RAC and Directory Objects

Dictionary objects (for bfile, external tables, etc) are stored in file system. In RAC, must all these filesystems be available to the same mount point in every node? And is there any requirement on the filesystem to store the files (e.g., ocfs / nfs / smb / ext2)?
This seems obvious but I want to see whether there is any standard solution or 'best practice'.
Thanks very much.

But I think ASM only support Oracle files. Then files used by external tables and bfiles (i.e., normal text or binary files) cannot be upload to ASM...
Therefore, if seems even if ASM is utilized, one more sharable storage strategy (nfs, ocfs, etc) is needed for bfiles / ext tables, etc.

Similar Messages

BFILENAME and Directory object

Hi, I have a question about BFILENAME function. I can't find any other multimedia related topic so I decide to post it here, please help if you know the answer.
I have following procedure:
PROCEDURE test
(name IN varchar2:= 'a.jpg' )
IS
v_pix_source BFILE;
BEGIN
v_pix_source := BFILENAME('C_TEMP', name);
IF DBMS_LOB.FILEEXISTS(v_pix_source) = 1
THEN
DBMS_OUTPUT.PUT_LINE('EXIST');
ELSE
DBMS_OUTPUT.PUT_LINE('NOT EXIST');
END IF;
END test;
C_TEMP IS A DIRECTORY object WITH PATH 'c:\temp\' .
I keep getting 'NOT EXIST' when I call this procedure while the jpg file is there. I have tried 'c:\temp' too but it didn't work either.
But this does work:
INSERT INTO lob_table
VALUES(1, bfilename('c:\temp\','a.jpg'));
So it seems that the directory object is giving me trouble. This has nothing to do with privileges because I am using a DBA account to run the procedure.
Any help will be appreciated!
null

I don't know if a DBA account has the read directory privilege for directories that he didn't create. Try grnting the read directory privilege to the user.
SQL> grant read on directory C_TEMP to my_user;
null

Transporting Integration Directory objects between N and N+1 landscapes

I have a question regarding the transport of Integration Directory objects.
We are implementing N+1 PI 7.3 (java only) Development and QA systems. The N+1 PI systems are a copy of the Production Support (N) PI Development and QA systems. As part of the N+1 build we will also configure the business systems in the SLD for this landscape. Is it possible to transport objects from the "N" landscape into the "N+1" landscape? These changes would only be new objects that would not overwrite anything in N+1. For anything that is also being changed in N+1 we would perform manually. Is there anything special needed when setting up the business system in the SLD for this scenario?
Thanks!

Thanks Barry
That menu option is available to me too but there is no option to use CTS+ in the pull down list.
I can't visit imageshack from work so I can't see your screenshot but I'd bet you have the option to export using "Open CTS+ Organizer" on the first menu too - I don't.
I've obviously got some config missing but, given I can transport ESR and SLD objects, I'm struggling to know what.
Edited by: Murray Nicholas on Sep 3, 2010 12:39 PM

Oracle DIRECTORY object and subdirectories

As you know, in 9i the use of the UTL_FILE_DIR is being deprecated in favour of Oracle DIRECTORY objects. This is fine for security reasons and administration but there seems to be a problem with subdirectories.
The situation: we are generating literally millions of files using UTL_FILE. These files are going to be stored in one of forty thousand directories (the precise directory is derived from parsing the file's key ID).
In the old days access could be granted simply by setting the UTL_FILE_DIR parameter to /<root>/dir/*
As far as I can see, the Oracle DIRECTORY does not support subdirectories. Is there any way of avoiding the creation of forty thousand CREATE DIRECTORY statements and a concommitant number of GRANT statements?
Oracle 9.2, any suggestions gratefully received.
Cheers, APC

Just curious Andrew-- are there things in the UTL_FILE package that you don't find implemented better in Java's I/O classes? I wouldn't claim to be the world's leading expert on Java I/O, so I won't comment on the specifics of this. Generally I think using Java to re-write a piece of existing native functionality is a hard one to sell:
(1) Java tends to run slower than native code
(2) It's a chunk of work, and my PM is already breathing down my neck.
However, I might do this as a hobby project. If I do, I'll let you know how it turns out :)
Cheers, APC

File (Directory) object problem?

Hi there. My problem is as follows. The method below is supposed to access an pre-existing directory with five previously saved test files, read in those files as account objects, add the objects to an ArrayList, then return the ArrayList. It seems to be able to create a file object representing the directory alright but it then insists that there are no files in the directory! Have I fouled up or is there some subtlety that I'm unware of? I was wondering if the fact that the account files have a .bac extenstion had something to do with it.
Here's the method, with the two lines of code where I think the problem might lie in bold print:
public ArrayList retrieveAccounts()throws IOException{
ArrayList accounts = new ArrayList();
File accDir = new File("C:" + File.separator + "accounts"); //creates a directory object
//The following S.o.p statements are for test and maintenance purposes rather than user feedback
System.out.println("Directory " + accDir.getCanonicalPath() + " opened");
System.out.println("Confirm Accounts directory exists: " + accDir.exists());
System.out.println("Directory: " + accDir.isDirectory());
String [] accFiles = accDir.list(); //gets a list of files in the directory and saves it as a String array
System.out.println("Number of files in directory: " + accDir.length());
while(i < accDir.length()){
filename = accFiles;
try{
//open layered input Streams to access the next account file in line
ObjectInputStream in = new ObjectInputStream(new FileInputStream("C:"+ File.separator + "accounts" + File.separator + filename));
account = (Account)in.readObject();
accounts.add(account);
in.close(); //closes Streams for that particular file
}catch(IOException e){System.out.println("Filing error as follows: " + e);
}catch(ClassNotFoundException e){System.out.println("Class not Found. Details: " + e); }
filename = null; //frees up reference for next file
i++;//counter increments by one
return accounts;

