RBAC ISE 1.2 Data Access Permissions

Similar Messages

• Exchange 2010 Unable to Assign Full Access Permissions using a Security Group

  I've been running into this issue lately.  I cannot seem to use groups to allow full access to mailboxes.  When I add them from the EMC, it will show up when you go to "Manage Full Access Permission...".  After waiting a day and even restarting
  the Information Store service, the permissions do not take effect.  When I view the msExchDelegateListLink attribute of the mailbox account, the group is not listed.
  When I grant a user full permission, it works and updates the attribute.  However, on occasion when I revoke the full access permission for a user is doesn't always remove that user from the msExchDelegateListLink attribute.  So the mailbox
  will still appear in Outlook, but the user isn't able to see new emails.
  Any ideas on what may be going wrong?
  Environment:
  Exchange Server 2010 SP1 Standard
  Windows Server 2008 R2 Standard
  Outlook 2010 SP1 (tried without SP1 as well)
  I was looking over Add-MailboxPermission on Technet (http://technet.microsoft.com/en-us/library/bb124097.aspx) and I noticed that it doesn't mention adding groups.  Is this not possible?

  I never got a proper fix.
  I worked around it by creating a script which gets the members of an AD Mail Enabled security group, and updates the full access based on the groups members.
  Here's a script I'm running every hour which updates permissions. It's probably not the most efficient script ever, but it works. It has several benefits
  1. Managers of the distribution group can add/remove mailbox members using OWA or through the address list
  2. New members of groups are added to FULL Access Permissions
  3. Members removed from the groups are removed from FULL access permissions
  4. Automapping works :)
  5. Maintains a log of access added / removed / time taken etc.
  Obviously I have had to remove domain related information, replace with whatever your domain requirements are, and PLEASE debug it properly in your environent first, don't complain to me if it wipes out a load of access for you or something like that!
  It takes about 5 minutes to run in my environement. Some formatting seems to have got messed up on here, sorry. I hope it is of use!
  # Mailbox Permissions Setter for Exchange #
  # v1.1 #
  # This script will loop through all mailboxes in Exchange and find any where #
  # the type is 'SHARED'. These should be determined to be a GROUP/SHARED mailbox #
  # and access to these mailboxes are controlled by a single ACL, e.g. 'ACL_Shared_Mailbox'. #
  # This script will add any members of these ACLs directly to the Full Access Permissions #
  # of the mailbox and also remove them if they no longer need the access. #
  # Script created by Jon Read, Technical Administration
  # Recent Changes
  # 15/11/2012
  # 1.1 Added exclusions for ACLs that we don't want automapping to happen for
  # 12/11/2012
  # 1.0 Initial script
  #Do not change these values
  Add-PSSnapin *Ex*
  $starttime = Get-Date
  $logfile = "C:\accesslog.txt"
  $logfile2 = "C:\accesslog2.txt"
  $totaladditionstomailboxes = 0
  $totalremovalsfrommailboxes = 0
  $totalmailboxesprocessed = 0
  $totalmailboxesskipped = 0
  # Exclude any ACLs that shouldn't be processed here if they are used for a non-standard purpose and
  # we don't want FULL access mapping to happen. Seperate array values with commas
  $ExcludedACLArray = "DOMAIN\ACL_ExcludedExample"
  Write-Output " " >> $logfile
  Write-Output " " >> $logfile
  Write-Output "#----------------------------------------------------------------#" >> $logfile
  Write-Output "# Mailbox Permissions Setter for Exchange #" >> $logfile
  Write-Output "# v1.1 #" >> $logfile
  Write-Output "#----------------------------------------------------------------#" >> $logfile
  Write-Output " " >> $logfile
  Write-Output " " >> $logfile
  Write-output "Start time $starttime ">> $logfile
  Write-Output " " >> $logfile
  Write-Output " " >> $logfile
  # Set preferred DCs and GCs
  $preferredDC = "preferredDC.domain"
  $preferredGC = "preferredGC.domain"
  Write-Output " PreferredDC = $preferredDC ">> $logfile
  Write-Output " PreferredGC = $preferredGC " >> $logfile
  Set-ADServerSettings -PreferredGlobalCatalog $preferredGC -SetPreferredDomainControllers $preferredDC
  # The first part of this will ADD permissions to the mailbox, reading from an associated ACL.
  # Check for all mailboxes where the type is SHARED. These are the only ones we would
  # want to apply group mailbox permissions to.
  foreach ($mailbox in get-mailbox -resultsize "unlimited" | where-object {$_.RecipientTypeDetails -eq "SharedMailbox"})
  $totalmailboxesprocessed = $totalmailboxesprocessed + 1
  Write-Output " " >> $logfile
  Write-Output " " >> $logfile
  Write-Output "|-------------------------------------------------------" >> $logfile
  Write-Output "| MAILBOX ADDITIONS: $mailbox " >> $logfile
  Write-Output "|-------------------------------------------------------" >> $logfile
  $mailbox=$mailbox.ExchangeGuid.ToString()
  # For each of them, get the distribution list applied to the mailbox (Starting DOMAIN\ACL_)
  # We then need it to be turned into a string to use later.
  #Declared $changes as 0. if this is set to 0 at the end of the mailbox job, we know no changes were made.
  $changes = 0
  foreach ($distributiongroup in get-mailbox $mailbox | Get-MailboxPermission | Where-Object {$_.User -like "DOMAIN\ACL_*" })
  $skipACL = 0
  #Get the distribution group and put the name in a useable format
  $distributiongroup=$distributiongroup.user.tostring()
  Write-Output "Found ACL $distributiongroup" >> $logfile
  # Check if this distribution group needs to be excluded and if it shouldn't be processed
  # then move onto the next ACL. This will stop FULL access being granted if the mailbox is
  # used for a non-standard purpose. See the start of this script
  # for where these are excluded (ExcludedACLArray)
  foreach ($ACL in $ExcludedACLArray )
  if ($distributiongroup -eq $ACL)
  $skipACL = 1
  Write-Output "ACL $distributiongroup is excluded so skipping mailbox " >> $logfile
