v_UserMachineRelationship.MachineResourceName
    JOIN v_FullCollectionMembership on v_R_User.Unique_User_Name0 = v_FullCollectionMembership.SMSID
    WHERE v_FullCollectionMembership.CollectionID = 'cha0000b'
    However, when I translate it to WQL I still am unable to get results (here is the WQL version):
    select distinct sms_R_system.Name,
    sms_R_User.UniqueUserName
    FROM sms_R_system
    JOIN SMS_R_User on SMS_R_User.FullUserName = SMS_R_System.UserName
    JOIN SMS_UserMachineRelationship ON SMS_R_System.Name = SMS_UserMachineRelationship.MachineResourceName
    JOIN SMS_FullCollectionMembership on SMS_R_User.UniqueUserName = SMS_FullCollectionMembership.SMSID
    WHERE SMS_FullCollectionMembership.CollectionID = 'cha0000b'
    I think I am on the verge of getting this right, but it sure seems to be a challenge. Is there a "WQL Workbench" that I could use, similar to SQL Management Studio, inside of which I could test these queries rather than having to use the rather clunky SCCM "Edit Query Statement" dialog box?
    Thanks again,
    Chris Bolton

  • AD security groups listed in user groups in Config Manager however not listed when selecting values for the "System Resource - System Group Name" query

    Morning All,
    We are in the process of setting up our SCCM 2012 infrastructure and are experiencing issues with our device collection queries based on AD security groups.
    I can see the security groups are being updated per adsgdis.log; I can see the computers that are members of the groups in AD are being recorded in the same log. The issue is when we build the device collection query and click the Value button for the string: only 2 of the 18 AD security groups are displayed. These are 2 AD groups we set up initially to test.
    We have since added several more, yet they only appear to populate as user groups in Config Manager.
    The same goes for additional OUs that we have created in AD.
    When I click the Value button, only the initial 10 OUs that were created are populating in the list of applicable OUs.
    We have the discovery methods Group Discovery & System Discovery enabled and set to search the parent OU recursively.
    I'm wondering if there might be an SQL issue with this, as it initially worked but stopped...
    Additionally, we added an OU recently that now appears in the Values options in the query, but the ones added previously and after are not showing up....
    Any help is appreciated.
    Thanks,
    Jeff

    Given the adsgdis.log lists the new PC and the group it's assigned to, it appears the AD group discovery is working.
    Here is an excerpt from the adsgdis.log:
    INFO: Processing discovered group object with ADsPath = 'LDAP://************.****.COM/CN=Software - Microsoft Project Professional 2010 x64,OU=Software,OU=US-West,DC=*****,DC=com' SMS_AD_SECURITY_GROUP_DISCOVERY_AGENT 10/4/2012 7:08:13 AM 8180 (0x1FF4)
    INFO: DDR was written for group '*****\Software - Microsoft Project Professional 2010 x64' - E:\Program Files\Microsoft Configuration Manager\inboxes\auth\ddm.box\userddrsonly\asg8ud94.DDR at 10/4/2012 7:8:12. SMS_AD_SECURITY_GROUP_DISCOVERY_AGENT 10/4/2012 7:08:13 AM 8180 (0x1FF4)
    INFO: DDR was written for system 'THURMANWIN7VM' - E:\Program Files\Microsoft Configuration Manager\inboxes\auth\ddm.box\adhh8419.DDR at 10/4/2012 7:8:12. SMS_AD_SECURITY_GROUP_DISCOVERY_AGENT 10/4/2012 7:08:13 AM 8180 (0x1FF4)
    Here you can see it processes the new members in the Software - Microsoft Project Professional 2010 x64 group and captures Thurmanwin7vm as a member.
    I did find some log entries that reference permission issues with objects in the SQL database and have opened a case with MS to get that looked into. Hopefully that will be where the issue lies.

  • How to create a group of devices in MARS

    Hi folks.
    I have quite a list of devices which MARS pulls syslog from, and the client's security policy requires running periodic queries against those devices (they are 871 routers). Is there any way to create a group of devices and add it to the "Reporting devices" instead of manually checking every router?
    Eugene

    Could anyone suggest something???
    I'll try to be more detailed. There's a custom rule which is created to run a query for a specific event type. The query is run against many devices, and the list of devices added to MARS earlier is quite big. So when you configure the rule, at the "Reporting Devices" section there is a limited list of devices (see attachment). I wish I could have a custom device type which would include all devices in question.
    Plus, why is there no "Select All" button for the right pane? This would be quite logical once you have a list of devices showing in your right-hand pane. Instead of going through all of them and clicking each one, clicking "Select All" would be nice.

  • How to create a site and add security groups through code: scripts, csom, ... ?

    Hi,
    I'm new to CSOM and am looking for a way to create sites in SharePoint Office 365 and especially add users to them with a specific role, e.g. 'visitor' or 'owner'.
    I use this code to add sites from a CSV file; so far so good.
    But now I want to add security groups based on the CSV file and assign a role. The security groups already exist.
    And also, how do I add a user with an 'owner' role for some sites?
    That would make my life easier :-)
    So thank you in advance!
    # load assemblies
    #[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Client")
    #[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Client.Runtime")
    Add-Type -Path "c:\Program Files\Common Files\microsoft shared\Web Server Extensions\15\ISAPI\Microsoft.SharePoint.Client.dll"
    Add-Type -Path "c:\Program Files\Common Files\microsoft shared\Web Server Extensions\15\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"
    # site collection
    $siteUrl = "https://mysharepoint.com"
    # admin
    $username = "[email protected]"
    $password = Read-Host -Prompt "Enter password" -AsSecureString
    # get clientcontext as object
    $ctx = New-Object Microsoft.SharePoint.Client.ClientContext($siteUrl)
    # assign credentials to clientcontext object
    $credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($username, $password)
    $ctx.Credentials = $credentials
    # create site from template 'teamsite' => STS#0
    $data = Import-Csv "c:\tools\CSOM\vakwerking_test.csv"
    foreach ($row in $data) {
        $webCreationInformation = New-Object Microsoft.SharePoint.Client.WebCreationInformation
        $webCreationInformation.Url = $row.vakwerkingurl
        $webCreationInformation.Title = $row.vakwerkingnaam
        $webCreationInformation.WebTemplate = "STS#0"
        $webCreationInformation.UseSamePermissionsAsParentSite = $false
        $newWeb = $ctx.Web.Webs.Add($webCreationInformation)
        Write-Host "Title" $newWeb.Title
        # send to sharepoint
        $ctx.Load($newWeb)
        $ctx.ExecuteQuery()
    }

    Hi,
    The command above about creating a group only works for the root site of the site collection, because the scope of the user group is the site collection level; these groups can be used in all the sites in this site collection.
    With the existing groups in the root site, we can add users into them and grant specific permissions on a specific sub site to these groups.
    Here is a demo about how to assign permission to a group using Client Object Model(though in C#) for your reference:
    http://www.c-sharpcorner.com/UploadFile/54db21/set-permission-to-group-in-sharepoint-2010-programmatically/
    Best regards,
    Patrick
    Patrick Liang
    TechNet Community Support

  • Security Groups not being discovered / Talking a long time to be discovered

    Hi All.
    When creating user collections, I am creating the majority of them with a membership rule that links directly to a discovered Security Group, so in order for this to happen the security group has to first be discovered by the Security Group Discovery Method.
    OK, what I am seeing is that it is taking a long time, a very long time, for the security group to appear. At the moment a security group that I am waiting on was created more than 24 hours ago and has still not appeared in the All User Groups collection.
    Now this has got me thinking: some of these security groups are created and will not be populated with users from Active Directory, so it is basically an empty security group, and the security group that I'm waiting on to be discovered is empty also...
    So my question: if a security group has no members, does this stop it from being discovered / appearing in the All User Groups collection?
    If the answer is 'no', then I've got to ask some more questions as to what is causing this severe lag in my discovery :-(

    Hi Jason, 
    I've been trawling the internet and found this.... it's dated 2010 so must be referring to SCCM 2007, but could still be relevant.. ???
    5. Active Directory User Discovery
    It discovers the following:
    User name
    Unique user name (includes domain name)
    Active Directory domain
    Active Directory container name
    User groups (except empty groups)
    http://systemcentersupport.blogspot.co.uk/2010/01/discovery-methods-do-what.html
    (just added a user to my 'empty' security group - see what happens)

  • How to move members of a certain OU from one security group to distribution group?

    Looking for a PowerShell script that could move members of a certain OU that are members of a certain security group to a distribution group. Can anyone point me in the right direction?

    It is easy to determine the members of a group. My concern is that once you know the users, it can be tricky to determine their parent OU in a script. There are ways to parse the user distinguishedName, but some are unreliable (the names of OUs, and even DC components, can include commas, for example). The most reliable method would be to bind to the user object with the [ADSI] accelerator and invoke the Parent method, but even then you must parse the result since it will be an ADsPath rather than a DN.
    My approach would be to use Get-ADUser to find all users in a specified OU that are direct members of a specified group. Even here I assume you are only concerned with users (not contacts or groups or computers). I also must assume that no users have the group specified as their "primary" group. The code I would suggest to retrieve all users in an OU that are members of a group:
    Get-ADUser -SearchBase "ou=Sales,ou=West,dc=MyDomain,dc=com" -LDAPFilter "(memberOf=cn=MyGroup,ou=West,dc=MyDomain,dc=com)"
    This does not find users in the OU that are members of the group due to group nesting. However, if that matters, it can be handled using another LDAP syntax filter. In that case use:
    Get-ADUser -SearchBase "ou=Sales,ou=West,dc=MyDomain,dc=com" -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=cn=MyGroup,ou=West,dc=MyDomain,dc=com)"
    The "1.2.840.113556.1.4.1941" part is a special chain matching rule that results in a recursive match to handle group nesting. You can also devise a filter to include membership as the "primary" group. You could even use Get-ADObject instead of Get-ADUser if you need to include contacts (or computers or groups), but I assume that is unnecessary.
    The next steps, to remove from one group and add to another, would follow.
    Richard Mueller - MVP Directory Services
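Added example, not code from this thread and not ConfigMgr's or Active Directory's own implementation: the recursive group expansion that the first answer above (ConfigMgr listing nested members under "Security Group A") and Richard Mueller's 1.2.840.113556.1.4.1941 chain-matching filter both rely on, worked through against a constructed in-memory directory. It also covers the "primary group" caveat Richard raises (primaryGroupID membership never appears in the member attribute) and, as an addition, group membership cycles; all DNs (G_A, G_C, PC01, ...) are constructed.

```python
"""Resolve nested Active Directory group membership offline.

Added example, not code from the original thread. It models the recursive
expansion that ConfigMgr's Active Directory Group Discovery performs and that
the LDAP matching rule 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN)
applies, using a constructed in-memory directory instead of a live domain.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class ADObject:
    dn: str
    object_class: str                    # "group", "user" or "computer"
    members: Tuple[str, ...] = ()        # DNs in the group's 'member' attribute
    primary_group: Optional[str] = None  # group implied by primaryGroupID; it
                                         # never appears in that group's 'member'


# Constructed directory mirroring the thread: group A holds groups C and D plus
# users John and Dave; C and D hold computers. D also lists A, a legal cycle.
BASE = "DC=example,DC=com"
G_A, G_C, G_D = (f"CN={g},OU=Groups,{BASE}" for g in "ACD")
U_JOHN, U_DAVE = (f"CN={u},OU=Users,{BASE}" for u in ("John", "Dave"))
PC01, PC02, PC03 = (f"CN={c},OU=Computers,{BASE}" for c in ("PC01", "PC02", "PC03"))

DIRECTORY = {o.dn: o for o in [
    ADObject(G_A, "group", (G_C, G_D, U_JOHN, U_DAVE)),
    ADObject(G_C, "group", (PC01,)),
    ADObject(G_D, "group", (PC02, G_A)),
    ADObject(U_JOHN, "user"),
    ADObject(U_DAVE, "user"),
    ADObject(PC01, "computer"),
    ADObject(PC02, "computer"),
    ADObject(PC03, "computer", primary_group=G_C),  # in C only via primaryGroupID
]}


def direct_members(group_dn, directory=DIRECTORY):
    """What a plain (memberOf=<group>) filter sees: one level, groups included."""
    return set(directory[group_dn].members)


def transitive_members(group_dn, directory=DIRECTORY, include_primary=True):
    """Expand nested groups depth-first, returning only leaf objects.

    The visited set breaks membership cycles. DNs are compared as exact strings
    here; a real directory compares them case-insensitively.
    """
    seen_groups, leaves, stack = set(), set(), [group_dn]
    while stack:
        dn = stack.pop()
        if dn in seen_groups:
            continue
        seen_groups.add(dn)
        candidates = list(directory[dn].members)
        if include_primary:  # primaryGroupID membership is not in 'member'
            candidates += [o.dn for o in directory.values() if o.primary_group == dn]
        for m in candidates:
            obj = directory.get(m)
            if obj is None:  # dangling reference (deleted object); skip it
                continue
            if obj.object_class == "group":
                stack.append(m)
            else:
                leaves.add(m)
    return leaves


def member_of_in_chain(object_dn, group_dn, directory=DIRECTORY):
    """Emulate (memberOf:1.2.840.113556.1.4.1941:=<group>) for one object."""
    return object_dn in transitive_members(group_dn, directory)


def members_by_class(group_dn, object_class, directory=DIRECTORY):
    """Only the computers, for example, as a device collection rule would need."""
    return {dn for dn in transitive_members(group_dn, directory)
            if directory[dn].object_class == object_class}
```

Running `members_by_class(G_A, "computer")` yields PC01, PC02 and PC03, while `direct_members(G_A)` returns only the four direct entries (two of them groups), which is the gap between a plain memberOf filter and the chained one.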