This is what I was trying to do minus the comments and maintence and test code:
public ArrayList retrieveAccounts()throws IOException{
ArrayList accounts = new ArrayList();
File accDir = new File("C:" + File.separator + "accounts");
String [] accFiles = accDir.list();
while(i < accDir.length()){
filename = accFiles;
try{
ObjectInputStream in = new ObjectInputStream(new FileInputStream("C:"+ File.separator + "accounts" + File.separator + filename));
account = (Account)in.readObject();
accounts.add(account);
in.close();
}catch(IOException e){System.out.println("Filing error as follows: " + e);
}catch(ClassNotFoundException e){System.out.println("Class not Found. Details: " + e); }
filename = null;
i++;
return accounts;
By the way, your the first Java programmer that I've met that doesn't like comments! :)
NOTE: Think I may have spotted where I went wrong in my code.
filename = accFiles;
Forgot to point it at the specific element of the array, like so:
filename = accFiles[i];
Thanks for your help!

Cretaion of UTL.File in Oracle 10G and directory entry in Ora.ini file

Hi,
Kindly advise me if:
(!) we can create a directory and log file in this directory on some other server instead of creating it in the file system of the server where the Oracle 10G database is residing?
Created directory in Oracle using create or replace directory command.
My package will be creating a log file using UTL.File in the above directory.
I want to create this directory on some other server to save my log file/s. Is this possible?
(2) Also, let me know in Oracle 10G, do we need to add the directory entry (mention above in #1) in the Ora.ini file on the Oracle 10G server?

Hi,
1) utl_dir are different from directory object
2) you cannot create directory on remote server and there is no need to write directory entry on oracle init file (not ini..)
Acr

How to add buisness system in Integration directory -objects

Hi All,
I created the technical systems and buisness systems. then in the integration directory, i want to check whether my business system exixts are not.
so in the integration directory,
objects--->service without party >buisness system>
in the buisness system , whatever buisness system i created the is not found.
how to add buisness system into integration directory -- objects.
Regards,
vinoth.

Hi,
go to integration directory,
objects--->service without party >buisness system>
select the BS -> Right click the BS -> it show the number of BS select your business system and assign them next save.
If the your business system if it's not appear go to Environment menu -> Clear SLD Data cahce.
and do the same process again..
Regards,
Venu.

NMAS and ConsoleOne Objects

I'm having a bit of a problem with ConsoleOne snapins and RADIUS objects.
The Radius DAS object appears as unknown on all my systems running
ConsoleOne 1.3.6d. I have one system running v1.3.6 and the radius objects
appear fine. All consoleone installations have the same NMAS snapins
loaded (from the iChain CD). I recall having to copy radius.atr to the
consoleone/bin directory to get it working the first time but this doesn't
seem to do the trick on these other workstations.
Also, almost out of the blue, I don't see the my new (RSA) login process
listed under the login methods of the user object properties anymore. I'm
not sure what has changed as it's only been about two weeks since I've been
out to this site. It still works for the users that I previously setup but
I can't configure new users.
Does anyone have any thoughts?

I got the RSA login method to appear again. I had to reinstall the RSA
NMAS snapin that I downloaded from RSA. Something must have gotten corrupt.
However, I still can't see the properties of the Radius objects in
ConsoleOne. The only thing I can find is a potentially bad radius.atr
file. I've copied this file from a working system to the other systems but
its still missing something. Snap-ins are sooo much fun.
> I'm having a bit of a problem with ConsoleOne snapins and RADIUS objects.
> The Radius DAS object appears as unknown on all my systems running
> ConsoleOne 1.3.6d. I have one system running v1.3.6 and the radius objects
> appear fine. All consoleone installations have the same NMAS snapins
> loaded (from the iChain CD). I recall having to copy radius.atr to the
> consoleone/bin directory to get it working the first time but this doesn't
> seem to do the trick on these other workstations.
>
> Also, almost out of the blue, I don't see the my new (RSA) login process
> listed under the login methods of the user object properties anymore. I'm
> not sure what has changed as it's only been about two weeks since I've been
> out to this site. It still works for the users that I previously setup but
> I can't configure new users.
>
> Does anyone have any thoughts?

