Orchestrator Active Directory Add Computer to Group

Having trouble with the Add Computer to Group activity. I can't seem to find the right reference for an OU in my active directory forest (/Servers/KC). Any help?
William Busby, PMP

Hi William,
you can use the "Get Computer" and "Get Group" Activities to get all the information for the Group and Computer including the Distinguished Name. In the Filter tab of the two "Get-Activities" you can filter with name and other things.
The you can right click on the field for the Distinguished Names in the "Add Computer To Group" Activity and click Subscribe -> Publihed Data and choose the Distinguished Names you get as result from the Activities before.
Regards,
Stefan
German Orchestrator Portal ,
My blog in English

Similar Messages

  • 802.1X authentication process in Active Directory joined computer.

    Hi,
    I'm not really sure my understanding of the authentication process of an Active Directory joined computer, and I would like to know the purpose of multiple times auth as described below:
    1. When Windows start up,
    2. it will authenticate to the 802.1x network using computer account.
    3. When user entering AD credential and pressing login, it will disconnect the current 802.1x connection. Re-auth to the network through AD user account.
    4. once 3 is done, the AD credential will be used to auth to AD again to login.
    Why do we need 3 times of authentication? Why do we need steps 3?
    Note: this is just my current understanding on one of the mode of 802.1x authentication. Please feel free to correct and add more information so that I can understand 802.1x authentication more precisely.
    Thank you!
    Ah_Chao|| MCSE,VCP,EMCSAe

    Hi,
    According to your description, my understanding is that you want to know the reason why 802.1x has 3 times authentication.
    It is depends on your 802.1x settings. The option Computer Authentication (allows you to specify how computer authentication works with user authentication). One of the possible settings is
    With User Re-Authentication. When users are not logged on to the computer, authentication is performed using the computer credentials. After a user logs on to the computer, authentication is performed using the user credentials. When a user
    logs off of the computer, authentication is performed with the computer credentials. This is the recommended setting because it ensures that the connection to the wireless AP is always using the security credentials of the computer's current security context
    (computer credentials when no user is logged on and user credentials when a user is logged on).
    Detailed description you may reference:
    https://technet.microsoft.com/en-us/library/cc755892%28WS.10%29.aspx?f=255&MSPPError=-2147217396
    And more information about 802.1x, you may reference:
    Understanding 802.1X authentication for wireless networks
    https://technet.microsoft.com/en-us/library/cc759077(v=ws.10).aspx
    IEEE 802.1X Wired Authentication
    https://technet.microsoft.com/en-us/magazine/2008.02.cableguy.aspx
    Creating a secure 802.1x wireless infrastructure using Microsoft Windows
    http://blogs.technet.com/b/networking/archive/2012/05/30/creating-a-secure-802-1x-wireless-infrastructure-using-microsoft-windows.aspx
    Best Regards,
    Eve Wang
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

  • Cisco ISE Active Directory Add Group

    Hi,
    I came across the Cisco ISE on integrating with Microsoft Active Directory; I would like to check what may be the use case of the add group function (External identity source-->active directory-->group-->add group)? Not too sure if it may be possible to group multiple active directory groups to the created group?
    I have attached a print capture of the "add group" for reference.
    Any suggestion is appreciated.

    I apologize for not following Ravi's post. However you can enter the group if searching for groups fails. It is case and format sensitive so using the method has to be precise....one example is looking in the authenticatiin report for a user under the "other attributes" if there is a group you want to apply as a policy you can copy and paste that group syntax under the add group which you posted.
    Sent from Cisco Technical Support Android App