  $totalmailboxesskipped = $totalmailboxesskipped + 1
  if ($skipACL -eq 0)
  # Get each user in this group and for each of them, add try to add them to full access permissions.
  foreach ($user in Get-DistributionGroupMember -identity $distributiongroup)
  # Get the user to try, convert to DOMAIN\USER to use shortly
  $user="DOMAIN\" + $user.alias.ToString()
  # Check to see if the user we have chosen from the ACL group already exists in the full access
  # permissions. If they do, set $userexists to 1, if they do not, leave $userexists set to 0.
  # Set $userexists to 0 as the default
  $userexists = 0
  foreach ($fullaccessuser in get-mailbox $mailbox | Get-MailboxPermission)
  # See if the user exists in the mailbox access list.
  # Change $fullaccessuser to a useable string (matching $user)
  $fullaccessuser=$fullaccessuser.user.tostring()
  if ($fullaccessuser -eq $user)
  $userexists=1
  # Break out of foreach if the user exists so we don't unnecessarily loop
  break
  # Now we know if the user needs to be added or not, so run code (if needed) to add
  # the user to full access permissions
  if ($userexists -eq 0)
  Add-MailboxPermission $mailbox –user $user –accessrights "FullAccess"
  Write-Output "Added $user " >> $logfile
  $changes = 1
  $totaladditionstomailboxes = $totaladditionstomailboxes + 1
  #Now repeat for other users in the ACL
  #if changes were 0, then log that no changes were made
  if ($changes -eq 0)
  Write-Output "No changes were made." >> $logfile
  Write-Output " " >> $logfile
  Write-Output " " >> $logfile
  Write-Output "---------------------------------------------------------------------------------" >> $logfile
  Write-Output " FINISHED ADDING PERMISSIONS" >> $logfile
  Write-Output "---------------------------------------------------------------------------------" >> $logfile
  Write-Output " " >> $logfile
  # The second part of this will REMOVE permissions from the mailbox, reading from an associated ACL.
  ## Check for all mailboxes where the type is SHARED. These are the only ones we would
  ## want to apply group mailbox permissions to.
  foreach ($mailbox in get-mailbox -resultsize "unlimited" | where-object {$_.RecipientTypeDetails -eq "SharedMailbox"})
  Write-Output " " >> $logfile
  Write-Output " " >> $logfile
  Write-Output "|-------------------------------------------------------" >> $logfile
  Write-Output "| MAILBOX REMOVALS : $mailbox " >> $logfile
  Write-Output "|-------------------------------------------------------" >> $logfile
  $mailbox=$mailbox.ExchangeGuid.ToString()
  #Declared $changes as 0. if this is set to 0 at the end of the mailbox job, we know no changes were made.
  $changes = 0
  # For the current mailbox, get a list of all users with FULLACCESS, and then for each of them
  # check if they exist in the ACL
  foreach ($fullaccessuser in get-mailbox $mailbox | Get-MailboxPermission | Where-Object {$_.Accessrights -like "FullAccess" })
  # Get the security identifier (SSID) of the FULLACCESS user to store for later.
  $fullaccessuserSSID=$fullaccessuser.user.SecurityIdentifier.ToString()
  $fullaccessuser=$fullaccessuser.User.ToString()
  #If user needs to be excluded then skip this bit
  #Users added or removed will only start with 07 (07$, 07T, so only run if the user starts with this.
  #This stops it trying to remove NT AUTHORITY\SELF and other System entries
  if ($fullaccessuser -like "DOMAIN\07*")
  # Set $userexists to be 0. if we find the use user needs to remain, then change it to 1.
  $userexists=0
  # Check if this user exists in the ACL, if not, remove.
  foreach ($distributiongroup in get-mailbox $mailbox | Get-MailboxPermission | Where-Object {$_.User -like "DOMAIN\ACL_*" })
  $distributiongroup=$distributiongroup.user.tostring()
  #Write-Output "Found associated distribution group $distributiongroup" >> $logfile
  # Get each user in this group and for each of them, See if it matches the user in the mailbox.
  foreach ($user in Get-DistributionGroupMember -identity $distributiongroup)
  # Get the user to try, convert to DOMAIN\USER to use shortly
  $userguid = $user.Guid.ToString()
  $user="DOMAIN\" + $user.alias.ToString()
  if ($fullaccessuser -eq $user)
  $userexists=1
  #we have found the user exists so no need to continue
  break
  # If userexists = 0, then they are NOT in the ACL, and should be removed from
  # the full access permissions. Run the code to remove them from full access.
  #CONVERT FULLACCESSUSER TO GUID AND REMOVE $FULLACCESSUSERGUID NOT $USERGUID
  if ($userexists -eq 0)
  Remove-MailboxPermission -Identity $mailbox –user $fullaccessuserSSID –accessrights "FullAccess" -Confirm:$false
  Write-Output "Removed $fullaccessuser " >> $logfile
  $changes = 1
  $totalremovalsfrommailboxes = $totalremovalsfrommailboxes + 1
  # if changes = 0, no changes were made to this mailbox, so log this fact.
  if ($changes -eq 0)
  Write-Output "No changes were made." >> $logfile
  #Put the time in a displayable format
  $endtime = Get-Date
  $runtime = $endtime - $starttime
  $runtime = $runtime.ToString()
  $runtime1 = $runtime.split(".")
  $totaltime = $runtime1[0]
  Write-Output " " >> $logfile
  Write-Output " " >> $logfile
  Write-Output "|-------------------------------------------------------------------------------------- " >> $logfile
  Write-Output "| SCRIPT COMPLETE : STATS " >> $logfile
  Write-Output "|-------------------------------------------------------------------------------------- " >> $logfile
  Write-Output "| Total Mailboxes Processed : $totalmailboxesprocessed " >> $logfile
  Write-Output "| Total Additions : $totaladditionstomailboxes " >> $logfile
  Write-Output "| Total Removals : $totalremovalsfrommailboxes " >> $logfile
  Write-Output "| Total Mailboxes Skipped due to ACL : $totalmailboxesskipped " >> $logfile
  Write-output "| Start time : $starttime ">> $logfile
  Write-output "| End time : $endtime ">> $logfile
  Write-Output "| **END OF RUN** - Elapsed time : $totaltime " >> $logfile
  Write-Output "|---------------------------------------------------------------------------------------" >> $logfile
  Write-Output " " >> $logfile

