Populate the EmployeeID attribute of a user, based on their security group membership in Active Directory

Similar Messages

• Getting list of all users and their group memberships from Active Directory

  Hi,
  I want to retrieve a list of all the users and their group memberships through JNDI from Active Directory. I am using the following code to achieve this:
  ==================
  import javax.naming.*;
  import java.util.Hashtable;
  import javax.naming.directory.*;
  public class GetUsersGroups{
       public static void main(String[] args){
            String[] attributeNames = {"memberOf"};
            //create an initial directory context
            Hashtable env = new Hashtable();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, "ldap://172.19.1.32:389/");
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, "[email protected]");
            env.put(Context.SECURITY_CREDENTIALS, "p8admin");
            try {
                 // Create the initial directory context
                 DirContext ctx = new InitialDirContext(env);     
                 //get all the users list and their group memberships
                 NamingEnumeration contentsEnum = ctx.list("CN=Users,DC=filenetp8,DC=com");
                 while (contentsEnum.hasMore()){
                      NameClassPair ncp = (NameClassPair) contentsEnum.next();
                      String userName = ncp.getName();
                      System.out.println("User: "+userName);
                      try{
                           System.out.println("am here....1");
                           Attributes attrs = ctx.getAttributes(userName, attributeNames); // only asked for one attribute so only one should be returned
                           System.out.println("am here....2");
                           Attribute groupsAttribute = attrs.get(attributeNames[0]); // memberOf
                           System.out.println("-----"+groupsAttribute.size());
                           if (groupsAttribute != null){
                                // memberOf is a multi valued attribute
                                for (int i=0; i<groupsAttribute.size(); i++){
                                // print out each group that user belongs to
                                System.out.println("MemberOf: "+groupsAttribute.get(i));
                      }catch(NamingException ne){
                      // ignore for now
                 System.err.println("Problem encountered....0000:" + ne);
                 //get all the groups list
            } catch (NamingException e) {
            System.err.println("Problem encountered 1111:" + e);
  =================
  The following exception gets thrown at every user entry:
  User: CN=Administrator
  am here....1
  Problem encountered....0000:javax.naming.NamingException: [LDAP: error code 1 -
  000020D6: SvcErr: DSID-03100690, problem 5012 (DIR_ERROR), data 0
  ]; remaining name 'CN=Administrator'
  I think it gets thrown at this line in the code:
  Attributes attrs = ctx.getAttributes(userName, attributeNames);
  Any idea how to overcome this and where am I wrong?
  Thanks in advance,
  Regards.

  In this sentence:
  Attributes attrs = ctx.getAttributes(userName, attributeNames); // only asked for one attribute so only one should
  It seems Ok when I add "CN=Users,DC=filenetp8,DC=com" after userName, just as
  userName + ",CN=Users,DC=filenetp8,DC=com"
  But I still have some problem with it.
  Hope it will be useful for you.

• AD user script to populate the IPPHONE attribute with the last 4 digits of the Telephonenumber attribute

  Good Afternoon Scripting Guys. I have a script that I have been working with pretty much all day today and just cant quite get it to play nice. Our objective is to search AD for specific users (say filtering them out with a username that starts with a "T")
  and User account is "Enabled" then grab the last four digits of their phone number (phone number is set up as follows: (800) 123 456 ) then populate the IPPHONE attribute with the last four digits of their phone number. I have read a ton of online
  blogs with users successfully making this happen but it appears that they are all using Quest (as the commands are all Get-qaduser and Set-qaduser). I need something that runs strictly in native Active Directory Module PowerShell on a Windows Server 2008r2
  Domain Controller.  I am also trying to keep it as simple as possible by using a Get command, then piping a Set command.  I have saved the script into a .ps1 file with the logic as follows:
  $SelUsers = Get-ADUser -filter {(SamAccountName -like "t*")} -Properties ipphone,telephonenumber -searchbase "OU=Test Users,OU=Temporary Org,OU=Test_Domain Users,DC=mydomain,DC=com" | where {($_.enabled -eq $True)}
  foreach ($user in $SelUsers)
   {$user.ipphone = $user.telephonenumber(4,$User.telephonenumber.length-4)
   set-aduser -instance $user}
  What is happening is kind of funny, but aggravating at the same time.  When we run the script, it completes with no errors.  When I pull up the properties of a user in the OU, the IP Phone field is populated with the number 8.  If the User
  account did not have a telephone number, the IP Phone field is populated with a -4.  So, apparently, the script is somehow subtracting the "-4" from the number of all of the Telephone Number field's characters.  Basically 12-4 is 8. 
  If there is no telephone number, then 0-4 is -4.  I have run the Get-ADUser portion of the script independently so I know its getting the correct users.  I also know it is populating the IPPHONE attribute but not with the last 4 digits of the telephone
  number.  Can you guys help out and maybe get this to work correctly?  Also, can you add logic to it to the script to delete any value in the IPPHONE field first, then replace it with the last 4 digits of the telephone.
  Any help would be GREATLY appreciated!!!!!  Thanks Guys...
  Lee