PowerShell script : Directory object not found error in Get-ADGroupMember

I am new in powershell scripting. I am writing a script to add users in different AD Groups. while doing so I do the following:
Check if the user already exist in the group:
$mbr_exist = Get-ADGroupMember $grpname | Where-Object {$_.SamAccountName -eq $sam}
If user does not exist then add the user to the group.
When I manually run the script its runs flawless, without any errors. But when I schedule the script to run it gives an error as follows:
3/30/2015 8:32:15 AM Directory object not foundAt + $mbr_exist = Get-ADGroupMember $grpname | Where-Object {$_.SamAc ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~ Error at Line:$mbr_exist = Get-ADGroupMember
$grpname | Where-Object {$_.SamAccountName -eq $sam}
The strange thing is the user for which it throws the error is present in the group.I am not sure why this error is occurring when scheduled. Can any one please help? All the suggestions will be appreciated
Note: (The script is scheduled using Windows Task Scheduler)
try
# # Initialize the variables we will use
$status = 'false'
$drivename = "H:"
$sysdate = Get-Date -UFormat "%m_%d_%Y"
$foldername = $drivename + "\Script_Result\PowershellData"+ $sysdate
$backup_folder = "$foldername\AD_Groups_Backup"
$updatedGroup = "$foldername\Updated_AD_Groups_LogFiles"
$LogFilePath = "$foldername\Log_Update_ADGroups"+$sysdate+".log"
# # Initialize the arrays we will use
$GroupArray = @()
# # maintain log of program startup
$logdate = get-date
$logdate.ToString() + "`tStarted script to Update AD user Groups..." | Out-File -FilePath $LogFilePath
# # Create a sub folder to store the backup files
$fileexist = Test-Path $backup_folder -PathType Container
if($fileexist -ne 'False')
New-Item -ItemType Directory $backup_folder
# # Create a sub folder to store Updated AD group Log files
$fileexist = Test-Path $updatedGroup -PathType Container
if($fileexist -ne 'False')
New-Item -ItemType Directory $updatedGroup
# # Take back up of the AD groups data
Get-ADGroupMember -Identity "Group1" | Export-csv "$backup_folder\Group1_BackUP$sysdate.csv"
Get-ADGroupMember -Identity "Group2" | Export-csv "$backup_folder\Group1_BackUP$sysdate.csv"
Get-ADGroupMember -Identity "Group3" | Export-csv "$backup_folder\Group1_BackUP$sysdate.csv"
Get-ADGroupMember -Identity "Group4" | Export-csv "$backup_folder\Group1_BackUP$sysdate.csv"
(an so on..... 11 such groups )
# # Fetch AD Users data
$ADusers = Get-ADUser -filter {(EmployeeNumber -gt 1) -and (EmployeeNumber -ne "N/A") -and (Enabled -eq $true)} -Properties * | Sort-Object -Property EmployeeNumber
$ADusers.Count
foreach($u in $ADusers)
$sam = $u.SamAccountName
$empnum = $u.EmployeeNumber
$mgr = $u.mgr
$fsal = $u.'fsalary-Hourly'
$comp = $u.Company
$ofc = $u.Office
Write-Host "$sam : $empnum : $mgr :$fsal : $comp : $ofc" -ForegroundColor Yellow
$GroupArray = @()
# # Check if the user fits in any of the 11 scenarios
if($comp -eq "US")
# scenario 7
write-host "7. Add to US Employees"
$GroupArray += "US Employees"
if($mgr -eq "Y")
Write-Host "1. ADD to US MAnagers"
$group = "US Managers"
$GroupArray += $group
if(($fsal -eq "Hourly") -and ($ofc -ne "Canton"))
Write-Host "3. Add to US Hourly (excluding Canton)"
$group = "US Hourly (excluding Canton)"
$GroupArray += $group
if(($fsal -eq "Hourly") -and ($ofc -eq "Canton"))
write-host "4. Add to US Canton Hourly"
$group = "US Canton Hourly"
$GroupArray += $group
if(($fsal -eq "Salaried") -and ($ofc -eq "Corporate" -or $ofc -eq "Landis Lakes 1" -or $ofc -eq "Landis Lakes 2"))
Write-Host "5. Add to US Salaried Corporate"
$group = "US Salaried Corporate"
$GroupArray += $group
if(($fsal -eq "Salaried") -and ($ofc -ne "Corporate" -and $ofc -ne "Landis Lakes 1" -and $ofc -ne "Landis Lakes 2"))
Write-Host "6. Add to US Salaried Plant"
$group = "US Salaried Plant"
$GroupArray +=$group
elseif($comp -eq "canada")
# scenario 9
write-host "9. Canada Employees"
$GroupArray += "Canada Employees"
if($mgr -eq "Y")
Write-Host "2. Add to Canada Managers"
$group = "Canada Managers"
$GroupArray += $group
if($fsal -eq "Hourly")
Write-Host "10. Add to Canada Hourly"
$group = "Canada Hourly"
$GroupArray += $group
if($fsal -eq "Salaried")
Write-Host "11. Add to Canada Salaried Plant"
$group = "Canada Salaried Plant"
$GroupArray += $group
elseif($ofc -eq "Corporate" -or $ofc -eq "Landis Lakes 1" -or $ofc -eq "Landis Lakes 2")
Write-Host "8. Add to Corporate Employees"
$GroupArray += "Corporate Employees"
write-host "Final Group List" -ForegroundColor Green
$grplen = $GroupArray.Length
#$GroupArray
$grplen
for($i= 0; $i -lt $grplen; $i++)
$grpname = $GroupArray[$i]
write-host "$sam will be added to Group : $grpname" -ForegroundColor Magenta
# # Check if the user is already present in the Group
$mbr_exist = Get-ADGroupMember $grpname | Where-Object {$_.SamAccountName -eq $sam}
if($mbr_exist -eq $null)
# #Add user to US Managers group
Add-ADGroupMember -Identity $grpname -Members $sam
Write-Host "1. User $sam is added to $grpname group" -ForegroundColor Green
# # documenting the user list that are added to this group
$grpmbr = New-Object PSObject
$grpmbr | Add-Member -MemberType NoteProperty -Name "EmployeeNumber" -Value $empnum
$grpmbr | Add-Member -MemberType NoteProperty -Name "SamAccountName" -Value $sam
$grpmbr | Add-Member -MemberType NoteProperty -Name "Name" -Value $u.Name
$grpmbr | Add-Member -MemberType NoteProperty -Name "DistinguishedName" -Value $u.DistinguishedName
$grpmbr | Add-Member -MemberType NoteProperty -Name "mgr" -Value $mgr
$grpmbr | Add-Member -MemberType NoteProperty -Name "Company" -Value $comp
$grpmbr | Add-Member -MemberType NoteProperty -Name "Salary/Hourly" -Value $fsal
$grpmbr | Add-Member -MemberType NoteProperty -Name "Office" -Value $ofc
$grpmbr | Add-Member -MemberType NoteProperty -Name "ADGroup" -Value $grpname
$grpmbr | Export-Csv "$updatedGroup\ADUsers_To_Group($grpname)_$sysdate.csv" -Append -NoTypeInformation
else
Write-Host "Member $sam already exist in $grpname group" -ForegroundColor Red
$logdate = get-date
$logdate.ToString() + "`tCompleted script to Update Update AD Groups..." | Out-File -FilePath $LogFilePath -Append
$status = 'true'
return $status
catch
$err_lineno = $error[0].InvocationInfo.ScriptLineNumber
$err_line = $error[0].InvocationInfo.Line
$ExceptionMessage = $_.Exception.Message
#$ExceptionMessage
$error_info = $error[0].ToString() + $error[0].InvocationInfo.PositionMessage
Write-Host "$error_info " -ForegroundColor Red
$FailedItem = $_.Exception.ItemName
if($ExceptionMessage)
$logdate.ToString() + "`t $error_info " | out-file "$foldername\ErrorLog_Update_AD_Groups$sysdate.log" -append
"Line Number: $err_lineno . `nError at Line: $err_line" | out-file "$foldername\ErrorLog_Update_AD_Groups$sysdate.log" -append
#Invoke-Item "C:\ErrorLog.log"
$status = 'false'
return $status