• Setting MS Access Permissions

  I have a MS Access 2013 web app hosted on the Microsoft Office Sharepoint 2013 site.  I want the team members to be able to add/modify/delete only within the web forms.  How do I set permissions so that other team members cannot delete or update
  the actual application and the application data outside of the web form?  What permissions should I use?  I tried to create a new group with custom permissions, for example group "XYZ".  When I tried to add permissions to group "XYZ",
  I was not given a choice of using the custom permissions that I set up.
  Thank you in advance.

  Hi,
  According to your post, my understanding is that you wanted to set Microsoft Access Permissions.
  If you already created an app and now you've decided you want your app to have unique permissions from the site where you created it, see Set
  permissions for an Access app on Office.com.
  More information:
  Set permissions on an Access Web App
  Set permissions for an Access App - SharePoint 2013
  Best Regards,
  Linda Li
  Linda Li
  TechNet Community Support

• An attempt was made to access a socket in a way forbidden by its access permissions -- this.RaiseExceptionIfNecessary();

  I'm relatively new to Azure websites...
  Have made a website that uses a proxy web service to retrieve data from another web service. When I publish the website to my Azure website I get the following error:
  An attempt was made to access a socket in a way forbidden by its access permissions 127.0.0.1:53775
  public string Result {
  Line 250:            get {
  Line 251:                this.RaiseExceptionIfNecessary();
  Line 252:                return ((string)(this.results[0]));
  Line 253:            }
  Probably a configuration issue, but I do not know what is missing. Have seen similar during my research for this but the issues have been more related to databases.
  Can anyone help me here?

  you cannot open new ports on the worker. Better reference the assembly that makes external call and use it directly instead using it as a proxy service
  Galin Iliev [MCSD.NET, MCPD], http://www.galcho.com

• "Custom Access" permissions are locking me out of my own computer!

  "Custom Access" permissions are locking me out of my own computer!
  I have a Mac Book Pro which I can no longer access, due, I believe, to a problem with disk and file permissions. When I attempt to open up the volume, which I am able to put in FireWire target mode and mount on the desktop of a nearby iMac G5, I get an error message saying: "The folder 'MacBook Pro' could not be opened because you do not have sufficient access privileges."
  When I select the 'MacBook Pro' volume and run the Get Info command, I learn that the system, admin, and everyone else groups now have "custom access." I suppose that this newly acquired "custom access" is the reason that the volume icon now appears on the desktop with a lock at its lower left corner! Unfortunately, that lock is keeping me out, so I need help in finding the key back in!
  How all this came about overnight is a mystery wrapped in a enigma similar to my getting pneumonia last summer. Coming down with both diseases would require telling long stories that would only have as their common objective the desire to be cured. I might have gotten the pneumonia at my college reunion; my laptop computer might have caught a cold last night when I ran TechTool Pro and optimized my volume prior to installing its eDrive today. Or, my laptop computer may have choked when I tried to add Disk Warrior to the TechTool Pro eDrive and inadvertently issued some command that resulted in my normal permission settings getting changed and rendering everything on the computer completely inaccessible to me. Who knows for sure? Right now, the cause doesn't matter: finding the solution does.
  I used TechTool Pro to run a series of tests before (and after) I got locked out of my own computer and the volume passed all the tests for volume integrity and file integrity. TechTool also rebuilt the directory, defragged all the files, and optimized the hard drive into one, large, well-organized segment of files --that I unfortunately can no longer access!
  *What I think I need now are some very explicit, error-free, Terminal (UNIX) instructions telling me how to change the permissions on an external FireWire volume called "MacBook Pro" containing Leopard Mac OS X 10.5.7 from its current custom access privileges back to my settings before my poor computer caught this disabling cold.*
  I do have a SuperDuper clone of this MacBook Pro computer on an external FireWire, which I could probably use to relieve me of my pain. But, if at all possible, I would like to call upon that option only as a last resort for two reasons:
  (1) I am not entirely comfortable that the clone is completely reliable at this moment. My last cloning operation last night (before this corrupted permissions problem occurred) did not complete itself, leaving the cloned volume in an unknown, or unstable, state. (2) I would like to use this problem as an opportunity to grow and learn more about the Terminal and UNIX commands.
  I have read the relevant sections in David Pogue's missing manual on Mac OS X Leopard, so I am familiar (in theory) with the concepts he explained regarding ownership, file permissions, the root, Terminal, the CHMOD command, and the SUDO command. It's just that, considering the awesome power of the SuperUser Do command, I'm not all that confident yet that I could write the command(s) that could affect the state of my entire computer hard drive. So, *I'm asking for guidance from a UNIX guru to guide my hand this first time out.*
  I know about the idea of safe booting up as a single user, but since I do have my laptop computer mounted on the desktop of my iMac as a Firewire volume, I would prefer to use Terminal on the iMac to fix the permissions on that mounted volume, called "MacBook Pro".
  *Experts only, please*. Theories about what might have caused this problem would be nice, but what I really need is explicit command line code to cure this one. Since other people may occasionally encounter this problem of being locked out of their own computer, it would be fine with me if some knowledgeable guru wants to use this as a springboard to write a detailed tutorial on the topic along the way to the solution. Thanks.
  bowlerboy_jmb