  First thing I would do is modify your filtering. This will remove the unneeded piping to the Where-Object cmdlet and also allow us to only return users who already have something in the telephoneNumber field. It is possible this could return all of your
  users, but if you have service accounts, etc. that do not have a telephoneNumber then they will not be included in your results. It's just a little cleaner.
  $SelUsers = Get-ADUser -filter {(SamAccountName -like 't*' -and Enabled -eq $True -and TelephoneNumber -like '*')}
  I suspect you may have a made a mistake when you entered what your phone numbers looks like. I assume that you forgot a final digit. If this is correct, and you have a space in the phone number between the three digits and the final four then you can use
  the split method to grab the last four digits.
  Foreach ($User in $SelUsers) {
  $Number = $User.telephoneNumber.split(' ')[-1]
  Set-ADUser -Identity $User -Replace @{ipPhone=$Number}
  There's no reason to delete what's in the field first because that's part of what the -Replace parameter will do anyway. This should help get you started!

• So Can I determine the business partners linked to user based on the assigned role and org. structure?

  Hello, I am working on a SAP CRM 7 Sales implementation and we are implementing leads and opportunity scenarios. The current business organization model is that there multiple vertical and horizontal departments. This is typical matrix structure. This organization has done the segregation of its clients based on the verticals so every clients belongs to at least one or more Vertical department but Horizontal departments can contact all the clients. In the same way sales executives are also either belonging to one or more Verticals or Horizontal departments? Horizontal sales executive can create leads for any clients available in the system but a Vertical sales executive can only create lead only for the client belongs to his vertical and assigned to him. This can be achieved by creating organization structure and business partner relationship.
  Now the problem statement is that few sales executives need work for both some Verticals and Horizontals at the same time. But requirement is that they should be able to do the both roles with single user id but multiple roles. So when sales executive is creating leads his vertical department, he should only be able to select clients assigned to his Vertical only but when he is creating lead for Horizontal department, he should be able to select any clients.
  So Can I determine the business partners linked to user based on the assigned role and org. structure?
  Please let me know if this is not clear also  note we are only using CRM WebUI no SAP ePortal.
  Thanks a lot your help in advance.
  Regards
  Sudesh Sharma

  Thanks, Tahir
  my problem has solved
  Kind Regards,
  Faisal

• How to change the groupType attribute of a user group object?

  I'm trying to change the "groupType" attribute, of a user group object, from 'Distribution' to 'Security' (and the group scope is set to 'Global').
  The CAD bit mask value needed would be: 0x80000002 (Decimal -2147483646).
  How to change/modify the "groupType" attribute for this user group object?
  Thanks,
  UD

  Attribute attr= new BasicAttribute("groupType", "-2147483646");
  items[0]=new ModificationItem(DirContext.REPLACE_ATTRIBUTE, attr);
  ctx.modifyAttributes(dn, items);
  --does not work.
  javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 00002141: SvcErr: DSID-031A0B56, problem 5003 (WILL_NOT_PERFORM)
  Is it possible to modify it?
  Thanks,
  UD.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               

• Shared Calendars / Room Lists and automatically forcing them to users based on Security Group Membership

  Good morning all,
  I need some help achieving the following in our Exchange 2013 Environment.  First off, we have Exchange 2013, but all our clients have Outlook 2010.
  Here's what I would like to be able to do:
  1) create/manage public calendars / rooms in exchange 2013
  2) force these shared public calendars / rooms to users' calendars who are members of particular security groups
  3) give edit permissions / "booking" permissions for the shared calendars so select users are able to make changes to the shared calendars, as well as accept/deny requests to "book" shared room calendars
  Any one got any resources they can give to point me in the right direction?
  I have already created two mailbox room resources, and have them set up in a room list in AD.  But need to know the above as far as creating a shared calendar for events, and forcing these calendars / room lists out to users based on security group
  membership.
  I don't want my users to have to know how to add a shared calendar...that would be a nightmare explaining.  I just want it to show up.
  Any help on this is greatly appreciated, thank you!