  • WebLogic Server 8.1 Integrating Active Directory Filtering Users by Group

    I am trying to specify the User Base DN value with a Group. I only want users with in that group retrieved from AD. Any assistance would be appreciated.
    Using AD examples from this site:
    http://support.bea.com/support_news/product_troubleshooting/LDAP_Issues_Pattern.html
    I attempted to enter LDAP config values in the following way. However, while users DO exist in the group Users, which is specified in the UserBaseDN parameter, no users from LDAP show up on the Admin Console's users screen. No error occurs on the lookup either, so this values agrees with the directory structure:
    <weblogic.security.providers.authentication.ActiveDirectoryAuthenticator
    ControlFlag="SUFFICIENT" Credential="{3DES}96Kl0euDFQQ="
    GroupBaseDN="CN=Users,DC=supportLDAP,DC=example,DC=com"
    GroupFromNameFilter="(&(cn=%g)(objectclass=group))"
    Host=" HOST IP or NAME OF LDAP"
    Name="Security:Name=myrealmActiveDirectoryAuthenticator"
    Principal="CN=Administrator,CN=Users,DC=supportLDAP,DC=example,DC=com
    Realm="Security:Name=myrealm"
    StaticGroupDNsfromMemberDNFilter="(&(member=%M)(objectclass=group))"
    StaticGroupNameAttribute="cn"
    StaticGroupObjectClass="group"
    StaticMemberDNAttribute="member"
    UserBaseDN="CN=Users,DC=supportLDAP,DC=example,DC=com"
    UserFromNameFilter="(&(cn=%u)(objectclass=user))"
    UserNameAttribute="cn" UserObjectClass="user"/>

    Hi
    I didn't filter it on the provider configuration.
    Instead I removed some presentation services prvileges from authenticated users and granted them only to some specific application roles. You don't have to remove authentiated users from much privileges just some basic ones as "see Dashboards" and so on.
    Now everyone can authenticate on the login page but after logon they get a message that the don't have permissions to access answers, dashboards and so on.
    Regards

  • Add Computer to Group as Author

    Hello,
    ist there a way that non administrators can add Computers to individuell groups ?

    Hi,
    You could create "New User Roles" in Administration> Security> User Roles
    For more information, please review the link below:
    Security in Operations Manager – some perspectives and typical customer scenarios
    http://blogs.technet.com/b/kevinholman/archive/2012/02/17/security-in-operations-manager-some-perspectives-and-typical-customer-scenarios.aspx
    We
    are trying to better understand customer views on social support experience, so your participation in this
    interview project would be greatly appreciated if you have time.
    Thanks for helping make community forums a great place.

  • Lion Server not reading Active Directory Groups reliably

    I am trying to upgrade one of our XServes from Snow Leopard Server to Lion Server and am running into a strange issue with our Active Directory based users and Groups.
    The current Snow Leopard Server serving files from a XSan volume is running fine, though we find a very long Lag time for Windows users to connect. Once a few users have connected the lag seems to go away, but it is still not nearly as fast as Mac users connecting or Windows connecting to a PC server.
    So I have connected a second Xserve to the SAN and performed a clean install of Lion Server. Initially while it would find my Active Directory Groups it would not import any of the users, so obvioulsly no one could connect. In a last ditch effort I installed the beta of 10.7.4, which seemed to resolve the issue for a small group of test users. However as I expanded the test I found that some users would get a message that the were no resources available to them, or they didn't have the correct permissions. This is very strange as everyone is in the same group so should have the same permissions. As a test I took one of the user accounts and created a new share and gave him R/W permission to that share and suddenly all of the shares that he should have had permission to in the first place popped up.
    The only thing that I can think of is that we have such a large Active Directory structure that the authentication is timing out or reaching some user limit and stops looking. (we have over 50,000 users and thousands of groups spread through multiple OUs in the AD structure)
    The new Server.app in Lion looks nice, but it does not seem to have nearly the robustness of the previous Server Admin tools. For instance, I never needed or wanted to setup a "Golden Triangle" but with Lion it is required. Perviously I could search for AD users or groups and drag them from the search window to the share to assign permission, now even though I've imported the groups and users it needs to search the entire directory when assigning permissions - why can't it see the groups that are already there? Why can I run a dscl search and find a user or group instantly, but the Server.app hangs for 5 minutes and shows 0 results?
    Has anyone found a way to make Lion Server work in an enterprise environment?