Hi mdkelly, Sorry for such a late reply (due to credential issues).
I am using Windows task scheduler to schedule the task. I am given the administrator access to the server (Windows Server 2012). So I think I set to run the script under system account.
My apologies for asking this, am I missing something while scheduling the script through task scheduler? how to check if the scheduled task is running under who's credentials? How to pass my (admin) credentials, so that the script execution won't face
a problem? Any suggestion on the above questions will be helpful. (I tried to search on net for the questions but didn't get any conclusive answers)
Thanks in advance.

[Forum FAQ] Using PowerShell to assign permissions on Active Directory objects

As we all know, the
ActiveDirectoryAccessRule class is used to represent an access control entry (ACE) in the discretionary access control list (DACL) of an Active Directory Domain Services object.
To set the permissions on Active Directory objects, the relevant classes and their enumerations are listed as below:
System.DirectoryServices.ActiveDirectoryAccessRule class:
http://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectoryaccessrule(v=vs.110).aspx
System.DirectoryServices.ActiveDirectoryRights
class:
http://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectoryrights(v=vs.110).aspx
System.Security.AccessControl.AccessControlType class:
http://msdn.microsoft.com/en-us/library/w4ds5h86(v=vs.110).aspx
System.DirectoryServices.ActiveDirectorySecurityInheritance class:
http://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectorysecurityinheritance(v=vs.110).aspx
In this article, we introduce three ways to get and set the ACE on an Active Directory object. In general,
we use Active Directory Service Interfaces (ADSI) or
Active Directory module cmdlets
with the Get-Acl and Set-Acl cmdlets to assign simple permissions on Active Directory objects. In addition, we can use the extended rights and GUID settings to execute
more complex permission settings.
Method 1: Using ADSI
1. Get current permissions of an organization unit (OU)
We can use the PowerShell script below to get current permissions of an organization unit and you just need to define the name of the OU.
$Name = "OU=xxx,DC=com"
$ADObject = [ADSI]"LDAP://$Name"
$aclObject = $ADObject.psbase.ObjectSecurity
$aclList = $aclObject.GetAccessRules($true,$true,[System.Security.Principal.SecurityIdentifier])
$output=@()
foreach($acl in $aclList)
$objSID = New-Object System.Security.Principal.SecurityIdentifier($acl.IdentityReference)
     $info = @{
'ActiveDirectoryRights' = $acl.ActiveDirectoryRights;
'InheritanceType' = $acl.InheritanceType;
'ObjectType' = $acl.ObjectType;
'InheritedObjectType' = $acl.InheritedObjectType;
'ObjectFlags' = $acl.ObjectFlags;
'AccessControlType' = $acl.AccessControlType;
'IdentityReference' = $acl.IdentityReference;
'NTAccount' = $objSID.Translate( [System.Security.Principal.NTAccount] );
'IsInherited' = $acl.IsInherited;
'InheritanceFlags' = $acl.InheritanceFlags;
'PropagationFlags' = $acl.PropagationFlags;
$obj = New-Object -TypeName PSObject -Property $info
$output+=$obj}
$output
In the figure below, you can see the results of running the script above:
Figure 1．
2. Assign a computer object with Full Control permission on an OU
We can use the script below to delegate Full Control permission to the computer objects within an OU:
$SysManObj = [ADSI]("LDAP://OU=test….,DC=com") #get the OU object
$computer = get-adcomputer "COMPUTERNAME" #get the computer object which will be assigned with Full Control permission within an OU
$sid = [System.Security.Principal.SecurityIdentifier] $computer.SID
$identity = [System.Security.Principal.IdentityReference] $SID
$adRights = [System.DirectoryServices.ActiveDirectoryRights] "GenericAll"
$type = [System.Security.AccessControl.AccessControlType] "Allow"
$inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All"
$ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity,$adRights,$type,$inheritanceType #set permission
$SysManObj.psbase.ObjectSecurity.AddAccessRule($ACE)
$SysManObj.psbase.commitchanges()
After running the script above, you can check the computer object in Active Directory Users and Computers (ADUC) and it is under the Security tab in OU Properties.
Method 2: Using Active Directory module with the Get-Acl and Set-Acl cmdlets
You can use the script below to get and assign Full Control permission to a computer object on an OU:
$acl = get-acl "ad:OU=xxx,DC=com"