  1) I recommend using Room Mailboxes for resource calendars because it just works better.
  2) This is a standard feature of a Room Mailbox.
  3) You're pretty specific here, but I think this is also more or less available with a Room Mailbox combined with folder rights.
  I don't know any way to just make them "show up".  You'll have to teach them.  Well written instructions can work wonders.
  Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

• Impact on roaming profile accounts if we Change User logon Name to Employee Number format in Active Directory for all User accounts

  I want to understand if we change User logon Name to Employee Number format in Active Directory for all User accounts, then what would be the impact on existing profile. Whether we need to change it manualy or it will connect to same profiles in terminal
  session.
  As i observed it create new profile after logon name changed to employee number where existing users profile settings get fails to load and prompt for new settings (such as outlook reconfiguration, share drive mapping etc.).
  Kindly let me know the proper process to overcome with this, how to connect same existing roaming profile with employee number format change.

  Hi,
  What if we change the user name of user account, will it have impact on roaming profiles.
  Yes, it will affect roaming profiles. Please rename the roaming profile folder as the new user account name, in addition, change the profile path in ADUC.
  Here is an related article below for you:
  How to Rename a Windows 7 User Account and Related Profile Folder
  http://social.technet.microsoft.com/wiki/contents/articles/19834.how-to-rename-a-windows-7-user-account-and-related-profile-folder.aspx
  Best Regards,
  Amy

• I am getting messages that I can't download and read .pdf files since I have the wrong Adobe reader. I know about their security disasters of course, but I downloaded the latest version of Adobe Reader from the Adobe web site and I have other ,pdf file re

  I am getting messages that I can't download and read .pdf files since I have the wrong Adobe reader. I know about their security disasters of course, but I downloaded the latest version of Adobe Reader from the Adobe web site and I have other ,pdf file readers as well, and for some reason they won't work either. I have 5 computers running top end processors and RAM. By this I mean I have one, this one which I am using that has an AMD Phenom Black 3.2 Quad-core with 8 GBs of Corsair top DDR2 RAM, my other two AMD have either an Athlon II triple core with 4 GBs of DDR2 Corsair RAM, one with the Phenom X4 965 3.4 GHz Quad-core with 8 GBs of their best DDR2 RAM, and two Intels with the i7 920 Processors using the triple channel 1366 socket processors and one with 8 GBs of low latency DDR3 RAM and the other with 4 GBs of the same RAM. I am getting the message on this one, which has a fresh install of XP Pro X64 operating system, as do the other 4 as well. I have run Avast Business Pro Anti-virus on this one, which I am getting the message on with a single result which I deleted, and also both Spybot Search and Destroy, which came back clean as well as Malwarebytes Antimalware, which got a lot of tracing cookies now removed, and SuperAntiSpware which also found a few cookies also now deleted. Can you tell me what I need to do to get these files to show as .pdf files rather than as a clean blank page. One other issue is that I wish to know how to turn off my downloads so they are saved and Mozilla will give me the option of returning them instead of me losing them all together as it does now. Thanks for your assistance. If there is another Adobe reader I should download and install, could you provide me with the link to it? I appreciate your assistance here
  == When I download and try to read a .pdf file and when I am asked to turn off all Firefox files and if I do, I lose them since I need to know how to save them without rebooting my computer.

  Brilliant! Problem solved! Thanks so much.

• How to populate the enddate after change in user status

  Hi,
  I have created an entity adapter to populate start date and end date.
  I have a scheduler that disables user accounts based on following two conditions:
  1. The system date and end date are same.
  2. There is a predefined difference in number of days between start date and end date.
  Now the requirement is that the end date has to be populated with a new value when the user is enabled.
  I have created a process task adapter that computes the new end date.I have created a new task in Xellerate user process and attached this adapter to new task.I have mapped the output of adapter to User definition-End date.This new task has been added as a dependent task in the enable user task.Also in the USR_PROCESS_TRIGGER i have added USR_END_DATE and have provided the adapter name in decode column.
  Now when i try to enable user,the account gets enabled but end date is not populated with new value.
  I am not getting any errors on the either.
  Please let me know if my approach is right.Please guide me.
  Thanks in advance.