  {I read that article you sent me to, Baltwo, but it does not seem appropriate, because the disk is not invisible. It's locked! I also went through all the discussions on flag changing you directed to me to look up, and I tried to apply something from there to my situation. But that's not working for me yet either. The topics there seem to be close enough to be relevant to my case, but none are exactly on the mark, and so far they deliver no cigar. Maybe I missed the one thread you had in mind from among the twenty I looked through: I can't be sure. You point it out, if you have one in mind. Anyway, in the absence of anyone providing me with specific Unix code or suggestions about my particular situation, I plunged ahead on my own, and I attempted to write some Unix code that might fix my problem. So far, I've had no success. This posting intersperses my comments along with the lines of Unix code which were displayed on my MacBook Pro during my recent attempts to tinker under the hood. My remarks are contained inside of curly brackets like { and } while the results of my Unix experimenting in Single User Mode on the laptop are presented without curly brackets. These were initially notes to myself, so I'm creating a post around my Unix dabbling to see if it triggers any feedback, corrections, and guidance for moving ahead. I'm stuck right now.}
  date
  Fri Jun 19 17:52:25 EDT 2009
  :/ root# sudo chflags nouchg /
  sudo: can't open /private/etc/sudoers: Permission denied
  :/ root# sendmail: warning: valid_hostname: empty hostname
  sendmail: fatal: unable to use my own hostname
  :/ root# ls -l
  {The screen filled up with rows of file names and their permissions, like...}
  drwxrwxr-x+ 43 root admin 1462 Jun 16 04:36 Applications
  :/ root# exit
  {Nothing happens for quite a while, then...}
  jettisoning kernel linker.
  {...and then several lines of replies fill up the screen, ending in that same loop regarding no such file or directory found, in regards to mDNSResponder. I had tried the {chmod 775 > solution recommended by a user at a web site I Googled to deal with the mDNSResponder problem he had. The chmod 775 / command worked for him, he reported, but it does not succeed for me. The mDNSResponderline continues to repeat itself ad infinitum, so I must force the Mac to turn off by holding down the power button for several seconds. Upon restart in Single User mode, I observe that, as before, "Root device is mounted read-only," so this time I try to amend permissions at the root level with...}
  :/ root# sudo chmod 755 /
  {If I understand what I've just learned about Unix, this tells the Mac to give me permission to do anything, but to give all others permission only to read and execute. Unfortunately, the command fails. The computer again responded with the same lines that it gave me when I had issued the command regarding no user flags, namely:}
  sudo: can't open /private/etc/sudoers: Permission denied
  :/ root# sendmail: warning: valid_hostname: empty hostname
  sendmail: fatal: unable to use my own hostname
  {So, to summarize, I have a MacBook Pro which I am apparently locked out of and cannot change. The hard disk is not invisible: it will appear as an external drive when placed in Target Mode and connected via a Firewire cable to an iMac. I tried to use Terminal on that iMac to change permissions on the MacBook Pro, but permission was denied.
  {So, I have tried to make changes on the MacBook Pro directly. I learned that it will neither start-up under normal circumstances nor via Safe Boot mode. It will, however, start-up under Single User mode. Based on my bleary-eyed crash course in Unix throughout all of last night and early this morning, I did gain some additional understanding about UNIX from some [free online books|http://www.scribd.com/doc/12747795/Made-Easy-Unix-for-Beginners] and articles, especially from a thorough and lucidly written article at Indiana University called [In Unix, how do I change the permissions for a file?|http://kb.iu.edu/data/data/abdb.html]
  {Also, I followed the links to the Apple discussions on user flags, and I cherry picked the most appropriate solutions suggested there to see if they will apply to my situation. However, none quite fit. None have thus far succeeded. I think I now know how to formulate the syntax of Unix commands in regards to modifying permissions, and I'm willing to plow ahead and try things out. But I'm only a rank beginner in this Unix realm, so maybe I'm doing something wrong in that department.
  {It just boggles my mind that someone can inadvertently be locked out of their computer without a way back in, so all I'm asking for is some trouble-shooting guidance to find the key back in. Anyone got it? Is this a problem that can be cured by writing some Unix commands to the system? Or, does the solution lie elsewhere?}
  bowlerboy_jmb

• I am trying to import developed images from LightRoom 5 in o Photoshop 6.  I am receiving this message and the images will not open.....'Could not open scratch file because the file is locked, you do not have necessary access permissions or another progra

  I am trying to import developed images from LightRoom 5 Photoshop 6 for further editing.  I am receiving this message and the images will not open.....'Could not open scratch file because the file is locked, or you do not have necessary access permissions or another program is using the file.  Use the 'Properties' command in the Windows Explorer to unlock the file. How do I fix this?  I would greatly appreciate it if you would respond with terms and procedures that a computer ignorant user, such as me, will understand.   Thanks.

