RDBMSRealm and Group membership

Similar Messages

• Samba winbind and group membership.

  I have a Solaris 10 (update 4) box (x86) that is joined to an active directory via samba/winbind.
  The users are working fine however their group membership is not.
  Users that should be members of certain groups do not seem to be: in that if I run
  "groups" and check the group member ship for myself I am missing entry of some groups yet I can verify that I should be a member of that group by running getent group "domain\\group name" and seing my username entered.
  winbind has the following parameters set
  winbind enum users = yes
  winbind enum groups = yes
  winbind nested groups = yes
  I am at a loss as to why it picks up some groups and not others.
  Has anyone come across something similar or know how to solve this issue?
  Regards,
  James

  Hi,
  I know this thread is very old but unfortunately I'm facing exactly the same problem under Solaris 10 Sparc. Any ideas? Maybe this issue was solved?
  Regards,
  Oliver

• AD custom6 attribute and group memberships for shared mailboxes

  I have 900 shared mailboxes that are in Exchange 2007. These mailboxes have no owners and are provided access to the users threw AD groups. I need a script that will produce Each users custom6 attribute (SID is there) along with the shared mailboxes they
  have rights to (Full. send As etc...)
  This is a migration from 2007 to 2010 in different domains.
  [email protected]
  2142285476
  Charles B. Giles

  Deployment and upgrade questions should be asked in the forum for the product as there are tools available to automate 2007 to 2010 migrations.
  See:
  http://technet.microsoft.com/en-us/library/ee681665(v=exchg.141).aspx
  See:
  http://blogs.technet.com/b/exchange/archive/2012/05/23/exchange-server-deployment-assistant-update-for-exchange-2010-hybrid-deployments-with-office-365.aspx
  See:
  http://social.technet.microsoft.com/Forums/exchange/en-US/home?forum=exchange2010
  ¯\_(ツ)_/¯

• DFS folder visibility and group membership

  Hello
  I have a forest with multiple domain
  I have activated ABE on DFS
  My design is :
  \\contoso.com\DFS
  -Site1 -> \\site1.contoso.com\DFS (explicit permission : DL.folder1.site1)
  \\site1.contoso.com\DFS
  -Folder1 -> \\fileserver.site1.contoso.com\Folder1 (explicit permission : DL.folder1.site1)
  i have set explicit explicit authorization with Domain local group (Domain local groups contains Global Group which contain users)
  when my user  from site 1 connect to : \\site1.contoso.com\dfs  it's work they can see the folder1 only if they are in DL.folder1.site1
  But when there are connect to \\contoso.com\DFS then don't see ther folder site1. but they can't access it if put the full path ( \contoso.com\DFS\site1

  Hi,
  Do you mean that you have a Domain local group named DL.folder1.site1 and you give explicit permission on the group to access DFS share Folder1? You have enabled ABE. The use in the group can see the Folder1 using the DFS path
  \\site1.contoso.com\dfs. But the user cannot see the Folder1 using the DFS path
  \\contoso.com\DFS and the user cannot access the Folder1 using the full path
  \\contoso.com\DFS\Folder1?
  The DFS share is created on the domain or the forest? If on the forest, I think it is by design. As the DFS domain namespace is domain based, so we could not access it using forest name.
  Regards,
  Mandy
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• Load balance and group membership

  I have 3 3030's that I load balance. Do any one know of any way I can create one group and spread them across the 3030's without creating them on each concentrator

  You could refer to the document "Configuring Load-Balancing on VPN 3000 Concentrators" at the URL:
  http://www.cisco.com/warp/public/471/ld_bl_vpn3000_7602.html

• How can I find the date modified and group membership in contacts?