  Hi,
  I created a trigger for USR_DISABLE insted of USR_END_DATE and added the process name for decode value in the lookup.When i do this the process to update the enddate is triggered while creating user also.Please find the stack trace :
  11:17:52,155 ERROR [SERVER] Class/Method: tcScheduleItem/checkMultiple Error : Invalid Duplicate in
  ScheduleItem.There are other instances of this milestone in this ORC.
  11:17:52,186 ERROR [ACCOUNTMANAGEMENT] Class/Method: tcUserOperationsBean/enableUser encounter some
  problems: maoRejections:Duplicate schedule item for a task that does not allow multiples.
  11:17:52,186 ERROR [WEBAPP] Class/Method: tcManageUserAction/enableUser encounter some problems: Dup
  licate schedule item for a task that does not allow multiples.
  Thor.API.Exceptions.tcAPIException: Duplicate schedule item for a task that does not allow multiples
  at com.thortech.xl.ejb.beansimpl.tcUserOperationsBean.enableUser(Unknown Source)
  at com.thortech.xl.ejb.beans.tcUserOperationsSession.enableUser(Unknown Source)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  at java.lang.reflect.Method.invoke(Method.java:597)
  at org.jboss.invocation.Invocation.performCall(Invocation.java:359)
  at org.jboss.ejb.StatelessSessionContainer$ContainerInterceptor.invoke(StatelessSessionConta
  iner.java:237)
  at org.jboss.resource.connectionmanager.CachedConnectionInterceptor.invoke(CachedConnectionI
  nterceptor.java:158)
  at org.jboss.ejb.plugins.StatelessSessionInstanceInterceptor.invoke(StatelessSessionInstance
  Interceptor.java:169)
  at org.jboss.ejb.plugins.CallValidationInterceptor.invoke(CallValidationInterceptor.java:63)
  at org.jboss.ejb.plugins.AbstractTxInterceptor.invokeNext(AbstractTxInterceptor.java:121)
  at org.jboss.ejb.plugins.TxInterceptorCMT.runWithTransactions(TxInterceptorCMT.java:350)
  at org.jboss.ejb.plugins.TxInterceptorCMT.invoke(TxInterceptorCMT.java:181)
  at org.jboss.ejb.plugins.SecurityInterceptor.invoke(SecurityInterceptor.java:168)
  at org.jboss.ejb.plugins.LogInterceptor.invoke(LogInterceptor.java:205)
  at org.jboss.ejb.plugins.ProxyFactoryFinderInterceptor.invoke(ProxyFactoryFinderInterceptor.
  java:138)
  at org.jboss.ejb.SessionContainer.internalInvoke(SessionContainer.java:648)
  at org.jboss.ejb.Container.invoke(Container.java:960)
  at sun.reflect.GeneratedMethodAccessor132.invoke(Unknown Source)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  at java.lang.reflect.Method.invoke(Method.java:597)
  at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:155)
  at org.jboss.mx.server.Invocation.dispatch(Invocation.java:94)
  at org.jboss.mx.server.Invocation.invoke(Invocation.java:86)
  at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:264)
  at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:659)
  at org.jboss.invocation.local.LocalInvoker$MBeanServerAction.invoke(LocalInvoker.java:169)
  at org.jboss.invocation.local.LocalInvoker.invoke(LocalInvoker.java:118)
  at org.jboss.invocation.InvokerInterceptor.invokeLocal(InvokerInterceptor.java:209)
  at org.jboss.invocation.InvokerInterceptor.invoke(InvokerInterceptor.java:195)
  at org.jboss.proxy.TransactionInterceptor.invoke(TransactionInterceptor.java:61)
  at org.jboss.proxy.SecurityInterceptor.invoke(SecurityInterceptor.java:70)
  at org.jboss.proxy.ejb.StatelessSessionInterceptor.invoke(StatelessSessionInterceptor.java:1
  12)
  at org.jboss.proxy.ClientContainer.invoke(ClientContainer.java:100)
  at $Proxy734.enableUser(Unknown Source)
  at Thor.API.Operations.tcUserOperationsClient.enableUser(Unknown Source)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  at java.lang.reflect.Method.invoke(Method.java:597)
  at Thor.API.Base.SecurityInvocationHandler$1.run(Unknown Source)
  at Thor.API.Security.LoginHandler.jbossLoginSession.runAs(Unknown Source)
  at Thor.API.Base.SecurityInvocationHandler.invoke(Unknown Source)
  at $Proxy786.enableUser(Unknown Source)
  at com.thortech.xl.webclient.actions.tcManageUserAction.enableUser(Unknown Source)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  at java.lang.reflect.Method.invoke(Method.java:597)
  at org.apache.struts.actions.DispatchAction.dispatchMethod(DispatchAction.java:280)
  at com.thortech.xl.webclient.actions.tcLookupDispatchAction.execute(Unknown Source)
  at com.thortech.xl.webclient.actions.tcActionBase.execute(Unknown Source)
  at com.thortech.xl.webclient.actions.tcAction.execute(Unknown Source)
  at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:484)
  at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:274)
  at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1482)
  at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:525)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.j
  ava:290)
  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
  at com.thortech.xl.webclient.security.SecurityFilter.doFilter(Unknown Source)
  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.j
  ava:235)
  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
  at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.j
  ava:235)
  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
  at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
  at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
  at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.ja
  va:182)
  at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
  at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
  at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
  at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:
  157)
  at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
  at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
  at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
  at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.ja
  va:583)
  at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
  at java.lang.Thread.run(Thread.java:619)
  Also tried with USR_STATUS.But this dosen't work.
  On the GUI i get the following message :
  DOBJ.SCHTM_INVALID_DUP
  Duplicate schedule item for a task that does not allow multiples.
  Please help.

