Restrict Spiceworks access via Active Directory

Could you specify the base DN Spiceworks is searching in and limit what gets synced? Maybe put the users you want to have Spiceworks access in a separate OU?

I'm trying to figure out a way to restrict access to Spiceworks by way of an Active Directory group. 
I want to do this so that I don't have to create new users manually in Spiceworks and so not just anyone with the URL can log in with their AD credentials. 
I need this kind of feature if possible so I can move our onboarding/offboarding submission process off of another server and integrate it into Spiceworks like we have with our Change Control Request submission process.
EDIT: More specifically, I'd like to be able to restrict access to the Spiceworks Portal via an AD Group.
This topic first appeared in the Spiceworks Community

Similar Messages

  • ISE 1.2 Admin Access via Active Directory

    Hi Experts,
    Good Day!
    I want to configure my ISE 1.2 to authenticate (for admin) against the active directory. I know it is possible but our AD doesn't have any groups named for admins.
    Is it possible for the ISE 1.2 to configure a local user ID and check it to the AD for the password of the UserID?
    Thanks for your great help.
    niks

    Niks,
    I just got done doing this.  First of all you have to have the Active Directory setup as an external data source.  Once you do that Click on Administration - - Admin Access.
    For the Authentication Type ensure that Password Based is toggled and change your data source to Active Directory (or whatever you named it).
    Then click in Administrators - - Admin Users.  Click Add a user - - Create Admin User.  Ensure to check the External box and you will notice the Password field goes away.  Fill out the appropriate information and then assign them to an Admin Group.
    Once you are done with that you can test that user by logging out of your ISE session.  You will notice that when you try to log back in you will have a choice of the data sources used to authenticate the user.  Change the selection to Active Directory and enter the AD user/password for the newly created account you should be good to go.
    Make sure that you don't delete or disable your original admin account in this process.  (Change the password if you like.)

  • "24427 Access to Active Directory failed" error in ACS 5.1

    Hello,
    I'm working on implementing a RADIUS authentication for wireless access with the following :
    - PCs running Windows 7, protocol used is PEAP (without validating the server certificate to make it simple at first),
    - AP 1252  configured to use a RADIUS server to authenticate (it's working good with an ACS server 4.2),
    - ACS Server 5.1.0.44.5 running as VM connected to an AD domain and working good with VPN connections,
    - AD domain running on Windows 2003 Server.
    My ACS VM is working good since a couple of months for VPN (RADIUS) and administration (TACACS) remote access, both using Active Directory. Now, I'd like to use it to authenticate people connecting to a 1252 Cisco access point but I'm getting this error "24427 Access to Active Directory failed". I switched from PEAP to LEAP but this is the same.
    All I can get running the expert troubleshoot
    Investigating failure code: 24427 Access to Active Directory failed
    Checking if Active Directory is configured
    Active Directory is configured
    Attempting connection to Active Directory
    Connection to Active Directory was successful.
    Troubleshooting completed.
    Click on Show Results Summary to view results.
    I followed this guide, at least for the ACS certificate section :
    http://www.cisco.com/en/US/products/ps10315/products_configuration_example09186a0080b4cdb9.shtml
    Anyone has an idea where the problem may come from?
    Thanks in advance,
    Vincent

    hey there, I ran into the same issue with 5.3 and it turned out being this bug. i came across your post looking for instructions on retrieving the logs. thanks mate.
    Problem: Error "24495 Active Directory servers are not available"
    Authentication starts failing with this error: 24495 Active Directory servers are not available. in the ACS 5.3 logs.
    Solution
    Check the ACSADAgent.log file through the CLI of the ACS 5.x for messages such as:
    Mar 11 00:06:06 xlpacs01 adclient[30401]: INFO base.bind.healing Lost connection to xxxxxxxx. Running in disconnected mode: unlatch.
    If you see the Running in disconnected mode: unlatch error message, this means the ACS 5.3 cannot maintain a stable connection with Active Directory. The workaround is to either switch to LDAP or downgrade the ACS to 5.2 version. Refer to Cisco bug ID CSCtx71254 (registered customers only) for more information.

  • Unable to save Unified Messaging PIN: Access to Active Directory Failed

    I'm trying to enable all of our users for Unified Messaging and I've created a PowerShell script for each of the users I want to enable, but I am getting an error message every time I try and run it.
    Unable to save Unified Messaging PIN for mailbox 'smtp address': Access to Active Directory Failed
    Our setup is forest root domain and 2 child domains.  Most of the users are in the child domains and the Exchange server is in the forest root domain.
    I'm using -domaincontroller but this doesn't make a difference.  Here is the script I am using:
    Enable-UMMailbox -Identity [email protected] -UMMailboxPolicy "DefaultUM Default Policy" -Extensions 303 -PIN 1234 -SIPResourceIdentifier "[email protected]" -PINExpired $false -domaincontroller "rc-curdc-01.curriculum.riddlesdown.local"
    Can someone point out why this isn't working?