  Have you tried restoring the Preferences yet?

• I am trying to import developed images from LightRoom 5 into Photoshop 6.  I am receiving this message and the images will not open.....'Could not open scratch file because the file is locked, you do not have necessary access permissions or another progra

  I am trying to import developed images from LightRoom 5 into Photoshop 6.  I am receiving this message and the images will not open.....'Could not open scratch file because the file is locked, you do not have necessary access permissions or another program is using the file.  Use the 'properties' command in the Windows Explorer to unlock the file'.  This has not happened before.  How do I change this?

  Could not open a scratch file because the file is locked or you do not have the necessary access privileges. (…) | Mylen…
  Mylenium

• I have PS 6 and just purchased an iMac and am running OS 10.10.1 (Yosemite).  When i try to Save or Save As a file I get the following message:  Could not save as "Whatever.psd" because this file is locked, you do not have necessary access permissions, or

  I have PS 6 and just purchased an iMac and am running OS 10.10.1 (Yosemite).  When i try to Save or Save As a file I get the following message:  Could not save as "Whatever.psd" because this file is locked, you do not have necessary access permissions, or another program is using the file.  Use the Get Info command in the Finder to ensure the file is unlocked and you have permission to access the file.  If the problem persists, save the document to a different file or duplicate it in the Finder.  Any suggestions?  Thanks.

  Photoshop: Basic Troubleshooting steps to fix most issues
  Look under Troubleshoot User Permissions.
  Gene

• When I close Photoshop CS6, the following message appears: "Could not save Preferences because the file is locked, you do not have necessary access permissions, or another program is using the file.

  When I quit Photoshop CS6, the following message appears:
  " Could not save Preferences because the file is locked, you do not have necessary access permissions, or another program is using the file. Use the ‘Get Info’ command in the Finder to ensure the file is unlocked and you have permission to access the file. If the problem persists, save the document to a different file or duplicate it in the Finder."
  If I try to change the Workspace in PS6 from Essentials to any other Workspace, the following messsage appears:
  "Could not apply the workspace because the file is locked, you do not have necessary access permissions, or another program is using the file. Use the ‘Get Info’ command in the Finder to ensure the file is unlocked and you have permission to access the file. If the problem persists, save the document to a different file or duplicate it in the Finder."
  I have checked the Sharing and Permissions section of the "Get Info" panel accessed from the Finder and I have set Read and Write Privileges for my user account for Photoshop CS6. System and Admin are also set to Read and Write.
  I have a MacBook Pro with OS X Version 10.9.5 and have all available updates for Photoshop CS6, Lightroom 5 and Bridge CS6.
  I tried uninstalling the program and downloading it again and reinstalling, but nothing changed.
  Can you help?
  Thanks,
  cjpnm

  You may get better help in Photoshop General Discussion
  The Cloud forum is not about using individual programs
  The Cloud forum is about the Cloud as a delivery & install process
  If you will start at the Forums Index https://forums.adobe.com/welcome
  You will be able to select a forum for the specific Adobe product(s) you use
  Click the "down arrow" symbol on the right (where it says All communities) to open the drop down list and scroll
  If FINDER means Mac, read below (and try to give more information when asking a question)
  Mac 10.9.3 workaround https://forums.adobe.com/thread/1489922
  Enable Mac Root User https://forums.adobe.com/thread/1156604
  -more Root User http://forums.adobe.com/thread/879931
  -and more root user http://forums.adobe.com/thread/940869?tstart=0

• Photoshop won't start: Could not open a scratch file because the file is locked, you do not have necessary access permissions, or another program is using the file.

  Adobe Photoshop CS6 Extended
  "Could not open a scratch file because the file is locked, you do not have necessary access permissions, or another program is using the file."
  I've tried finding and checking and fixing permissions but no success.
  This happened from one day to the next. I think it has to do with the sn attached to the disk rather then the motherboard. I have the suite co-installed with Symphony 5.05. I've tried reinstalling.
  What's to b done? The rest of the Creative Suite 6 (AE, AI etc.) works fine.
  Anyone...?
  Loui

  Have you tried restoring the Preferences yet?

• Failed to open the console and System Center Data Access Service wont start - SCOM 2012