• Setting the logonHours attribute for a user in Active Directory

  Hi Anyone,
  I'm a brasilian guy and I need your help. How can I set the logonHours attribute on my Active Directory?
  I have this code but it doesn't works good:
      public void setLogonHours(boolean[] logonHoursBits){
          int i;
          int j;
          int k;
          int index21 = 0;
          int index24 = 0;
          byte[] byteLogonHour = new byte[21];
          byte byte8Hours = 0;
          for(i=0; i <= 6; i++){
              for(j=1; j <= 3; j++){
                  for(k=7; k >= 0; k--){
                      if (i < 6){
                          if (logonHoursBits[i] == (boolean)(index24 == 0) ? true : false){
                              byte8Hours += (byte)Math.pow(2,k);
                      else{
                          if (logonHoursBits[0] == (boolean)(index24 == 0) ? true : false){                           
                              byte8Hours += (byte)Math.pow(2,k);
                      index24++;
                  byteLogonHour[index21] = byte8Hours;
                  index21++;
              index24 = 0;
          try{
              String nome = "CN=Dryelle,OU=Pesquisa,DC=cifya,DC=com,DC=br";
              ctx = new InitialLdapContext(env,null);
              ModificationItem logonHours[] = new ModificationItem[1];
              logonHours[0]= new ModificationItem(DirContext.REPLACE_ATTRIBUTE, new BasicAttribute("logonHours",byteLogonHour));
              ctx.modifyAttributes(name,logonHours);
              System.out.println("Atributo logonHours alterado com sucesso.");
          catch (NamingException e) {
             System.err.println("Problema na altera??o " + e);
      }the code set the attribute but wrong. Can anyone help-me? It's making me crazy.
  Sorry about my poor english.
  Tks.
  Edited by: th_slopes on Aug 15, 2008 5:50 PM

  DirContext ctx = new InitialDirContext(pr);
            BasicAttributes entry = new BasicAttributes(true);
            String entryDN = "cn=CharbelHad,ou=test users,dc=test,dc=dev";
            Attribute cn = new BasicAttribute("cn", "ChHad");
            Attribute street = (new BasicAttribute("streetAddress", "Ach"));
            Attribute loginPreW2k = (new BasicAttribute("sAMAccountName", "[email protected]"));
            Attribute login = (new BasicAttribute("userPrincipalName", "[email protected]"));
            Attribute sn = (new BasicAttribute("sn", "Chl"));
            Attribute pwd = new BasicAttribute("unicodePwd", "\"Ch@341\"".getBytes("UTF-8"));
  Attribute userAccountControl = new BasicAttribute("userAccountControl", "512");
            Attribute oc = new BasicAttribute("objectClass");
            oc.add("top");
            oc.add("person");
            oc.add("organizationalPerson");
            oc.add("user");
            // build the entry
            entry.put(cn);
            entry.put(street);
            entry.put(sn);
            entry.put(userAccountControl);
            entry.put(pwd);
            entry.put(login);
            entry.put(loginPreW2k);
            entry.put(oc);
            ctx.createSubcontext(entryDN, entry);