    Yesterday morning I bound a 10.7.4 server to our AD, and in the afternoon I eventually saw all the AD users, groups, etc show in Workgroup Manager. Now, with dscl, I can see all the AD user and group records, and with Workgroup Manager, I can search the groups, users, and computers, but with the Server.app, when trying to create new group of the type "Imported group from another directory", the searches returned nothing. Directory Utility can show all the AD information also. Our AD has thousands of user record, and so it is reasonable that it may take some time for the Mac server to get all the info. But from the add users or groups interface, I just could not get any search results. What could be wrong then? 

  • Not able to open active directory user and computer in windows server 2008r2

    Hi All techies,
    i would like to know one issue which i am facing mostly, i have created 5 virtual machine all with window server2008r2 and one windows 7 on vm-ware now when ever i start my virtual machines everything going rite but when i try to open active directory user/
    computer or domain and trust i get a following error "data from active directory user and computers is not available from dc(null) bcoz unspecified error" even when i chk in events log its give me no help, and after 15-30 min everything works good
    Please let me know the cause of it and really appreciate it .
    Thanks
    Atul

    You need to ensure that
    1. group policy that says "wait for network before logon" is applied to all computers including servers and workstations is applied
    2. DNS record exists for all DCs in DNS
    3. If there are multiple Domain Controllers in Forests, then they point them as secondary DNS server. This way they will be able to resolve IPs if local DNS server service takes time to start.
    As Chris mentioned, you need to start all DCs first, give a time of 5 minutes and then start member servers and workstations for successful logon.
    - Sarvesh Goel - Enterprise Messaging Administrator

  • FCS 1.5 Not all Active Directory groups visible in list

    Hi,
    We just upgraded Final Cut Server to 1.5 and want to make use of Active Directory groups to set permissions in FCS. I've created a few groups in AD which do not appear in the list when I want to add these to Group Permissions. I do see many AD groups but some are not in the list. I can find the group in the Directory application and also with dscl (dscl /Active Directory/domain.tld -read /Groups/fcs-editor).
    Please advice.
    Thanks in advance,
    Martin

    I found a solution, though it might be still temporary. See if you can narrow down your Directory Search Policy. In your AD forest, you might need just one domain for your department, location, etc.
    So, in Directory Utility, click on Search Policy, delete "/Active Directory/All Domains", don't apply yet, but click on the plus sign, and see what specific domains you can choose from there. Do the same to contacts.
    Though still I can see now 1.592 records of groups or users when I run dscl but at least I know that AD administrators can really clean up our groups listings ( some of those groups are not being used) , and try to keep the number under 2,000.
    It has to be a way to increase the default number of 2,000 in Search Policy, but I haven't had time to do that

  • Snow Leopard and Windows 2003 Active Directory Binding Issues

    Ok I have a new imac 27" with snow leopard (completely patched).
    I am attempting to join it to an active directory domain.
    First the prequel:
    * I have opened full traffic to and from the machine and our domain controllers
    * I have enabled full logging on the firewall and there are no blocked packets
    * I have used wireshark to watch the traffic on the mac and there appear to be no anomalies (packets being sent out but not getting a response, dns requests that aren't answered, etc)
    * I have enabled full KDC logging on the domain controller in question and there are no errors in any of the event logs on either domain controller.
    * The domain admin account in question has Enterprise, Schema and Domain Admin rights
    * I have tried it both with and without an existing computer account and with every conceivable combination of caps and no caps on domain name, user and computer names.
    I am getting the following error at the very end of the process:
    "Unable to add server. Credential operation failed because an invalid parameter was provided (5102)"
    I enabled debugging on Directory Services and will post a log in a reply.
    Anyone have any ideas? I have been banging my head on this for a week with no luck.