  Log Name: Operations Manager
  Source: Data AccessLayer
  Event ID: 33333
  Data Access Layer rejected retry on SqlError:
   Request: ManagementGroupInfo
   Class: 16
   Number: 208
   Message: Invalid object name 'dbo.__MOMManagementGroupInfo__'.
  =============================================================
  Log Name: Operations Manager
  Source: OpsMgr SDK Service
  Event ID: 26380
  The System Center Data Access service failed due to an unhandled exception.  
  The service will attempt to restart.
  Exception:
  Microsoft.EnterpriseManagement.Common.SdkServiceNotInitializedException: The Data Access service has not yet initialized. Please try again.
     at Microsoft.EnterpriseManagement.ServiceDataLayer.DispatcherService.get_Container()
     at Microsoft.EnterpriseManagement.Mom.Sdk.Service.SdkSubService.SdkChannel.Start()
     at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
     at System.Threading._ThreadPoolWaitCallback.PerformWaitCallbackInternal(_ThreadPoolWaitCallback tpWaitCallBack)
     at System.Threading._ThreadPoolWaitCallback.PerformWaitCallback(Object state)
  =============================================================
  Failed to connect to server ' xxxxx'
  Date: 16/09/2013 20:36:16
  Application: Operations Manager
  Application Version: 7.0.8560.0
  Severity: Error
  Message: Failed to connect to server 'xxxxxx'
  Microsoft.EnterpriseManagement.Common.ServiceNotRunningException: The Data Access service is either not running or not yet initialized. Check the event log for more information. ---> System.ServiceModel.EndpointNotFoundException: Could not connect to net.tcp://xxxxx:5724/DispatcherService.
  The connection attempt lasted for a time span of 00:00:02.0020300. TCP error code 10061: No connection could be made because the target machine actively refused it xxx.xxx.xxx.xxx:5724.  ---> System.Net.Sockets.SocketException: No connection could
  be made because the target machine actively refused it xxx.xxx.xxx.xxx:5724
     at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)
     at System.Net.Sockets.Socket.Connect(EndPoint remoteEP)
     at System.ServiceModel.Channels.SocketConnectionInitiator.Connect(Uri uri, TimeSpan timeout)
     --- End of inner exception stack trace ---
  Server stack trace:
     at System.ServiceModel.Channels.SocketConnectionInitiator.Connect(Uri uri, TimeSpan timeout)
     at System.ServiceModel.Channels.BufferedConnectionInitiator.Connect(Uri uri, TimeSpan timeout)
     at System.ServiceModel.Channels.ConnectionPoolHelper.EstablishConnection(TimeSpan timeout)
     at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.OnOpen(TimeSpan timeout)
     at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
     at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
     at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
     at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
     at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
     at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)
     at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
     at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
     at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
  Exception rethrown at [0]:
     at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
     at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
     at Microsoft.EnterpriseManagement.Common.Internal.IDispatcherService.Connect(SdkClientConnectionOptions connectionOptions)
     at Microsoft.EnterpriseManagement.Common.Internal.SdkDataLayerProxyCore.Initialize(EnterpriseManagementConnectionSettings connectionSettings, SdkChannelObject`1 channelObjectDispatcherService)
     at Microsoft.EnterpriseManagement.Common.Internal.SdkDataLayerProxyCore.CreateEndpoint[T](EnterpriseManagementConnectionSettings connectionSettings, SdkChannelObject`1 channelObjectDispatcherService)
     --- End of inner exception stack trace ---
     at Microsoft.EnterpriseManagement.Common.Internal.ExceptionHandlers.HandleChannelExceptions(Exception ex)
     at Microsoft.EnterpriseManagement.Common.Internal.SdkDataLayerProxyCore.CreateEndpoint[T](EnterpriseManagementConnectionSettings connectionSettings, SdkChannelObject`1 channelObjectDispatcherService)
     at Microsoft.EnterpriseManagement.Common.Internal.SdkDataLayerProxyCore.ConstructEnterpriseManagementGroupInternal[T,P](EnterpriseManagementConnectionSettings connectionSettings, ClientDataAccessCore clientCallback)
     at Microsoft.EnterpriseManagement.Common.Internal.SdkDataLayerProxyCore.RetrieveEnterpriseManagementGroupInternal[T,P](EnterpriseManagementConnectionSettings connectionSettings, ClientDataAccessCore callbackDispatcherService)
     at Microsoft.EnterpriseManagement.Common.Internal.SdkDataLayerProxyCore.Connect[T,P](EnterpriseManagementConnectionSettings connectionSettings, ClientDataAccessCore callbackDispatcherService)
     at Microsoft.EnterpriseManagement.ManagementGroup.InternalInitialize(EnterpriseManagementConnectionSettings connectionSettings, ManagementGroupInternal internals)
     at Microsoft.EnterpriseManagement.Mom.Internal.UI.Common.ManagementGroupSessionManager.Connect(String server)
     at Microsoft.EnterpriseManagement.Monitoring.Console.Internal.ConsoleWindowBase.TryConnectToManagementGroupJob(Object sender, ConsoleJobEventArgs args)
  System.ServiceModel.EndpointNotFoundException: Could not connect to net.tcp://xxxxx:5724/DispatcherService. The connection attempt lasted for a time span of 00:00:02.0020300. TCP error code 10061: No connection could be made because the target machine actively
  refused it xxx.xxx.xxx.xxx:5724.  ---> System.Net.Sockets.SocketException: No connection could be made because the target machine actively refused it xxx.xxx.xxx.xxx:5724
     at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)
     at System.Net.Sockets.Socket.Connect(EndPoint remoteEP)
     at System.ServiceModel.Channels.SocketConnectionInitiator.Connect(Uri uri, TimeSpan timeout)
     --- End of inner exception stack trace ---
  Server stack trace:
     at System.ServiceModel.Channels.SocketConnectionInitiator.Connect(Uri uri, TimeSpan timeout)
     at System.ServiceModel.Channels.BufferedConnectionInitiator.Connect(Uri uri, TimeSpan timeout)
     at System.ServiceModel.Channels.ConnectionPoolHelper.EstablishConnection(TimeSpan timeout)
     at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.OnOpen(TimeSpan timeout)
     at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
     at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
     at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
     at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
     at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
     at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)
     at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
     at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
     at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
  Exception rethrown at [0]:
     at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
     at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
     at Microsoft.EnterpriseManagement.Common.Internal.IDispatcherService.Connect(SdkClientConnectionOptions connectionOptions)
     at Microsoft.EnterpriseManagement.Common.Internal.SdkDataLayerProxyCore.Initialize(EnterpriseManagementConnectionSettings connectionSettings, SdkChannelObject`1 channelObjectDispatcherService)
     at Microsoft.EnterpriseManagement.Common.Internal.SdkDataLayerProxyCore.CreateEndpoint[T](EnterpriseManagementConnectionSettings connectionSettings, SdkChannelObject`1 channelObjectDispatcherService)
  System.Net.Sockets.SocketException (0x80004005): No connection could be made because the target machine actively refused it xxx.xxx.xxx.xxx:5724
     at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)
     at System.Net.Sockets.Socket.Connect(EndPoint remoteEP)
     at System.ServiceModel.Channels.SocketConnectionInitiator.Connect(Uri uri, TimeSpan timeout)
  =============================================================
  Log Name: Operations Manager
  Source: OpsMgr Root Connector
  Event ID: 28001
  The Root connector received an exception from the Config Service on StateSyncRequest:
  System.Runtime.Remoting.RemotingException: Failed to connect to an IPC Port: The system cannot find the file specified.
  Server stack trace:
     at System.Runtime.Remoting.Channels.Ipc.IpcPort.Connect(String portName, Boolean secure, TokenImpersonationLevel impersonationLevel, Int32 timeout)
     at System.Runtime.Remoting.Channels.Ipc.ConnectionCache.GetConnection(String portName, Boolean secure, TokenImpersonationLevel level, Int32 timeout)
     at System.Runtime.Remoting.Channels.Ipc.IpcClientTransportSink.ProcessMessage(IMessage msg, ITransportHeaders requestHeaders, Stream requestStream, ITransportHeaders& responseHeaders, Stream& responseStream)
     at System.Runtime.Remoting.Channels.BinaryClientFormatterSink.SyncProcessMessage(IMessage msg)
  Exception rethrown at [0]:
     at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
     at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
     at Microsoft.EnterpriseManagement.Mom.Internal.IConfigService.OnStateSyncRequest(Guid source, UInt64 messageIdentifier, String cookie)
     at Microsoft.Mom.Connectors.Root.RootConnector.OnStateSyncRequest(Guid source, UInt64 messageIdentifier, String cookie)
  ================================================================
  Log Name: Operations Manager
  Source: OpsMgr Management Configuration
  Event ID: 29105
   The management group is not yet fully upgraded. OpsMgr Management Configuration Service will idle until upgrade is completed.
   Operations Manager database version: 1.0.0.0
   Minimum required version: 7.0.0.0

