Remove User permissions using VS Workflow

Hi,
How do I remove list item level permissions using a Visual Studio sequential workflow?
I have thousands of users in the site who have permission on the list item. I am looking at performance as well while removing users.
After removing all users, I am giving permission to 5 people (which I have already done). How do I remove user permissions from the list item effectively and quickly using Visual Studio (C#)?
Thanks

Hi,
I found two ways, but I am not sure which is more efficient:
# Method 1
// Break inheritance (copying the parent's role assignments onto the item), then remove them
// one by one, walking the collection backwards so the indexes stay valid while removing.
CurrentlistItem.BreakRoleInheritance(true);
SPRoleAssignmentCollection SPRoleAssColn = CurrentlistItem.RoleAssignments;
for (int i = SPRoleAssColn.Count - 1; i >= 0; i--)
    SPRoleAssColn.Remove(i);
# Method 2
// Same break, then keep removing the first assignment until the collection is empty.
CurrentlistItem.BreakRoleInheritance(true);
while (CurrentlistItem.RoleAssignments.Count > 0)
    CurrentlistItem.RoleAssignments.Remove(0);
Please let me know if there is any other method that can be used.
Thanks
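Both methods copy the parent's role assignments onto the item with BreakRoleInheritance(true) and then delete them again one at a time, which with thousands of users means thousands of removals. The item can instead be left with no copied assignments at all. The following PowerShell is an added example, not code from the thread; it uses the same server object model the C# workflow calls: ResetRoleInheritance() drops any existing unique assignments on the item in one call, BreakRoleInheritance($false) then breaks inheritance without copying anything, and the five intended principals are added afterwards. It assumes the SharePoint Management Shell (2010 or later); the site URL, list title, item ID, logins and the "Read" role name are placeholders.

```powershell
# Added example, not from the thread. Assumes the SharePoint Management Shell
# (SharePoint 2010 or later) and an account with rights on the site. URL,
# list title, item ID, logins and the "Read" role name are placeholders.
function Reset-ItemPermissions {
    param(
        [Parameter(Mandatory=$true)] [string]   $WebUrl,
        [Parameter(Mandatory=$true)] [string]   $ListTitle,
        [Parameter(Mandatory=$true)] [int]      $ItemId,
        [Parameter(Mandatory=$true)] [string[]] $Logins,
        [string] $RoleDefinition = 'Read'
    )
    $web = Get-SPWeb -Identity $WebUrl
    try {
        $item = $web.Lists[$ListTitle].GetItemById($ItemId)

        # If the item already carries its own (possibly thousands of) role
        # assignments, drop them all in one call by reverting to inheritance...
        if ($item.HasUniqueRoleAssignments) {
            $item.ResetRoleInheritance()
        }
        # ...then break inheritance WITHOUT copying the parent's assignments.
        # Nothing is copied, so there is nothing to loop over and remove.
        # The SDK describes $false as keeping the assignment of the account
        # running this; the listing at the end makes that visible.
        $item.BreakRoleInheritance($false)

        $roleDef = $web.RoleDefinitions[$RoleDefinition]
        foreach ($login in $Logins) {
            $user = $web.EnsureUser($login)
            $ra = New-Object Microsoft.SharePoint.SPRoleAssignment -ArgumentList $user
            $ra.RoleDefinitionBindings.Add($roleDef)
            $item.RoleAssignments.Add($ra)
        }

        # Verify the result instead of trusting it: every principal left on
        # the item and the role definitions bound to it.
        foreach ($ra in $item.RoleAssignments) {
            New-Object PSObject -Property @{
                Principal = $ra.Member.Name
                Roles     = (($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ',')
            }
        }
    }
    finally {
        $web.Dispose()
    }
}

Reset-ItemPermissions -WebUrl 'http://sp/sites/team' -ListTitle 'Contracts' -ItemId 42 `
    -Logins 'DOMAIN\user1','DOMAIN\user2','DOMAIN\user3','DOMAIN\user4','DOMAIN\user5' |
    Format-Table Principal, Roles -AutoSize
```

Inside the sequential workflow the same three calls (ResetRoleInheritance, BreakRoleInheritance(false), RoleAssignments.Add) go against the workflow's SPListItem. Because BreakRoleInheritance(false) is documented as retaining the current user's assignment, and inside a workflow that is the account the workflow runs as, read the verification listing rather than assuming exactly five entries remain.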

Similar Messages

  • Removing User Permissions?

    I'm a long-time Mac user. But the way we've used it in the office was that it was all set up on one user account ("admin"). After upgrading to OS 10.4, we set up 2 user accounts: a "general" account for normal usage and an "admin" account for installing new programs. This is done so that general users can't install new programs, which we were having a problem with.
    Except now, when we reference back to old files (made under OS 10.3 and earlier) while logged in as normal, they're totally unusable, as we need to authenticate as the admin, and only my employer knows the password for that, making us interrupt him throughout the day.
    I know that on Windows you can set multiple folders (and everything within those folders) to specific settings and permissions. Is there any way to do this on a Mac?
    Also, we tried to fix this while logged in as "admin", but under the permissions submenu there were so many different 'users' we could set it to as well as "general" (e.g. system, mysql, etc.). On Windows there's an "everybody" option that lets anyone read/write to whatever file/folder. How do I set a drive/folder/file's permissions to be accessible/writable/deletable by everybody?

    Use the Info window (Command-I) to set the permissions for "others". This is accessible if you open the disclosure triangle next to owner and permissions. You will then see three popups, one each for owner, group and others. It is the last one you want to modify... You may want to modify the permissions for group as well...
    I would do that on a folder and apply it to the enclosed items. Beware: sometimes the Finder is unable to show you the new permissions; you might have to relaunch it or log out and back in to see whether all went well.

  • Remove open workitem from user inbox after the workflow starts again.

    I have heard that there is a possibility to remove an open work item from the user inbox, after the workflow starts again for the same object (data update), via a termination event. I have searched the SAP workflow documentation but could not find out how to use this. Could somebody provide me with some detailed documentation or examples of how to use this for my problem?
    Thanks,
    Steve

    Hi Sudhir,
    The work item which should terminate is a decision task with two results. The workflow looks as follows:
    Activity: Read Data
    Decision: Approval Check Decision
    Activities: Approve or Reject
    How should it look, in your opinion, with the termination? What does this option to terminate the work item look like? The work item should be removed automatically from the user inbox if the workflow starts again for the same object (with updated data).
    Thanks,
    Steve
    Edited by: Steve Malack  on Mar 13, 2008 10:20 AM

  • DPM 2012 Failed to update permissions used in end-user recovery

    Hello everyone,
    I'm going to try to describe the problem as clearly as possible.
    Our test server is Windows Server 2012 with DPM 2012 SP1 CU2 (BKP-SRV01) with a remote SQL Server 2012 (PBASC).
    I protected a shared folder on a DC running Windows Server 2008 R2 (PAD).
    When I activate End-User Recovery I get a warning in the Monitoring tab that says this:
    Failed to update permissions used for end-user recovery on pad. Permissions update failed for the following reason: (ID 3123)
    DPM is unable to enumerate contents in pad_PartageTest on the protected computer BKP-SRV01. Recycle Bin, System Volume Information folder, non-NTFS volumes, DFS links, CDs, Quorum Disk (for cluster) and other removable media cannot be protected. (ID 38 Details:
    End-user recovery is working, but I do not know if it affects other things. I also get that message when I try to browse on the DPM server when creating a protection group.
    When I go to DPM Server / File and Storage Services / Shares in Server Manager I get "Failed to retrieve folder permission" in the properties of the protected server share.
    I tried searching for almost 2 days without finding anything about that particular issue.
    Is there a (clean) way to fix the issue?
    Thanks in advance for the help!

    Closing for housekeeping.
    Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. Regards, Mike J. [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights.
    That's not very helpful. I've got the same issue :(
    Comes up for servers where a protection group related to it errors out (recovery point failure usually).

  • Failed to update permissions used for end-user recovery on . Permissions update failed for the following reason: (ID 3123)

    I patched 2012 to the SP1 level and now I'm getting these warnings on many servers.
    It seems to be considering these items as removable media?
    DPM 2012, SP1, version 4.1.3313.0
    Failed to update permissions used for end-user recovery on skutter.pmuk.net. Permissions update failed for the following reason: (ID 3123)
    Affected area: skutter.pmuk.net
    Occurred since: 11/01/2013 09:04:43
    Description: Failed to update permissions used for end-user recovery on skutter.pmuk.net. Permissions update failed for the following reason: (ID 3123)
     DPM is unable to enumerate contents in 2aad3f75a7e54a0f91b640d7f158f00a , 5702fef3756e4ca8af0554013951f32d , 78f9e6070fbd43aeb328700a88a3c926 , aquaria.pmuk.net_MTATempStore$ , ariel.pmuk.net_MTATempStore$ , atlantis.pmuk.net_downloads , atlantis.pmuk.net_MTATempStore$
    , atlantis.pmuk.net_print$ , capricorn.pmuk.net_MTATempStore$ , CCM.pmuk.net_IvrDirectory , CCM.pmuk.net_MTATempStore$ , CHIRON.pmuk.net_MTATempStore$ , cpeserv-i03.pmuk.net_IMAGING , defiant.pmuk.net_idsc , defiant.pmuk.net_MTATempStore$ ,firebird.pmuk.net_Accts_serve
    , firebird.pmuk.net_case , firebird.pmuk.net_Control ,firebird.pmuk.net_Fuel Cell , firebird.pmuk.net_HADCAD , firebird.pmuk.net_haddesign , firebird.pmuk.net_hadendurancelab , firebird.pmuk.net_HADEngCad , firebird.pmuk.net_HADPCLGainspeed ,firebird.pmuk.net_HADPCLProjects
    ,firebird.pmuk.net_HADPCLQuality  , firebird.pmuk.net_HADPCLStandards , firebird.pmuk.net_hrXerox , firebird.pmuk.net_hs , firebird.pmuk.net_ITXerox , firebird.pmuk.net_JunHigashimura , firebird.pmuk.net_MTATempStore$ ,firebird.pmuk.net_office  ,firebird.pmuk.net_OMPM
    , firebird.pmuk.net_Outplacement ,firebird.pmuk.net_personal , firebird.pmuk.net_PJSESCANNER  ,firebird.pmuk.net_pmuk ,firebird.pmuk.net_pwa ,firebird.pmuk.net_pwa2 , firebird.pmuk.net_scanfret ,firebird.pmuk.net_Siebel8  ,firebird.pmuk.net_Spares 
    ,firebird.pmuk.net_test   ,firebird.pmuk.net_TVDC ,firebird.pmuk.net_xeroxcpe$  ,firebird.pmuk.net_xeroxrd$ , HALLEY.pmuk.net_MTATempStore$ ,legion.pmuk.net_dfs ,legion.pmuk.net_MTATempStore$ , legion.pmuk.net_NETLOGON  ,legion.pmuk.net_SYSVOL
    , nemesis.pmuk.net_KEvin  ,nemesis.pmuk.net_MTATempStore$ , PLEIDES.pmuk.net_Archive , PLEIDES.pmuk.net_DGHOME , PLEIDES.pmuk.net_MTATempStore$  ,PLEIDES.pmuk.net_print$ , roosevelt.pmuk.net_ARCserve$ ,roosevelt.pmuk.net_CHEYALERT$ , roosevelt.pmuk.net_HADQCEOLP
    ,roosevelt.pmuk.net_home3 , roosevelt.pmuk.net_MTATempStore$ ,roosevelt.pmuk.net_smssource , roosevelt.pmuk.net_WindowsEasyTransfer ,roosevelt.pmuk.net_XeroxScan , sagittarius.pmuk.net_MTATempStore$ ,sagittarius.pmuk.net_print$ , sakura.pmuk.net_MTATempStore$
    ,scorpia.pmuk.net_MTATempStore$ ,scorpion.pmuk.net_chandleram, scorpion.pmuk.net_Control  ,scorpion.pmuk.net_CPE ,scorpion.pmuk.net_Digital  ,scorpion.pmuk.net_Electrical , scorpion.pmuk.net_MTATempStore$ , scorpion.pmuk.net_NASUtils ,scorpion.pmuk.net_Personal
    ,scorpion.pmuk.net_QA ,scorpion.pmuk.net_QC , scorpion.pmuk.net_Technical , silverberg.pmuk.net_dfs  ,silverberg.pmuk.net_MTATempStore$ ,silverberg.pmuk.net_NETLOGON , silverberg.pmuk.net_SYSVOL ,skutter.pmuk.net_dfs , skutter.pmuk.net_MTATempStore$ ,skutter.pmuk.net_NETLOGON
    ,skutter.pmuk.net_sharepoint-saver ,skutter.pmuk.net_SYSVOL , tempest.pmuk.net_MTATempStore$ , tempest.pmuk.net_Quarantine ,tempest.pmuk.net_SiteBackups , tempest.pmuk.net_tsdp , titania.pmuk.net_MTATempStore$ , valiant.pmuk.net_domino , valiant.pmuk.net_hadprod
    , valiant.pmuk.net_MTATempStore$ ,valiant.pmuk.net_oracle ,vindaloo.pmuk.net_MTATempStore$ , virgon.pmuk.net_faxclient ,virgon.pmuk.net_FxsSrvCp$ ,virgon.pmuk.net_MTATempStore$ , xavier.pmuk.net_Address ,xavier.pmuk.net_downloads ,xavier.pmuk.net_drivers ,
    xavier.pmuk.net_Exchange IS Starter ,xavier.pmuk.net_ExchangeOAB , xavier.pmuk.net_ExchangeUM , xavier.pmuk.net_MTATempStore$ , xavier.pmuk.net_out-arch , xavier.pmuk.net_Resources$ on the protected computer tower.pmuk.net. Recycle Bin, System Volume Information
    folder, non-NTFS volumes,  DFS links,  CDs,  Quorum Disk (for cluster) and other removable media cannot be protected. (ID 38 Details: )
    Any ideas? Backups are OK, recovery points/syncs etc.
    Mark.

    I am using DPM 2012 R2; what finally worked for me to resolve my problem with EUR was to:
    In DPM I disabled EUR
    In Computer Management delete all DPM Shares (\\?\c:\Program Files\...)
    Using ADSI edit go to CN=MS-ShareMapConfiguration,CN=System,DC=X,DC=Y (Replace X & Y for your domain)
    Delete all of the mappings within the container
    In DPM enable EUR
    In DPM on a protection group I created a new recovery point and selected “Only synchronize (available only for file data)”
    Related article on ADSI Edit and DPM -
    http://social.technet.microsoft.com/Forums/en-US/e0258384-8422-408c-8839-2580d616a9ec/edsi-edit-related-to-data-protection-manager?forum=dpmfilebackup
    I hope this helps
    JD Young
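Steps 3 and 4 of the procedure above delete objects from the System container by hand in ADSI Edit. The following PowerShell is an added example, not part of the thread: it exports the objects under CN=MS-ShareMapConfiguration first so the change can be reviewed and reversed, then removes them with a dry run (-WhatIf) by default. It assumes the ActiveDirectory module, an account allowed to read and delete under CN=System, and that EUR has already been disabled in DPM (step 1); the export path is a placeholder.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module (RSAT)
# and an account allowed to read and delete under CN=System.
Import-Module ActiveDirectory

function Get-DpmShareMapBase {
    # The container the procedure edits in ADSI Edit, built from the current
    # domain instead of a hand-typed DC=X,DC=Y.
    'CN=MS-ShareMapConfiguration,CN=System,' + (Get-ADDomain).DistinguishedName
}

function Export-DpmShareMappings {
    param([string] $Path = (Join-Path $env:TEMP 'MS-ShareMapConfiguration.xml'))
    $objs = @(Get-ADObject -SearchBase (Get-DpmShareMapBase) -SearchScope OneLevel -Filter * -Properties *)
    $objs | Export-Clixml -Path $Path
    Write-Host ("{0} mapping object(s) exported to {1}" -f $objs.Count, $Path)
    $objs | Select-Object Name, ObjectClass, DistinguishedName
}

function Remove-DpmShareMappings {
    # Dry run with -WhatIf; objects are only deleted when called without it.
    [CmdletBinding(SupportsShouldProcess=$true)]
    param()
    Get-ADObject -SearchBase (Get-DpmShareMapBase) -SearchScope OneLevel -Filter * |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.DistinguishedName, 'Remove-ADObject')) {
                # Add -Recursive if a mapping object turns out to have children.
                Remove-ADObject -Identity $_ -Confirm:$false
            }
        }
}

# Order of operations: disable EUR in DPM, export, dry run, delete, re-enable EUR.
Export-DpmShareMappings
Remove-DpmShareMappings -WhatIf
# Remove-DpmShareMappings
```

The Export-Clixml file can be inspected with Import-Clixml, and it is the only record of the mappings once the objects are gone, so keep it until EUR has been re-enabled and a synchronization-only recovery point (step 6) has completed cleanly.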

  • How to add multiple users permissions to a calendar using powershell?

    I have an organization that was recently set up in Exchange Online, and they have unique circumstances in that every user in the organization needs "reviewer"
    access to every other user's calendar. I cannot change the default permission, since new users added after this should not be able to see these calendars' details. There are a few I will go back to run a Set command on to change an individual permission
    here and there for specific needs, but the main need is below.
    I have basic experience with PowerShell commands and have found how to manually add a single user's permissions to a calendar using the command below:
    Add-MailboxFolderPermission -Identity alias:\calendar -user alias -AccessRights reviewer
    Since it's not realistic to run this command thousands of times changing the user aliases each time, I was hoping someone could help me build a command to run on a single mailbox's calendar that would add every current user in the organization with certain
    permissions such as "reviewer" or "availabilityonly".
    Thanks for the help!

    Hi,
    A possible solution is to do this via security groups.
    Add-MailboxFolderPermission -Identity [email protected]:\Calendar -User [email protected] -AccessRights Owner
    This way, you simply add users that require access to the CalendarOwnerAccessGroup.
    You still have to run this on every mailbox that should have this feature, but that could be solved using PowerShell piping.
    http://technet.microsoft.com/en-us/library/ee176927.aspx
    /Anders Eide
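For the question's exact requirement (every user who exists today, and nobody created later), the following PowerShell is an added example, not code from either post. It enumerates the current user mailboxes, grants each one Reviewer (the least right the question asks for) on one target calendar, and is safe to re-run because it updates an entry that already exists instead of failing on it. It assumes a connected Exchange Online PowerShell session and the default folder name "Calendar"; the mailbox alias is a placeholder.

```powershell
# Added example, not from the thread. Assumes a connected Exchange Online
# PowerShell session and the default "Calendar" folder name.
function Grant-CalendarAccessToAllUsers {
    param(
        [Parameter(Mandatory=$true)] [string] $TargetMailbox,   # e.g. 'alice' (placeholder)
        [ValidateSet('Reviewer','AvailabilityOnly','LimitedDetails')]
        [string] $AccessRights = 'Reviewer'
    )
    $folder = "${TargetMailbox}:\Calendar"
    $owner  = Get-Mailbox -Identity $TargetMailbox
    # Only mailboxes that exist now; users created later get nothing.
    $users  = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
              Where-Object { $_.PrimarySmtpAddress -ne $owner.PrimarySmtpAddress }

    foreach ($u in $users) {
        $addr = $u.PrimarySmtpAddress.ToString()
        # Add-MailboxFolderPermission errors if an entry already exists, so
        # update an existing entry instead (idempotent re-runs).
        $existing = Get-MailboxFolderPermission -Identity $folder -User $addr -ErrorAction SilentlyContinue
        if ($existing) {
            Set-MailboxFolderPermission -Identity $folder -User $addr -AccessRights $AccessRights
        } else {
            Add-MailboxFolderPermission -Identity $folder -User $addr -AccessRights $AccessRights
        }
    }

    # Report the folder's ACL so anything broader than intended (Owner, Editor) stands out.
    Get-MailboxFolderPermission -Identity $folder |
        Select-Object User, @{ n = 'Rights'; e = { $_.AccessRights -join ',' } }
}

# One calendar:
Grant-CalendarAccessToAllUsers -TargetMailbox 'alice'

# Every user mailbox (the piping the reply refers to):
# Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
#     ForEach-Object { Grant-CalendarAccessToAllUsers -TargetMailbox $_.Alias }
```

Applied to every mailbox this is one folder-permission entry per pair of users, so with thousands of users it is millions of entries and calls. The group approach in the reply scales better: Add-MailboxFolderPermission accepts a mail-enabled security group (not a distribution group), so each calendar gets a single entry and membership of the group decides who is covered; grant the group Reviewer rather than Owner if viewing is all that is needed.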

  • Users are not removed from role using UME API

    Hello,
    I am using this code to remove users from a batch of roles that I have.
    Everything is running OK, no exception is thrown, and at the System.out I see all the actions that need to be taken correctly. The problem is that if I go later to one of the roles the users are still assigned to it. Any idea what I'm doing wrong here?
    try {
        IRoleFactory roles = UMFactory.getRoleFactory();
        IUserFactory users = UMFactory.getUserFactory();
        IRoleSearchFilter filter = roles.getRoleSearchFilter();
        filter.setUniqueName("<My_filter>", ISearchAttribute.LIKE_OPERATOR, false);
        ISearchResult sresult = roles.searchRoles(filter);
        if (sresult.getState() == ISearchResult.SEARCH_RESULT_OK) {
            while (sresult.hasNext()) {
                String id = (String) sresult.next();
                IRole role = UMFactory.getRoleFactory().getMutableRole(id);
                // getUserMembers(false) yields the unique IDs of the direct members
                Iterator i = role.getUserMembers(false);
                while (i.hasNext()) {
                    String uid = (String) i.next();
                    IUser user = users.getUser(uid);
                    // The follow-up below reports that this call needs the full user ID (uid), not the unique name
                    role.removeUserMember(user.getUniqueName());
                    System.out.println("Removed user: " + user.getUniqueName() + " from role: " + role.getDisplayName());
                }
                role.save();
                role.commit();
            }
        }
    } catch (Exception e) {
        manager.reportException(new WDNonFatalException(e), false);
    }

    Solved it!
    It needs the FQDN User ID...

  • Deleting a user in AD using Oracle Workflow

    Hello.
    I have a very unusual scenario that I want to solve.
    We are developing an application using Oracle Workflow in which we are simulating the process of deleting a user from several systems. In one of the steps of the process we have to invalidate the user in MS Active Directory.
    Using OID, is it possible to do that? Any clues on how to do it?
    Thanks in advance.

    adi,
    Yes, the Change User Password workflow is called even if the user logged in using "forgot my password" questions.
    By default, IDM commits the user passwords before the "Change User Password" WF is called (unless you set the deferCommit option), so the problem may be that your function isn't getting called or receiving valid input. Can you verify that your code is actually called?
    The workflow goes like this: (1) Start; If there's an uncommitted password view (there isn't by default) -> (2) CommitView -> (3) Now reprovision the user.
    If you're depending on the transition to CommitView, that may be why your code isn't being called.

  • Using a workflow to share documents with external users

    I'm trying to create a workflow that will share documents with external users. Those external users don't have SharePoint logons.
    One approach might be to send an email using a 2010 workflow. However there doesn't appear to be the ability to attach a document to that email.
    The other approach could be to use the Share function of SharePoint 2013 but can this be triggered using a workflow? If so how?
    Please note: I'm using SharePoint Online
    Thanks in Advance,
    Mark E.
    Learning SharePoint

    Hi Mark,
    You can use the external sharing option in SharePoint Online. The links below might help:
    https://support.office.com/en-gb/article/Manage-external-sharing-for-your-SharePoint-online-environment-c8a462eb-0723-4b0b-8d0a-70feafe4be85
    https://support.office.com/en-in/article/Manage-sharing-with-external-users-in-Office-365-Small-Business-2951a85f-c970-4375-aa4f-6b0d7035fe35?ui=en-US&rs=en-IN&ad=IN
    http://www.adrit.de/Blog/Post/25/External-sharing-with-Office-365---Part-2--How-to-share-SharePoint-content-with-external-users-
    Best Regards,
    Brij K
    http://bloggerbrij.blogspot.co.uk/

  • Provision a resource to a user using a workflow

    Hi all,
    Please tell me how I can provision a resource to a user through a custom workflow.

    Hi frogger123,
    <Activity id='1' name='act2'>
      <Action id='0' name='Checkout' application='com.waveset.session.WorkflowServices'>
        <Argument name='op' value='checkoutView'/>
        <Argument name='type' value='Provision'/>
        <Argument name='id' value='$(UserId)'/>
        <Argument name='subject' value='configurator'/>
        <Argument name='authorized' value='true'/>
        <Return from='view' to='user'/>
      </Action>
      <Action id='1'>
        <expression>
          <block>
            <set name='assignRoleList'>
              <appendAll>
                <ref>assignRoleList</ref>
                <s>Role1</s>
              </appendAll>
            </set>
            <set name='user.waveset.roles'>
              <filterdup>
                <filternull>
                  <appendAll>
                    <ref>user.waveset.roles</ref>
                    <ref>assignRoleList</ref>
                  </appendAll>
                </filternull>
              </filterdup>
            </set>
          </block>
        </expression>
      </Action>
      <Action id='3' name='CheckIn' application='com.waveset.session.WorkflowServices'>
        <Argument name='op' value='checkinView'/>
        <Argument name='view'>
          <ref>user</ref>
        </Argument>
        <Argument name='subject' value='configurator'/>
        <Argument name='id' value='$(UserId)'/>
        <Argument name='authorized' value='true'/>
      </Action>
      <Transition to='act3'/>
      <WorkflowEditor x='103' y='10'/>
    </Activity>
    Is this correct? I could import this and even run the workflow... but the resource doesn't get assigned.

  • Enable or disable button on a ribbon based on user permissions in SharePoint 2010

    Hi,
    I have a requirement to find a way to disable the Inheritance, Add and Modify groups on the Permission tab for users who are not added to a specific group, e.g. Administrators.
    I have followed the following article to create a feature, but have encountered a few issues:
    http://msdn.microsoft.com/en-us/library/ff408060.aspx
    Issues:
    I used the above code as a sample to create a feature and test if it would work. It worked fine, but even though I have replaced Location="Ribbon.Library.Actions.ConnectToClient" with my permission locations,
    the Connect to Outlook button still doesn't appear when the feature is activated. If I deactivate this feature, it shows the
    Connect to Outlook button even though there is no reference to this in the code!
    I have modified the Elements.xml and added the following code, but it still disables the buttons for a user who has Site Collection Administrator permissions; I just want to disable this for users who are in a particular group:
    <?xml version="1.0" encoding="utf-8"?>
    <Elements xmlns="http://schemas.microsoft.com/sharepoint/">
      <!-- A CommandUIDefinition for a ribbon location with no content replaces that group with nothing,
           i.e. removes it. RequireSiteAdministrator="TRUE" makes the whole CustomAction, and therefore the
           removal, apply only to site collection administrators; that is why the groups disappear for them
           and stay visible for everyone else. Each CustomAction needs its own Id. -->
      <CustomAction
        Id="RemoveRibbonModifyGroup"
        Location="CommandUI.Ribbon"
        RequireSiteAdministrator="TRUE">
        <CommandUIExtension>
          <CommandUIDefinitions>
            <CommandUIDefinition Location="Ribbon.Permission.Modify" />
          </CommandUIDefinitions>
        </CommandUIExtension>
      </CustomAction>
      <CustomAction
        Id="RemoveRibbonAddGroup"
        Location="CommandUI.Ribbon"
        RequireSiteAdministrator="TRUE">
        <CommandUIExtension>
          <CommandUIDefinitions>
            <CommandUIDefinition Location="Ribbon.Permission.Add" />
          </CommandUIDefinitions>
        </CommandUIExtension>
      </CustomAction>
    </Elements>
    I also have another issue: when this feature is activated, even though I haven't removed the 'Check' and 'Manage' ribbon locations, they are also greyed out, as shown in the screenshot below:
    I have also created a user control using the following method:
    http://sharepointroot.com/2010/06/18/remove-actions-from-the-ribbon-sharepoint-2010/
    But again I need to restrict it to a specific user group.
    Any advice on how to do this? Or which way is better, creating a feature or creating a user control? I liked creating the feature, as it gives you more control.
    Regards,
    Kashif

    Thanks for your reply Paul.
    I do understand that this is a partial solution and wouldn't stop them completely from doing these actions using a different UI, but at least it would remove these options from the ribbon, which is causing us some major issues when clicked by mistake, especially
    'Inherit Permissions'.
    We do have governance policies in place, and a certain user group can add and remove users from the SP site. But the issue we have currently is that one of these (authorised) users uses 'Inherit permissions from parent' on a site. This removes the unique
    permissions from the subsite and deletes all SP groups / permission levels in the subsite. In some cases the subsite contains confidential information, which is then exposed to all the users who have access to the parent site.
    The main button which I'm interested in disabling is 'Inherit Permissions', which I believe can't be used from any other UI apart from the ribbon.
    I just need to know if it's possible to restrict this for some users or groups. Even if it just removes it from the ribbon only, I would still be interested in exploring this implementation.
    Any help would be apperciated.
    Regards,
    Kashif

  • Project Server 2013 - Remove user from resource pool via sync

    Hello everyone,
    Has anyone managed to configure their Project Server 2013 box with a resource pool sync that will actually remove a user from the resource pool (disable "User can be assigned as resource" or deactivate the user) when the user is removed from the AD
    group(s)?
    Setup: Single box, SQL 2012 SP1, SharePoint/Project Server 2013 + PU March + CU April. 2 PWA instances, 1 in SharePoint and 1 in Project permission mode. Tried on 2 different machines (different setup, accounts, domains).
    Procedure:
    Create AD user U and AD group G. Add U to G.
    Go to PWA, set up resource pool sync with G, sync.
    U is now in the resource pool and has no PWA permissions.
    Remove U from G. Resync the resource pool.
    U is still in the resource pool, still a resource, still active, and can still be assigned as a resource.
    Adding U back to G and repeating the whole spiel with a resource pool sync and a PWA group sync of G will result in U being added to and removed from the user list (as expected), and U being added to but not removed from the resource pool.
    Having read
    http://technet.microsoft.com/en-us/library/gg982985.aspx and
    http://technet.microsoft.com/en-us/library/gg750243.aspx, there does not seem to be an omission on my part.
    The first article states:
    Note:
    The corresponding Project Server User Account is not deactivated based on this synchronization. If the same Active Directory user is configured to synchronize with a Project Server security group, the Project Server user account will be inactivated when
    that synchronization occurs. For more information, see
    Best practices to configure Active Directory groups for Enterprise Resource Pool synchronization in Project Server 2013.
    Unfortunately, this deactivation either does not seem to occur even with a PWA group sync, or I misunderstood the article.
    So, did anyone manage to set up their resource pool sync in a way that new resources will be added, but also removed from the resource pool?
    Kind regards,
    Adrian

    Hi Adrian,
    You tried to sync the same AD group that you used for the resource pool sync also with a Project Server permission group?
    And on removal of the user from the AD group the Project user/resource is not deactivated, only removed from the group?
    Regards
    Christoph
    Hi  Christoph,
    Even though I might have tried that before, I tried it again in several configurations. It didn't change anything. The user will be properly added to and removed from the PWA group whenever I remove them from the AD group; the user will also stay active
    (but cannot log on without permissions). However, the user will always remain in the resource pool, i.e. the "User can be assigned as resource." checkbox will remain checked unless it is cleared manually.
    Having re-read the TechNet articles, none of the scenarios actually seem to describe or address the process that I require, or maybe I'm just misunderstanding. Let me just try to outline the core issue:
    Add user to AD group. Sync AD group with resource pool. User is now a PWA resource and PWA user.
    Remove user from AD group, but do not deactivate/delete user from AD.
    (Magic happens!)
    User cannot be assigned as a resource in PWA.
    So, is there anything to make step 3 happen, or is it just not possible to sync users out of the resource pool anymore unless they are deleted/deactivated in AD?
    Kind regards,
    Adrian

  • Controlling Leopard user permissions with launchd-user.conf

    INTRODUCTION:
    For the uninitiated, OS X file permissions are still being developed and documented. In the meantime some default permissions are not prudently set, e.g. new items created by users grant read access to 'everyone'.
    There is growing interest in the use of a launchd-user.conf file to control the default permissions for all users without endangering system performance in the way which launchd.conf can do. This is documented by Apple for OS X Server at http://support.apple.com/kb/HT2202 although it also works for my non-server Leopard installations.
    PROCEDURE:
    The following Finder based procedure is adequate:
    1 - Create a new text file containing:
    umask 077
    2 - Set its permissions to:
    user (Me) - Read and Write
    everyone - Read only
    3 - Name the file:
    launchd-user.conf
    4 - Use the Finder's 'Go to Folder' command to open:
    /etc
    5 - Put the new file in the 'etc' folder - you will be asked to authenticate this step.
    6 - Restart.
    7 - Test for at least two users. All new items created by Users should now have the following permissions:
    user (Me) - Read and Write
    everyone - No Access
    8 - If you want to undo the above you only have to remove launchd-user.conf from /etc and restart.
    DIFFICULTIES:
    The common reasons for the above not working first time are:
    A - Incorrect file name - at least one site got it wrong
    B - Use of Log Out - Restart is necessary for this
    C - Incorrect permissions for launchd-user.conf - 2 above works, and so does replacing 'everyone' with 'staff', although this can be slightly more tedious in the Finder.
    WARNINGS:
    The few users who use Root access will find that this fails to alter anything for them, i.e. new items created by Root will still have the original default of 'everyone - Read only'.
    I anticipate that this procedure will stop 'Public' and 'Sites' folders from functioning as intended so if any user requires these you may need a more elaborate approach.
    GOING FURTHER:
    I have also asserted equivalent permissions by selecting 'Apply to enclosed items' for each user folder. This is irreversible and you are strongly advised to backup before attempting it particularly as any pitfalls may not be evident for a while. I have not, so far, experienced the difficulties described at http://discussions.apple.com/thread.jspa?threadID=1788541 but you are advised to read it.
    QUESTIONS:
    X - Is there a satisfactory way of doing the same for Root users?
    Y - Is there a simple way to reinstate satisfactory defaults for 'Public' and 'Sites' folders?
    Z - Since I started playing with OS X about two years ago I have often thought that I would prefer all permissions to be controlled solely by the directory address of folders. Can this be done with Leopard and if so how?
    RELATED LINKS:
    At the time of writing there were only 12 related links at:
    http://www.google.co.uk/search?num=100&newwindow=1&q=%22launchd-user.conf%22&lr=lang_en

    François L wrote:
    Neville Hillyer wrote:
    Y - Is there a simple way to reinstate satisfactory defaults for 'Public' and 'Sites' folders?
    On http://www.apple.com/support/security/guides/?aosid=p204&siteid=982861&program_id=2701&cid=OAS-EMEA-AFF&tduid=04ef3a9b9d2b80c382ed275fbba9df74,
    you can get the +Mac OS X Security Configuration Guide (2nd Ed)+,
    and page 135, you can read :
    "To change the global umask file permission:
    1 Sign in as a user who can use sudo.
    2 Open Terminal.
    3 Change the umask setting:
    $ sudo echo "umask 027" >> /etc/launchd.conf
    This example sets the global umask setting to 027.
    Changing umask by modifying /etc/launchd.conf is a very bad idea IMO and should be avoided. That security guide is outdated. 10.5.3 introduced the ability to change umask for users only by modifying /etc/launchd-user.conf, as mentioned by the original poster and in the KB article that he cites. Changing umask by modifying /etc/launchd.conf changes it for absolutely everything, including all system files and operations. This would pose a huge security risk if one chooses a more permissive umask than the default one, and could potentially make the system unusable if the umask is set too restrictive. Apparently the 027 umask mentioned in that article is safe to use, but I wouldn't want to test the limits.

  • How to force my Web part to run regardless of users permissions

    I have created the following custom permission level, which will allow users to create items without being able to view or edit them:
    $spweb=Get-SPWeb -Identity "http://vstg01";
    $spRoleDefinition = New-Object Microsoft.SharePoint.SPRoleDefinition;
    $spRoleDefinition.Name = "Submit only";
    $spRoleDefinition.Description = "Can submit/add forms/files/items into library or list but cannot view/edit them.";
    $spRoleDefinition.BasePermissions = "AddListItems, ViewPages, ViewFormPages, Open";
    $spweb.RoleDefinitions.Add($spRoleDefinition);
    $spweb.Dispose();
    Then inside my "Issue Tracking List" I stop inheriting permissions from the team site, and I define the following permission for all users:
    Now users can add items and they cannot view them, which is perfect :).
    But now I wanted to add a custom web part to my Create form which will hide certain fields if the user is not within a specific group; the web part looks as follows:
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        InitializeControl();
        using (SPSite site = new SPSite(SPContext.Current.Site.Url))
        using (SPWeb web = site.OpenWeb())
        {
            web.AllowUnsafeUpdates = true;
            SPGroup group = web.Groups["Intranet Visitors"];
            bool isUser = web.IsCurrentUserMemberOfGroup(group.ID);
            if (!isUser)
            {
                // SPField.Hidden and ShowIn*Form are settings on the list schema shared by every
                // user, so this branch changes the form for everyone until the else branch runs.
                SPList myList = web.Lists.TryGetList("Issue List");
                SPField titleField = myList.Fields.GetField("Category");
                titleField.Hidden = true;
                titleField.ShowInEditForm = false;
                titleField.ShowInNewForm = false;
                titleField.ShowInDisplayForm = false;
                titleField.Update();
                myList.Update();
                // web.AllowUnsafeUpdates = false;
            }
            else
            {
                SPList myList = web.Lists.TryGetList("Issue List");
                SPField titleField = myList.Fields.GetField("Title");
                titleField.Hidden = false;
                titleField.Update();
                myList.Update();
                // //web.AllowUnsafeUpdates = false;
            }
            web.AllowUnsafeUpdates = false;
        }
    }
    Then I deploy the web part and add it to the Create form. But after doing so, users are not able to create items and they get the following error:
    Sorry this site has not been shared with you
    So can anyone advise how to force my web part to run without checking the user's permissions, or with minimal permissions?

    In this case, use elevated privileges to read/add/edit items with the code below.
    But make sure the page to which you add this web part has at least read access for all users.
    SPSecurity.RunWithElevatedPrivileges(delegate()
    using (SPSite site = new SPSite(web.Site.ID))
    // implementation details omitted
    More: http://msdn.microsoft.com/en-us/library/microsoft.sharepoint.spsecurity.runwithelevatedprivileges.aspx
    Bistesh
    OK, after adding:-
    SPSecurity.RunWithElevatedPrivileges(delegate()
    users with the following permissions can create items:-
    "AddListItems, ViewPages, ViewFormPages, Open";
    and they cannot edit/read them, which is great. But I am facing a caching problem, because if a user is inside the "Intranet Visitor" group he will be able to see the Category field, as in my code, but if I remove him from the "Intranet Visitor" group
    he can still see the field, although in the web part I specify not to display the Category column if the user is not inside the "Intranet Visitor" group. Here is my current code:-
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        InitializeControl();
        SPSecurity.RunWithElevatedPrivileges(delegate()
        {
            using (SPSite site = new SPSite(SPContext.Current.Site.Url))
            {
                using (SPWeb web = site.OpenWeb())
                {
                    web.AllowUnsafeUpdates = true;
                    SPGroup group = web.Groups["Intranet Visitor"];
                    bool isUser = web.IsCurrentUserMemberOfGroup(group.ID);
                    if (!isUser)
                    {
                        SPList myList = web.Lists.TryGetList("Risk & Issue Management");
                        SPField titleField = myList.Fields.GetField("Category");
                        titleField.Hidden = true;
                        titleField.ShowInEditForm = false;
                        titleField.ShowInNewForm = false;
                        titleField.ShowInDisplayForm = false;
                        titleField.Update();
                        myList.Update();
                        // web.AllowUnsafeUpdates = false;
                    }
                    else
                    {
                        SPList myList = web.Lists.TryGetList("Risk & Issue Management");
                        SPField titleField = myList.Fields.GetField("Category");
                        titleField.Hidden = false;
                        titleField.ShowInEditForm = true;
                        titleField.ShowInNewForm = true;
                        titleField.ShowInDisplayForm = true;
                        titleField.Update();
                        myList.Update();
                    }
                    web.AllowUnsafeUpdates = false;
                }
            }
        });
    }
    So can you advise please? Is this a caching problem, or will the user be able to see all columns once he has added at least a single item?
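    A PowerShell version of the permission model discussed in this thread, added here as an example and not taken from any of the posts: it creates the custom level, gives one group that level on the list, and then reads back the effective rights of a test account, which is the check to run before looking at the web part. Two facts about the posted web part are worth keeping in mind when reading that check: SPField.Hidden and ShowInNewForm are properties of the list's field definition, so toggling them per request hides the column for every user, not just the one making the request; and an SPSite opened inside RunWithElevatedPrivileges runs as the application pool account, so IsCurrentUserMemberOfGroup on that web evaluates that account rather than the visitor. The site URL, level name and test login below are placeholders.

```powershell
# Added example (not the thread's own code): "add but not read" on one list for one group,
# followed by a verification of the effective permissions of a test account.
# Assumes the SharePoint 2010 Management Shell, run as a site collection administrator
# (the script clears every role assignment on the list, including the caller's).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl   = "http://intranet/sites/teamsite"   # placeholder
$listName  = "Issue List"
$groupName = "Intranet Visitors"
$levelName = "Add Only"                          # placeholder
$testLogin = "DOMAIN\someuser"                   # placeholder: a non-admin member of the group

$web = Get-SPWeb $siteUrl
try {
    # 1. Create the permission level once, with the same mask used in the thread
    $def = $web.RoleDefinitions | Where-Object { $_.Name -eq $levelName }
    if (-not $def) {
        $def = New-Object Microsoft.SharePoint.SPRoleDefinition
        $def.Name            = $levelName
        $def.Description     = "Can submit items but not read them"
        $def.BasePermissions = "AddListItems, ViewPages, ViewFormPages, Open"
        $web.RoleDefinitions.Add($def)
        $def = $web.RoleDefinitions[$levelName]
    }

    # 2. Stop inheriting on the list. BreakRoleInheritance($false) drops the inherited
    #    assignments but keeps the calling account, so the collection is cleared explicitly.
    $list = $web.Lists[$listName]
    if (-not $list.HasUniqueRoleAssignments) { $list.BreakRoleInheritance($false) }
    while ($list.RoleAssignments.Count -gt 0) { $list.RoleAssignments.Remove(0) }

    # 3. Bind the group to the custom level
    $group = $web.SiteGroups[$groupName]
    $ra = New-Object Microsoft.SharePoint.SPRoleAssignment($group)
    $ra.RoleDefinitionBindings.Add($def)
    $list.RoleAssignments.Add($ra)

    # 4. Verify: the test account should be able to add items but not view them
    $P   = [Microsoft.SharePoint.SPBasePermissions]
    $eff = $list.GetUserEffectivePermissions($testLogin)
    $canAdd  = ($eff -band $P::AddListItems)  -ne 0
    $canRead = ($eff -band $P::ViewListItems) -ne 0
    "{0}: AddListItems={1} ViewListItems={2}" -f $testLogin, $canAdd, $canRead
    if (-not $canAdd -or $canRead) {
        Write-Warning "Effective permissions differ from the intended add-only model"
    }
}
finally {
    $web.Dispose()
}
```

    Run it once with a real member of the group as $testLogin and once with an account outside it; the second run should report both flags as False. Because GetUserEffectivePermissions evaluates the named login rather than the shell's own identity, the result is independent of whoever runs the script.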

  • Exchange 2010 Unable to Assign Full Access Permissions using a Security Group

    I've been running into this issue lately. I cannot seem to use groups to allow full access to mailboxes. When I add them from the EMC, it will show up when you go to "Manage Full Access Permission...". After waiting a day and even restarting
    the Information Store service, the permissions do not take effect. When I view the msExchDelegateListLink attribute of the mailbox account, the group is not listed.
    When I grant a user full permission, it works and updates the attribute. However, on occasion when I revoke the full access permission for a user it doesn't always remove that user from the msExchDelegateListLink attribute. So the mailbox
    will still appear in Outlook, but the user isn't able to see new emails.
    Any ideas on what may be going wrong?
    Environment:
    Exchange Server 2010 SP1 Standard
    Windows Server 2008 R2 Standard
    Outlook 2010 SP1 (tried without SP1 as well)
    I was looking over Add-MailboxPermission on Technet (http://technet.microsoft.com/en-us/library/bb124097.aspx) and I noticed that it doesn't mention adding groups.  Is this not possible?

    I never got a proper fix.
    I worked around it by creating a script which gets the members of an AD mail-enabled security group and updates the full access based on the group's members.
    Here's a script I'm running every hour which updates permissions. It's probably not the most efficient script ever, but it works. It has several benefits:
    1. Managers of the distribution group can add/remove mailbox members using OWA or through the address list
    2. New members of groups are added to FULL Access Permissions
    3. Members removed from the groups are removed from FULL access permissions
    4. Automapping works :)
    5. Maintains a log of access added / removed / time taken etc.
    Obviously I have had to remove domain-related information; replace it with whatever your domain requirements are, and PLEASE debug it properly in your environment first. Don't complain to me if it wipes out a load of access for you or something like that!
    It takes about 5 minutes to run in my environment. Some formatting seems to have got messed up on here, sorry. I hope it is of use!
    # Mailbox Permissions Setter for Exchange #
    # v1.1 #
    # This script will loop through all mailboxes in Exchange and find any where #
    # the type is 'SHARED'. These should be determined to be a GROUP/SHARED mailbox #
    # and access to these mailboxes are controlled by a single ACL, e.g. 'ACL_Shared_Mailbox'. #
    # This script will add any members of these ACLs directly to the Full Access Permissions #
    # of the mailbox and also remove them if they no longer need the access. #
    # Script created by Jon Read, Technical Administration
    # Recent Changes
    # 15/11/2012
    # 1.1 Added exclusions for ACLs that we don't want automapping to happen for
    # 12/11/2012
    # 1.0 Initial script

    #Do not change these values
    Add-PSSnapin *Ex*
    $starttime = Get-Date
    $logfile = "C:\accesslog.txt"
    $logfile2 = "C:\accesslog2.txt"
    $totaladditionstomailboxes = 0
    $totalremovalsfrommailboxes = 0
    $totalmailboxesprocessed = 0
    $totalmailboxesskipped = 0

    # Exclude any ACLs that shouldn't be processed here if they are used for a non-standard purpose and
    # we don't want FULL access mapping to happen. Separate array values with commas
    $ExcludedACLArray = @("DOMAIN\ACL_ExcludedExample")

    Write-Output " " >> $logfile
    Write-Output " " >> $logfile
    Write-Output "#----------------------------------------------------------------#" >> $logfile
    Write-Output "# Mailbox Permissions Setter for Exchange #" >> $logfile
    Write-Output "# v1.1 #" >> $logfile
    Write-Output "#----------------------------------------------------------------#" >> $logfile
    Write-Output " " >> $logfile
    Write-Output " " >> $logfile
    Write-Output "Start time $starttime " >> $logfile
    Write-Output " " >> $logfile
    Write-Output " " >> $logfile

    # Set preferred DCs and GCs
    $preferredDC = "preferredDC.domain"
    $preferredGC = "preferredGC.domain"
    Write-Output " PreferredDC = $preferredDC " >> $logfile
    Write-Output " PreferredGC = $preferredGC " >> $logfile
    Set-ADServerSettings -PreferredGlobalCatalog $preferredGC -SetPreferredDomainControllers $preferredDC

    # The first part of this will ADD permissions to the mailbox, reading from an associated ACL.
    # Check for all mailboxes where the type is SHARED. These are the only ones we would
    # want to apply group mailbox permissions to.
    foreach ($mailbox in Get-Mailbox -ResultSize "unlimited" | Where-Object { $_.RecipientTypeDetails -eq "SharedMailbox" }) {
        $totalmailboxesprocessed = $totalmailboxesprocessed + 1
        Write-Output " " >> $logfile
        Write-Output " " >> $logfile
        Write-Output "|-------------------------------------------------------" >> $logfile
        Write-Output "| MAILBOX ADDITIONS: $mailbox " >> $logfile
        Write-Output "|-------------------------------------------------------" >> $logfile
        $mailbox = $mailbox.ExchangeGuid.ToString()

        # For each of them, get the distribution list applied to the mailbox (Starting DOMAIN\ACL_)
        # We then need it to be turned into a string to use later.
        # Declared $changes as 0. If this is still 0 at the end of the mailbox job, we know no changes were made.
        $changes = 0
        foreach ($distributiongroup in Get-Mailbox $mailbox | Get-MailboxPermission | Where-Object { $_.User -like "DOMAIN\ACL_*" }) {
            $skipACL = 0
            # Get the distribution group and put the name in a usable format
            $distributiongroup = $distributiongroup.User.ToString()
            Write-Output "Found ACL $distributiongroup" >> $logfile

            # Check if this distribution group needs to be excluded and if it shouldn't be processed
            # then move onto the next ACL. This will stop FULL access being granted if the mailbox is
            # used for a non-standard purpose. See the start of this script
            # for where these are excluded (ExcludedACLArray)
            foreach ($ACL in $ExcludedACLArray) {
                if ($distributiongroup -eq $ACL) {
                    $skipACL = 1
                    Write-Output "ACL $distributiongroup is excluded so skipping mailbox " >> $logfile
                    $totalmailboxesskipped = $totalmailboxesskipped + 1
                }
            }

            if ($skipACL -eq 0) {
                # Get each user in this group and for each of them, try to add them to full access permissions.
                foreach ($user in Get-DistributionGroupMember -Identity $distributiongroup) {
                    # Get the user to try, convert to DOMAIN\USER to use shortly
                    $user = "DOMAIN\" + $user.Alias.ToString()

                    # Check to see if the user we have chosen from the ACL group already exists in the full access
                    # permissions. If they do, set $userexists to 1, if they do not, leave $userexists set to 0.
                    $userexists = 0
                    foreach ($fullaccessuser in Get-Mailbox $mailbox | Get-MailboxPermission) {
                        # See if the user exists in the mailbox access list.
                        # Change $fullaccessuser to a usable string (matching $user)
                        $fullaccessuser = $fullaccessuser.User.ToString()
                        if ($fullaccessuser -eq $user) {
                            $userexists = 1
                            # Break out of foreach if the user exists so we don't unnecessarily loop
                            break
                        }
                    }

                    # Now we know if the user needs to be added or not, so run code (if needed) to add
                    # the user to full access permissions
                    if ($userexists -eq 0) {
                        Add-MailboxPermission $mailbox -User $user -AccessRights "FullAccess"
                        Write-Output "Added $user " >> $logfile
                        $changes = 1
                        $totaladditionstomailboxes = $totaladditionstomailboxes + 1
                    }
                    # Now repeat for other users in the ACL
                }
            }
        }

        # If changes were 0, then log that no changes were made
        if ($changes -eq 0) {
            Write-Output "No changes were made." >> $logfile
        }
    }

    Write-Output " " >> $logfile
    Write-Output " " >> $logfile
    Write-Output "---------------------------------------------------------------------------------" >> $logfile
    Write-Output " FINISHED ADDING PERMISSIONS" >> $logfile
    Write-Output "---------------------------------------------------------------------------------" >> $logfile
    Write-Output " " >> $logfile

    # The second part of this will REMOVE permissions from the mailbox, reading from an associated ACL.
    ## Check for all mailboxes where the type is SHARED. These are the only ones we would
    ## want to apply group mailbox permissions to.
    foreach ($mailbox in Get-Mailbox -ResultSize "unlimited" | Where-Object { $_.RecipientTypeDetails -eq "SharedMailbox" }) {
        Write-Output " " >> $logfile
        Write-Output " " >> $logfile
        Write-Output "|-------------------------------------------------------" >> $logfile
        Write-Output "| MAILBOX REMOVALS : $mailbox " >> $logfile
        Write-Output "|-------------------------------------------------------" >> $logfile
        $mailbox = $mailbox.ExchangeGuid.ToString()

        # Declared $changes as 0. If this is still 0 at the end of the mailbox job, we know no changes were made.
        $changes = 0

        # For the current mailbox, get a list of all users with FULLACCESS, and then for each of them
        # check if they exist in the ACL
        foreach ($fullaccessuser in Get-Mailbox $mailbox | Get-MailboxPermission | Where-Object { $_.AccessRights -like "FullAccess" }) {
            # Get the security identifier (SID) of the FULLACCESS user to store for later.
            $fullaccessuserSSID = $fullaccessuser.User.SecurityIdentifier.ToString()
            $fullaccessuser = $fullaccessuser.User.ToString()

            # If user needs to be excluded then skip this bit
            # Users added or removed will only start with 07 (07$, 07T), so only run if the user starts with this.
            # This stops it trying to remove NT AUTHORITY\SELF and other System entries
            if ($fullaccessuser -like "DOMAIN\07*") {
                # Set $userexists to be 0. If we find the user needs to remain, then change it to 1.
                $userexists = 0

                # Check if this user exists in the ACL, if not, remove.
                foreach ($distributiongroup in Get-Mailbox $mailbox | Get-MailboxPermission | Where-Object { $_.User -like "DOMAIN\ACL_*" }) {
                    $distributiongroup = $distributiongroup.User.ToString()
                    #Write-Output "Found associated distribution group $distributiongroup" >> $logfile

                    # Get each user in this group and for each of them, see if it matches the user in the mailbox.
                    foreach ($user in Get-DistributionGroupMember -Identity $distributiongroup) {
                        # Get the user to try, convert to DOMAIN\USER to use shortly
                        $userguid = $user.Guid.ToString()
                        $user = "DOMAIN\" + $user.Alias.ToString()
                        if ($fullaccessuser -eq $user) {
                            $userexists = 1
                            # We have found the user exists so no need to continue
                            break
                        }
                    }
                }

                # If userexists = 0, then they are NOT in the ACL, and should be removed from
                # the full access permissions. Run the code to remove them from full access.
                # CONVERT FULLACCESSUSER TO GUID AND REMOVE $FULLACCESSUSERGUID NOT $USERGUID
                if ($userexists -eq 0) {
                    Remove-MailboxPermission -Identity $mailbox -User $fullaccessuserSSID -AccessRights "FullAccess" -Confirm:$false
                    Write-Output "Removed $fullaccessuser " >> $logfile
                    $changes = 1
                    $totalremovalsfrommailboxes = $totalremovalsfrommailboxes + 1
                }
            }
        }

        # If changes = 0, no changes were made to this mailbox, so log this fact.
        if ($changes -eq 0) {
            Write-Output "No changes were made." >> $logfile
        }
    }

    # Put the time in a displayable format
    $endtime = Get-Date
    $runtime = $endtime - $starttime
    $runtime = $runtime.ToString()
    $runtime1 = $runtime.Split(".")
    $totaltime = $runtime1[0]

    Write-Output " " >> $logfile
    Write-Output " " >> $logfile
    Write-Output "|-------------------------------------------------------------------------------------- " >> $logfile
    Write-Output "| SCRIPT COMPLETE : STATS " >> $logfile
    Write-Output "|-------------------------------------------------------------------------------------- " >> $logfile
    Write-Output "| Total Mailboxes Processed : $totalmailboxesprocessed " >> $logfile
    Write-Output "| Total Additions : $totaladditionstomailboxes " >> $logfile
    Write-Output "| Total Removals : $totalremovalsfrommailboxes " >> $logfile
    Write-Output "| Total Mailboxes Skipped due to ACL : $totalmailboxesskipped " >> $logfile
    Write-Output "| Start time : $starttime " >> $logfile
    Write-Output "| End time : $endtime " >> $logfile
    Write-Output "| **END OF RUN** - Elapsed time : $totaltime " >> $logfile
    Write-Output "|---------------------------------------------------------------------------------------" >> $logfile
    Write-Output " " >> $logfile
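    The second symptom in the question, a revoked user still seeing the mailbox in Outlook, comes down to the msExchDelegateListLink attribute keeping a delegate DN after the FullAccess ACE is gone. The following check, added here as an example and not part of the thread or the script above, walks every shared mailbox and compares that attribute with the explicit FullAccess entries, reporting links with no matching ACE (stale automapping) and ACEs with no link (groups, which Exchange 2010 never automaps, or users whose link was lost). With -Fix it removes the stale DN directly from the attribute, which is the workaround normally applied by hand; that direct edit is my addition, not something the thread describes. It assumes the Exchange 2010 EMS snap-in and the ActiveDirectory module are both available on the host.

```powershell
# Added example (not the thread's own code): reconcile FullAccess ACEs with the
# msExchDelegateListLink attribute that Exchange 2010 SP1 uses for Outlook automapping.
# Assumes the Exchange 2010 snap-in and the ActiveDirectory module (RSAT on Server 2008 R2).
param([switch]$Fix)

Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010 -ErrorAction SilentlyContinue
Import-Module ActiveDirectory

# Explicit allow entries granting FullAccess; inherited and well-known system ACEs are ignored
function Get-ExplicitFullAccess($mailbox) {
    Get-MailboxPermission -Identity $mailbox | Where-Object {
        $_.AccessRights -contains 'FullAccess' -and
        -not $_.IsInherited -and -not $_.Deny -and
        $_.User -notlike 'NT AUTHORITY\*' -and $_.User -notlike 'S-1-5-*'
    }
}

foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails SharedMailbox) {
    $aces    = @(Get-ExplicitFullAccess $mbx)
    $aceSids = @($aces | ForEach-Object { $_.User.SecurityIdentifier.Value })

    # DNs of the delegates Exchange recorded on the mailbox's own user object
    $adMbx  = Get-ADUser -Identity $mbx.DistinguishedName -Properties msExchDelegateListLink
    $linked = @($adMbx.msExchDelegateListLink)

    # 1. Links whose principal no longer holds FullAccess: the mailbox keeps appearing in Outlook
    foreach ($dn in $linked) {
        $delegate = Get-ADObject -Identity $dn -Properties objectSid
        if ($aceSids -notcontains $delegate.objectSid.Value) {
            Write-Output ("STALE  {0}: automap link to {1} has no FullAccess ACE" -f $mbx.Alias, $dn)
            if ($Fix) {
                # Remove only this DN; Remove-MailboxPermission would have done the same
                Set-ADUser -Identity $mbx.DistinguishedName -Remove @{ msExchDelegateListLink = $dn }
            }
        }
    }

    # 2. ACEs with no link. For a group this is expected (Exchange 2010 links only user
    #    objects), which is why the script above expands groups to their members.
    foreach ($ace in $aces) {
        $sid = $ace.User.SecurityIdentifier.Value
        $obj = Get-ADObject -LDAPFilter "(objectSid=$sid)" -Properties objectClass
        if ($obj -and $linked -notcontains $obj.DistinguishedName) {
            if ($obj.ObjectClass -eq 'group') {
                Write-Output ("GROUP  {0}: {1} holds FullAccess but groups are never automapped" -f $mbx.Alias, $ace.User)
            } else {
                Write-Output ("NOLINK {0}: {1} holds FullAccess without an automap link (re-add with Add-MailboxPermission -AutoMapping:`$true)" -f $mbx.Alias, $ace.User)
            }
        }
    }
}
```

    Run it without -Fix first and keep the output with the hourly log; a STALE line for a user who was removed from the ACL group is exactly the case the question describes, and a GROUP line shows why assigning the group directly never populated the attribute. Because the check keys on SIDs rather than display names, renamed accounts and unresolved SIDs are compared correctly.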