• Setting Application Context Attributes for Enterprise Users Based on Roles

  Hello,
  We have an Oracle 11g database with a table containing data from multiple sites (a SiteID field identifies the site for a record). Since application users can have access to different subsets of sites, we would like to use Oracle's Virtual Private Database feature to enforce row-level security on the table.
  I did a successful proof-of-concept with database users. I created a role for each site (example: USER_SITE_A, USER_SITE_B, ...), and then assigned the appropriate site roles to each database user. I then created a package (run via a logon trigger) which set application context attributes for each site. If the current database user has been assigned a role for a given site, then the corresponding attribute named "SITE_PRIVILEGE_SiteID" is set to 'Y'... otherwise, it is set to 'N'. Here is the code which worked to set application context attributes for database users:
  -- For each record in my RoleSitePrivileges table, set
  --   an attribute named 'SITE_PRIVILEGE_<SiteID>'.
  --   If the current user has been assigned a role matching
  --   the value in the 'RoleName' field, set the corresponding
  --   attribute to 'Y'... otherwise, set it to 'N'.
  FOR iPrivRec IN (SELECT RoleName, SiteID
                     FROM RoleSitePrivileges
                     ORDER BY SiteID)
     LOOP
        SELECT COUNT(*)
          INTO roleExists
          FROM dba_role_privs
          WHERE granted_role = UPPER(iPrivRec.RoleName)
            AND grantee = USER;
        IF roleExists > 0 THEN
           DBMS_SESSION.set_context(
                       namespace   => 'my_ctx',
                       attribute   => 'SITE_PRIVILEGE_' || iPrivRec.SiteID,
                       value       => 'Y');
        ELSE
           DBMS_SESSION.set_context(
                       namespace   => 'my_ctx',
                       attribute   => 'SITE_PRIVILEGE_' || iPrivRec.SiteID,
                       value       => 'N');
        END IF;
     END LOOP;To finish things off, I created a security policy function for the table which returns the following:
  RETURN 'SiteID IN (SELECT TO_NUMBER(SUBSTR(attribute, 15))
                       FROM session_context
                       WHERE attribute LIKE ''SITE_PRIVILEGE_%''
                          AND value = ''Y'')';This setup worked great for database users. I am now working to do a comparable proof-of-concept for enterprise users created in Oracle Internet Directory (OiD). I have Enterprise User Security (EUS) up and running with OiD, global roles created in the database, enterprise roles defined in EUS with global role assignments, and enterprise roles assigned to OiD users. The enterprise users are able to successfully login to the database, and I can see the appropriate global role assignments when I query the session_roles view.
  I tried using the same application context package, logon trigger, and security policy function with the enterprise users that I had used with the database users. Unfortunately, I found that the application context attributes are not being set correctly. As you can see from the code above, the applicaiton context package was referencing the dba_role_privs view. Apparently, although this view is populated for database users, it is not populated for enterprise users.
  I tried changing the application context package to use invoker's rights and to query the session_roles view instead of the dba_role_privs view. Although this package sets the attributes correctly when called manually, it does not work when called from the logon trigger. That was an oops on my part, as I didn't realize initially that a PL/SQL procedure cannot be called with invoker's rights from a trigger.
  So, I am now wondering, is there another view that I could use in code called from a logon trigger to access the roles assigned to the enterprise user ? If not, is there a better way for me to approach this problem? From a maintenance standpoint, I like the idea of controlling site access from the LDAP directory service via role assignments. But, I am open to other ideas as well.
  Thank you!