$acl.access #to get access right of the OU
$computer = get-adcomputer "COMPUTERNAME"
$sid = [System.Security.Principal.SecurityIdentifier] $computer.SID
# Create a new access control entry to allow access to the OU
$identity = [System.Security.Principal.IdentityReference] $SID
$adRights = [System.DirectoryServices.ActiveDirectoryRights] "GenericAll"
$type = [System.Security.AccessControl.AccessControlType] "Allow"
$inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All"
$ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity,$adRights,$type,$inheritanceType
# Add the ACE to the ACL, then set the ACL to save the changes
$acl.AddAccessRule($ace)
Set-acl -aclobject $acl "ad:OU=xxx,DC=com"
Method 3: Using GUID setting
The scripts above can only help us to complete simple tasks, however, we may want to execute more complex permission settings. In this scenario, we can use GUID settings to achieve
that.
The specific ACEs allow an administrator to delegate Active Directory specific rights (i.e. extended rights) or read/write access to a property set (i.e. a named collection of attributes) by
setting ObjectType field in an object specific ACE to the
rightsGuid of the extended right or property set. The delegation can also be created to target child objects of a specific class by setting the
InheritedObjectType field to the schemaIDGuid of the class.
We choose to use this pattern: ActiveDirectoryAccessRule(IdentityReference, ActiveDirectoryRights, AccessControlType, Guid, ActiveDirectorySecurityInheritance, Guid)
You can use the script below to
assign the group object with the permission to change user password on all user objects within an OU.
$acl = get-acl "ad:OU=xxx,DC=com"
$group = Get-ADgroup xxx
$sid = new-object System.Security.Principal.SecurityIdentifier $group.SID
# The following object specific ACE is to grant Group permission to change user password on all user objects under OU
$objectguid = new-object Guid
00299570-246d-11d0-a768-00aa006e0529 # is the rightsGuid for the extended right User-Force-Change-Password (“Reset Password”)
class
$inheritedobjectguid = new-object Guid
bf967aba-0de6-11d0-a285-00aa003049e2 # is the schemaIDGuid for the user
$identity = [System.Security.Principal.IdentityReference] $SID
$adRights = [System.DirectoryServices.ActiveDirectoryRights] "ExtendedRight"
$type = [System.Security.AccessControl.AccessControlType]
"Allow"
$inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "Descendents"
$ace = new-object System.DirectoryServices.ActiveDirectoryAccessRule $identity,$adRights,$type,$objectGuid,$inheritanceType,$inheritedobjectguid
$acl.AddAccessRule($ace)
Set-acl -aclobject $acl "ad:OU=xxx,DC=com"
The figure below shows the result of running the script above:
Figure 2．
In addition, if you want to assign other permissions, you can change the GUID values in the script above. The common GUID values are listed as below:
$guidChangePassword
= new-object Guid ab721a53-1e2f-11d0-9819-00aa0040529b
$guidLockoutTime
= new-object Guid 28630ebf-41d5-11d1-a9c1-0000f80367c1
$guidPwdLastSet
= new-object Guid bf967a0a-0de6-11d0-a285-00aa003049e2
$guidComputerObject
= new-object Guid bf967a86-0de6-11d0-a285-00aa003049e2
$guidUserObject
= new-object Guid bf967aba-0de6-11d0-a285-00aa003049e2
$guidLinkGroupPolicy
= new-object Guid f30e3bbe-9ff0-11d1-b603-0000f80367c1
$guidGroupPolicyOptions
= new-object Guid f30e3bbf-9ff0-11d1-b603-0000f80367c1
$guidResetPassword
= new-object Guid 00299570-246d-11d0-a768-00aa006e0529
$guidGroupObject
= new-object Guid BF967A9C-0DE6-11D0-A285-00AA003049E2
$guidContactObject
= new-object Guid 5CB41ED0-0E4C-11D0-A286-00AA003049E2
$guidOUObject
= new-object Guid BF967AA5-0DE6-11D0-A285-00AA003049E2
$guidPrinterObject
= new-object Guid BF967AA8-0DE6-11D0-A285-00AA003049E2
$guidWriteMembers
    = new-object Guid bf9679c0-0de6-11d0-a285-00aa003049e2
$guidNull
= new-object Guid 00000000-0000-0000-0000-000000000000
$guidPublicInformation
= new-object Guid e48d0154-bcf8-11d1-8702-00c04fb96050
$guidGeneralInformation
= new-object Guid 59ba2f42-79a2-11d0-9020-00c04fc2d3cf
$guidPersonalInformation = new-object Guid 77B5B886-944A-11d1-AEBD-0000F80367C1
$guidGroupMembership
= new-object Guid bc0ac240-79a9-11d0-9020-00c04fc2d4cf
More information:
Add Object Specific ACEs using Active Directory Powershell
http://blogs.msdn.com/b/adpowershell/archive/2009/10/13/add-object-specific-aces-using-active-directory-powershell.aspx
Please click to vote if the post helps you. This can be beneficial to other community members reading the thread.

