RBAC question

Hi,
I came across a tutorial which teaches how to grant reboot permission to a user.
At one point, it says to add the following line to the '/etc/security/exec_attr' file:
REBOOT:suser:cmd:::/usr/sbin/reboot:euid=0
I will need to grant access to other commands too later. How do I know what entry I need to add to the /etc/security/exec_attr file? For example, if I want to grant someone access to restart apache, how do I know what entry needs to be added to this file?
Edited by: Bhut on May 29, 2010 3:17 PM

The exec_attr file contains the actual command line commands that you want the user to have elevated access to. In this case the /usr/sbin/reboot command will run as effective user id 0 (root).
It's the same for any other command. Just add it to exec_attr and set the id, eid, gid, or egid that you want the command to run as. The caveat being that command line switches are generally ignored. Write a wrapper script and add the wrapper script to exec_attr.
alan
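
An added example, not part of the original thread: a small Python check that splits an exec_attr line into its seven colon-separated fields (name:policy:type:res1:res2:id:attr) and flags the mistakes discussed above, such as switches placed in the id field or a root-run wrapper script that non-root users can modify. The function names, the APACHE profile and the /opt/example and /usr/local/sbin paths are assumptions made for illustration; the four attribute keys are those exec_attr(4) lists for the suser policy.

```python
import os
import stat
from dataclasses import dataclass

# Attribute keys the "suser" policy accepts, per exec_attr(4).
SUSER_KEYS = {"uid", "euid", "gid", "egid"}


@dataclass
class ExecAttr:
    profile: str
    policy: str
    kind: str
    path: str
    attrs: dict


def parse_entry(line):
    """Split one line of the form name:policy:type:res1:res2:id:attr."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(":")
    if len(parts) != 7:
        raise ValueError(f"expected 7 colon-separated fields, got {len(parts)}")
    name, policy, kind, _res1, _res2, ident, attr = parts
    attrs = {}
    for pair in filter(None, attr.split(";")):
        key, sep, value = pair.partition("=")
        if not sep:
            raise ValueError(f"attribute {pair!r} is not key=value")
        attrs[key.strip()] = value.strip()
    return ExecAttr(name, policy, kind, ident, attrs)


def runs_as_root(entry):
    """True when the command gets a real or effective uid of root."""
    return any(entry.attrs.get(k) in ("0", "root") for k in ("uid", "euid"))


def audit(entry, check_files=True):
    """Return a list of findings for one parsed entry (empty list = clean)."""
    findings = []
    if entry.policy != "suser":
        findings.append(f"policy {entry.policy!r} is not covered by this check")
    elif set(entry.attrs) - SUSER_KEYS:
        extra = ", ".join(sorted(set(entry.attrs) - SUSER_KEYS))
        findings.append(f"attributes not valid for suser: {extra}")
    if entry.kind != "cmd":
        findings.append(f"type is {entry.kind!r}, expected 'cmd'")

    path_ok = True
    if not entry.path.startswith("/"):
        findings.append("id is not an absolute path")
        path_ok = False
    if "*" in entry.path:
        findings.append("wildcard id grants every command it matches")
        path_ok = False
    if any(c.isspace() for c in entry.path):
        findings.append("id contains whitespace: switches cannot be listed "
                        "here, point the id at a wrapper script")
        path_ok = False

    # A file that runs as root must not be replaceable by anyone else.
    if check_files and path_ok and runs_as_root(entry):
        try:
            st = os.stat(entry.path)
        except OSError:
            findings.append("target does not exist on this host")
        else:
            if st.st_uid != 0:
                findings.append("target is not owned by root")
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append("target is writable by group or others")
    return findings


# Constructed sample input: the first line is the one quoted in the question,
# the other two are made-up entries for an Apache restart.
SAMPLE = """\
REBOOT:suser:cmd:::/usr/sbin/reboot:euid=0
APACHE:suser:cmd:::/opt/example/bin/apachectl restart:euid=0
APACHE:suser:cmd:::/usr/local/sbin/apache-restart:euid=0
"""

if __name__ == "__main__":
    for raw in SAMPLE.splitlines():
        entry = parse_entry(raw)
        if entry is None:
            continue
        problems = audit(entry) or ["ok"]
        print(f"{entry.profile:8} {entry.path}")
        for p in problems:
            print(f"         - {p}")
```

Run it on the host that holds the exec_attr file, since the ownership and mode checks look at the local filesystem.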

Similar Messages

  • ISE RBAC question

    When configuring ISE administrator access and leveraging an AD external identity source to authenticate users, is there a way to define an identity source sequence so that if ISE loses connection to AD the user can still authenticate using a secondary method?
    The question is strictly related to RBAC. Thx

    You can't create/use an "identity store sequence" for the admin login. However, you don't really need to. At the login screen you can use the drop down menu and select "AD" or the "Internal Store" and either one would work. 
    Give it a try and let me know if you have any issues.
    Thank you for rating helpful posts!

  • Questions before an internal lab POC (on old underperformant hardware)

    Hello VDI users,
    NB: I initially asked this list of questions to my friends at the
    SunRay-Users mailing list, but then I found this forum as a
    more relevant place.
    It's a bit long and I understand that many questions may have
    already been answered in detail on the forum or VDI wiki. If it's
    not too much a burden - please just reply with a link in this case.
    I'd like this thread to become a reference of sorts to point to our
    management and customers.
    I'm growing an interest to try out a Sun VDI POC in our lab
    with VirtualBox and Sunrays, so I have a number of questions
    popping up. Not all of them are sunray-specific (in fact, most
    are VirtualBox-related), but I humbly hope you won't all flame
    me for that?
    I think I can get most of the answers by experiment, but if
    anyone feels like sharing their experience on these matters
    so I can expect something a priori - you're welcome to do so ;)
    Some questions involve best practices, however. I understand
    that all mileages vary, but perhaps you can warn me (and others)
    about some known-not-working configurations...
    1) VDI core involves a replicated database (such as MySQL)
    for redundant configuration of its working set storage...
    1.1) What is the typical load on this database? Should it
    just be "available", or should it also have a high mark
    in performance?
    For example, we have a number of old Sun Netra servers
    (UltraSPARC-II 450-650MHz) which even have a shared SCSI
    JBOD (Sun StorEdge S1 with up to 3 disks).
    Would these old horses plow the field well? (Some of them
    do run our SRSS/uttsc tasks okay)
    1.2) This idea seems crippled a bit anyway - if the database
    master node goes down, it seems (but I may be wrong) that
    one of the slave DB nodes should be promoted to a master
    status, and then when the master goes up, their statuses
    should be sorted out again.
    Or the master should be made HA in shared-storage cluster.
    (Wonder question) Why didn't they use Sun DSEE or OpenDS
    with built-in multimaster replication instead?
    2) The documentation I've seen refers to a specific version
    of VirtualBox - 2.0.8, as the supported platform for VDI3.
    It was implied that there were specific features in that
    build made for Sun VDI 3 to work with it. Or so I got it.
    2.1) A few versions rolled out since that one, 3.0 is out
    now. Will they work together okay, work but as unsupported
    config, not work at all?
    2.2) If specifically VirtualBox 2.0.8 is to be used, is there
    some secret build available, or the one from Old Versions
    download page will do?
    3) How much a bad idea is it to roll out a POC deployment
    (up to 10 virtual desktop machines) with VirtualBox VMs
    running on the same server which contains their data
    (such as Sun Fire X4500 with snv_114 or newer)?
    3.1) If this is possible at all, and if the VM data is a
    (cloned) ZFS dataset/volume, should a networked protocol
    (iSCSI) be used for VM data access anyway, or is it
    possible (better?) to use local disk access methods?
    3.2) Is it possible to do a POC deployment (forfeiting such
    features as failover, scalability, etc.) on a single
    machine altogether?
    3.3) Is it feasible to extend a single-machine deployment
    to a multiple-machine deployment in the future (that
    is, without reinstalling/reconfiguring from scratch)?
    4) Does VBox RDP server and its VDI interaction with SRSS
    have any specific benefits to native Windows RDP, such
    as responsiveness, bandwidth, features (say, microphone
    input)?
    Am I correct to say that VBox RDP server enables the
    touted 3D acceleration (OpenGL 2.0 and DX8/9), and lets
    connections over RDP to any VM BIOS and OSes, not just
    Windows ones?
    4.1) Does the presence of a graphics accelerator card on
    the VirtualBox server matter for remote use of the VM's
    (such as through a Sun Ray and VDI)?
    4.2) Concerning the microphone input, as the question often
    asked for SRSS+uttsc and replied by RDP protocol limits...
    Is it possible to pass the audio over some virtualized
    device for the virtual machine? Is it (not) implemented
    already? ;)
    5) Are there known DO's and DONT's for VM desktop workloads?
    For example, simply office productivity software users
    and software developers with Java IDEs or ongoing C/C++
    compilations should have different RAM/disk footprints.
    Graphics designers heavy on Adobe Photoshop are another
    breed (which we've seen to crawl miserably in Windows
    RDP regardless of win/mstsc or srss/uttsc clients).
    Can it be predicted that some class of desktops can
    virtualize well and others should remain "physical"?
    NB: I guess this is a double-question - on virtualization
    of remote desktop tasks over X11/RDP/ALP (graphics bound),
    as well as a question on virtualization of whole desktop
    machines (IO/RAM/CPU bound).
    6) Are there any rule-of-thumb values for virtualized
    HDD and networking filesystems (NFS, CIFS) throughput?
    (I've seen the sizing guides on VDI Wiki; anything else
    to consider?)
    For example, the particular users' data (their roaming
    profiles, etc.) should be provisioned off the networked
    storage server, temporary files (browser caches, etc.)
    should only exist in the virtual machine, and home dirs
    with working files may better be served off the network
    share altogether.
    I wonder how well this idea works in real life?
    In particular, how well does a virtualized networked
    or "local" homedir work for typical software compile
    tasks (r/w access to many small files)?
    7) I'm also interested in the scenario of VMs spawned
    from "golden image" and destroyed after logout and/or
    manually (i.e. after "golden image"'s update/patching).
    It would be interesting to enable the cloned machine
    to get an individual hostname, join the Windows domain
    (if applicable), promote the user's login to the VM's
    local Administrators group or assign RBAC profiles or
    sudoer permissions, perhaps download the user's domain
    roaming profile - all prior to the first login on this
    VM...
    Is there a way to pass some specific parameters to the
    VM cloning method (i.e. the user's login name, machine's
    hostname and VM's OS)?
    If not, perhaps there are some best-practice suggestions
    on similar provisioning of cloned hosts during first boot
    (this problem is not as new as VDI, anyways)?
    8) How great is the overhead (quantitative or subjective)
    of VM desktops overall (if more specific than values in
    sizing guide on Wiki)? I've already asked on HDD/networking
    above. Other aspects involve:
    How much more RAM does a VM-executing process typically
    use than is configured for the VM? In the JavaOne demo
    webinar screenshots I think I've seen a Windows 7 host
    with 512Mb RAM, and a VM process sized about 575Mb.
    The Wiki suggests 1.2 times more. Is this a typical value?
    Are there "hidden costs" in other VBox processes?
    How efficiently is the CPU emulated/provided (if the VBox
    host has the relevant VT-x extensions), especially for
    such CPU-intensive tasks as compilation?
    *) Question from our bookkeeping team:
    Does creating such a POC lab and testing it in office's
    daily work (placing some employees or guests in front of
    virtual desktops instead of real computers or SR Solaris
    desktops) violate some licenses for Sun VDI, VirtualBox,
    Sun Rays, Sun SGD, Solaris, etc? (The SRSS and SSGD are
    licensed; Solaris is, I guess, licensed by the download
    form asking for how many hosts we have).
    Since all of the products involved (sans SGD) don't need
    a proof of license to install and run, and they can be
    downloaded somewhat freely (after quickly clicking thru
    the tomes of license agreements), it's hard for a mere
    admin to reply such questions ;)
    If there are some limits (# of users, connections, VMs,
    CPUs, days of use, whatever) which differentiate a legal
    deployment for demo (or even legal for day-to-day work)
    from a pirated abuse - please let me know.
    //Jim
    Edited by: JimKlimov on Jul 7, 2009 10:59 AM
    Added licensing question

  • Some questions on 310-015

    hi can any1 pls ans these questions
    22. Which two statements about the functionality of the syslogd daemon are true? (Choose two)
    A. Error messages can only be logged locally in a system log.
    B. The kernel, daemons, and syslogd each write directly to a system log.
    C. Syslogd can write messages to the console as well as to a system log.
    D. The logger command communicates with syslogd which then logs the message
    according to its configuration file.
    given ans b,c
    my Answer: C,D pls confirm
    q 23 after modifying the profile file on jumpstart server what is the quickest way to check the behaviour of the modified profile file?
    a. run the check script
    b. run the pfinstall command
    c. run add_install_client command
    d. run modify_install_server command
    answer given option b
    my ans a pls confirm as i dont know what pfinstall means
    q 32 which files do RBAC uses ?
    a./etc/user_attr
    b. /etc/exec_attr
    c./etc/prof_attr
    d./etc/security/user_attr
    e./etc/security/exec_attr
    f./etc/security/prof_attr
    given ans is option a,e,f
    and b,e,f
    which is correct
    q 55 what is the max number of DNS servers that can b specified on clients configuration file?
    a.2
    b.3
    c.4
    d.5
    given ans b-3
    how is this i havent read this in the material sa299
    q 66
    u have two 50mb ufs filesystems one located on a single disk other on RAID 1 mirror. both are full. RAID uses round robin read policy, statistically
    what is true about RAID 1 mirror when reading data?
    a.mirror is faster
    b.mirror is slower
    c.round robin read policy is not allowed
    d.mirror and single disk exhibit the same performance
    answer is a
    my answer is b but mayb i m wrong pls help
    q 67
    u are using nis+ u want a solution with equivalent scalability that will support a more heterogeneous environment what action provides the solution
    a.use nis
    b.use nfs
    c.use dns
    d.use ldap
    answer given d-ldap
    how is this ?
    q71. Which two must you complete when configuring an NIS slave server? (Choose two)
    A. You execute the domainname command to set the local NIS domain.
    B. You edit the /etc/inet/hosts file to include the NIS master server and NIS slave
    servers.
    C. You edit the slave server copies of the /etc/ethers file to identify MAC addresses of the
    NIS clients.
    D. You execute the ypbind command on the slave server to pull the NIS maps from the master
    server to the slave server.
    Answer: A, C is given
    my answer a.,b pls confirm
    90. You believe that you have a correctly configured boot server on the local network for the
    JumpStart client you are currently attempting to install. Jumpstart configuration is based on
    files only and does not use a naming service at any stage.
    Upon running the command:
    boot net - install
    The client repeatedly displays the message:
    Timeout waiting for ARP/RARP packet
    What are two possible causes for this? (Choose two)
    A. The in.rarpd daemon is not running on the boot server.
    B. The sysidcfg file for the client is missing an ether entry.
    C. The client does not exist in the rules.ok file on the boot server.
    D. The /etc/ethers file on the boot server does not have an entry for the client.
    E. The /etc/bootparams file on the boot server has duplicate entries for the client.
    answer given is a,e
    my answer is a,d
    102. You work as a network administrator for Certkiller .com. Given the line from the name service
    configuration file:
    hosts: nis [UNAVAIL=return] files
    Which two statements correctly describe the behavior of the name server switch? Choose two
    A. If NIS does NOT find the appropriate entry in the ethers map, the attempt to locate would be abandoned without looking at the local files.
    B. If NIS does NOT respond, the attempt to locate would be abandoned without looking at the local files
    C. If NIS does NOT find the entry in the appropriate entry in the ethers map, the attempt to locate the host's address would be continued within
    the local file (/etc/inet/hosts).
    D. If NIS server does NOT respond, the search for the ethers entry would be continued by searching for it in the local file (/etc/inet/hosts).
    Answer: a.b is the given answer
    my answer is b,c
    similar question
    156. You work as a network administrator for Certkiller .com. Given the line from the name service
    configuration file:
    hosts: nis [NOTFOUND=return] files
    Which two statements correctly describe the behavior of the name server switch? Choose two
    A. If NIS were unavailable, the attempt to locate a host's IP address would be abandoned.
    B. If NIS were available but a host IP address was not in the NIS map, the attempt to locate the
    host's address would be abandoned.
    C. If NIS were unavailable, the attempt to locate the host's address would be continued within
    the local file (/etc/inet/hosts).
    D. If NIS were available but a host IP address was not in the NIS tables, the attempt to locate the
    host's address would be continued by searching for it in the local file (/etc/inet/hosts).
    Answer: a,b
    my answer b,c
    110. Which two are functions of an NFS client? (Choose two)
    A. Runs the nfsd daemon.
    B. Makes resources available over the network.
    C. Mounts remote resources across the network.
    D. Is configured using the /etc/dfs/dfstab file.
    E. Mounts a remote resource and uses it as though it were local.
    Answer given a,e
    my answer c,e
    114. You work as a network administrator for Certkiller .com. You have a system used for
    application development. The process app-rev23 owned by user epiphylla terminates
    abnormally.
    Which two effects can the root user configure? (Choose two)
    A. The process app-rev23 produces no core file at all.
    B. The process app-rev23 produces a core file without the string "core" appearing
    anywhere within the file name.
    C. The process app-rev23 produces a global core file readable by any user in a global
    /var/corefiles directory.
    D. The process app-rev23 produces a total of three core files, one in the current directory of
    the process, one in epiphylla's home directory, and one in a global /var/corefiles
    directory.
    Answer GIVEN : B, C
    my answer i dont know but i read this ans as B,D in this forum how is it
    q117 one benefit of adjusting the automount behavior thru the use of the automount command ?
    a. it allows the server to manage the client automountd daemon
    b. it allows close sync between server and client
    c. it is possible for the automountd daemon to stop without affecting client automounting
    d. it is NOT always necessary to stop and restart the daemon after changes to the AUTOFS map
    given ans b
    my answer confused over c and d both seem right
    155. Your boss at Certkiller .com is curious about Sun Solaris 9. Which two software configurations
    clusters, selected during the installation procedure for the Solaris 9 Operating Environment,
    contain all the files in /usr/lib/netsvc/yp needed to allow a host to function as an NIS server?
    Select two
    A. Core Solaris Software Group
    B. Entire Solaris Software Group
    C. End User Solaris Software Group
    D. Developer Solaris Software Group
    E. Entire Solaris Software Group Plus OEM
    Answer: B, C
    my answer is B,E got it in this forum seems right but donno pls confirm
    q 158 what name can b given to the direct automount map
    a.can be called anything
    b.can only be called auto.direct
    c.can only be called auto_direct
    d.can only be called auto_master
    e.can only be called anything as long as it is preceded by auto_.
    answer given a
    pls explain
    171. your boss at certkiller.com is curious about sun solaris9. which three naming services that can
    be used to provide identification services to jumpstart clients?
    A. NIS
    B. AFS
    C. DNS
    D. NIS+
    E. WINS
    F. LDAP
    Answer: A, B,C is the given ans
    A,D,F is the answer given in this forum
    i know NIS,NIS+ for sure but why not DNS it can also be used so i am confused
    q175
    what information is passed by TFTP as part of the client boot sequence during jumpstart?
    a.client host name
    b.client (/) root file system
    c.client network boot image
    d.jumpstart config files
    given ans c
    pls confirm
    q 189
    which 3 processs & daemons are executed by the /usr/lib/netsvc/yp/ypstart script on the NIS master
    a.ypcat
    b.ypbind
    c.ypinit
    d.ypserv
    e.ypxfrd
    f.yprefont
    given ans a,d,e
    my ans b,d,e
    191. When you build NIS maps using the make command without any arguments, which three steps
    are necessary? (Choose three)
    A. You edit the source files with the necessary modifications.
    B. You execute a ypbind on the NIS master to bind it to itself.
    C. You change directory to the directory containing the Makefile.
    D. You edit the Makefile to point to the correct source file directory.
    E. You copy the source files into the directory where the Makefile is located.
    given answer A,B,C
    Answer: A, C, D given in the forum
    sorry if there are any typing errors i couldnt cut and paste from the pdf can any1 tell how to do it
    but pls give ur answers i need them have exam next week
    thanku

    hi can any1 pls ans these questions
    22. Which two statements about the functionality of the syslogd daemon are true? (Choose two)
    A. Error messages can only be logged locally in a system log.
    B. The kernel, daemons, and syslogd each write directly to a system log.
    C. Syslogd can write messages to the console as well as to a system log.
    D. The logger command communicates with syslogd which then logs the message
    according to its configuration file.
    given ans b,c
    my Answer: C,D pls confirm
    q 23 after modifying the profile file on jumpstart server what is the quickest way to check the behaviour of the modified profile file?
    a. run the check script
    b.run the pfinstall command
    c.run add_install_client commnd
    d. run modify_install_server commnd
    answer given option b
    my ans a pls confirm as i dont know what pfinstall means
    q 32 which files do RBAC uses ?
    a./etc/user_attr
    b. /etc/exec_attr
    c./etc/prof_attr
    d./etc/security/user_attr
    e./etc/security/exec_attr
    f./etc/security/prof_attr
    given ans is option a,e,f
    and b,e,f
    which is correct
    q 55 what is the max number of DNS servers that can b specified on clients configuration file?
    a.2
    b.3
    c.4
    d.5
    given ans b-3
    how is this i havent read this in the material sa299
    q 66
    u have two 50mb ufs filesysytems one located on a single disk other on RAID 1 mirror . both are full . RAID uses round robin read policy , statistically
    waht is true about RAID 1 mirror when reading data?
    a.mirror is faster
    b.mirror is slower
    c.round robin read policy is not allowed
    d.mirror and single disk exhibit the same performance
    answer is a
    my answer is b but mayb i m wrong pls help
    q 67
    u are using nis+ u want a solution with equivalent scalibility that will support a more hetrogenous environment what action provides the solution
    a.use nis
    b.use nfs
    c.use dns
    d.use ldap
    answer given d-ldap
    how is this ?
    q71. Which two must you complete when configuring an NIS slave server? (Choose two)
    A. You execute the domainname command to set the local NIS domain.
    B. You edit the /etc/inet/hosts file to include the NIS master server and NIS slave
    servers.
    C. You edit the slave server copies of the /etc/ethers file to identify MAC addresses of the
    NIS clients.
    D. You execute the ypbind command on the slave server to pull the NIS maps from the master
    server to the slave server.
    Answer: A, C is given
    my answer a.,b pls confirm
    90. You believe that you have a correctly configured boot server on the local network for the
    JumpStart client you are currently attempting to install. Jumpstart configuration is based on
    files only and does not use a naming service at any stage.
    Upon running the command:
    boot net � install
    The client repeatedly displays the message:
    Timeout waiting for ARP/RARP packet
    What are two possible causes for this? (Choose two)
    A. The in.rarpd daemon is not running on the boot server.
    B. The sysidcfg file for the client is missing an ether entry.
    C. The client does not exist in the rules.ok file on the boot server.
    D. The /etc/ethers file on the boot server does not have an entry for the client.
    E. The /etc/bootparams file on the boot server has duplicate entries for the client.
    answer given is a,e
    my answer is a,d
    102. You work as a network administrator for Certkiller .com. Given the line from the name service
    configuration file:
    hosts: nis [UNAVAIL=return] files
    Which two statements correctly describe the behavior of the name server switch? Choose two
    A. If NIS does NOT find the appropriate entry in the ethers map, the attempt to locate would be abandoned without looking at the local files.
    B. If NIS does NOT respond, the attempt to locate would be abandoned without looking at the local files.
    C. If NIS does NOT find the appropriate entry in the ethers map, the attempt to locate the host's address would be continued within
    the local file (/etc/inet/hosts).
    D. If the NIS server does NOT respond, the search for the ethers entry would be continued by searching for it in the local file (/etc/inet/hosts).
    Answer: a.b is the given answer
    my answer is b,c
    similar question
    156. You work as a network administrator for Certkiller .com. Given the line from the name service
    configuration file:
    hosts: nis [NOTFOUND=return] files
    Which two statements correctly describe the behavior of the name server switch? Choose two
    A. If NIS were unavailable, the attempt to locate a host's IP address would be abandoned.
    B. If NIS were available but a host IP address was not in the NIS map, the attempt to locate the
    host's address would be abandoned.
    C. If NIS were unavailable, the attempt to locate the host's address would be continued within
    the local file (/etc/inet/hosts).
    D. If NIS were available but a host IP address was not in the NIS tables, the attempt to locate the
    host's address would be continued by searching for it in the local file (/etc/inet/hosts).
    Answer: a,b
    my answer b,c
    110. Which two are functions of an NFS client? (Choose two)
    A. Runs the nfsd daemon.
    B. Makes resources available over the network.
    C. Mounts remote resources across the network.
    D. Is configured using the /etc/dfs/dfstab file.
    E. Mounts a remote resource and uses it as though it were local.
    Answer given a,e
    my answer c,e
    114. You work as a network administrator for Certkiller .com. You have a system used for
    application development. The process app-rev23 owned by user epiphylla terminates
    abnormally.
    Which two effects can the root user configure? (Choose two)
    A. The process app-rev23 produces no core file at all.
    B. The process app-rev23 produces a core file without the string "core" appearing
    anywhere within the file name.
    C. The process app-rev23 produces a global core file readable by any user in a global
    /var/corefiles directory.
    D. The process app-rev23 produces a total of three core files, one in the current directory of
    the process, one in epiphylla's home directory, and one in a global /var/corefiles
    directory.
    Answer GIVEN : B, C
    my answer i dont know but i read this ans as B,D in this forum how is it
    q117 one benefit of adjusting the automount behavior thru the use of the automount command ?
    a.it allows the server to manage the client automountd daemon
    b.it allows close sync between server and client
    c.it is possible for the automountd daemon to stop without affecting client automounting
    d.it is NOT always necessary to stop and restart the daemon after changes to the AUTOFS map
    given ans b
    my answer confused over c and d both seem right
    155. Your boss at Certkiller .com is curious about Sun Solaris 9. Which two software configurations
    clusters, selected during the installation procedure for the Solaris 9 Operating Environment,
    contain all the files in /usr/lib/netsvc/yp needed to allow a host to function as an NIS server?
    Select two
    A. Core Solaris Software Group
    B. Entire Solaris Software Group
    C. End User Solaris Software Group
    D. Developer Solaris Software Group
    E. Entire Solaris Software Group Plus OEM
    Answer: B, C
    my answer is B,E got it in this forum seems right but donno pls confirm
    q 158 what name can be given to the direct automount map
    a.can be called anything
    b.can only be called auto.direct
    c.can only be called auto_direct
    d.can only be called auto_master
    e.can only be called anything as long as it is preceded by auto_.
    answer given a
    pls explain
    171. your boss at certkiller.com is curious about sun solaris9. which three naming services that can
    be used to provide identification services to jumpstart clients?
    A. NIS
    B. AFS
    C. DNS
    D. NIS+
    E. WINS
    F. LDAP
    Answer: A, B,C is the given ans
    A,D,F is the answer given in this forum
    i know NIS,NIS+ for sure but why not DNS it can also be used so i am confused
    q175
    what information is passed by TFTP as part of the client boot sequence during jumpstart?
    a.client host name
    b.client (/) root file system
    c.client network boot image
    d.jumpstart config files
    given ans c
    pls confirm
    q 189
    which 3 processes & daemons are executed by the /usr/lib/netsvc/yp/ypstart script on the NIS master
    a.ypcat
    b.ypbind
    c.ypinit
    d.ypserv
    e.ypxfrd
    f.yprefont
    given ans a,d,e
    my ans b,d,e
    191. When you build NIS maps using the make command without any arguments, which three steps
    are necessary? (Choose three)
    A. You edit the source files with the necessary modifications.
    B. You execute a ypbind on the NIS master to bind it to itself.
    C. You change directory to the directory containing the Makefile.
    D. You edit the Makefile to point to the correct source file directory.
    E. You copy the source files into the directory where the Makefile is located.
    given answer A,B,C
    Answer: A, C, D given in the forum
    sorry if there are any typing errors i couldn't cut and paste from the pdf can any1 tell how to do it
    but pls give ur answers i need them have exam next week
    thanku

  • RBAC and zlogin, zpool, zfs commands - doesn't work

    Question about RBAC and the zlogin, zpool, and zfs commands. If you go into SMC and look at the rights being assigned to a user, on the left side you have a long list of commands that are denied to the user. Not listed in /usr/bin or /usr/sbin are the zpool and zfs commands. I can assign a user a very limited set of commands, and ones that remain in the left column (such as lustatus or format, for example) remain forbidden and cannot be used. However, commands like zfs create will still work, even though explicitly not granted through RBAC. There is a link in /usr/sbin for zfs to /sbin, and I added the /sbin directory to the list of commands denied, but with the link in place, the command still works for the user. When I logout of the session then go back into SMC after logging back in, the /sbin directory I added is gone again and the commands still work. I tried creating a new right but the same thing happens. Similar things happen with commands located in /usr/ucb which are all allowable since they cannot be explicitly denied. How to deal with this situation?
    thanks
    mc

    If zfs believes there is an active pool using the disk, then even the -f flag will not work. What is the output of 'zpool status'? If it shows disk11 as a hot spare, and you don't want it as a hot spare, then use 'zpool remove'. Note that 'remove' will only work if it is in AVAIL state and not INUSE state.

  • Exchange 2007/2010 Console doesn't show up Exchange 2007 Databases after RBAC Implementation

    I have implemented a RBAC model after which Exchange 2010/2007 Console won't show up Exchange 2007 Mailbox Databases.
    Everything was working fine up until the Users were members of "Exchange Recipient Administrators" Group.
    I have created Custom Roles based on Parent Roles, Mail Recipients, Mail Recipient Creation, Distribution Groups & Public Folders and assigned that to a universal security group "Helpdesk operations". I removed membership for Helpdesk operations
    from "Exchange Recipient Administrators" Group and assigned the Custom Roles to "Helpdesk Operations" using the cmdlet below:
    New-ManagementRoleAssignment "Custom Role" -SecurityGroup "HelpDesk Operations"
    Exchange 2010 console shows Exchange 2010 Databases but not Exchange 2007 Databases. Exchange 2007 console doesn't show up any databases on New-Mailbox and simply displays a message "No Objects Found".
    Even Get-MailboxDatabase returns blank output on Exchange 2007 Shell. Please help me with this and let me know in case there is something that I need to be looking at!
    any help on this is much appreciated.
    M.P.K

    Hi,
    I recommend you use the following cmdlet and check the result.
    Get-MailboxDatabase -Server "Exchange 2007 server name"
    In my environment, if I don't specify the Server parameter on Exchange 2010 Management Shell, Exchange 2007 mailbox database can't be displayed. If I specify the Server parameter, Exchange 2007 mailbox database will be displayed.
    What's more, please check if the account you use has been delegated the Exchange View-Only Administrator role.
    Here is a thread for your reference.
    Get-MailboxDatabase
    http://technet.microsoft.com/en-us/library/bb676367(v=exchg.80).aspx
    Hope it helps.
    Best regards,
    Amy
    Amy Wang
    TechNet Community Support

  • Questions in setting up Security group policies for Lync 2013 Users

    Hi Team,
    One of our customers is looking for the below requirements:
    - Being able to split users in to groups. Would like to be able to split in to Departmental groups, the groups will be Service Delivery, Finance, Business Development, Clinical Services, Radiologists, SLA Team, Call Handlers.
    - Being able to control which users are able to contact or see other users. For example Limit Radiologists to only be able to see Service Delivery and Call Handlers
    We know that RBAC policies can be used by Administrator or Technicians who works remotely. However, a user sitting at a server running Lync Server is not restricted by RBAC.
    Question:
    Is there a way we can fulfill the above customer requirements in Lync 2013 environment?

    Hi,
    On Lync Server side, what you can do is to change the AD attribute msRTCSIP-GroupingID. You can set different value for different groups. Then each group will not be able to search the users in other groups with user name. However, they can still search the
    users in other groups with the sip address.
    More details:
    http://blogs.msdn.com/b/jcalev/archive/2012/06/07/partitioning-lync-address-book-using-msrtcsip-groupingid.aspx
    Best Regards,
    Eason Huang
    TechNet Community Support

  • Need Help: Identifying RBAC Job Roles

    Hi,
    My company has developed a solution that helps the deployment of RBAC in Enterprise User Administration systems, i.e., the kind of software that would allow you to centrally control, and automate the provisioning of privileges to users across the enterprise.
    The solution essentially reverse engineers the existing (legacy) privileges, identifying groups of users that have a common subset of privileges. These become role candidates, which are then refined and edited using another set of tools. It is a breakthrough in this area because otherwise it is intractable (or at least prohibitively expensive) to identify what the roles should be. (if the roles were not defined to begin with, then the only alternative is really to re-engineer IT privileges across the organization).
    My question is whether a variation on this software can be useful for deployments of (1) Directories; (2) Portals; (3) ID Mgmt, etc.? If so, how would you envision this working?
    Thanks so much,
    Dr. Ron Rymon
    Eurekify Ltd.
    http://www.eurekify.com

    Hi,
    You can view the OCS accounts for each Server with the following steps:
    Open the Office Communications Server 2007 R2 snap-in.
    In the console tree, expand the forest node, and then navigate to the Standard Edition server or Enterprise pool.
    Expand the pool name for the Enterprise pool or the Standard Edition server, and then expand Users.
    If you want to migrate from OCS 2007 R2 to Lync Server 2013, you can refer to the link below:
    http://technet.microsoft.com/en-us/library/jj205375.aspx
    Best Regards,
    Eason Huang
    TechNet Community Support

  • Sun Identity Compliance Manager Questions

    Hi Everyone,
    We are looking for a complete list of supported managed resources for the Sun Identity Compliance Manager (SICM) tool.
    Also we have the following specific questions:
    1.     Does SICM have connectors/adapters to Solaris 8/9/10 and Oracle EBS (as managed resources) to perform access certification of user accounts and associated entitlements/privileges/roles.
    For example: Can SICM be used to analyze/report on the status of current and newly provisioned Solaris unix-level accounts and associated RBAC roles (say) -or- Oracle EBS accounts and associated roles /responsibilities to identify if they have been certified or have any SOD conflicts?
    2.     Can SICM be implemented as a fully functional stand-alone product as opposed to it being integrated with Sun Identity Manager (SIM) ?
    3.     In a scenario where SIM and SICM are integrated, can SIM do a hand-off to SICM for SOD analysis and checking as part of it account provisioning workflows?
    Any insight and/or pointers will be greatly appreciated!
    Thanks in advance and please let me know if there is a more relevant forum to post this question.
    -TS

    I have resolved the problem; the problem is because of the idmmanager attribute. In onsite they are using some other idm 6.0 with some patch, so they are getting the idm manager attribute, but in offshore we don't have any patch installed for getting the idm manager attribute. Do you have any idea about how to get the idm manager attribute in the idm 6.0 with some patch? Thanks for your help ya.

  • Configuring our RAC environment Questions

    The environment consists of Sun Solaris 10, Veritas, and 10g RAC:
    Questions:
    I need to know the settings and configuration of the entire software stack that will be the foundation of the oracle RAC environment....Network configurations, settings and requirements for any networks including the rac network between servers
    How to set up the solaris 10k structures: what goes into the global zones, the containers, the resource groups, RBAC roles, SMF configuration, schedulers?
    Can we use zfs, and if so, what configuration, and what settings?
    In addition, these questions I need answers to:
    What I am looking for is:
    -- special hardware configuration issues, in particular the server rac interconnect. Do we need a hub, switch or crossover cables configured how.
    -- Operating System versions and configuration. If it is Solaris 10, then there are more specific requirements: how to handle smf, containers, kernel settings, IPMP, NTP, RBAC, SSH, etc.
    -- Disk layout on SAN, including a design for growth several years out: what are the file systems with the most contention, most use, command tag depth issues etc. (can send my questionnaire)
    -- Configuration settings\ best practices for Foundation suite for RAC and Volume manager
    -- How to test and Tune the Foundation suite settings for thru-put optimization. I can provide stats from the server and the san, but how do we coordinate that with the database.
    -- How to test RAC failover -- what items will be monitored for failover that need to be considered from the server perspective.
    -- How to test data guard failures and failover -- does system administration have to be prepared to help out at all?
    -- How to configure Netbackup --- backups

    Answering all these questions accurately and correctly for your implementation might be a bit much for a forum posting.
    First I'd recommend accessing the Oracle documentation on otn.oracle.com. This should get you the basics about what is supported for the environment you're looking to set up, and go a long way to answering your detailed questions.
    Then I'd break this down into smaller sets of specific questions and try and get the RAC axters on the RAC forum to help out.
    See: Community Discussion Forums » Grid Computing » Real Application Clusters
    Finally Oracle Support via Metalink should be able to fill in any gaps in the documentation.
    Good luck on your project,
    Tony

  • RBAC (Roles Based Access Control) "Broken" in WCS

    In my opinion, RBAC in WCS is broken. They have taken a good concept and implemented it wrong. The way it is currently working is as follows. Roles are defined in WCS. In ACS (or whatever Radius server you want to use), you have to first set up a new "Service" in the TACACS "Interface" configuration called "Wireless-WCS". All this is good. In WCS you then have to go to the "role" or Group that you want, click on task list and it will give you both a TACACs and Radius output that you have to take and then paste into the "Wireless-WCS" custom attribute box in ACS. An example for "SuperUser" role would be a list like below, note the real list is 48 different "tasks", I shortened it here.
    role0=SuperUsers
    task0=Users and Groups
    task46=Auto Provisioning
    task47=Voice Audit Report
    Here is the problem. Why, if you have the role defined in WCS, do you have to repeat its definition in ACS? Why can't you simply pass the first line ("role0=SuperUsers") and have it use the defined role in WCS? This just seems silly. They changed the role of the "SuperUser" in the new 5.0 code too, which means if you assigned these at the user level, you would have to potentially go update a ton of User accounts in ACS so people would have access to their appropriate roles.
    The last time I complained I was told that the reason for it was "The reason it had to be done that way is b/c WCS is not IOS based and the code dictates that it must be done that way.". Seems like a silly reason for not doing things in a good way...
    Just letting everyone know so they can complain when they come across it. Maybe with enough complaints they'll fix it.. 8-)

    Hi,
    I believe all your questions are answered in "System Administrator's Guide - Security" manual.
    Applications Releases 11i and 12
    http://www.oracle.com/technology/documentation/applications.html
    You may also review this document.
    Note: 753979.1 - E-Business Suite Diagnostics RBAC Basics
    https://metalink2.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=753979.1
    Regards,
    Hussein

  • Trying to make sense on how and if RBAC and MOAC could work together

    Hi All,
    We upgraded from 11.5.9 to R12.1.1 in Nov-2009.
    Since the time we have upgraded to R12, we are trying to make sense as to how and if RBAC and MOAC could work together.
    The use case is as below:
    *11i Days*
    US Accountant - accesses ‘AR superuser US’
    Canada Accountant - accesses ‘AR superuser Canada’
    France Accountant - accesses ‘AR superuser France’
    Spain Accountant - accesses ‘AR superuser Spain’
    North America Financial controller - Switches between 'AR superuser US' and 'AR superuser Canada'
    European Financial controller - Switches between 'AR superuser France' and 'AR superuser Spain'
    CFO - Switches amongst 'AR superuser US','AR superuser Canada', 'AR superuser France' and 'AR superuser Spain'
    Now in R12- (Wow there is MOAC!)
    US Accountant - accesses ‘AR superuser US’
    Canada Accountant - accesses ‘AR superuser Canada’
    France Accountant - accesses ‘AR superuser France’
    Spain Accountant - accesses ‘AR superuser Spain’
    North America Financial controller - accesses 'AR superuser North America'
    European Financial controller - accesses 'AR superuser Europe'
    CFO - accesses 'AR superuser Global'
    With R12 now there are 3 additional responsibilities.
    We have (like most of the other EBS customers) custom responsibilities and so there is maintenance.
    More the responsibilities more the maintenance...More the SOD issues.
    To prevent creating new responsibilities, we could use the ‘MO: Security Profile’ at the user level BUT that would mean that now these users would have access to multiple OUs for all the responsibilities...that is not good.
    What-If: There is only 1 responsibility 'AR SuperUser' and somehow using RBAC, roles are created and assigned to users so that they only have access to specific OUs.
    Apparently, MOAC works based on MO:Security Profile that is something that RBAC cannot control.
    Am I missing something...RBAC seems to be no good?
    In PROD(R12.1.1)- We are expecting that we would end up creating 100+ new responsibilities since we have many shared services users and they all want to benefit from MOAC...Appreciate, if you could please help us understand how we can prevent these 100+ new responsibilities from getting created?
    Thanks
    Rahul Gupta

    Hi Rahul,
    your question is quite interesting. I did a lot in the area of RBAC to understand the background.
    RBAC mainly allows you to
    - group responsibilities
    - build hierarchies
    - manage low level data access (via VPD)
    - Grant permissions (new with R12)
    Unfortunately you can't control profile options via RBAC. Therefore, the MO:Sec Profile has to stay on responsibility level. I was playing with the alternative to put this profile option on user level, but also in this case the number of maintenance steps will stay the same.
    I would like to share a document with you, what's your email (or search my name in linkedin)?
    kr
    Volker Eckardt

  • Emulating RBAC using FIM Service and Portal

    Hi!
    I am trying to create a simple RBAC using standard objects of FIM Service. So I am associating type "Set" with role, expanding it with multivalue reference attribute "ListOfPermissions". I want to achieve the next behavior: when user dynamically
    join to the set the MPR is executing custom workflow that adds this user to the members of according permission object. Rather simple, BUT is there a way not to specify MPR for every set manually, but specify it once with next logic for example: when someone
    join to any set with IsRole flag set to 1 the MPR is executed and etc... as described above? The straight-line methods have not yielded results.
    Need any help, thanks in advance!

    is there a way (...) to specify it once with next logic for example: when someone join to any set with IsRole flag set to 1 the MPR is executed and etc... as described above?
    Yes, there is - you have to create a Set that has members of other sets inside it. Let's say "Master Set". So you can create MPR that runs a MasterWorkflow after entering Master Set.
    But here is some tricky part - if you have multiple sets with IsRole flag and each set gives different roles assignment, in workflow you have to check where user belongs (to which set) and based on that calculate his membership.
    So I am not really sure if it would be easier. Even if it would look cleaner in FIM Portal, it would be harder to check what went wrong in case of any failure. And it would be harder to add new roles/sets as you would have to rebuild such workflow.

  • Minimal RBAC Permission for Connecting a mailbox

    Proper permissions play an important role in Exchange administration. One of my customers came across an issue on permission. He would like to know the minimal permission when connecting to a mailbox.
    1. If you just want administrators to connect mailbox through PowerShell, follow the steps below.
    a. Create new management role.
    New-ManagementRole -Name "connect-mailbox test1" -Parent "Mail Recipients"
    From the picture below, we can see, there are too many role entries about this management role.
    b. Use the following cmdlet to remove other role entries except the connect-mailbox role entry.
    Get-ManagementRoleEntry "connect-mailbox test1\*" | Where {$_.name -ne "Connect-Mailbox"} | Remove-ManagementRoleEntry
    c. Then you can use the following cmdlet to check the result.
    d. New role group
    e. Add the user you want to grant this connect-mailbox permission to this role group through EAC.
    f. Here is result when I logon to connect the mailbox.
    Note: Using the above permission, you only can connect mailbox using PowerShell.
    2. If you want to connect mailbox via EAC, you need more permissions:
    Get-user, Get-recipient, Get-mailbox and Get-MailboxStatistics role entries in the View-Only Recipients role; Get-MailboxServer role entry in the View-only Configuration role; Connect-Mailbox role entry in the
    Mail recipients role. Here are the detailed steps to assign it.
    a. Create New Management Role named View-Only Recipients test.
    New-ManagementRole -Name "View-Only Recipients test" -Parent "View-Only Recipients"
    b. Also, there are too many role entries of the View-Only Recipients role. Here are some of these role entries.
    c. Remove other entries except the Get-Mailbox role entry.
    Get-ManagementRoleEntry "View-Only Recipients test\*" | Where {$_.name -ne "Get-Mailbox"} | Remove-ManagementRoleEntry
    d. Add Get-User, Get-recipient, Get-Mailboxstatistics role entries to this role.
    Add-ManagementRoleEntry "View-Only Recipients test\Get-User"
    Add-ManagementRoleEntry "View-Only Recipients test\Get-recipient"
    Add-ManagementRoleEntry "View-Only Recipients test\Get-Mailboxstatistics"
    e. All the role entries of View-Only Recipients test role are listed here.
    f. Create a new management role named View-Only Configuration test.
    New-ManagementRole -Name "View-Only Configuration test" -Parent "View-Only Configuration"
    g. Remove all but one Get-MailboxServer role entry from the role.
    Get-ManagementRoleEntry "View-Only Configuration test\*" | Where {$_.name -ne "Get-MailboxServer"} | Remove-ManagementRoleEntry
    h. New Role Group named connect mailbox via EAC.
    New-RoleGroup -Name "connect mailbox via EAC"
    i. Add the above three custom role to this role group, and then add amy01 as the member of the connect mailbox via EAC role group.
    j. Logon to EAC to connect mailbox.
    References:
    http://social.technet.microsoft.com/Forums/office/en-US/0518655e-7d88-4260-9d93-81261785fe3e/rbac-role-needed-for-connectmailbox-cmdlet?forum=exchangesvradmin
    http://blogs.technet.com/b/agobbi/archive/2009/12/11/understanding-and-implementing-rbac.aspx
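Part 1 of the procedure above as one script, including the verification and role-group steps whose commands did not survive on the page. This is an added example, not code from the original post; the role group name is hypothetical, and amy01 is the account used in part 2 of the post.

```powershell
# Added example: run in the Exchange Management Shell as an account that
# holds the Role Management role.
$roleName  = 'connect-mailbox test1'       # role name from step 1a
$groupName = 'connect mailbox via shell'   # hypothetical role group name
$member    = 'amy01'                       # account taken from part 2 of the post
$allowed   = @('Connect-Mailbox')          # the only entry the role should keep

# a. Create the child role. It starts with every entry of its parent.
if (-not (Get-ManagementRole -Identity $roleName -ErrorAction SilentlyContinue)) {
    New-ManagementRole -Name $roleName -Parent 'Mail Recipients' | Out-Null
}

# b. Remove every entry that is not on the allow list.
Get-ManagementRoleEntry "$roleName\*" |
    Where-Object { $allowed -notcontains $_.Name } |
    Remove-ManagementRoleEntry -Confirm:$false

# c. Verify: the role must hold exactly the allow list, nothing more or less.
$remaining  = @(Get-ManagementRoleEntry "$roleName\*" |
                Select-Object -ExpandProperty Name)
$unexpected = @($remaining | Where-Object { $allowed -notcontains $_ })
$missing    = @($allowed   | Where-Object { $remaining -notcontains $_ })
if ($unexpected.Count -gt 0 -or $missing.Count -gt 0) {
    throw ("Role '$roleName' is not minimal. Unexpected: " +
           ($unexpected -join ', ') + '; missing: ' + ($missing -join ', '))
}

# d/e. Create the role group with the custom role and the member in one step.
if (-not (Get-RoleGroup -Identity $groupName -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $groupName -Roles $roleName -Members $member | Out-Null
}

# Audit: list everyone who effectively holds the role, and how they got it.
Get-ManagementRoleAssignment -Role $roleName -GetEffectiveUsers |
    Select-Object EffectiveUserName, RoleAssigneeName, AssignmentMethod
```

The final query is worth re-running after any later change to the role group, since membership added through nested groups shows up there as well.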

    Thanks for putting it all together as a working example.
    Regards,
    Satyajit

  • RBAC or Mailbox impersonation setting

    We use a product from Sherpa Software called Archive Attender to archive message content off to a different server and leave a stub in the message that allows the user to retrieve that content.  I have a user called Super that is a member of the domain
    admins group that is setup to access the users mailbox when the archive policy is being processed and perform the duties of extracting the message contents and creating the message stub. 
    The process has been working without any issues up to about a week ago when I started to receive an error “ERROR: Unable to open the MAPI store”.  On the server that runs this process Outlook 2010 is installed and I can send and receive messages so
    I doubt it is a corrupt mapi file.  If in Exchange I right click on a mailbox and run the “Manage Full Access Permissions” for that mailbox and add the user Super the archive process works.  The only side effect that I see is in the Outlook Client
    I also see that users mailbox listed.
    My question is can I assign the user Super to a RBAC role that allows read / write access to all messages in all users mailboxes or should I be looking at some form of mailbox impersonation setting for the user.

    How to configure Exchange Impersonation to enable a service account to impersonate all other users in an organization: 
    New-ManagementRoleAssignment -Name <impersonationAssigmentName> -Role applicationImpersonation -User <serviceAccount>
    http://www.3cx.com/blog/docs/how-to-create-impersonated-user/
    Cheers,
    Gulab Prasad
    Technology Consultant
    Blog: http://www.exchangeranger.com
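A scoped variant of the assignment above, added here as an example and not part of the original reply: it limits impersonation to the members of one group instead of every mailbox in the organization, then lists who effectively holds the role. The scope, assignment and group names are hypothetical; Super is the service account from the question.

```powershell
# Added example: run in the Exchange Management Shell as an account that
# holds the Role Management role.
$serviceAccount = 'Super'                           # account from the question
$targetGroup    = 'ArchiveAttender-Targets'         # hypothetical group of mailboxes to archive
$scopeName      = 'Archive Attender mailboxes'      # hypothetical scope name
$assignmentName = 'Archive Attender impersonation'  # hypothetical assignment name

# The MemberOfGroup filter needs the group's distinguished name.
$groupDn = (Get-Group -Identity $targetGroup).DistinguishedName

# Scope that matches only recipients who are members of that group.
if (-not (Get-ManagementScope -Identity $scopeName -ErrorAction SilentlyContinue)) {
    New-ManagementScope -Name $scopeName `
        -RecipientRestrictionFilter "MemberOfGroup -eq '$groupDn'" | Out-Null
}

# Same assignment as in the reply, restricted to the scope.
if (-not (Get-ManagementRoleAssignment -Identity $assignmentName -ErrorAction SilentlyContinue)) {
    New-ManagementRoleAssignment -Name $assignmentName `
        -Role ApplicationImpersonation `
        -User $serviceAccount `
        -CustomRecipientWriteScope $scopeName | Out-Null
}

# Audit: every principal that can impersonate, and over which scope.
Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers |
    Select-Object EffectiveUserName, RoleAssigneeName, CustomRecipientWriteScope

# Review the scope filter itself so later edits to it are noticed.
Get-ManagementScope -Identity $scopeName |
    Select-Object Name, RecipientFilter
```

An assignment created without -CustomRecipientWriteScope, as in the reply, shows an empty scope column in the audit output, which makes organization-wide impersonation rights easy to spot.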