  I used to have a smart group that could show the modification date, but those criteria don't exist in mountain lion (ML)
  i also had a script that would find any contact that was not a member of any group. It does not work any more in ML.

  still can't figure it out

• Group Memberships not Flowing into Metaverse

  Hello,
  I'm trying to figure out why the group member attributes in the CS are not flowing into the MV.  Here's what I have:
  An HR system running on SQL Server
  A staging database that extract data from the HR system
  The staging database has a table representing person object
  The stating database has a table representing person multi-valued attributes (i.e location, job code, etc)
  The staging database has a table representing group objects
  The staging database has a table representing group memberships (mult-valued)
  A SQLMA connected to the person and person multi tables
  A SQLMA connected to the group and group membership tables
  All group memberships are based on job codes and locations.  There are no approval process in place.  If they have this job code, they get certain groups.  That's all calculated in the staging database and the memberships are in the group membership
  table
  This system does connect to AD (and a few other things), but I'm not concerned with that, right now.
  I've read 100 articles on this, most of them over 5 years old, and tried the ones that made sense.  The flow from the database into the CS works well.  No issues there.
  But, a search of the metaverse for the group shows an empty member attribute.  The sync process is not throwing any errors.  At least they're not showing up in the sync service app or the event logs.
  Where allowed, I'm using rules extensions for everything.  I can't use a rules extension to set the member attribute because it's an rdn.
  I'm going to move forward with this by extending the metaverse schema and adding a multi-valued string attribute named "memberOf" to the person object.  Then, I'll modify my existing MA to use that attribute instead of the member attribute. 
  I'm not sure what kind of issues I'm going to run into when exporting that to AD.  I'll cross that bridge when I come to it.  I don't anticipate that being an issue as the dns for all these objects will be calculated by the ADMA based on locations,
  group functions and person types (bascially, I don't care about the MV rdn).
  Anyway, I'm looking for some real world insight on this.  This whole effort is to migrate off an existing IDM system that works very, very well but quite expensive to license.
  Thanks,
  Greg Wilkerson

  Hey Cameron,
  I have total control of all the DB tables FIM is accessing.  I build them up as part of IDM process.
  I've read this article, along the many others that address the "manager" scenario.  This really doesn't apply in this case as the user and group objects are loaded in separate MAs.  Getting reference values to flow with both object live in the
  same CS shouldn't be an issue. 
  I also saw a solution where the group and user objects were in the same table and differentiated by the "object_type" value (user, group).  That solution solved the issue of the groups and user being in the same CS.  As I grow tired of my daily
  FIM beatdown, that solution is growing more attractive.  That's a major DB redesign, and seems quite inefficient.
  The multi-value table for group memberships already exists in the DB.  For FIM purposes, I transferred that data into the user object multi-value table.  See screen shot.  I can certainly configure the group MA to access that multi-value table
  and load the group members as references.  But, because the group MA CS will not contain the user objects, I don't see how the references will be set.  If the reference value isn't set in the CS, it's not going to flow into the MV (at least I haven't
  figured out a way to set the an reference value for an object in the MV - my problem all along.
  This whole "setting a reference value" encompasses much more than just group memberships in my implementation.  Telephone resources and physical access (key cards, etc) are provisioned through the existing eDirectory system.  These objects exist
  in our current IDM system and are associated with users based on rules.  So, the reference value process is something I need to figure out, if I'm going to use this product.
  Maybe I could use a stripped down ECMA2 as a "staging" CS, export the users and groups into this CS and assign the reference values, then import the groups back into the MV, memberships intact.  I'm not sure that would get me where I want to go, and
  it seems like a lot of extra "stuff" to solve what should be a simple problem.  Hmmmmmm.  Or, connect the ECMA2 directly to my group membership multi-value table in the DB.  Hmmmmmm.  I'd still have to export the groups and users into that
  CS, but the import might be much more straight forward.  Hmmmmmm.
  The structure of my GroupMembership table (both columns are anchors or directly translatable to anchors):
  EmployeeGroups
      GroupName varchar(50) not null,
      EmployeeID nvarchar(50) not null,
      ID int identity(1,1) not null