The ActiveDirectoryAccessRule has more than one constructor, but yes, you've interpreted the one that takes six arguments correctly.
Those GUIDs are different (check just before the first dash). Creating that ACE will create an empty GUID for InheritedObjectType, though, because you're telling it to apply to the Object only ([System.DirectoryServices.ActiveDirectorySecurityInheritance]::None).
Since the ACE will only apply to the object, there's no need to worry about what types of objects will inherit it.
If you've got time, check out
this module. It will let you view the security descriptors in a much friendlier format. Try both version 3.0 and the version 4.0 preview:
Sample version 3.0:
# This is going to be kind of slow, and it will take a few seconds the first time
# you run it because it has to build the list of GUID <--> Property/Class/etc objects
Get-ADGroup GroupY |
Get-AccessControlEntry -ObjectAceType member -InheritedObjectAceType group -ActiveDirectoryRights WriteProperty
# Same as the previous command, except limit it to access granted to GroupX
Get-ADGroup GroupY |
Get-AccessControlEntry -ObjectAceType member -InheritedObjectAceType group -ActiveDirectoryRights WriteProperty -Principal GroupX
Here's version 4.0. It's way faster than 3.0, but it's missing the -ObjectAceType and -InheritedObjectAceType parameters on Get-AccessControlEntry (don't worry, when they come back they'll be better than in 3.0):
Get-ADGroup GroupY |
Get-AccessControlEntry
Get-ADGroup GroupY |
Get-AccessControlEntry -ActiveDirectoryRights WriteProperty
Get-ADGroup GroupY |
Get-AccessControlEntry -ActiveDirectoryRights WriteProperty -Principal GroupX
# You can do a Where-Object filter until the parameters are added back to Get-AccessControlEntry:
Get-ADGroup GroupY |
Get-AccessControlEntry -ActiveDirectoryRights WriteProperty |
where { $_.AccessMask -match "All Prop|member Prop" }
Get-ADGroup GroupY |
Get-AccessControlEntry -ActiveDirectoryRights WriteProperty |
where { $_.ObjectAceType -in ($null, [guid]::Empty, "bf9679c0-0de6-11d0-a285-00aa003049e2") }
Get-ADGroup GroupY |
Get-AccessControlEntry -ActiveDirectoryRights WriteProperty |
where { $_.AccessMask -match "All Prop|member Prop" -and $_.AppliesTo -match "group"}
That's just for viewing. Version 3.0 can add and remove access, or you can use New-AccessControlEntry to replace your call to New-Object, and you can still use Get-Acl and Set-Acl. The benefit to New-AccessControlEntry is that you can do something like this:
New-AccessControlEntry -Principal GroupX -ActiveDirectoryRights WriteProperty -ObjectAceType member -InheritedObjectAceType group #-AppliesTo Object

Use Oracle directory object in SQL*loader?

