People Picker Showing Users From Both Domains

We recently have begun setting up and laying out SharePoint 2010 Standard. It was brought to my attention that when using the search/browse function of the 'people picker' it is showing users from both the domains currently available on our network. Our current domain is a *.local domain and the old one, which is no longer used for very much, is a *.com domain. I have researched this issue and tried running the stsadm 'getproperty' and 'setproperty' commands. The 'getproperty' command for "peoplepicker-distributionlistsearchdomains", "peoplepicker-searchadforests", "searchadfilter", etc. always returns "<Property Exist="No" />" even after I have just run a set command and it reports that the command had run successfully. I read something about setting the stsadm -o setapppassword -password command, but I am unsure what this does to the current SharePoint configuration.
Hopefully someone can help me fix this issue so that when people select browse/search only users from the *.local domain are shown.
Thank you very much to anyone who can help me with this. I have been researching this issue for some time, but my knowledge regarding SharePoint is very limited, and I do not want to continue trying other more in-depth approaches I have found that may resolve this issue until I am better informed.

This is normal when there is a trust between the domains. It is also normal if you previously added users from the .com domain to a SharePoint site as they'll be in the ULS logs.
To resolve the first type of issue, where a trust does exist, run:
stsadm -o setproperty -pn peoplepicker-searchadforests -pv "forest:domain.local" -url http://webAppUrl
To resolve the second issue, run:
$user = Get-SPUser -Identity "COMdomain\username" -Web http://webUrl
Move-SPUser -Identity $user -NewAlias "LOCALdomain\username" -IgnoreSid
Trevor Seward, MCC
This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.
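
An added example, not part of the original thread: reading back and setting the People Picker search scope through the web application's PeoplePickerSettings object, so the value can be checked after it is written. It assumes the SharePoint 2010 Management Shell running as a farm administrator, and reuses the placeholders http://webAppUrl and domain.local from the answer above; the two function names are made up for this example.

```powershell
# Added example: inspect and restrict the People Picker search scope of one web application.
# Assumptions: SharePoint 2010 Management Shell, farm administrator rights;
# http://webAppUrl and domain.local are the placeholders used in the answer above.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Hypothetical helper: list the forests/domains People Picker is limited to.
function Get-PeoplePickerScope {
    param([Parameter(Mandatory=$true)][string]$WebAppUrl)

    $wa = Get-SPWebApplication -Identity $WebAppUrl
    # An empty list means no explicit search scope has been set on this web application.
    $wa.PeoplePickerSettings.SearchActiveDirectoryDomains |
        Select-Object DomainName, IsForest, LoginName
}

# Hypothetical helper: replace the scope with the given forest names only.
function Set-PeoplePickerScope {
    param(
        [Parameter(Mandatory=$true)][string]$WebAppUrl,
        [Parameter(Mandatory=$true)][string[]]$Forest
    )

    $wa = Get-SPWebApplication -Identity $WebAppUrl
    $scope = $wa.PeoplePickerSettings.SearchActiveDirectoryDomains
    $scope.Clear()                       # drop whatever was configured before

    foreach ($name in $Forest) {
        $entry = New-Object Microsoft.SharePoint.Administration.SPPeoplePickerSearchActiveDirectoryDomain
        $entry.DomainName = $name
        $entry.IsForest   = $true        # treat the name as a forest, as "forest:domain.local" does
        $scope.Add($entry)
    }

    $wa.Update()                         # persist the change to the configuration database
}

# Show the scope, restrict it to the current forest, then confirm what was stored.
Get-PeoplePickerScope -WebAppUrl "http://webAppUrl"
Set-PeoplePickerScope -WebAppUrl "http://webAppUrl" -Forest "domain.local"
Get-PeoplePickerScope -WebAppUrl "http://webAppUrl"
```

The scope is stored per web application, so the same check has to be repeated for each web application whose People Picker should be limited.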

Similar Messages

  • How to grant access to sharepoint for the user from different Domain

    Hi All
        I need to grant access to user from different domain. 
        Where I can able to view the users in people picker (different domain).
    Thanks in Advance.
    Raj

    Hi Trevor Seward,
    Sorry to disturb you again.
    I am trying to restrict user from search from other domain, say we have domain A and Domain B, where I am trying to restrict all the user from domain B (Search users) for a site collection. I have found a couple of stsadmin commands to do so, but none of them works. Below are the commands I have tried:
    STSADM.exe -o setproperty -pn peoplepicker-searchadforests -pv "domain:<Name>.domain" -url "http://Site URL"
    stsadm -o setproperty -pn peoplepicker-searchadcustomquery -pv “(canonicalName=<Name>.domain*)” -url "Site URL"
    we have two way trust.
    Can you suggest any solution.
    Thanks 
    Raj

  • Grant access to users from different Domains

    Hi,
    Recently my company was merged with another. All users from my company are setup in our Domain (DomainA). Sharepoint is able to see the users in this domain and grant access to the users as well. When the merger happened, we created a Group (Test - Sharepoint)
    in our AD to add groups from other company's domain:DomainB, totally different Forest. There is a two way trust setup between these domains. The group Test-Sharepoint is "domain local" and it is able to see the groups/users from other domain: DomainB.
    The other users are now able to access our sharepoint environment once access is granted to DomainA\Test-Sharepoint.
    Problem came when we applied Audience targeting around few web parts. The users from DomainB who are added as object in DomainA\Test-Sharepoint (group in DomainA) are not able to see the web parts that have audience targeting for this group. Someone
    suggested that AD groups should be Global or Universal but that is not our case. Most of the groups in our AD are domain local and SP is able to see the users within it.
    Please suggest how we can resolve audience targeting issue?
    Regards, Kapil

    My apologies, yes that is correct you'll have to use Domain Local in this case. http://technet.microsoft.com/en-us/library/cc755692(v=WS.10).aspx
    Actually what you'll need to do is not use Groups in your domain at all, as the users are Foreign Security Principals. Instead, use a group in the trusted domain, or attributes of the users you intend to target directly.
    Trevor Seward

  • BPM 11g workspace not show user from OVD - top most authentication provider

    Hi,
    We have added OVD which connected to LDAP as the top-most authentication provider for myrealm. The order of the providers are:
    (1) OVD (control Flag:SUFFICIENT)
    (2) DefaultAuthenticator(control Flag: REQUIRED)
    (3) DefaultIdentityAsserter
    The users and groups from the OVD are displayed in the weblogic console and are searchable in the OEM when I want to add the user/group to the application role but not in the BPM workspace. I find a related thread:
    Weblogic administrator account is inactive after enabling DB Authenticator
    It seems I did the same but I am still able to login bpm workspace with weblogic id. I guess my BPM does not use OVD for the Authenticator at all and it is still using DefaultAuthenticator. Can anyone please help and let me know what I missed for the setting? Should I put DefaultIdentityAsserter to the 2nd in the provider list to solve this?
    Thanks,
    Helen
    Edited by: Helen on Mar 22, 2011 7:31 AM

    Hi Helen
    Make sure that for the second Authenticator (DefaultAuthenticator) the required Flag is SUFFICIENT. From Weblogic point of view, if it is required, this means that user should and must exist in this provider also. Since you configured external LDAP and say you have something like "mytestuser" in LDAP. I guess you already added this user "mytestuser" to the BPMWorflowAdmin role as per the forum you listed below. But this user may not and will not exist in the default authenticator. So try making it sufficient and see if that works.
    As mentioned in my earlier post, I do have LDAP configured to my BPM Domain and this is the first in the order of providers. I added a user from this LDAP into workflow admin role in em. I could login into bpm/workspace and see administrator link.
    Thanks
    Ravi Jegga

  • Read group membership for a user object and populate every group with matching user from another domain

    I have LON\JSmith in LON domain and DEL\JimSmith in DEL domain
    I would like to extract group memberships of LON\JSmith in LON domain and append matching by email (i.e. DEL\JimSmith) user object in every group in LON domain.
    for instance
    LON\JSmith and DEL\JimSmith is the same person and has same email address [email protected]
    LON\JSmith belongs to 3 groups - LON\localadmingroup;LON\univdesktop;LON\globalsurvey
    The outcome of the script should be
    LON\JSmith; DEL\JimSmith    should be in 3 groups - LON\localadmingroup;LON\univdesktop;LON\globalsurvey.
    How can i do it?
    Navgup

    Hi Navgup,
    Please refer to the script below, to query users in other domain by specifying the parameter "-Server" in the cmdlet "get-aduser", and also note I haven't tested the script below:
    import-module activedirectory
    get-adgroupmember "group" | foreach {
        # get the user email
        $email = (get-aduser $_.samaccountname -properties *).EmailAddress
        # filter user name and group with the email in other domain
        Get-ADUser -filter {EmailAddress -eq $email} -properties * -server DomainB.company.com | select samaccountname, memberof
    }
    To get users across domain, please also refer this blog:
    Adding/removing members from another forest or domain to groups in Active Directory:
    http://blogs.msdn.com/b/adpowershell/archive/2010/01/20/adding-removing-members-from-another-forest-or-domain-to-groups-in-active-directory.aspx?Redirected=true
    I hope this helps.

  • Issue using ADSI in powershell to load users from another domain into a group

    I am trying to load users into a domain local security group from another domain using ADSI and powershell. For users who have an existing foreign security principal I can load that without issue, but the users who do not have a foreign security principal
    I am unable to load.
    These work fine, assuming the group domain is fabrikam:
    $Group.psbase.invoke("Add",[ADSI]"LDAP://CN=$external_user_sid_who_has_a_FPN,CN=ForeignSecurityPrincipals,DC=fabrikam,DC=com")
    $Group.psbase.invoke("Add",[ADSI]"LDAP://$userDN,DC=fabrikam,DC=com")
    These do not:
    $Group.psbase.invoke("Add",[ADSI]"LDAP://CN=$externaluser_sid_who_does_not_have_a_FPN,CN=ForeignSecurityPrincipals,DC=fabrikam,DC=com")
    $Group.psbase.invoke("Add",[ADSI]"LDAP://<SID=$external_user_sid_who_does_not_have_a_FPN>")
    $Group.psbase.invoke("Add",[ADSI]"LDAP://<SID=$external_user_hex_sid_who_does_not_have_a_FPN>")
    Any help would be greatly appreciated.
    Thank you

    Thank you for your reply,
    I started with that thread and it ultimately recommends using the [ADSI]"LDAP://<SID=$hexsid>, this bind is not working for me. The page it points to for conversion of sid to hexsid is in VBS, but I have used the below powershell to duplicate its function.
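    $sid = "S-1-5-21-2127521184-1604012920-1887927527-72713"
    # Drop the leading "S-1-5-" and split the remaining sub-authorities
    $parts = $sid.Remove(0,6).Split("-")
    $reverseEndian = ""
    foreach ($part in $parts) {
        # Each sub-authority becomes 8 hex digits
        $hex = ([Convert]::ToString([int64]$part, 16)).ToUpper()
        While ($hex.length -lt 8) {
            $hex = "0" + $hex
        }
        # Append the four bytes in reverse (little-endian) order
        for ($i=1; $i -lt 5; $i++) {
            $reverseEndian = $reverseEndian + $hex.substring($hex.length -2, 2)
            $hex = $hex.Remove($hex.length -2, 2)
        }
    }
    $hexSid = "0105000000000005" + $reverseEndian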
    For example SID S-1-5-21-2127521184-1604012920-1887927527-72713 needs
    to be turned into raw hex sid 010500000000000515000000A065CF7E784B9B5FE77C8770091C0100 according to that article and
    then put in the ADSI bind like this: [ADSI ]"LDAP://<SID=010500000000000515000000A065CF7E784B9B5FE77C8770091C0100>". 
    When I put that bind in (with an actual sid and not an example sid) I get the following error:
    format-default : The following exception occurred while retrieving member "PSComputerName": "There is no such object on
    the server.
    + CategoryInfo : NotSpecified: (:) [format-default], ExtendedTypeSystemException
    + FullyQualifiedErrorId : CatchFromBaseGetMember,Microsoft.PowerShell.Commands.FormatDefaultCommand
    For users who are on another domain but already have a foreign principal name created, I can add them easily enough by converting their sid to the appropriate foreign principal name format. I haven't yet had any success adding someone who doesn't have a
    foreign principal name though, even after trying the solution referenced in the article.
    Thank you in advance for any help.

  • UnLock Ad user from all Domain controllers

    We have 13 domain controllers in  5 Active directory sites, Unlock status is not updating in All DC's immediately. please help me to unlock Ad user from all the Domain controllers.
    Below is the script to unlock Ad account from one domain controller:
    Clear-Host
    $luser = Read-Host "Input the name (Last name, First name) of the locked user"
    # Read the lockout state from one specific domain controller
    $lockstatus = Get-ADUser "$luser" -Properties lockedout -Server DC10
    if ($lockstatus.lockedout -eq $True) {
        $nul = Get-ADUser "$luser" | Unlock-ADAccount
        # -NewPassword takes a SecureString; -Reset sets it without asking for the old password
        $nul = Get-ADUser "$luser" | Set-ADAccountPassword -Reset -NewPassword (ConvertTo-SecureString "password" -AsPlainText -Force)
        Write-Host "Account unlocked and password reset"
    }
    if ($lockstatus.lockedout -eq $false) {
        Write-Host "Account is not locked"
    }
    Raj

    We have remote site users who are facing problems.
    Our L1 agents will unlock User ID in Primary site, replication taking time to replicate to remote DC.
    So need a script to unlock User ID in all DCs
    Raj
    Replication of unlocks is faster than you can do it in script. It is pushed immediately. It does not wait for replication. If this is not happening then you need to find the problem and fix it.
    You need to fix your problem. A script will not fix it.
    If you insist on doing it manually then just run the script one time for each DC.
    If you still do not know what to do you must contact a consultant or your network vendor and have them assist you with this. We are not a custom solution provider or a free script writing forum. Doing this would keep you from fixing a problem
    which could lead to other bad things. Please take the time to take the correct technical steps.
    One thing that might help is to NOT select a DC for the reset. The DC you are selecting is probably not replicating. Let Windows choose a DC for you.
    You must run diagnostics on your network to find out what is happening. Contact your network administrator to do this. If you do not have a trained network administrator then please contact a consultant or your vendor.
    ¯\_(ツ)_/¯
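
An added example, not part of the thread above: a read-only check that compares one account's lockout state on every domain controller, which is one way to see whether an unlock is actually failing to reach a remote site. It assumes the ActiveDirectory module is available; the function name and the account name "jdoe" are constructed for the example.

```powershell
# Added example: compare one account's lockout state across all domain controllers.
# Assumptions: ActiveDirectory module (RSAT) is installed; "jdoe" is a constructed sample account.
Import-Module ActiveDirectory

# Hypothetical helper: returns one row per DC with the lockout attributes seen there.
function Get-LockoutStateByDC {
    param([Parameter(Mandatory=$true)][string]$SamAccountName)

    foreach ($dc in Get-ADDomainController -Filter *) {
        $row = @{
            DC = $dc.HostName; Site = $dc.Site; LockedOut = $null
            LockoutTimeUtc = $null; BadPwdCount = $null; Error = $null
        }
        try {
            $query = @{
                Identity    = $SamAccountName
                Server      = $dc.HostName
                Properties  = 'LockedOut', 'lockoutTime', 'badPwdCount'
                ErrorAction = 'Stop'
            }
            $u = Get-ADUser @query

            $row.LockedOut   = $u.LockedOut
            # badPwdCount is kept per DC and is not replicated, so differences here are expected
            $row.BadPwdCount = $u.badPwdCount
            # lockoutTime is a FILETIME value; 0 or empty means the account is not locked
            if ($u.lockoutTime -gt 0) {
                $row.LockoutTimeUtc = [DateTime]::FromFileTimeUtc($u.lockoutTime)
            }
        } catch {
            # A DC that cannot be queried is itself a finding worth following up
            $row.Error = $_.Exception.Message
        }
        New-Object PSObject -Property $row
    }
}

$rows = @(Get-LockoutStateByDC -SamAccountName "jdoe")
$rows | Sort-Object Site, DC |
    Format-Table DC, Site, LockedOut, LockoutTimeUtc, BadPwdCount, Error -AutoSize

# Flag disagreement between DCs that answered, and list DCs that did not answer
$states = @($rows | Where-Object { -not $_.Error } |
            Select-Object -ExpandProperty LockedOut -Unique)
if ($states.Count -gt 1) {
    Write-Warning "Domain controllers disagree on LockedOut; check replication to the sites shown above."
}
$rows | Where-Object { $_.Error } | ForEach-Object {
    Write-Warning ("No answer from {0}: {1}" -f $_.DC, $_.Error)
}
```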

  • Problem in Jsp page it  doesnt shows users from database

    hi dear all...
    in my project i am creating new user by user registration(filling all details UserId,Passwd,retypepwd,name,emailid,dob,mob.no.,images-browse) so it will stored in my backend database oracle which is shown by using sql commands i.e.select * from userdetails until its ok BUT I FACE PROBLEM WHEN I CLICK VIEWUSERS IN MY JSP PAGE IT DOES NOT SHOW THE USERS...IN ECLIPSE10 I GOT ERROR AS BELOW..
    log4j:WARN No appenders could be found for logger (org.apache.commons.beanutils.BeanUtils).
    log4j:WARN Please initialize the log4j system properly.
    in registerDAO connection is .oracle.jdbc.driver.T4CConnection@15c998a
    in dao dob5-Mar-2013
    qqqloginid
    photo=C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg
    fole=105542
    java.lang.NullPointerException
         at com.multistep.action.RegisterAction.doPost(RegisterAction.java:76)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:261)
         at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
         at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:581)
         at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
         at java.lang.Thread.run(Thread.java:619)
    ANY HELP APPRECIATED.....
    -AVINASH

    You should format that date. See SimpleDateFormat in Java API.

  • Migrate existing users from local domains to Open Directory.

    Here is the environment I'm working with:
    Small local environment (8-10) users. Everyone is on their own laptop, everyone is authenticating to their local directories. Network files are stored on a server, with everyone using a single shared user ID to authenticate and access the files.
    I have just installed a Xserve, and it is now serving DNS, DHCP, NTP, WWW. I want to setup Open Directory in Master mode, create user IDs for everyone, and then assign permissions to the shared files area.
    The one part that I'm not sure how to approach is the local laptops. If user "John Doe" has a local ID "jdoe" that he has been using on his local laptop, how does he migrate over to being "jdoe" in the OD domain, while retaining his "local" home directory and files? The problem I think I'll have is that when I create "jdoe" on the domain, he will have a UID of (say) 10001, but his local UID is 501 (as is the UID of all the other employees since they are all the first user on each of their respective laptops.) so when he logs back into his laptop after it has been attached to the OD domain, I assume that the laptop will see "jdoe" from the OD domain as a new user and create a new home for him (with the UID:10001), so now John cannot see any of his old files and such.
    Also, as a side question: I've worked with Windows ID before, and I know once you join a windows computer to a domain and then login to it, it creates a new user and caches the authentication info, so that when the laptop is not connected to the corporate network, the user can still login and work. Does Open Directory do the same on the laptops?
    Thanks for any help.

    Retaining password is a manual process of asking the user what his or her password is and then creating it in OD.
    As for migration of account, it is rather simple, provided the short name of the user remains consistent across directory systems. For example, if you have a user named Joe User and his short name is juser with a home folder in /Users/juser. And you create the same account in OD. You can do these few short actions.
    1: Bind system to the domain
    2: From the Admin account, and using Terminal from root, navigate to /var/db/dslocal/nodes/Default/users and find the plist file for the user (in our example, juser.plist).
    3: Delete the file using rm
    4: Restart the machine or restart Open Directory
    5: Log in as the admin user and change ownership of the users home folder. Recall that when the user is in the local domain, the UID was likely 502, 503, etc (you do have a standard local admin at 501 right?) Now that the user is in OD, the UID will be 4 digits, something like 1027. So understanding that user attributes and user data are independent, you now have a folder in /Users titled juser and owned by uid 50x. You need to make it owned by juser from the OD domain. Use this:
    sudo chown -R juser /Users/juser
    6: Log out of the admin account
    7: Log in as the user after choosing Other at login window.
    Assuming you have your OD account set up properly, you will likely be asked to confirm the caching of the users credentials. This will path you right back into the user's home folder and all will be right with the world.
    This is simple and quick. If the shortnames are different, throw an mv into the mix to rename the home folder to match the domain shortname. If you have no local admin, then you will need to reset DSLocal and start again.

  • Migrating users from one domain to another(Interforest)

    Scenario- Two Domains A & B in two different forests.
    A - holds exchange server in DMZ and 2 domain controllers in A used by exchange also in DMZ
    B holds all users and computers and 2 Domain controllers used for authentication .
    Now I want to migrate all users and computers  in B domain to A domain using ADMT
    My question here is
    1. Can I use the DCs used by exchange to authenticate if I migrate users and computers from B to A.
    2. If not what is the work around here. I want to build  an action plan on this.

    After the migration users will be in Domain A.  Authentication will happen locally in Domain A using Domain A DCs.   Make sure you have correct DNS server (DNS from domain A) for these workstations. 
    Santhosh Sivarajan | Houston, TX | www.sivarajan.com
    ITIL,MCITP,MCTS,MCSE (W2K3/W2K/NT4),MCSA(W2K3/W2K/MSG),Network+,CCNA
    This posting is provided AS IS with no warranties, and confers no rights.

  • 802.1x - Authenticating users from two domains on one switch

    Hi
    Trying to figure out if there is a way to have a switch authenticate devices from two different domains
    For example   Computer A is in Domain A  Computer B is Domain B
    Computer A is connected to f0/1 computer B is connected to F0/2
    I am thinking that i have to configure multiple Radius server entries  One for domain A and one for domain B and reduce the timeout if possible
    Any ideas or solutions?
    Thank you for your help..

    What's your RADIUS server?
    ISE 1.3 allows you to join it to multiple domains.
    Even with ISE 1.2, you could join one AD domain and also use the identities from a second one via LDAP.
    Multiple RADIUS server entries won't normally try the second one as long as the primary is responsive - a failed authentication counts as a legitimate response. You can setup round robin or least outstanding methods but that still doesn't give you the "check both to see if one gives me a good authentication" result.

  • Error trying to import users from NT Domain Auth source

    Hi all, We cannot login to the portal using Auth source after NT administrator changed administrative password. We are trying to run NT Domain auth source in 5.0.3. Getting following error. It was working before. Any clue?? Thanks for any help.
    5/10/05 12:06:30- Starting to run operations (1 total) for job 'NT User Import Job - Run Once (2)'. Will stop on errors. (PID=3596)
    5/10/05 12:06:48- *** Job Operation #1 of 1: Authentication source (for synching users and groups) 'BWSC' [Run as owner 'Administrator']
    5/10/05 12:06:48- Creating the Everyone In Auth Source group (if one doesn't already exist).
    5/10/05 12:06:48- Need to create an Everyone Group for this auth source.
    5/10/05 12:06:48- Error IDispatch error #16132 (0x80044104): SQL Execute Error (0x80004005): DELETE FROM PTOBJECTSECURITY WHERE OBJECTID=? AND CLASSID=?
    ADO Error: count = 1, return code = 0x80004005
    Unspecified error (SQL State (null))
    5/10/05 12:06:48- *** Job Operation #1 failed: Error IDispatch error #16132 (0x80044104): SQL Execute Error (0x80004005): DELETE FROM PTOBJECTSECURITY WHERE OBJECTID=? AND CLASSID=?
    ADO Error: count = 1, return code = 0x80004005
    Unspecified error (SQL State (null)) (0x4)
    5/10/05 12:06:48- Done with job operations.
    5/10/05 12:06:48- Error IDispatch error #16132 (0x80044104): SQL Execute Error (0x80004005): DELETE FROM PTOBJECTSECURITY WHERE OBJECTID=? AND CLASSID=?
    ADO Error: count = 1, return code = 0x80004005
    Unspecified error (SQL State (null))

    Yes. Other intrinsic jobs are failed too. Is this related to Job Dispatcher service? Thank you for your help.

  • How to create user from one domain to remote domain

    Hi All,
    I want to create user in Security Realm from my own domain to a remote domain programatically. Can you suggest the entire process.
    Thanks in Advance.

    Not sure why but for me all the errors were resolved .
    import java.util.Hashtable;
    import javax.management.AttributeNotFoundException;
    import javax.management.InstanceNotFoundException;
    import javax.management.IntrospectionException;
    import javax.management.MBeanException;
    import javax.management.MBeanServer;
    import javax.management.MalformedObjectNameException;
    import javax.management.ObjectName;
    import javax.management.ReflectionException;
    import javax.management.modelmbean.ModelMBeanInfo;
    import javax.naming.Context;
    import javax.naming.InitialContext;
    import javax.naming.NamingException;

    public class Test {
        /**
         * @param args
         * @throws NamingException
         * @throws NullPointerException
         * @throws MalformedObjectNameException
         * @throws ReflectionException
         * @throws MBeanException
         * @throws InstanceNotFoundException
         * @throws AttributeNotFoundException
         * @throws IntrospectionException
         */
        public static void main(String[] args) throws NamingException, MalformedObjectNameException, NullPointerException, AttributeNotFoundException, InstanceNotFoundException, MBeanException, ReflectionException, IntrospectionException {
            // Connection settings for the WebLogic server that owns the security realm
            Hashtable<String, String> env = new Hashtable<String, String>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "weblogic.jndi.WLInitialContextFactory");
            env.put(Context.SECURITY_PRINCIPAL, "weblogic");
            env.put(Context.SECURITY_CREDENTIALS, "weblogic1");
            env.put(Context.PROVIDER_URL, "t3://localhost:7001");
            InitialContext ctx = new InitialContext(env);
            MBeanServer wls = (MBeanServer) ctx.lookup("java:comp/env/jmx/runtime");
            ObjectName userEditor = null;
            ObjectName MBTservice = new ObjectName("com.bea:Name=MBeanTypeService," + "Type=weblogic.management.mbeanservers.MBeanTypeService");
            ObjectName rs = new ObjectName("com.bea:Name=RuntimeService," + "Type=weblogic.management.mbeanservers.runtime.RuntimeServiceMBean");
            // Walk from the domain configuration down to the realm's authentication providers
            ObjectName domainMBean = (ObjectName) wls.getAttribute(rs, "DomainConfiguration");
            ObjectName securityConfig = (ObjectName) wls.getAttribute(domainMBean, "SecurityConfiguration");
            ObjectName defaultRealm = (ObjectName) wls.getAttribute(securityConfig, "DefaultRealm");
            ObjectName[] atnProviders = (ObjectName[]) wls.getAttribute(defaultRealm, "AuthenticationProviders");
            // Pick the first provider whose interface is a subtype of UserEditorMBean
            for (ObjectName providerName : atnProviders) {
                if (userEditor == null) {
                    ModelMBeanInfo info = (ModelMBeanInfo) wls.getMBeanInfo(providerName);
                    String className = (String) info.getMBeanDescriptor().getFieldValue("interfaceClassName");
                    if (className != null) {
                        String[] mba = (String[]) wls.invoke(MBTservice, "getSubtypes", new Object[] {"weblogic.management.security.authentication.UserEditorMBean"}, new String[] {"java.lang.String"});
                        for (String mb : mba)
                            if (className.equals(mb)) userEditor = providerName;
                    }
                }
            }
            if (userEditor == null) throw new RuntimeException("Could not retrieve user editor");
            try {
                System.out.println("Creating User : testuser");
                wls.invoke(userEditor, "createUser", new Object[] {"testuser", "password", "test user"}, new String[] {"java.lang.String", "java.lang.String", "java.lang.String"});
                System.out.println("Created User : testuser");
            } catch (Exception e) {
                e.printStackTrace();
            }
            ctx.close();
        }
    }

  • Why do we need a disabled AD object prior to migrating user from one domain to another.

    Say i am migrating a user 'Mr.A' mailbox from abc.com to xyz.com in exchange 2010 environment, why do i need a disabled AD object for Mr. A in xyz.com prior to migrating? please suggest.
    Aditya Mediratta

    Hi,
    To be frank i am not aware of quest but i can suggest you in ADMT and also in exchange cross forest migration.
    I hope you are doing the cross forest migration from exchange forest to exchange forest, so on such case by using the prepare-moverequest.ps1 we can only have the disabled MEU on the target exchange forest until the remaining attributes of the user object was migrated from ADMT.
    While running the prepare-moverequest.ps1 it will not completely move all the active directory user attributes from the source forest to the target forest but it will move all the exchange attributes to the target forest and finally it will make the MEU object in the disabled state. Since all the exchange attributes are already migrated to the target forest, so prior to use ADMT user account migration we need to exclude the exchange attributes by running the script on the ADMT server. After doing so exchange attributes will not be migrated but the required user attributes will be migrated to make the MEU to the enabled state.
    Reference Link for types of exchange migration between the forest :
    http://blogs.technet.com/b/exchange/archive/2010/08/10/3410619.aspx
    Thanks & Regards S.Nithyanandham

  • Need to pick up user from the position

    Hi All,
    In my workflow i have prepared the rule for agent determination. Here users are assigned to positions, so when i call the rule from my workflow it is giving the positions, but i need the User Id's which are already assigned to these positions, so please any one could give your ideas to get the user id's from position.
    Just a thought: any how here i am getting the position ID, so is there any Function module exist to get the user ID's based on this Position Id? then i can use that FM.
    So please could any one help me to solve this issue..
    Thanks in Advance..
    Srihasa...

    Hi Soumya,
    I Thank you for giving this FM to me, My Problem was solved..
    Thanks again for your valuable information..
    Srihasa...