  Yes, i change the credentials, but doesnt work.
  Yes, i put the events in the
  main question!
  Events Logs:
  =======================================================
  Log Name: Operations Manager
  Source: Data AccessLayer
  Event ID: 33333
  Data Access Layer rejected retry on SqlError:
   Request: ManagementGroupInfo
   Class: 16
   Number: 208
   Message: Invalid object name 'dbo.__MOMManagementGroupInfo__'.
  =======================================================
  Log Name: Operations Manager
  Source: OpsMgr SDK Service
  Event ID: 26380
  The System Center Data Access service failed due to an unhandled exception.  
  The service will attempt to restart.
  Exception:
  Microsoft.EnterpriseManagement.Common.SdkServiceNotInitializedException: The Data Access service has not yet initialized. Please try again.
     at Microsoft.EnterpriseManagement.ServiceDataLayer.DispatcherService.get_Container()
     at Microsoft.EnterpriseManagement.Mom.Sdk.Service.SdkSubService.SdkChannel.Start()
     at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
     at System.Threading._ThreadPoolWaitCallback.PerformWaitCallbackInternal(_ThreadPoolWaitCallback tpWaitCallBack)
     at System.Threading._ThreadPoolWaitCallback.PerformWaitCallback(Object state)
  =======================================================
  Log Name: Operations Manager
  Source: OpsMgr Root Connector
  Event ID: 28001
  The Root connector received an exception from the Config Service on StateSyncRequest:
  System.Runtime.Remoting.RemotingException: Failed to connect to an IPC Port: The system cannot find the file specified.
  Server stack trace:
     at System.Runtime.Remoting.Channels.Ipc.IpcPort.Connect(String portName, Boolean secure, TokenImpersonationLevel impersonationLevel, Int32 timeout)
     at System.Runtime.Remoting.Channels.Ipc.ConnectionCache.GetConnection(String portName, Boolean secure, TokenImpersonationLevel level, Int32 timeout)
     at System.Runtime.Remoting.Channels.Ipc.IpcClientTransportSink.ProcessMessage(IMessage msg, ITransportHeaders requestHeaders, Stream requestStream, ITransportHeaders& responseHeaders, Stream& responseStream)
     at System.Runtime.Remoting.Channels.BinaryClientFormatterSink.SyncProcessMessage(IMessage msg)
  Exception rethrown at [0]:
     at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
     at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
     at Microsoft.EnterpriseManagement.Mom.Internal.IConfigService.OnStateSyncRequest(Guid source, UInt64 messageIdentifier, String cookie)
     at Microsoft.Mom.Connectors.Root.RootConnector.OnStateSyncRequest(Guid source, UInt64 messageIdentifier, String cookie)
  =======================================================
  Log Name: Operations Manager
  Source: OpsMgr Management Configuration
  Event ID: 29105
   The management group is not yet fully upgraded. OpsMgr Management Configuration Service will idle until upgrade is completed.
   Operations Manager database version: 1.0.0.0
   Minimum required version: 7.0.0.0

• I have a production mobile Flex app that uses RemoteObject calls for all data access, and it's working well, except for a new remote call I just added that only fails when running with a release build.  The same call works fine when running on the device