Hi All,
We have a bunch of flatfiles that need to be read on a daily basis. We are using SQL*loader to read these files into Oracle.
The files arrive into a different directory every day ( /filesDDMMYY/ ). We now manually copy these files into the static directory which is pointed to in our ctl file. I was wondering if it's possible to use an Oracle Directory object to point to these data files, in stead of the pysical directory we use now?
Now we use: INFILE './sources/mydata.txt' , but I would like to make this a dynamic refrence to a directory with a different name
I searched the documentation and the internet quite extensively, but can not get an answer if it's possible to use directory objects in conjunction with sql loader.
Any help or suggestions would be appriciated.
Greetz,
Toin.
Message was edited by:
Toin ~ corrected typo

you can remove the INFILE parameter from the CTL files, and instead specify it on the command line (DATA=./sources...).
obviously this would still require changing every ctl file, but you would only need to do it once, not everytime you change a directory.
of course, the shell script which runs sqlldr would need to change. however, you could make the shell script more robust, by having it connect to sqlplus to look up the actual directory path from ALL_DIRECTORIES, and then use that when calling sqlldr.

Full database exp/imp between RAC and single database

Hi Experts,
we have a RAC database oracle 10GR2 with 4 node in linux. i try to duplicate rac database into single instance window database.
there are same version both database. during importing, I need to create 4 undo tablespace to keep imp processing.
How to keep one undo tablespace in single instance database?
any experience of exp/imp RAC database into single instance database to share with me?
Thanks
Jim
Edited by: user589812 on Nov 13, 2009 10:35 AM

JIm,
I also want to know can we add the exclude=tablespace on the impdp command for full database exp/imp?You can't use exclude=tablespace on exp/imp. It is for datapump expdp/impdp only.
I am very insteresting in your recommadition.
But for a full database impdp, how to exclude a table during full database imp? May I have a example for this case?
I used a expdp for full database exp. but I got a exp error in expdp log as ORA-31679: Table data object "SALE"."TOAD_PLAN_TABLE" has long columns, and longs can not >be loaded/unloaded using a network linkHaving long columns in a table means that it can't be exported/imported over a network link. To exclude this, you can use the exclude expression:
expdp user/password exclude=TABLE:"= 'SALES'" ...
This will exclude all tables named sales. If you have that table in schema scott and then in schema blake, it will exclude both of them. The error that you are getting is not a fatal error, but that table will not be exported/imported.
the final message as
Master table "SYSTEM"."SYS_EXPORT_FULL_01" successfully loaded/unloaded
Dump file set for SYSTEM.SYS_EXPORT_FULL_01 is:
F:\ORACLEBACKUP\SALEFULL091113.DMP
Job "SYSTEM"."SYS_EXPORT_FULL_01" completed with 1 error(s) at 16:50:26Yes, the fact that it did not export one table does not make the job fail, it will continue on exporting all other objects.
. I drop database that gerenated a expdp dump file.
and recreate blank database and then impdp again.
But I got lots of error as
ORA-39151: Table "SYSMAN"."MGMT_ARU_OUI_COMPONENTS" exists. All dependent metadata and data will be skipped due to table_exists_action of skip
ORA-39151: Table "SYSMAN"."MGMT_BUG_ADVISORY" exists. All dependent metadata and data will be skipped due to table_exists_action of skip
......ORA-31684: Object type TYPE_BODY:"SYSMAN"."MGMT_THRESHOLD" already exists
ORA-39111: Dependent object type TRIGGER:"SYSMAN"."SEV_ANNOTATION_INSERT_TR" skipped, base object type VIEW:"SYSMAN"."MGMT_SEVERITY_ANNOTATION" >already exists
and last line as
Job "SYSTEM"."SYS_IMPORT_FULL_01" completed with 2581 error(s) at 11:54:57Yes, even though you think you have an empty database, if you have installed any apps or anything, it may create tables that could exist in your dumpfile. If you know that you want the tables from the dumpfile and not the existing ones in the database, then you can use this on the impdp command:
impdp user/password table_exists_action=replace ...
If a table that is being imported exists, DataPump will detect this, drop the table, then create the table. Then all of the dependent objects will be created. If you don't then the table and all of it's dependent objects will be skipped, (which is the default).
There are 4 options with table_exists_action
replace - I described above
skip - default, means skip the table and dependent objects like indexes, index statistics, table statistics, etc
append - keep the existing table and append the data to it, but skip dependent objects
truncate - truncate the existing table and add the data from the dumpfile, but skip dependent objects.
Hope this helps.
Dean

Incomplete Directory Objects import

Hi All,
We are trying to import a TPZ file (for a whole scenario).Not all objects in the scenarios are changed.Both export and the import of the TPZ files are without any error.
However,in the target directory under the imported scenario, some (random) objects are missing.
When the missing objects are seperately put into a TPZ file,the import into the target directory is successfull.
Does anyone know why this is happenning and how to fix it.
Regards,
Bikram

Hi Paul,
Plese follow the below steps while transporting objects from IR & ID.
Before exporting make sure that the objects are activated.
Perform the following to import/export ID objects.
1. To export or import directory objects, call the configuration maintenance screen of the Integration Builder.
2. Call the context menu for an object in a collaboration profile in the Integration Builder navigation tree and choose Export.or choose Tools ® Export Configuration Objects
3. Select the Transport Using File System mode and follow the wizards instructions. When selecting individual objects, you can use drag and drop to drag the objects from the navigation tree and drop them in the object selection field.
The Integration Builder saves a binary export file with the suffix tpz in the export directory of the directory server
Do not change the file name of the export file. If you do, the Integration Builder will not accept it as the appropriate file when you import.
4. To import the export file(s) to another Integration Directory, first copy or move it to the import directory of the target directory.
5. Call the configuration maintenance screen of the Integration Builder for the target directory. Choose Tools ® Import Configuration Objects...
6. Select the export file saved in the import directory by using the dialog box that appears.
If the import is successful, the export file is moved to the subdirectory /xi/directory_server/importedFiles. The objects are not activated when they are imported into the target directory. They are visible in the change list of the user who imported them.
7. Check the imported objects in the change list and adjust the configuration data to match your system landscape, if necessary.
8. Activate the change list that contains the imported objects.