• Populating users and groups - design considerations/best practice

  We are currently running a 4.5 Portal in production. We are doing requirements/design for the 5.0 upgrade.
  We currently have a stored procedure that assigns users to the appropriate groups based on the domain info and role info from an ERP database after they are imported and synched up by the authentication source.
  We need to migrate this functionality to the 5.0 portal. We are debating whether to provide this functionality by doing this process via a custom Profile Web service. It was recommended during ADC and other presentation that we should stay away from using the database security/membership tables in the database directy and use the EDK/PRC instead.
  Please advise on the best way to approach(With details) this issue. We need to finalize the best approach to take asap.
  Thanks.
  Vanita

  So the best way to do this is to write a custom Authentication Web Service.  Database customizations can do much more damage and the EDK/PRC/API are designed to prevent inconsistencies and problems.
  Along those lines they also make it really easy to rationalize data from multiple backend systems into an orgainzation you'd like for your portal.  For example you could write a Custom Authentication Source that would connect to your NT Domain and get all the users and groups, then connect to your ERP system and do the same work your stored procedure would do.  It can then present this information to the portal in the way that the portal expects and let the portal maintain its own database and information store.
  Another solution is to write an External Operation that encapsulates the logic in your stored procedure but uses the PRC/Server API to manipulate users and group memberships.  I suggest you use the PRC interface since the Server API may change in subtle ways from release to release and is not as well documented.
  Either of these solutions would be easier in the long term to maintain than a database stored procedure.
  Hope this helps,
  -Akash

• Getting list of all users and their group memberships from Active Directory

  Hi,
  I want to retrieve a list of all the users and their group memberships through JNDI from Active Directory. I am using the following code to achieve this:
  ==================
  import javax.naming.*;
  import java.util.Hashtable;
  import javax.naming.directory.*;
  public class GetUsersGroups{
       public static void main(String[] args){
            String[] attributeNames = {"memberOf"};
            //create an initial directory context
            Hashtable env = new Hashtable();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, "ldap://172.19.1.32:389/");
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, "[email protected]");
            env.put(Context.SECURITY_CREDENTIALS, "p8admin");
            try {
                 // Create the initial directory context
                 DirContext ctx = new InitialDirContext(env);     
                 //get all the users list and their group memberships
                 NamingEnumeration contentsEnum = ctx.list("CN=Users,DC=filenetp8,DC=com");
                 while (contentsEnum.hasMore()){
                      NameClassPair ncp = (NameClassPair) contentsEnum.next();
                      String userName = ncp.getName();
                      System.out.println("User: "+userName);
                      try{
                           System.out.println("am here....1");
                           Attributes attrs = ctx.getAttributes(userName, attributeNames); // only asked for one attribute so only one should be returned
                           System.out.println("am here....2");
                           Attribute groupsAttribute = attrs.get(attributeNames[0]); // memberOf
                           System.out.println("-----"+groupsAttribute.size());
                           if (groupsAttribute != null){
                                // memberOf is a multi valued attribute
                                for (int i=0; i<groupsAttribute.size(); i++){
                                // print out each group that user belongs to
                                System.out.println("MemberOf: "+groupsAttribute.get(i));
                      }catch(NamingException ne){
                      // ignore for now
                 System.err.println("Problem encountered....0000:" + ne);
                 //get all the groups list
            } catch (NamingException e) {
            System.err.println("Problem encountered 1111:" + e);
  =================
  The following exception gets thrown at every user entry:
  User: CN=Administrator
  am here....1
  Problem encountered....0000:javax.naming.NamingException: [LDAP: error code 1 -
  000020D6: SvcErr: DSID-03100690, problem 5012 (DIR_ERROR), data 0
  ]; remaining name 'CN=Administrator'
  I think it gets thrown at this line in the code:
  Attributes attrs = ctx.getAttributes(userName, attributeNames);
  Any idea how to overcome this and where am I wrong?
  Thanks in advance,
  Regards.