  Hello,
  We have an Oracle 11g database with a table containing data from multiple sites (a SiteID field identifies the site for a record). Since application users can have access to different subsets of sites, we would like to use Oracle's Virtual Private Database feature to enforce row-level security on the table.
  I did a successful proof-of-concept with database users. I created a role for each site (example: USER_SITE_A, USER_SITE_B, ...), and then assigned the appropriate site roles to each database user. I then created a package (run via a logon trigger) which set application context attributes for each site. If the current database user has been assigned a role for a given site, then the corresponding attribute named "SITE_PRIVILEGE_SiteID" is set to 'Y'... otherwise, it is set to 'N'. Here is the code which worked to set application context attributes for database users:
  -- For each record in my RoleSitePrivileges table, set
  --   an attribute named 'SITE_PRIVILEGE_<SiteID>'.
  --   If the current user has been assigned a role matching
  --   the value in the 'RoleName' field, set the corresponding
  --   attribute to 'Y'... otherwise, set it to 'N'.
  FOR iPrivRec IN (SELECT RoleName, SiteID
                     FROM RoleSitePrivileges
                     ORDER BY SiteID)
     LOOP
        SELECT COUNT(*)
          INTO roleExists
          FROM dba_role_privs
          WHERE granted_role = UPPER(iPrivRec.RoleName)
            AND grantee = USER;
        IF roleExists > 0 THEN
           DBMS_SESSION.set_context(
                       namespace   => 'my_ctx',
                       attribute   => 'SITE_PRIVILEGE_' || iPrivRec.SiteID,
                       value       => 'Y');
        ELSE
           DBMS_SESSION.set_context(
                       namespace   => 'my_ctx',
                       attribute   => 'SITE_PRIVILEGE_' || iPrivRec.SiteID,
                       value       => 'N');
        END IF;
     END LOOP;To finish things off, I created a security policy function for the table which returns the following:
  RETURN 'SiteID IN (SELECT TO_NUMBER(SUBSTR(attribute, 15))
                       FROM session_context
                       WHERE attribute LIKE ''SITE_PRIVILEGE_%''
                          AND value = ''Y'')';This setup worked great for database users. I am now working to do a comparable proof-of-concept for enterprise users created in Oracle Internet Directory (OiD). I have Enterprise User Security (EUS) up and running with OiD, global roles created in the database, enterprise roles defined in EUS with global role assignments, and enterprise roles assigned to OiD users. The enterprise users are able to successfully login to the database, and I can see the appropriate global role assignments when I query the session_roles view.
  I tried using the same application context package, logon trigger, and security policy function with the enterprise users that I had used with the database users. Unfortunately, I found that the application context attributes are not being set correctly. As you can see from the code above, the applicaiton context package was referencing the dba_role_privs view. Apparently, although this view is populated for database users, it is not populated for enterprise users.
  I tried changing the application context package to use invoker's rights and to query the session_roles view instead of the dba_role_privs view. Although this package sets the attributes correctly when called manually, it does not work when called from the logon trigger. That was an oops on my part, as I didn't realize initially that a PL/SQL procedure cannot be called with invoker's rights from a trigger.
  So, I am now wondering, is there another view that I could use in code called from a logon trigger to access the roles assigned to the enterprise user ? If not, is there a better way for me to approach this problem? From a maintenance standpoint, I like the idea of controlling site access from the LDAP directory service via role assignments. But, I am open to other ideas as well.
  Thank you!

• How to create User in the specific group in Microsoft Active Directory

  Hi,
  I am using Nestcape LDAP, and want to create user in the user defined group. I have created a new user group "TestUsers" in the "Users" container of Active Directory, I want to add the new user to Test Users group But my problem is that whenever I create a new user
  it get added to Domain Users group.
  I tried adding memberOf attribute with value "TestUsers"
  attr = new LDAPAttribute("memberOf", "TestUsers");          
  attrs.add(attr);
  It gives me following error :
  code= 53 Exception 0000209A: SvcErr: DSID-031A0D6F, problem 5003 (WILL_NOT_PERFORM), data 0
  Following is the code I am using.
  public LDAPResult createUserID(
  String userId,
  String pwd,
  String pId,
  boolean resetonLogOn,
  LDAPConnection ldCon) {
  boolean flag = false;
  int code=0;
  try {
  String pwdLastSetVal;
  String desName;
  String desc;
  /* Specify the DN of the new entry. */
  String dn =
  "CN=" + userId + ",CN=" + this.container + "," + this.baseDN; // container = "Users"
  /* Create and add attributes to the attribute set. */
  String objectclass_values[] =
  { "top", "person", "organizationalPerson", "user" };
  // LDAPEntry findEntry=null;
  /* Create a new attribute set for the entry. */
  LDAPAttributeSet attrs = new LDAPAttributeSet();
  /* Attribute sAMAccountName */
  LDAPAttribute attr = new LDAPAttribute(LDAP_SAM_KEY, userId);
  attrs.add(attr);
  /* Attribute unicodePwd */ // LDAP_PASSWORD_KEY = "unicodePwd"
  attr =
  new LDAPAttribute(
  LDAP_PASSWORD_KEY,
  (byte[]) this.encodePassword(pwd));
  attrs.add(attr);
  /* Attribute Display Name */
  desName = userId + ":" + pId;
  //desName = userId ;
  attr = new LDAPAttribute(LDAP_DIS_NAME_KEY, desName);
  attrs.add(attr);
  /** Attribute userAccountControl to enable the userid.
  attr = new LDAPAttribute(LDAP_ACCOUNT_KEY, LDAP_ACCOUNT_EN_VAL); // LDAP_ACCOUNT_EN_VAL= "548"
  attrs.add(attr);
  /* Attribute pwdLastSet to reset the password on first logon*/
  if (resetonLogOn == true) {
  pwdLastSetVal = "0";
  } else {
  pwdLastSetVal = "-1";
  attr = new LDAPAttribute(LDAP_RESET_KEY, pwdLastSetVal);
  attrs.add(attr);
  /* Attribute Description */
  desc = " Account Created by HelpNow App";
  attr = new LDAPAttribute(LDAP_DESC_KEY, desc);
  attrs.add(attr);
  /* Attribute objectclass */
  attr = new LDAPAttribute("objectclass", objectclass_values);
  attrs.add(attr);
  attr = new LDAPAttribute("memberOf", "TestUsers");          
  attrs.add(attr);
  /* Create an entry with this DN and these attributes . */
  LDAPEntry myEntry = new LDAPEntry(dn, attrs);
  /* Add the entry to the directory. */
  ldCon.add(myEntry);
  flag = true;
  }catch (LDAPException e) {
  flag = false;
  code=e.getLDAPResultCode();
  }catch (Exception e) {
  flag = false;
  code=LDAPException.OTHER;
  }finally {
  ldaprs.flag=flag;
  ldaprs.code=code;
  return ldaprs;
  }