    I had the same experience as Gueetar. Couldn't enable a UM mailbox, or change the PIN. Got a generic "Access to Active Directory Failed" message instead of anything useful. Even went so far as enabled a ton of diagnostic logging, which didn't report anything useful.
    Of course, all the accounts I was enabling had the HiddenFromAddressListsEnabled property set to $true (these were old deactivated accounts I was using to test with). I found that setting it back to $false corrected the issue.
    Of course I didn't know it was that exact problem at the time. I only found a difference after disabling/re-connecting mailboxes (and of course newly created mailboxes exhibited no issues). Assuming this was going to be the case for all mailboxes this would be fine for testing and proof of concept, bad for production/implementation. Instead I ran a bunch of scenarios over two days, culminating in a crap load of LDIFDEs and DSACL dumps to enumerate the object properties and compare the values that were different.
    This property (HideFromALEnabled) and a few others stood out. Luckily it wasn't ACL-related - that would've been a complete head wreck!
    Dear Microsoft: More descriptive errors next time, please :)

  • SMB access for Active Directory users

    Hi there,
    My server is an OD Master bound to AD for authentication and my institution's Kerberos realm.
    When I try to share files from the server via SMB and connect as an Active Directory user I get the following error in the logs:
    [2009/06/11 12:02:27, 1, pid=5308] /SourceCache/samba/samba-187.8/samba/source/libads/kerberosverify.c:ads_verifyticket(428)
    adsverifyticket: smbkrb5_parse_name(myserver$) failed (Configuration file does not specify default realm)
    [2009/06/11 12:02:27, 1, pid=5308] /SourceCache/samba/samba-187.8/samba/source/smbd/sesssetup.c:replyspnegokerberos(340)
    Failed to verify incoming ticket with error NTSTATUS_LOGONFAILURE!
    I've read something vague about having to Kerberize the SMB service separately so I'm not sure if that's the problem.
    My smb.conf file is as follows:
    ; Configuration file for the Samba software suite.
    ; ============================================================================
    ; For the format of this file and comprehensive descriptions of all the
    ; configuration option, please refer to the man page for smb.conf(5).
    ; The following configuration should suit most systems for basic usage and
    ; initial testing. It gives all clients access to their home directories and
    ; allows access to all printers specified in /etc/printcap.
    ; BEGIN required configuration
    ; Parameters inside the required configuration block should not be altered.
    ; They may be changed at any time by upgrades or other automated processes.
    ; Site-specific customizations will only be preserved if they are done
    ; outside this block. If you choose to make customizations, it is your
    ; own responsibility to verify that they work correctly with the supported
    ; configuration tools.
    [global]
    debug pid = yes
    log level = 1
    server string = Mac OS X
    printcap name = cups
    printing = cups
    encrypt passwords = yes
    use spnego = yes
    passdb backend = odsam
    idmap domains = default
    idmap config default: default = yes
    idmap config default: backend = odsam
    idmap alloc backend = odsam
    idmap negative cache time = 5
    map to guest = Bad User
    guest account = nobody
    unix charset = UTF-8-MAC
    display charset = UTF-8-MAC
    dos charset = 437
    vfs objects = darwinacl,darwin_streams
    ; Don't become a master browser unless absolutely necessary.
    os level = 2
    domain master = no
    ; For performance reasons, set the transmit buffer size
    ; to the maximum and enable sendfile support.
    max xmit = 131072
    use sendfile = yes
    ; The darwin_streams module gives us named streams support.
    stream support = yes
    ea support = yes
    ; Enable locking coherency with AFP.
    darwin_streams:brlm = yes
    ; Core files are invariably disabled system-wide, but attempting to
    ; dump core will trigger a crash report, so we still want to try.
    enable core files = yes
    ; Configure usershares for use by the synchronize-shares tool.
    usershare max shares = 1000
    usershare path = /var/samba/shares
    usershare owner only = no
    usershare allow guests = yes
    usershare allow full config = yes
    ; Filter inaccessible shares from the browse list.
    com.apple:filter shares by access = yes
    ; Check in with PAM to enforce SACL access policy.
    obey pam restrictions = yes
    ; Don't be trying to enforce ACLs in userspace.
    acl check permissions = no
    ; Make sure that we resolve unqualified names as NetBIOS before DNS.
    name resolve order = lmhosts wins bcast host
    ; Pull in system-wide preference settings. These are managed by
    ; synchronize-preferences tool.
    include = /var/db/smb.conf
    [printers]
    comment = All Printers
    path = /tmp
    printable = yes
    guest ok = no
    create mode = 0700
    writeable = no
    browseable = no
    ; Site-specific parameters can be added below this comment.
    ; END required configuration.
    Any help would be much appreciated!!
    Thanks.