  In this sentence:
  Attributes attrs = ctx.getAttributes(userName, attributeNames); // only asked for one attribute so only one should
  It seems Ok when I add "CN=Users,DC=filenetp8,DC=com" after userName, just as
  userName + ",CN=Users,DC=filenetp8,DC=com"
  But I still have some problem with it.
  Hope it will be useful for you.

• Shared Calendars / Room Lists and automatically forcing them to users based on Security Group Membership

  Good morning all,
  I need some help achieving the following in our Exchange 2013 Environment.  First off, we have Exchange 2013, but all our clients have Outlook 2010.
  Here's what I would like to be able to do:
  1) create/manage public calendars / rooms in exchange 2013
  2) force these shared public calendars / rooms to users' calendars who are members of particular security groups
  3) give edit permissions / "booking" permissions for the shared calendars so select users are able to make changes to the shared calendars, as well as accept/deny requests to "book" shared room calendars
  Any one got any resources they can give to point me in the right direction?
  I have already created two mailbox room resources, and have them set up in a room list in AD.  But need to know the above as far as creating a shared calendar for events, and forcing these calendars / room lists out to users based on security group
  membership.
  I don't want my users to have to know how to add a shared calendar...that would be a nightmare explaining.  I just want it to show up.
  Any help on this is greatly appreciated, thank you!

  1) I recommend using Room Mailboxes for resource calendars because it just works better.
  2) This is a standard feature of a Room Mailbox.
  3) You're pretty specific here, but I think this is also more or less available with a Room Mailbox combined with folder rights.
  I don't know any way to just make them "show up".  You'll have to teach them.  Well written instructions can work wonders.
  Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

• Changed group membership in WGM 10.6.3 from the 10.6 server. The change takes overnight to work. Formerly ran WGM from my 10.6.8 mac (worked perfectly)  but now I am at 10.7.5 and must use WGM on the server. Has anyone else seen this behavior?

  Changed group membership in WGM 10.6.3 from the 10.6 server. The change takes overnight to work. Formerly ran WGM from my 10.6.8 mac (worked perfectly)  but now I am at 10.7.5 and must use WGM on the server. Has anyone else seen this behavior?

  Hi
  "Changed group membership in WGM 10.6.3 from the 10.6 server. The change takes overnight to work"
  If I've understood you correctly I've never known this or anything else to take that long? What were you trying to do exactly?
  "Formerly ran WGM from my 10.6.8 mac (worked perfectly)  but now I am at 10.7.5 and must use WGM on the server. Has anyone else seen this behaviour?"
  http://support.apple.com/kb/HT1822
  HTH?
  Tony

• Read group membership for a user object and populate every group with matching user from another domain

  I have LON\JSmith in LON domain and DEL\JimSmith in DEL domain
  I would like to extract group memberships of LON\JSmith in LON domain and append matching by email (i.e. DEL\JimSmith) user object in every group in LON domain.
  for instance
  LON\JSmith and DEL\JimSmith is the same person and has same email address [email protected]
  LON\JSmith belongs to 3 groups - LON\localadmingroup;LON\univdesktop;LON\globalsurvey
  The outcome of the script should be
  LON\JSmith; DEL\JimSmith    should be in 3 groups - LON\localadmingroup;LON\univdesktop;LON\globalsurvey.
  How can i do it?
  Navgup

  Hi Navgup,
  Please refer to the script below, to query users in other domain by specifying the parameter "-Server" in the cmdlet "get-aduser", and also note I haven't tested the script below:
  import-module activedirectory
  get-adgroupmember "group"|foreach{
  $email=(get-aduser $_.samaccountname -properties *).EmailAddress#get the user email
  Get-ADUser -filter {EmailAddress -eq $email} -properties * -server DomainB.company.com|select samaccountname, memberof}#filter user name and group with the email in other domain
  To get users across domain, please also refer this blog:
  Adding/removing members from another forest or domain to groups in Active Directory:
  http://blogs.msdn.com/b/adpowershell/archive/2010/01/20/adding-removing-members-from-another-forest-or-domain-to-groups-in-active-directory.aspx?Redirected=true
  I hope this helps.