Directory object on $APPLCSF/$APPLOUT

Hi,
My requirement is to fetch a xml file from concurrent program output directory $APPLCSF/$APPLOUT and update some tables based on it.
In order to read the file I need to have a directory object created on the same.
Can I create a directory object on $APPLCSF/$APPLOUT?
Is this not recommended?
I just need to read it from a job submitted thru dbms_job.
Please let me know your views.
Thanks.
Edited by: Chit on Mar 15, 2012 2:10 AM

Chit wrote:
Okay. Here is my requirement.
I am in Oracle apps R12 and db 11g.
I have a concurrent program with no mandatory parameters.
I need to email POs to suppliers. I am using BIPublisher for it. I should not email POs twice.
For this I have done the following:
Written a PLSQL code which will
1. Generate xml for bursting
2. Launch bursting program
So far so good. Now when it comes to duplicate email handling part, the complexity comes in.
I need to do the following for it.
1. Generate xml for bursting - parent request
2. Launch bursting program - child request
3. Wait for bursting program to complete - parent request
4. Fetch the xml status file generated by bursting report, and update the POs with bursting report status. - parent request
Since step3 waits for step2 to complete, step2 always fails with 'File o1234.out is not accessible'. I can understand that since parent is not complete (and whose out file is locked) and child is requesting for parent's out file, it errors.
So I thought of handling step 3 and 4 thru dbms_job, so that step2 completes successfully.
For step4, I need to access the out file of step2, for which I need a directory object created on $APPLCSF/$APPLOUT which will allow me to read that file and update the status back.
Please let me know if you need more info.Why is your directory name specified with environment variables?

Transport SLDm repository, directory objects from Dev to Prod

Hi Forum,
I heve a development XI system and a production XI system,
and seperate SLD for each of them,
In development SLD i have created,
1 business system (third party)
1 product and software component
in Repository of Development XI,
i have a file to file scenario,
in directory of Development XI,
i have configured the scenario,
Now i want to transport everything (as explained above) from Development to Production XI system ....including SLD things ...
please tell me the procedure and sequence
Edited by: rana brata de on Jan 18, 2008 9:16 AM

Hi,
Check the links below for transporting the Objects from DEV to PRD.
How to handle SLD for Tranporting Dev to Quality ser
https://service.sap.com/~sapdownload/011000358700001684302005E/HowToSLDandXI.pdf
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/0fa2c490-0201-0010-61b4-df12869c4753
Transporting XI from DEV to QA
Transporting XI from DEV to QA
using CMS system. in XI
1. /people/sap.india5/blog/2005/11/03/xi-software-logistics-1-sld-preparation
2. /people/sap.india5/blog/2005/11/09/xi-software-logistics-ii-overview
3. /people/sap.india5/blog/2005/11/28/xi-software-logistics-solution-iii-cms
4. /people/sravya.talanki2/blog/2005/11/02/overview-of-transition-from-dev-to-qa-in-xi --> Overview of Transition from Dev to QA in XI
5. /people/sravya.talanki2/blog/2005/12/20/inconsistencies-while-transporting-rfc-objects-from-dev-to-qa-150-sp12
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/9e76e511-0d01-0010-5c9d-9f768d644808
http://help.sap.com/saphelp_nw2004s/helpdata/en/93/a3a74046033913e10000000a155106/content.htm --> Transporting XI Objects
http://help.sap.com/saphelp_nw04/helpdata/en/ef/a21e3e0987760be10000000a114084/content .htm --> Configuring Groups and Transport Targets
Look into this blog for how to export / improt IR and ID objects,
/people/sap.india5/blog/2005/11/09/xi-software-logistics-ii-overview
/people/sap.india5/blog/2005/11/03/xi-software-logistics-1-sld-preparation
Please go through these links which actualy show you how to configure CMS and also gives you all information regarding it.
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/43f5d790-0201-0010-2984-ff72d822b109
http://help.sap.com/saphelp_nw04/helpdata/en/de/a4214174abef23e10000000a155106/content.htm
/people/daniel.wirbser/blog/2005/10/27/tcsfilecreateexception--error-while-assembly-of-software-components-in-nwdi
http://help.sap.com/saphelp_nw04/helpdata/en/f6/719a2172f74b67b150612a7cd3b7df/content.htm
http://www.sap-hefte.de/download/dateien/964/074_lesesprobe.pdf
Regards,
Phani
Reward points if helpful

RAC and Directory Objects

Similar Messages

Maybe you are looking for