Report on a device's local security groups

To my knowledge SCCM does not collect any information on a device's local security groups. To support this I have not been able to find anything in the tables/views but there is a lot there and I'm hoping I've overlooked it.
I would welcome someone proving me wrong on this. I would like to create a report on a particular missing local security group on our devices.

See
http://mnscug.org/blogs/sherry-kissinger/244-all-members-of-all-local-groups-configmgr-2012
Torsten Meringer | http://www.mssccmfaq.de

Similar Messages

  • AD security group issues in SharePoint 2013 Integrated Mode

    Hello,
    Sorry if this is the wrong forum, I'm not sure if this is a SharePoint issue or a Reporting Services configuration issue (or if it should be in a SharePoint forum regardless).
    I have SSRS2012 on SharePoint 2013 in integrated mode. We are doing item level permissions, which means we have an AD security group Reports-All with
    Read to the Reports document library, then each actual report has unique permissions. We have a report with the ProjectManagers AD
    security group on it with Read (plus some other stuff to let them manage subscriptions), and another AD security group ProjectUsers with
    just Read access so they can open the reports. The data source used by this report has the AD security group I mentioned before, Reports-All,
    with Read.
    At a SharePoint level, things appear to work. When a user in ProjectManagers or ProjectUsers browses
    to the library, they see only the 3 reports that those two security groups have permission to see (out of a lot more in the library). That means SharePoint is reading those security group memberships correctly as far as I can tell.
    The issue is when a user in ProjectManagers or ProjectUsers clicks
    on a report, they get a reporting server based error message, and the ULS logs have an error specific to the user trying to run the report.
    Microsoft.ReportingServices.Diagnostics.Utilities.AccessDeniedException: The permissions granted to user 'MyDomain\MyUser' are insufficient for performing this operation. (Fault Detail is equal to Microsoft.ReportingServices.ServiceContract.RsExceptionInfo)
    If I add that specific user with Read permissions to the report and the data source, they are then able to run the report without errors. It seems like some Report Server component is not liking the fact that I'm using security groups. 
    Has anyone seen this behavior with AD security groups? Any ideas on why my environment does not want to work properly with those even though AD security groups are working fine for other non-Reporting Services files?
    Thanks,
    Aaron

    Hi aaronzott,
    According to your description, you configured SSRS 2012 of SharePoint integrated mode. You added read permission to reports and data source to AD security group Reports-All, then added just read permission to ProjectManagers and ProjectUsers groups. When
    users in ProjectManagers or ProjectUsers groups click report, the error message occurred. After you added Read permissions to the report and the data source to the groups, they can preview the report without errors.
    Report definition permissions are defined through List permissions on the library that contains the report, but we can set permissions on individual reports if we want to restrict access. Set properties on a report including data source connection information,
    processing options, and parameter properties. Edit Items on the library that contains the report or on the individual report. We also need to have view permissions on a shared data source (.rsds) to select it for use with the report.
    For more information about Set Permissions for Report Server Operations in a SharePoint Web Application, please refer to the following document:
    http://msdn.microsoft.com/en-us/library/bb326286(v=sql.110).aspx
    If you have any more questions, please feel free to ask.
    Thanks,
    Wendy Fu

  • Security group guidance

    Hello,
    I'm having all sorts of troubles getting security groups working within SharePoint. I'm aware of the various timeouts and caching that occur and have changed my WindowsTokenLifeTime to 30 minutes to pick up security group changes faster. However, I have
    some areas in SharePoint where even after days, users in security groups with access to a site, library, or document still do not have access and they don't show up in Check Permissions. Also, I have some instances where a user, as a member of a security group
    with access to a file, has access one day and then the next day does not. This happens for multiple users in multiple locations and I have no idea what's going on. 
    Is there any guidance other than this about using AD security groups in SharePoint? 
    http://technet.microsoft.com/en-us/library/cc261972(v=office.15).aspx
    This is really messing with my head. 
    Our farm is SharePoint 2013 SP1. Some of my security groups have nested security groups, some don't, and both have these issues. 
    Thanks,
    Aaron

    I'm going to have to re-open this in a Reporting forum because this is so confusing.
    So our setup is SSRS2012 on SharePoint 2013. We are doing item level permissions, which means we have an AD security group
    Reports-All with Read to the Reports folder, then each actual report has unique permissions. We have a report with the
    ProjectManagers AD security group on it with Read (plus some other stuff to let them manage subscriptions), and another AD security group
    ProjectUsers with just Read access so they can open the reports. The data source used by this report has the AD security group I mentioned before,
    Reports-All, with Read.
    At a SharePoint level, things appear to work. When a user in ProjectManagers
    or ProjectUsers browses to the library, they see only the 3 reports that those two security groups have permission to see (out of a lot more in the library). That means SharePoint is reading those security group memberships correctly
    as far as I can tell.
    The issue is when a user in ProjectManagers or ProjectUsers
    clicks on a report, they get a reporting server based error message, and the ULS logs have an error specific to the user trying to run the report.
    Microsoft.ReportingServices.Diagnostics.Utilities.AccessDeniedException: The permissions granted to user 'MyDomain\MyUser' are insufficient for performing this operation. (Fault Detail is equal to Microsoft.ReportingServices.ServiceContract.RsExceptionInfo)
    If I add that specific user with Read permissions to the report and the data source, they are then able to run the report without errors. It seems like some Report Server component is not liking the fact that I'm using security groups. 
    Even though I'm going to put this elsewhere I figured I'd expand on my situation here in case it's an obvious solution to someone.

  • SMS_AD_SECURITY_GROUP_DISCOVERY_AGENT - Active Directory Security Group Discovery Agent reported warnings for 524 object(s). DDRs were generated for 0 object(s) that had warning(s) while reading non-critical properties.

    Hi, can anyone help me troubleshoot the following please:
    Active Directory Security Group Discovery Agent reported warnings for 524 object(s). DDRs were generated for 0 object(s) that had warning(s) while reading non-critical properties. DDRs were not generated for 524 object(s) that had warnings while reading
    critical properties.
    Possible cause: OU name or Security Group name may contain at least a Unicode character which has conversion problem between Unicode and your system ANSI locale(e.g. Korean characters in English System Locale). The site server might not have access to
    some properties of this object. The container specified might not have the properties available.
    Solution: Please verify the Active Directory schema for properties that are not replicated or locked. Refer to the discovery logs for more information.
    Does the error relate to 524 security groups? There are several invalid search paths listed in adsgdis.log, are these related?
    Thanks,
    Dale

    You'll have to examine the log to determine exactly which objects it's referring to. Although this is in the context of group discovery, group discovery still creates DDRs for computer objects within those groups so it could be either groups or computers.
    This is not a search path issue though as it's clear that the discovery process found 524 different objects, but as stated, it could not properly read critical properties of those objects and thus did not create DDRs for them.
    As mentioned, reading the log in detail will list the objects individually and the reason it could not create a DDR for it.
    Jason | http://blog.configmgrftw.com

  • Nested Security Groups in Device Collections

    Hi all,
    Is it possible to create a device collection with a dynamic query containing nested Security Groups (Active Directory)?
    Following is a sample:
    Security Group 'A' has the following members-
    1) Security Group 'C'
    2) Security Group 'D'
    3) User 'John'
    4) User 'Dave'
    I'm trying to create a device-collection in SCCM 2012 referencing this Security Group 'A' and my intent is to have all members of SG 'C' & 'D' to be part of it along with John & Dave.
    thanks in advance.

    Within ConfigMgr, "Security Group A" will be listed as a Security Group Name with all the direct members of "Security Group A" and the members of "Security Group B" and "Security Group C".
    So, simply querying for "Security Group A" should be sufficient.
    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

  • PS2010: Resource synchronization fails in project site creation and when changes users at the Security Groups.

    I am not using AD synchronization for resource pool and security groups in Project Server 2010.
    When I publish a new Project or try to create a Project web site manually it creates the Project site, but fails to synch the resources.
    If I add or change one or more resources at the Project Managers security group at PWA it also fails to synchronize the root site and existing Project web sites.
    I looked at the ULS log and the following error appears:
    Add or remove resources from a Security Group error excerpts:
    "GeneralQueueJobFailed (26000) - AddSingleUserMembershipInWss.AddSingleUserMembershipInWssMessage. Details: id='26000' name='GeneralQueueJobFailed' uid='36d89522-f218-4bd2-870e-f07c9292435e' JobUID='f083e721-d7b2-4334-839b-fb10b5c0c513' "
    "Failed to find the XML file at location '14\Template\Features\ReportServer\feature.xml'
    Feature definition missing for Feature 'ReportServer' (Id: 'e8389ec7-70fd-4179-a1c4-6fcb4342d7a0')"
    Create a new Project site error excerpt:
    "CreateWssSiteContent: Creating project site failed! Project Uid=20450550-17ec-4278-83b0-b86116c63fb9, site URL=http://project.b2w/PWA/Teste 1001 2S, site name=Teste 1001 2S. System.Runtime.InteropServices.COMException (0x8107058A): <nativehr>0x8107058a</nativehr><nativestack></nativestack>The
    content type name _$Resources:ReportServerResources,DataSourceContentTypeName;_ cannot contain: \ / : * ? " # % < > { } | ~ & , two consecutive periods (..), or special characters such as a tab..."
    My Project site template is exactly the same as the original Project Server site template (for test purposes) but created as a Project site and then saved as a template with another name.
    In both cases there is a reference to "ReportServer", but I do not have either a Report Server installed in the farm or the Reporting Services Service Application.
    Any ideas how can I correct this issue?
    Best regards, Ricardo Segawa - Segawas Projetos / Microsoft Partner

    Hi Segawa,
    In the above thread you are saying that there are reference to "Report Server". Save the template to local file system and extract the template. Now check the onet.xml under "Webtemplates" folder. Do you see the references of report server there.
    If that is the case, my suggestion would be to recreate the template without the reference for report server and then test the behavior.
    Also, you can even remove the reference in the onet.xml and use some compressing tools to rebuild the wsp file and then use that as template.
    Happy troubleshooting...
    Vikram Daruru - MSFT

  • Security Group for SharePoint 2013 Online Enterprise 3

    I need to copy all the user account names from one SharePoint Security group to a different SharePoint Security group in the same single tenant.
    I can not figure out how to do this.
    Thanks.
    Dawn

    Call your local Microsoft office (any office may do, but info from your local office will be more accurate), and ask for the
    Account Manager for SMB (small to medium businesses) in the
    education sector.
    Scott Brickey
    MCTS, MCPD, MCITP
    www.sbrickey.com
    Strategic Data Systems - for all your SharePoint needs

  • How to export all local security setting field names and values

    Hi all,
    I am trying to export local security settings from local policy using the script below, but it shows only those that are configured. I need expert help that would allow me to export all fields with their values, whether they are configured or not. Please help.
    $output=@()
    $temp = "c:\"
    $file = "$temp\privs.txt"
    [string] $readableNames
    $process = [diagnostics.process]::Start("secedit.exe", "/export /cfg $file /areas USER_RIGHTS")
    $process.WaitForExit()
    $in = get-content $file
    foreach ($line in $in) {
    if ($line.StartsWith("Se")) {
    $privilege = $line.substring(0,$line.IndexOf("=") - 1)
    switch ($privilege){
    "SeCreateTokenPrivilege" {$privilege = "Create a token object"}
    "SeAssignPrimaryTokenPrivilege" {$privilege = "Replace a process-level token"}
    "SeLockMemoryPrivilege" {$privilege = "Lock pages in memory"}
    "SeIncreaseQuotaPrivilege" {$privilege = "Adjust memory quotas for a process"}
    "SeUnsolicitedInputPrivilege" {$privilege = "Read unsolicited input from a terminal device"}
    "SeMachineAccountPrivilege" {$privilege = "Add workstations to domain"}
    "SeTcbPrivilege" {$privilege = "Act as part of the operating system"}
    "SeSecurityPrivilege" {$privilege = "Manage auditing and the security log"}
    "SeTakeOwnershipPrivilege" {$privilege = "Take ownership of files or other objects"}
    "SeLoadDriverPrivilege" {$privilege = "Load and unload device drivers"}
    "SeSystemProfilePrivilege" {$privilege = "Profile system performance"}
    "SeSystemtimePrivilege" {$privilege = "Change the system time"}
    "SeProfileSingleProcessPrivilege" {$privilege = "Profile single process"}
    "SeCreatePagefilePrivilege" {$privilege = "Create a pagefile"}
    "SeCreatePermanentPrivilege" {$privilege = "Create permanent shared objects"}
    "SeBackupPrivilege" {$privilege = "Back up files and directories"}
    "SeRestorePrivilege" {$privilege = "Restore files and directories"}
    "SeShutdownPrivilege" {$privilege = "Shut down the system"}
    "SeDebugPrivilege" {$privilege = "Debug programs"}
    "SeAuditPrivilege" {$privilege = "Generate security audit"}
    "SeSystemEnvironmentPrivilege" {$privilege = "Modify firmware environment values"}
    "SeChangeNotifyPrivilege" {$privilege = "Bypass traverse checking"}
    "SeRemoteShutdownPrivilege" {$privilege = "Force shutdown from a remote system"}
    "SeUndockPrivilege" {$privilege = "Remove computer from docking station"}
    "SeSyncAgentPrivilege" {$privilege = "Synchronize directory service data"}
    "SeEnableDelegationPrivilege" {$privilege = "Enable computer and user accounts to be trusted for delegation"}
    "SeManageVolumePrivilege" {$privilege = "Manage the files on a volume"}
    "SeImpersonatePrivilege" {$privilege = "Impersonate a client after authentication"}
    "SeCreateGlobalPrivilege" {$privilege = "Create global objects"}
    "SeTrustedCredManAccessPrivilege" {$privilege = "Access Credential Manager as a trusted caller"}
    "SeRelabelPrivilege" {$privilege = "Modify an object label"}
    "SeIncreaseWorkingSetPrivilege" {$privilege = "Increase a process working set"}
    "SeTimeZonePrivilege" {$privilege = "Change the time zone"}
    "SeCreateSymbolicLinkPrivilege" {$privilege = "Create symbolic links"}
    "SeDenyInteractiveLogonRight" {$privilege = "Deny local logon"}
    "SeRemoteInteractiveLogonRight" {$privilege = "Allow logon through Terminal Services"}
    "SeServiceLogonRight" {$privilege = "Logon as a service"}
    "SeIncreaseBasePriorityPrivilege" {$privilege = "Increase scheduling priority"}
    "SeBatchLogonRight" {$privilege = "Log on as a batch job"}
    "SeInteractiveLogonRight" {$privilege = "Log on locally"}
    "SeDenyNetworkLogonRight" {$privilege = "Deny Access to this computer from the network"}
    "SeNetworkLogonRight" {$privilege = "Access this Computer from the Network"}
    }
      # Everything after "=" is the comma-separated list of assigned principals
      $sids = $line.substring($line.IndexOf("=") + 1,$line.Length - ($line.IndexOf("=") + 1))
      $sids =  $sids.Trim() -split ","
      $readableNames = ""
      foreach ($str in $sids){
        # secedit prefixes each SID with "*"; strip it before translating
        $str = $str.substring(1)
        $sid = new-object System.Security.Principal.SecurityIdentifier($str)
        $readableName = $sid.Translate([System.Security.Principal.NTAccount])
        $readableNames = $readableNames + $readableName.Value + ", "
      }
    $output += New-Object PSObject -Property @{
            privilege       = $privilege
            # Drop the trailing ", " separator
            readableNames   = $readableNames.substring(0,($readableNames.Length - 2))
            #else            = $line."property"
    }
    }
    }
    $output

    As an alternate approach we can preset the hash and just update it.  This version also deals with trapping the errors.
    function Get-UserRights{
        Param(
            [string]$tempfile="$env:TEMP\secedit.ini"
        )
        # Export only the user rights area and stop if secedit reports a failure
        $p=Start-Process 'secedit.exe' -ArgumentList "/export /cfg $tempfile /areas USER_RIGHTS" -NoNewWindow -Wait -PassThru
        if($p.ExitCode -ne 0){
            Write-Error "SECEDIT exited with error:$($p.ExitCode)"
            return
        }
        $selines=get-content $tempfile|?{$_ -match '^Se'}
        Remove-Item $tempfile -EA 0
        $dct=$selines | ConvertFrom-StringData
        # Preset every right to $null so unconfigured rights still appear in the output
        $hash=@{
            SeCreateTokenPrivilege=$null
            SeAssignPrimaryTokenPrivilege=$null
            SeLockMemoryPrivilege=$null
            SeIncreaseQuotaPrivilege=$null
            SeUnsolicitedInputPrivilege=$null
            SeMachineAccountPrivilege=$null
            SeTcbPrivilege=$null
            SeSecurityPrivilege=$null
            SeTakeOwnershipPrivilege=$null
            SeLoadDriverPrivilege=$null
            SeSystemProfilePrivilege=$null
            SeSystemtimePrivilege=$null
            SeProfileSingleProcessPrivilege=$null
            SeCreatePagefilePrivilege=$null
            SeCreatePermanentPrivilege=$null
            SeBackupPrivilege=$null
            SeRestorePrivilege=$null
            SeShutdownPrivilege=$null
            SeDebugPrivilege=$null
            SeAuditPrivilege=$null
            SeSystemEnvironmentPrivilege=$null
            SeChangeNotifyPrivilege=$null
            SeRemoteShutdownPrivilege=$null
            SeUndockPrivilege=$null
            SeSyncAgentPrivilege=$null
            SeEnableDelegationPrivilege=$null
            SeManageVolumePrivilege=$null
            SeImpersonatePrivilege=$null
            SeCreateGlobalPrivilege=$null
            SeTrustedCredManAccessPrivilege=$null
            SeRelabelPrivilege=$null
            SeIncreaseWorkingSetPrivilege=$null
            SeTimeZonePrivilege=$null
            SeCreateSymbolicLinkPrivilege=$null
            SeDenyInteractiveLogonRight=$null
            SeRemoteInteractiveLogonRight=$null
            SeServiceLogonRight=$null
            SeIncreaseBasePriorityPrivilege=$null
            SeBatchLogonRight=$null
            SeInteractiveLogonRight=$null
            SeDenyNetworkLogonRight=$null
            SeNetworkLogonRight=$null
        }
        # Overwrite the preset entries with the values secedit actually exported
        for($i=0;$i -lt $dct.Count;$i++){
            $hash[$dct.keys[$i]]=$dct.Values[$i].Split(',')
        }
        $privileges=New-Object PsObject -Property $hash
        $privileges
    }
    Get-UserRights
    A full version would be pipelined and remoted or, perhaps use a workflow to access remote machines in parallel.
    ¯\_(ツ)_/¯
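
    Added example, not part of either post above: a parser for the secedit USER_RIGHTS export text that both scripts read, reporting every right on a chosen list whether or not it is assigned, and tolerating entries that are account names or SIDs that no longer resolve. The sample export lines, the svc_backup account, the S-1-5-21 SID, the shortened list of rights and both function names are constructed for illustration.

    ```powershell
    # Constructed sample of a "secedit /export /areas USER_RIGHTS" file (not real output).
    $sample = @(
        '[Unicode]',
        'Unicode=yes',
        '[Privilege Rights]',
        'SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544',
        'SeDebugPrivilege = *S-1-5-32-544',
        'SeServiceLogonRight = svc_backup,*S-1-5-21-1111111111-2222222222-3333333333-1105',
        '[Version]',
        'signature="$CHICAGO$"',
        'Revision=1'
    )

    # Rights to report even when secedit omits them (assumption: a short subset
    # of the full list in the thread, to keep the example readable).
    $expected = 'SeNetworkLogonRight','SeDebugPrivilege','SeServiceLogonRight',
                'SeTcbPrivilege','SeCreateTokenPrivilege','SeBackupPrivilege'

    function Resolve-Principal {
        param([string]$Entry)
        # secedit writes "*<SID>" for SIDs and a bare name for accounts it stored by name.
        if (-not $Entry.StartsWith('*')) { return $Entry }
        $sidText = $Entry.Substring(1)
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($sidText)
            return $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            # Deleted account, unreachable domain, or malformed SID: keep the raw value.
            return "$sidText (unresolved)"
        }
    }

    function ConvertFrom-SeceditRights {
        param([string[]]$Lines, [string[]]$ExpectedRights)

        $assigned  = @{}
        $inSection = $false
        foreach ($raw in $Lines) {
            $line = $raw.Trim()
            if ($line -match '^\[(.+)\]$') {
                # Only the [Privilege Rights] section holds user rights.
                $inSection = ($Matches[1] -eq 'Privilege Rights')
                continue
            }
            if (-not $inSection) { continue }
            if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
                $right = $Matches[1]
                $assigned[$right] = @($Matches[2] -split ',' |
                    ForEach-Object { $_.Trim() } | Where-Object { $_ })
            }
        }

        # Union of the expected list and whatever the export contained.
        $all = @($ExpectedRights) + @($assigned.Keys) | Sort-Object -Unique
        foreach ($right in $all) {
            $entries = @(if ($assigned.ContainsKey($right)) { $assigned[$right] })
            [pscustomobject]@{
                Privilege  = $right
                Configured = $assigned.ContainsKey($right)
                Accounts   = ($entries | ForEach-Object { Resolve-Principal $_ }) -join ', '
            }
        }
    }

    ConvertFrom-SeceditRights -Lines $sample -ExpectedRights $expected |
        Format-Table -AutoSize
    ```

    To run it against a live machine, pass the lines of a real export (for example from Get-Content on the file secedit wrote) instead of $sample.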

  • File Server Migration - For ORG A Forest to ORG B Forest ( Need to create and Map Security Group automatically on new Migrated Folders - Please Help

    I have two forest With Trust works Fine .
    I have file server in ORG – A ( Forest ) with 2003 R2 Standard
    I have a File server in ORG  - B ( Forest ) With Windows server 2012 ( New Server for Migration )
    I have 1000 + folders with each different permission sets on ORG-A. We are using Security groups for providing permission on the share Folders on ORG A
    I need to Migrate  all the folders from ORG – A to ORG – B.
    I am looking for an automated method of creating Security Groups on AD during the Migration, Once the Migration is Done, I can add the required users to the security groups manually.
    Example.
    Folder 1 on ORG – A has Security Group Called SEC-FOLDER1-ORGA
    I need an automated method of Copying the files to ORG – B and Creating a new security Groups on ORG –B Forest with the same permission on parent and child Folders. I shall Add the users manually to the Group.
    Output Looks Like
    Folder 1 on ORG – B has Permission called SEC-FOLDER1-ORGB ( New Security Group )
    Also I need a summarized report of security Group Mapping, Example – Which security Group on ORGA is mapped with Security Group Of ORGB

    Hi,
    I think you can try ADMT to migrate your user group to target domain/forest first. Once user groups are migrated, you can use Robocopy to copy files with permission - that permission will continue be recognized in new domain as you migrated already. 
    Migrate Universal Groups
    http://technet.microsoft.com/en-us/library/cc974367(v=ws.10).aspx

  • HELP : how to change security group of a document in UCM

    Hello all,
    I've been working with UCM for a few weeks, but I cannot find a solution for this problem:
    I have defined two security groups and two roles,
    SECURITY GROUP ROLE
    A ---------> ROLE_A (RW)
    B ---------->ROLE_B (RW)
    Then I have two Local pages and access is controlled by security group :
    LOCAL PAGE SECURITY GROUP
    FOLDER_A -----> A
    FOLDER_B -----> B
    Then i have users A1,A2,...An for role A, and B1,B2 ...Bn for role B, but they are NOT administrators.
    The problem comes when an error is detected in a document by a B user, and I need that user to be able to set the security group of the document to 'A', so that users in role A can fix the problem, for example. The thing is that it seems that if you are not an administrator you cannot edit the security group of a document and in my case regular users have to be able to do that.
    I would like a way to have different groups of users (or roles), collaborating together and sending documents from one another, but with limited responsibilities. But once the document is under a security group, the users belonging to roles with no access to that sec. group should not be able to view or edit the document.
    They will be able to act on the document if the security group is changed to something they can access.
    Any help on this will be greatly appreciated.
    Thanks and regards,
    Plan.

    Hey Plan,
    That's the way UCM works. That is only one part of the problem; your user will also need RW permission on the other security group to add content in there. So only changing the security group is not the solution to your problem.
    You may look at the collaboration/workflow functionality offered by UCM.
    cheers,
    swapnil

  • CUCM 10.5 Local Route Group

    When utilizing the local route group for a device pool, when a change is made for that device pool, does a reset of the devices have to occur for the changes to go into effect?  The reason I ask is if you are simply making the change to the Route List there is no interruption to the end users, but what if a location's Long Distance is pointing to a Route List that references a Local Route Group.  If you want to move that to another route group under the device pool is there any impact on the phones in that device pool?
    Thanks,
    Joe

    So what you ask is whether modifying the route list (changing the actual local route group for another route group) will reset the phones? As far as I know no change on the RL will reset phones but a change on the DP will.

  • Active Directory users not made member of Local Network group

    Hi all,
    I've just done a clean install from 10.6 Server to 10.8.4.
    The issue I seem to be having is a mismatch between what Groups in Server.app is reporting as members (who happen to be users or groups from our Active Directory domains) of a Local Network group and what dseditgroup reports as members of the same network.
    The Setup:
    In Groups in Server.app under Local Network Group I have created a group called "AccessServer"
    Members in that group are:
         - AD-Domain User Group (so should be all users in the domain)
         - MacOS X "netaccounts" group (again, should capture all users that connect through the network I've used this in the past/10.6 very handy)
         - AD User 1
         - AD User 2
         - AD User 3
    The Server is bound to the AD Domain, All-Domains is not selected and a Search Path is added for each Domain needed and set at the top of the search order.
    The Behaviour:
    AD User 1 can access AFP and other services as expected.
    AD User 2 and 3 cannot.
    Another user within AD-Domain User Group or netaccounts can access AFP and other services as expected
    Yet other users within AD-Domain User Group or netaccounts cannot
    Furthermore: 
    If I REMOVE AD User 1 (a working user) *and* the AD Domain Group and netaccounts Group.  I can still login with that account!
    Diagnosis:
    I tried checking group membership with dseditgroup, the results match the behaviour, not the setup.
    >dseditgroup -o checkmember -m ADUser1 accessserver
    yes ADUser1 is a member of accessserver
    >dseditgroup -o checkmember -m ADUser2 accessserver
    no ADUser2 is NOT member of accessserver
    >dseditgroup -o checkmember -m ADDomainUser/netacc accessserver
    yes ADDomainUser/netacc is a member of accessserver
    >dseditgroup -o checkmember -m n accessserver
    no ADUser2 is NOT member of accessserver
    When non-member users try to connect I get a message in the logs of (IP/DNS values anonymized):
    2013-06-25 3:04:36.794 PM sshd[5217]: error: PAM: authentication error for illegal user ----- from ----.mala.bc.ca via x.x.
    I get the same results even after removing the user from the Groups screen!
    Failed Solutions
    - As we are a large AD I've tried specifying specific Active Directory servers that might better be able to find the users in question and authenticate.
    - I've let the system just sit, in hopes delayed replication would solve the problem overnight.
    - I've deleted and recreated the groups.

    Upon further investigation we have discovered:
    a) the main behaviour that is causing the problem is best described as AD users that are added to a Local or Network OS X group... either individually or through a Domain group.... are not actually recognized as members of that OS X group even though the GUI or CLI tool have added them and acknowledge them as being in the list.
    b)  This is NOT limited only to MacOS X Server 10.8.  The same behaviour is occurring on a long-running 10.6 server as well.
    c) The problem remains whether we nest AD groups to capture a large bunch of users, or add users individually.  If the user is part of the mysteriously denied set, how they are added to the OD or local group is irrelevant, including if added from the command line.
    d) Which users are allowed and which are not is unclear and appears generally random.  We have found 3 'classes' of users:    
              1 - those that are successfully becoming members every time.
              2 - those that are intermittent members.  Members on one server or another, or in one case even go from being reported as a member (by dseditgroup), to not being a member, to being a member again within the span of only a minute or two.
              3 - those that are never successfully admitted as a member.
    So the problem is both Apple's and Windows in that:
    Apple: Is allowing a group and/or user to be added and implying then membership in the group even though that membership is not being honoured in some way and there is no feedback or communication of that fact aside from generic 'denied' or 'illegal user' errors.
    Windows:  Is passing along membership through its groups and users, but not completely, for reasons that are, at this point, a mystery.
    Really hoping people have some ideas on this.  This system of nested groups or individual user access is something we have of course been using for many years.  So this is a major setback.

  • How to create a security group to manage a Distribution list in exchange 2013

    Hi folks,
    We have AD synced with Online Exchange 2013. Dirsync is installed on AD. We would like to create a security group for a Distribution list(for instance: distribution list name is [email protected] and it is managed via a security group named "abc" ).
    How can this be achieved? I do see an option under Online Exchange console using browser-> Groups to create a new security group but it doesn't allow me to add the group created in AD-instead it ask us to create a new one. If we create a new one in Exchange
    online console- will it publish to our local AD?

    Hi TR,
    Thank you for your question.
    Are there any errors when we could not add the group which is in local AD?
    When we could not add group which was created In AD, there are following options we could check:
    If current user who logon Exchange server has enough permission to add it
    The connection between Exchange server and AD
    If we create a new DG in Exchange online, it will be published to local AD.
    We could run the following command to create DG for abc.com:
    New-DistributionGroup -Name "abc" -Alias abc -Type "Security" -MemberJoinRestriction open
    We could refer to the following link to learn more about distribution group:
    https://technet.microsoft.com/en-us/library/bb124513%28v=exchg.150%29.aspx
    If there are any questions regarding this issue, please be free to let me know. 
    Best Regard,
    Jim
    Jim Xu
    TechNet Community Support

  • People Picker can resolve users and security group from another domain but no validation for groups

    Dear all,
    Here is the scenario of our issue:
    We are migrating from Domain A to Domain B and in Domain A we currently have a SharePoint 2013 on which we want to set permissions for users and groups that have already migrated to Domain B.
    A bi-directional trust exists between the two domains and all applications relying on trust and resolving IDs from one domain to another are working fine (Windows RDS for instance)
    The "bug" that we have is when using the PeoplePicker, it can resolve without any issue a user account in Domain A or B, and a security group (type global, I haven't tried local or universal yet) from domain A or B. But for the security groups
    only (it works well for users), when I click on "Save" to validate the add of the group to the site permissions, I have the following error:
    I have seen a lot of similar issues on the web but no answer so far that work :( 
    Example: https://social.technet.microsoft.com/forums/sharepoint/en-US/74e8d14b-a0f4-4e21-8cfa-b1a937247160/cant-provision-security-to-old-domain-users
    If you have any question that could help you to understand it, do not hesitate. 
    Thanks a lot in advance for your help ! :)

    Can you give the snippet from the ULS log where you're seeing this error?
    Trevor Seward
    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

  • Projects Security Group

    Hi, can anyone tell me (under collaboration) what's the difference between user1 and user2 under this circumstances:
    1. Projects being the security group that comes as default in the system.
    user1 - Projects(RWD)
    user2 - Projects(RWDA)
    where local access (ACL) and account (Prj) permissions are the same?
    2. Prj being the Account that comes as default in the system.
    user1 - Prj(RWD)
    user2 - Prj(RWDA)
    where local access (ACL) and Projects (Security Group) permissions are the same?
    Thanks!

    any help? plz