• AD Group Membership revoked on adding new group through role and acespolicy

  Hi all,
  when a user is created in OIM, it is provisioned with Default Role say CONTRACTS which will provision AD Account and a default AD group membership.
  when I assign a new role membership say BILLING, to assign additional AD group memberships through access policies, it is removing the default AD group membership from the user. But still the user is having both the roles CONTRACTS and BILLING.
  The ootb AD task, remove user from group is triggered.
  The problem is happening only in Testing environment.
  In development envi it is working fine.
  it is not removing the default group memberships.
  any ideas? thoughts? which I need to check.
  my oim server is 11.1.1.3.0, with weblogic setup.
  Edited by: Venu on Dec 2, 2011 1:06 PM

  Do one thing:
  Take New User
  Assign First BILLING
  Assign Second Group
  And then ASSIGN CONTRACT
  Update the results.
  It is happening in one env so you might have done some configuration or it could be env issue as well.

• SAML 2.0 and AD Security Group Membership

  In ADFS 2.0, as a part of the token, I can pass the AD
  security groups the user is in. Does SAP SSO have the ability to send and
  receive SAML 2.0 tokens with AD security group membership?

  Hi Jeff,
  SAP SAML 2.0 Identity Provider is able to include any group (or role) assignment of the user (available in the NetWeaver AS Java UME) as SAML Attribute in the generated SAML 2.0 Assertion.
  These group assignments of the user can be local (maintained in local UME database) or remote ones if the UME is configured with other Data Source.
  So in order to be able send the AD group assignments of the user you need to change the NetWeaver UME Data Source to your AD. More information how to do that you can find at this page: Identity Management - SAP Library.
  Then in your Identity Provider you can configured so called "Authorization-Based Assertion Attributes" in the "Identity Federation" tab of your trusted Service Provider configuration. An example with such attributes is provided at this page: Configuring Identity Federation with Transient Users - Identity Provider for SAP Single Sign-On and SAP Identity Managem… (although the page is for Transient federation these attributes are supported for all supported NameID formats).
  Regarding the receiving part:
  In SAP SAML 2.0 Service Provider of NetWeaver AS Java received SAML 2.0 Attribute can be either assigned to any UME attribute of the authenticated user, or to be used in rules that assign specific role(s) or group(s) to the user. For more details see these pages: Configuring Federation Type Persistent Users (Advanced) - User Authentication and Single Sign-On - SAP Library and Configuring Federation Type Virtual Users - User Authentication and Single Sign-On - SAP Library
  Regards,
  Stefan

• AD - import users and check AD group membership

  Hi I'm relatively useless with PowerShell and I am wanting to write a script that will do the following and am just getting stuck with part B.
  Part A- import a list of users from a CSV
  Part B- check if the users are members of an ad group and if so remove from group A and add to group B 
  Can anyone point me in the best direction ? that would be amazing.

  Hi,
  I happen to have something already written that will do what you're after:
  Import-Csv .\userList.csv | ForEach {
  $userDetails = Get-ADUser -Identity $_.Username -Properties memberOf
  If ($userDetails.memberOf -contains 'CN=Test Group 1,OU=Security Groups,DC=domain,DC=com') {
  Remove-ADGroupMember -Identity 'Group A' -Members $userDetails.SamAccountName -Confirm:$false -WhatIf
  Add-ADGroupMember -Identity 'Group B' -Members $userDetails.SamAccountName -Confirm:$false -WhatIf
  This will require in input CSV file with a header of Username that contains the usernames to test. You'll also need to update the names of the groups for 'Group A' and 'Group B' along with the DN of the group to test against.
  Remove the -WhatIf parameters from the Remove/Add lines if you're happy with what you see in the output.
  Don't retire TechNet! -
  (Don't give up yet - 12,830+ strong and growing)