    Here is the log with the Active Directory: entries grepped... the full log is far too large to reply to here, if you think you need it let me know and I can email it to you it is 548kb
    obviously machine names, usernames and ip addresses have been munged.
    2011-02-09 12:13:32 EST - T\[0x0000000100404000\] - Active Directory: copyNodeInfo called for /Active Directory
    2011-02-09 12:13:36 EST - T\[0x0000000100404000\] - Active Directory: copyNodeInfo called for /Active Directory
    2011-02-09 12:13:41 EST - T\[0x0000000100404000\] - Active Directory: copyNodeInfo called for /Active Directory
    2011-02-09 12:13:46 EST - T\[0x0000000100404000\] - Active Directory: copyNodeInfo called for /Active Directory
    2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Bind Step 1 - Searching for Forest/Domain information
    2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: subdomain.domain.tld - Start checking servers for site "any"
    2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Total Servers "any" LDAP - 2, Kerberos - 2, kPasswd - 2
    2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Adding Server - "dc3.subdomain.domain.tld"
    2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Adding Server - "dc1.subdomain.domain.tld"
    2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: subdomain.domain.tld - Finished checking servers for domain
    2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: DomainConfiguration reachabilityNotification - Node: subdomain.domain.tld - resolves - enabled
    2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Bind Step 2 - Finding nearest Domain controllers
    2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Bind Step 3 - Verifying credentials
    2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: subdomain.domain.tld - Start checking servers for site "any"
    2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Total Servers "any" LDAP - 2, Kerberos - 2, kPasswd - 2
    2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Adding Server - "dc3.subdomain.domain.tld"
    2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Adding Server - "dc1.subdomain.domain.tld"
    2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: subdomain.domain.tld - Finished checking servers for domain
    2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: DomainConfiguration reachabilityNotification - Node: subdomain.domain.tld - resolves - enabled
    2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: EstablishConnectionUsingReplica - Node subdomain.domain.tld - New connection requested
    2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: FindSuitableReplica - Node subdomain.domain.tld - Attempting Replica connect to dc3.subdomain.domain.tld.
    2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: watchReachability watching socket = 21, xxx.xxx.164.71 -> xxx.xxx.174.77
    2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: VerifiedServerConnection - Verified server connectivity - dc3.subdomain.domain.tld.
    2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: CheckWithSelect - good socket to host dc3.subdomain.domain.tld. from poll and verified LDAP
    2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: FindSuitableReplica - Node subdomain.domain.tld - Established connection to dc3.subdomain.domain.tld.
    2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: kadmEntry port is nil, will use default 464
    2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: populateKerberosToDomain - Bailing no domain cache for
    2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Password verify for [email protected] succeeded - cache MEMORY:vyvyIt4
    2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Switching active cache to MEMORY:vyvyIt4
    2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Secure BIND Session Success with server dc3.subdomain.domain.tld.:389 using cache MEMORY:vyvyIt4 user [email protected]
    2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Processing Site Search with found IP
    2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: No site name available
    2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: subdomain.domain.tld - Start checking servers for site "any"
    2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Total Servers "any" LDAP - 2, Kerberos - 2, kPasswd - 2
    2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Adding Server - "dc3.subdomain.domain.tld"
    2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Adding Server - "dc1.subdomain.domain.tld"
    2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: subdomain.domain.tld - Finished checking servers for domain
    2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Updating Mappings from inSchema.........
    2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Updated schema for node name subdomain.domain.tld
    2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Configuration naming context = cn=Partitions,CN=Configuration,DC=subdomain,DC=domain,DC=tld
    2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Top domain set as <cn=subdomain,cn=partitions,cn=configuration,dc=subdomain,dc=domain,dc=tld>
    2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Updating domain hierarchy cache
    2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Updating policies from domain subdomain.domain.tld
    2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Updated policies for node name subdomain.domain.tld
    2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Bind Step 4 - Searching for existing computer
    2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: EstablishConnectionUsingReplica - Node subdomain.domain.tld - New connection requested
    2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: watchReachability watching socket = 18, xxx.xxx.164.71 -> xxx.xxx.174.77
    2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: VerifiedServerConnection - Verified server connectivity - dc3.subdomain.domain.tld.
    2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: establishConnectionUsingReplica - Node subdomain.domain.tld - Previous replica = dc3.subdomain.domain.tld. responded