  Refer to the post titled "JNDI, Active Directory and Group Memberships" available at http://forum.java.sun.com/thread.jspa?threadID=581444&tstart=150

• Wants delete user based on their last login details...

  Hi All,
  I have one question regarding oracle database user management. I have approx 300 users in my each Database and I know many of them are not actively used. I want to generate users report based on their last login information. I want to fetch list of users who is not logged in database since last 4 months and are eligible for delete operation.  Please guide me how to find this details.
  Thanks in advance...

  user12115, but really even if the logon time was not present and you only had the logoff time you know when the customer last used the system and relistically you could work with that.  Rather than audit user session connection due to the large number of connections/disconnects we have per day we created a database logon event trigger that updates an IOT for the username, logon_date of the OS user connecting.  If no row is updated we insert the username.
  Also keep in mind that many web based applications connect to the Oracle rdbms using an application username as not as the real end user.  In such a case auditing will not catch the real end user nor will the logon trigger unless the application uses dbms_application_info to post the real end username to Oracle.  If this is not true in your shop today it might be tomorrow so keep this potential issue in mind.
  HTH -- Mark D Powell -- 

• Users assigned directly to a SharePoint group can access a site if a user is in a security group that is a member of the SharePoint group, it doesn't work

  I recently installed SharePoint 2013 SP1 and thus far all seems to be going well. I do have one issue concerning permissions to a team site I have created:
  1. If  add a user User1 only to a SharePoint group that has edit permissions to the site, that user can log in successfully.
  2. If  add a user User1 only to a security group that is a member of the aforementioned SharePoint group, the  user gets "the site has not been shared with you. The security group is a global SG, though I tried changing it to universal 
  but that did not help
   I have tried updating the SPSecurityTokenServiceConfig  as briefly described at this link:
  http://macaalay.com/2014/05/27/active-directory-groups-and-access-denied-in-sharepoint-2013/.  I performed the steps and it did not work. I also
  tried rebooting the server after that, and that did not work either.  any thoughts?
  Thanks in advance for your help

  Hi,
  I tested the issue on SharePoint server 2013 without sp installed. It worked and I used global security group. I will test the issue on SharePoint 2013 sp1 later, and please provide more information to narrow down the issue.
  Please go to site settings > site permissions > check permission, type in domain\user1, and post the result here.
  If the user has been granted permission, please try logging on another machine to test if Windows credential casues the issue.
  Did the issue occur to one site collection? Please test on other sites or web applications?
  Please create new user to test the issue again.
  Regards,
  Rebecca Tu
  TechNet Community Support

• Disable the link respective of my users role in ADF Security

  Hi,
  Am using jdeveloper 11.1.1.6.0.,
  In my jspx page i have two links like Employees and Departments. The Departments button should be enabled only to the Managers role.
  I have also implemented ADF Security in my project.
  Regards,
  Prasad K T,

  Hi,
  Check out this blog : ADF Code Bits: Bit #17 - Using the securityContext bean in a JSF page
  -Arun