  I have a production mobile Flex app that uses RemoteObject calls for all data access, and it's working well, except for a new remote call I just added that only fails when running with a release build. The same call works fine when running on the device (iPhone) using debug build. When running with a release build, the result handler is never called (nor is the fault handler called). Viewing the BlazeDS logs in debug mode, the call is received and send back with data. I've narrowed it down to what seems to be a data size issue.
  I have targeted one specific data call that returns in the String value a string length of 44kb, which fails in the release build (result or fault handler never called), but the result handler is called as expected in debug build. When I do not populate the String value (in server side Java code) on the object (just set it empty string), the result handler is then called, and the object is returned (release build).
  The custom object being returned in the call is a very a simple object, with getters/setters for simple types boolean, int, String, and one org.23c.dom.Document type. This same object type is used on other other RemoteObject calls (different data) and works fine (release and debug builds). I originally was returning as a Document, but, just to make sure this wasn't the problem, changed the value to be returned to a String, just to rule out XML/Dom issues in serialization.
  I don't understand 1) why the release build vs. debug build behavior is different for a RemoteObject call, 2) why the calls work in debug build when sending over a somewhat large (but, not unreasonable) amount of data in a String object, but not in release build.
  I have't tried to find out exactly where the failure point in size is, but, not sure that's even relevant, since 44kb isn't an unreasonable size to expect.
  By turning on the Debug mode in BlazeDS, I can see the object and it's attributes being serialized and everything looks good there. The calls are received and processed appropriately in BlazeDS for both debug and release build testing.
  Anyone have an idea on other things to try to debug/resolve this?
  Platform testing is BlazeDS 4, Flashbuilder 4.7, Websphere 8 server, iPhone (iOS 7.1.2). Tried using multiple Flex SDK's 4.12 to the latest 4.13, with no change in behavior.
  Thanks!

  After a week's worth of debugging, I found the issue.
  The Java type returned from the call was defined as ArrayList.  Changing it to List resolved the problem.
  I'm not sure why ArrayList isn't a valid return type, I've been looking at the Adobe docs, and still can't see why this isn't valid.  And, why it works in Debug mode and not in Release build is even stranger.  Maybe someone can shed some light on the logic here to me.

• How can I disable data access on C1-01 ?

  I have a C1-01, for emergency use only.  Today it displayed an unsolicited "Download Failed", message, and sure enough, my paygo account had been emptied.  How can I prevent all data access, ie attempts to update firmware, internet access, etc?
  TIA, Richard
  Solved!
  Go to Solution.

  easiest way is to contact your network operator and ask them to disable your data plan and all internet access on your device. there are also a few miscellaneous settings in your phone, so you can try deleting access points if they are displayed in the Settings. i would check the phone Settings menu and the Web browser settings for items that you can turn off / disable.

• How to get Current Log in BO user name in data access driver

  In universe, to get the current log in user is via @Variable('BOUSER').
  Right now, I need to be able to get the user name in the data access driver. I am writing a customized data access driver because we need to patch some where clause on the the query generated by the universe based on the logged-in user info. I only think of using end_sql parameter or adding an universe level filter to patch the @Variable('BOUSER') to the query, which would not work if user want to use customized query.
  Can anyone tell me how to get currentBO user name from connection server ? or how @Variable('BOUSER') is translated into the logged-in user name in the universe?

  Shweta,
  The link you provided was the Auditor guide for BO 6.x, I'm not sure it that is going to help Karen or not.
  Karen,
  There is function called connection
  (usage:  =connection([Query Name]), where [Query Name]
  denotes the name of the tab for the query under Edit Query)
  Here is some of the output from connection:
  4;ODBC18;MS SQL Server 2000166; VERSION=7; USER=xxxxx;
  PASSWORD=; DBTYPE=Relational; DATABASE=xxx_xxxx;
  ODBC_USER=xxxxxx; ODBC_PASSWORD=; BO_DSN=xxxx_xxxx;
  BO_DRV_CONNECT_MODE=0; 224; VERSION=6; Name=xxxxx; Shared=4;
  LoginTimeout=600; Timeout=600; Pool Time=60; Array Fetch Size=10;
  Array Bind Size=5; RecommendedLenTransfert=1000; Password_Encryption=x;
  AliasTable=; MeasureDimension=; Hint=; ConnectInit=; ArrayFetch=1;
  I'm not sure if this info helps out either, being that connection provides info on a post-processing basis and it sounds like you need to get out ahead of the SQL generation.  The @variable('bouser') would seem like the place to be, however, in allowing custom SQL to take place you loose the bouser due to an individual could customize the SQL to the point that it gets unwantingly yanked out.  The end_sql might be your answer...
  Thanks,
  John

• How to get current logged-in user name in data access driver or in universe

  In universe, to get the current log in user is via @Variable('BOUSER').
  Right now, I need to be able to get the user name in the data access driver. I am writing a customized data access driver because we need to patch some where clause on the the query generated by the universe based on the logged-in user info. I only think of using end_sql parameter or adding an universe level filter to patch the @Variable('BOUSER') to the query, which would not work if user want to use customized query.
  Can anyone tell me how to get currentBO user name from connection server ? or how @Variable('BOUSER') is translated into the logged-in user name in the universe?

  I do not know your EJB Service. But you should pass the credentials of the current logged on portal user to your service. That's not by default I think.
  I had a similar problem with CAF developed webservices. I had to turn on permission checks in my web service and passed the credentials via logon ticket.
  Regards, Bernd