    2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: kadmEntry port is nil, will use default 464
    2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: populateKerberosToDomain - Bailing no domain cache for
    2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Password verify for [email protected] succeeded - cache MEMORY:zXpbfEi
    2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Switching active cache to MEMORY:zXpbfEi
    2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Secure BIND Session Success with server dc3.subdomain.domain.tld.:389 using cache MEMORY:zXpbfEi user [email protected]
    2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Doing Computer search for Ethernet address - 10:9a:dd:56:1b:1d
    2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Bind Step 4 - no mapping for Ethernet MAC address
    2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Doing DN search for account - machinename
    2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: stopWatching socket = 21, xxx.xxx.164.71 -> xxx.xxx.174.77
    2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: LDAP connection closed - dc3.subdomain.domain.tld.:389 - cache MEMORY:vyvyIt4 user [email protected]
    2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Destroying cache name MEMORY:vyvyIt4 user [email protected]
    2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Closing All Connections
    2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: stopWatching socket = 18, xxx.xxx.164.71 -> xxx.xxx.174.77
    2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: LDAP connection closed - dc3.subdomain.domain.tld.:389 - cache MEMORY:zXpbfEi user [email protected]
    2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Destroying cache name MEMORY:zXpbfEi user [email protected]
    2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Bind Step 5 - Bind/Join computer to domain
    2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: EstablishConnectionUsingReplica - Node subdomain.domain.tld - New connection requested
    2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: watchReachability watching socket = 18, xxx.xxx.164.71 -> xxx.xxx.174.77
    2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: VerifiedServerConnection - Verified server connectivity - dc3.subdomain.domain.tld.
    2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: establishConnectionUsingReplica - Node subdomain.domain.tld - Previous replica = dc3.subdomain.domain.tld. responded
    2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: kadmEntry port is nil, will use default 464
    2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: populateKerberosToDomain - Bailing no domain cache for
    2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Password verify for [email protected] succeeded - cache MEMORY:10xG6op
    2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Switching active cache to MEMORY:10xG6op
    2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Secure BIND Session Success with server dc3.subdomain.domain.tld.:389 using cache MEMORY:10xG6op user [email protected]
    2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Looking for existing Record of machinename
    2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Doing DN search for account - machinename
    2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: EstablishConnectionUsingReplica - Node subdomain.domain.tld - New connection requested
    2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: watchReachability watching socket = 21, xxx.xxx.164.71 -> xxx.xxx.174.77
    2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: VerifiedServerConnection - Verified server connectivity - dc3.subdomain.domain.tld.
    2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: establishConnectionUsingReplica - Node subdomain.domain.tld - Previous replica = dc3.subdomain.domain.tld. responded
    2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: kadmEntry port is nil, will use default 464
    2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: populateKerberosToDomain - Bailing no domain cache for
    2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Switching active cache to MEMORY:10xG6op
    2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Secure BIND Session Success with server dc3.subdomain.domain.tld.:389 using cache MEMORY:10xG6op user [email protected]
    2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: KerberosID Found for account CN=MACHINENAME,CN=Computers,DC=subdomain,DC=domain,DC=tld - MACHINENAME$
    2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Existing record found @ CN=MACHINENAME,CN=Computers,DC=subdomain,DC=domain,DC=tld with [email protected].
    2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: Setting Computer Password FAILED for existing record......
    2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: Computer password change date is 2011-02-04 18:21:01 -0500
    2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: Schtldled computer password change every 1209600 seconds - starting 2011-02-09 12:13:50 -0500
    2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: Closing All Connections
    2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: stopWatching socket = 21, xxx.xxx.164.71 -> xxx.xxx.174.77
    2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: LDAP connection closed - dc3.subdomain.domain.tld.:389 - cache MEMORY:10xG6op user [email protected]
    2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: stopWatching socket = 18, xxx.xxx.164.71 -> xxx.xxx.174.77
    2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: LDAP connection closed - dc3.subdomain.domain.tld.:389 - cache MEMORY:10xG6op user [email protected]
    2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: Destroying cache name MEMORY:10xG6op user [email protected]
    2011-02-09 12:13:50 EST - T\[0x00000001026AA000\] - Active Directory: Failed to changed computer password in Active Directory domain
    2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: copyNodeInfo called for /Active Directory
    2011-02-09 12:13:51 EST - T\[0x0000000102481000\] - Active Directory: copyNodeInfo called for /Active Directory
    Message was edited by: aelana

  • LDAP Active Directory Problem

    Hi,
    i have a win 2003 server (german) and apex 3.x. I (hope i ) have read all postings to this topic. Read the Apex Book, tried the Oracle Examples but all examples i have found won´t work for me. After three hours i found one solution that works:
    (Domain: marco.de)
    create or replace FUNCTION check_ldap_user(
    p_username IN VARCHAR2,
    p_password IN VARCHAR2
    ) RETURN boolean IS
    l_session DBMS_LDAP.session;
    l_ret binary_integer;
    BEGIN
    l_session := DBMS_LDAP.init (
    hostname => '192.168.178.100',
    portnum => '389');
    IF (DBMS_LDAP.simple_bind_s (
    ld => l_session,
    --dn => 'cn='||upper(p_username)||',cn=user,dc=marco,dc=de', /* <= This line does not work */
    dn => upper(p_username), /* <= This Version work */
    passwd => p_password)) = 0 AND p_password IS NOT NULL THEN
    l_ret:=DBMS_LDAP.UNBIND_S(ld=> l_session);
    RETURN True;
    ELSE
    RETURN False;
    END IF;
    EXCEPTION WHEN OTHERS THEN
    dbms_output.put_line(sqlerrm);
    RETURN FALSE;
    END;
    The Question is, if there any problems with a german Active Directory Server (Mayby the groups like "Domänen-Admins" are the problem)
    Thanks
    Marco

    Hi,
    Any help?

  • ACS 5.3 WLC Certificates RADUIS Active Directory

    Hi,
    I have a wireless controller and an ACS 5.3. I would like to create a wireless network where a corporate laptop would use the certificates installed to connect to the wireless and then authentication with AD and laptop certificates to the ACS. So if a user from work brings a home laptop this won't be able to connect as they don't have a certificate installed on the laptop.
    I have setup ACS to connect to AD.
    I have added the local certificate with my company's CA
    acs.blah.com
    acs.blah.com
    SubCA3-1
    09:50 28.09.2012
    09:50 28.09.2018
    EAP, Management Interface
    I create a very simple rule and then try connect through the laptop. I select the certicate on the client and click connect. The connection works fine and I am on the network.
    Authentication Summary
    Logged At:
    October 2,2012 3:06:37.996 PM
    RADIUS Status:
    Authentication succeeded
    NAS Failure:
    Username:
    blah\Eddy
    MAC/IP Address:
    18-3d-a2-26-7f-b9
    Network Device:
    L39-WC-5508-01 : 10.49.2.150 :  
    Access Service:
    WirelessAD
    Identity Store:
    AD1
    Authorization Profiles:
    Wireless AD
    CTS Security Group:
    Authentication Method:
    PEAP(EAP-MSCHAPv2)
    I then just try a laptop I brought from home I used my AD username and password and this also connected. This Laptop doesn't have a certificate how can I make it so only work laptops with certificates be allowed to connect to the wireless?
    any help would be great happy to send screen shots of my setup.
    Cheers
    Eddy

    Hi Guys,
    Well I configured the ACS following Scott's information, and I then tried to connect with the laptop and I got this.
    Logged At:
    October 12,2012 2:50:17.866 PM
    RADIUS Status:
    Authentication failed : 15039 Selected Authorization Profile is DenyAccess
    NAS Failure:
    Username:
    blah\eddy
    MAC/IP Address:
    00-21-6a-07-31-88
    Network Device:
    -WC-5508-01 : 10.10.2.10 :  
    Access Service:
    WirelessAD
    Identity Store:
    AD1
    Authorization Profiles:
    DenyAccess
    CTS Security Group:
    Authentication Method:
    PEAP(EAP-MSCHAPv2)
    I copied the two rules used in the setup by Scott and I still get this. I have copied and pasted the logs below any ideas on how to get this to work? I dont have MARS is MARS required for this PEAP setup?
    24423  ACS has not been able to confirm previous successful machine authentication for user in Active Directory
    Evaluating Identity Policy
    15006  Matched Default Rule
    15013  Selected Identity Store - AD1
    24430  Authenticating user against Active Directory
    24416  User's Groups retrieval from Active Directory succeeded
    24101  Some of the retrieved attributes contain multiple values. These values are discarded. The default values, if configured, will be used for these attributes.
    24420  User's Attributes retrieval from Active Directory succeeded
    24402  User authentication against Active Directory succeeded
    22037  Authentication Passed
    Evaluating Group Mapping Policy
    11824  EAP-MSCHAP authentication attempt passed
    12305  Prepared EAP-Request with another PEAP challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12304  Extracted EAP-Response containing PEAP challenge-response
    11810  Extracted EAP-Response for inner method containing MSCHAP challenge-response
    11814  Inner EAP-MSCHAP authentication succeeded
    11519  Prepared EAP-Success for inner EAP method
    12314  PEAP inner method finished successfully
    12305  Prepared EAP-Request with another PEAP challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12304  Extracted EAP-Response containing PEAP challenge-response
    12306  PEAP authentication succeeded
    11503  Prepared EAP-Success
    24423  ACS has not been able to confirm previous successful machine authentication for user in Active Directory
    any ideas guys?
    thanks for the help.

  • How to deploy EUS  using OVD with existing active directory ?

    Hi,
    I am new in Oracle FMW and want to explore more into it,
    I have existing MS active directory with users and group policies defined there  and I need to implement the solution for  all users  to authenticate in oracle Database (11gR2) via AD.
    and after searching reading some docs I came to know that It can be done by  "EUS deployment using AD and OVD".
    Now I am bit confused for where to start Please guide me . My env is as follows
    I have existing MS AD server (win2003) and oracle Database 11gR2 on HP unix..So Do I need another server (Win2003/2008) to install OVD or can I install OVD on existing AD server.
    What exactly software required to install OVD as I have downloded software from e delivery site "Oracle Identity and Access Management 11g (11.1.1.7.0)"  
    Is it same or do i need to download other one?

    Check this:
    Installing and Configuring Oracle Virtual Directory
    OIM Image: OID and OVD 11g Basic Install Steps
    Oracle&amp;reg; Fusion Middleware
    Middleware Technologies : Installing Oracle Virtual Directory

  • Structure of our Active Directory

    Hi All,
    We have following active directory structure in our organization. I am not sure, if this is a flat or deep hierarchy.
    We have domain(forest)as xyz.com. we have a group created SAP under OU=Applications,DC=xyz,DC=com. All our users accessing Portal will be member of the group SAP. So our Grouppath is OU=SAP,OU=Applications,DC=xyz,DC=com
    About User accounts, we have our users scattered in the forest xyz.com. For testing purpose, we are taking few users from account group Dallas. The structure is OU=Dallas-SAP,OU=Dallas-Contractors,OU=Dallas,DC=xyz,DC=com.
    These users will be member of group SAP. Since users can be a member of any group (for example SAP group), i presume they represent flat hierarchy structure.
    groups and user accounts are stored in tree structure as mentioned above, so they represent deep hierarchy structure.
    So i am confused, what should be our Data source configuration? Is it flat or deep or mixed?
    FYI : An admin user is created in SAP group.
    Any help is highly appreciated.
    Thanks & Regards,
    Gowri

    Ok, correct me if I am wrong with the structure.
    Active Directory Users and Computers  GROUPS
    |_Xyz.com
             |_Applications
                    |_Any Program
                    |_Excel
                    |_SAP
                            |_Group1
                            |_Group2
                            |_Group3
                            |_Group4
                    |_Word
                    |_Data
                    |_Other Stuff
    Active Directory Users and Computers  USERS
    |_Xyz.com
           |_Applications
                      |_Any Program
                      |_Excel
                      |_SAP
                            |_Group1
                            |_Group2
                            |_Group3
                            |_Group4
                      |_Word
            |_Data
            |_Dallas
                      |_Dallas-Contractors
                            |_Dallas-SAP
                                   |_User1
                                   |_User2
                                   |_User3
                      |_Dallas-Sales
                      |_Dallas-Travel
             |_New York
          |_Other Stuff

  • Active Directory error using Upgrade Mgmt Tool - BI 4.1 sp 3

    I am in the process of creating a new BI 4.1 SP 3 environment within out company.  The software has been installed and I wanted to perform a Complete Upgrade from our existing XI 3.1 sp5 environment into our new 4.1 environment.  Also, we are using Windows Active Directory authentication and AD groups for security.
    The Upgrade Mgmt Tool fails with an Active Directory Error message similar to the one below:
    Active Directory Authentication failed to get the Active Directory groups for account with ID <insert really long alpha numeric string here>; CN=<insert name of employee no longer working for the company>.  Please make sure this account is valid and belongs to an accessible domain.
    Well, the account is not valid because this executive no longer works here.  Most likely within Active Directory all groups owned by this person were transferred over to his replacement.  Is there an way to have the upgrade mgmt tool bypass this validation check?  Or does anyone have any other suggestions how to get around this error?  Once this error occurs I can't upgrade.  I guess the alternative is to do an incremental upgrade, group by group, until I find the offending group but I was wondering if there was an easier way as that will be very time consuming.

    @JRKPrasad  Thank your for your thoughtful and accurate response.  It took less than 2 minutes to update AD in BI 3.1.x and the UMT tool is off and running migrating content from BI 3.1 to our new BI 4.1 environment. 
    Again, thank you very much for reading my post and responding.  It was a huge timesaver.

  • LDAP realm with Active Directory

    Hello,
    In the sun one app server admin console i have set the security role to LDAP.
    I have set up security roles in my web.xml such as this:
    <security-role>
    <description>This role represents administrators of the system, see actor administrators</description>
    <role-name>administrators</role-name>
    </security-role>
    ..and mapped the roles to groups in sun-application as follows:
    <security-role-mapping>
    <role-name>administrators</role-name>
    <group-name>CMS_PM</group-name>
    <principal-name>rlancett</principal-name>
    </security-role-mapping>
    My user and group information is stored in Active Directory so I have tried to configure the ldap realm in the admin console to get it working. These are the settings i have put in:
    directory: ldap://earth.tier2consulting.com:389
    base-dn: cn=Users,dc=tier2consulting,dc=com
    jaas-context: ldapRealm
    search-bind-dn: cn=administrator,cn=Users,dc=domain,dc=com
    search-bind-password: ******
    search-filter: sAMAccountName=%s
    I get the error message :javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 525, v893
    WARNING: va:850)
    FINEST: JAAS authentication aborted.
    INFO: SEC5046: Audit: Authentication refused for [administrator].
    I am pretty stuck on this having looked arounds all the forums:
    Has anyone got sun one app server using Active Directory to get user/group information for security roles?
    Thanks.

    Howdy,
    I don't have a solution to your problem, but maybe this tid-bit will help in debugging with Active Directory error messages. I'm new to AD, so excuse me if everyone already knows this, but...
    The error message you get back from the directory contains an error code in hexidecimal:
    LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 525, v893
    If you translate '525' from hex to decimal you get '1317' which is the error message you can look up here:
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/debug/base/system_error_codes.asp
    1317 - ERROR_NO_SUCH_USER - The specified user does not exist.
    It took me a while to find this tip, so I thought I'd share it. Oh, and the easy way to get decimal from hexidecimal is:
    System.out.println( "Here is 525 in decimal: " + Integer.parseInt("525", 16));
    Okay, hope this helps somebody.
    Now it's up to you to find out why it can't find the administrator!
    Craig

Maybe you are looking for