    I am now having the same problem - a Windows server trying to access a file share on the Mac Server is presented with the same error message in the log files:
    [2009/06/29 21:34:56, 2, pid=485] /SourceCache/samba/samba-187.8/samba/source/smbd/sesssetup.c:setupnew_vcsession(1260)
    setupnew_vcsession: New VC == 0, if NT4.x compatible we would close all old resources.
    [2009/06/29 21:34:56, 1, pid=485] /SourceCache/samba/samba-187.8/samba/source/libads/kerberosverify.c:ads_verifyticket(428)
    adsverifyticket: smbkrb5_parsename(vifile$) failed (Configuration file does not specify default realm)
    [2009/06/29 21:34:56, 1, pid=485] /SourceCache/samba/samba-187.8/samba/source/smbd/sesssetup.c:replyspnegokerberos(340)
    Failed to verify incoming ticket with error NTSTATUS_LOGONFAILURE!
    Workgroup manager can read from Active Directory - seems to be jiving correctly - my server (SMB) is in Domain Member mode...
    When I try to access system from \\UNC command, I am presented with username/password prompt and nothing works.
    Not feeling the Mac OS X love tonight.
    Bill
    System is bound to active directory - green light in Directory Utility

  • Can't connect to Small Business Server 2003 via Active Directory

    I have done lots of searching, both in these forums and the wider internet, and cannot find a solution to my specific problem.
    I am trying to connect my G5 (10.3.9) to a Windows network. We have a Microsoft Small Business Server 2003 with Active Directory. The PCs have no problem using this, and I can connect to shares setup on the server via AFP.
    But I am having problems when I try to configure the AD plug-in in Directory Access on the Mac. When I click 'Bind', I enter the Server's Administrator username & password and when I click 'OK', it gets to Step 3 of 5 "Verifying Credentials". It ticks away at this step for about 30 seconds, then comes up with error message saying "Invalid user name and password combination."
    I have tried other users with admin privileges, but they don't work either. I know the usernames and passwords aren't invalid, because I created them. I have tried fiddling around with other settings in the AD setup, but nothing gets any further.
    Without any other 3rd party software (that's my final option), is there something I need to check/change, either on the Mac or the server, to make this Mac to authenticate via AD? Please help!

    Hi Andbrowny, thanks for your response.
    Your advice didn't really help my Active Directory problem (AD doesn't require SMB does it?), but it gave me some progress on my SMB problem. I can connect via AFP, but previously when I tried to connect via SMB, it kept coming up with the error "Could not connect to the server because the name or password is not correct".
    Now, after changing the policies on the server, I get an error -43 message saying "The operation could not be completed because one or more required items cannot be found."
    So now I have two problems! SMB is not finding something it needs, and Active Directory is not "verifying credentials".
    Actually, I have three problems: When I am connected via AFP, filenames over 31 characters long are truncated on the server, and I can't copy long filenames onto the server without renaming them. I have read that SMB would fix this to a degree (256 characters for the complete file path), but is there anything (a protocol or software) that allows long filenames to be read/written with ease?
    Side note: The server is not 100% configured, the bloke installing it still has some work to do, but Active Directory works for all the XP machines, and I can connect to each XP workstation with SMB.

  • Xserve file share control via active directory

    I have an Intel Xserve running 10.4.11
    It has one directory shared via SMB for windows users
    I want to join this server to an active directory, that seems fairly straightforward to do.
    However am I right that i will be able to control permissions and apply ACLs from the Active Directory to this share once it has bound to the AD.
    or will this still have to be done from the Xserve?
    TIA

    Hi
    "am I right that i will be able to control permissions and apply ACLs from the Active Directory to this share once it has bound to the AD?"
    Not really. Re-sharing a share is never a good idea especially with disparate platforms.
    "I want to join this server to an active directory, that seems fairly straightforward to do"
    If I've understood you correctly you 'bind' the Server to Active Directory using the Active Directory plug-in available in the Directory Access application (/Applications/Utilities). When binding use an AD account name and password that has authority for the AD Domain. The Server should then behave as an NT Domain Member would.
    "Will this still have to be done from the Xserve?"
    Once bound launch WorkGroup Manager and you should 'see' AD Users and Groups. In Workgroup Manager enable the ACLs option for desired volumes if you've not already done so. That's if you want to use ACLs? You could just as easily use the Standard POSIX Permissions model. If you do want to enable ACLs you must restart the Server afterwards for them to 'take'. Enabling/Disabling ACLs always requires a restart on 10.4 Server. On successful log-in start creating your shares if you've not already done so. You can use the Finder or WorkGroup Manager to do this. If using ACLs don't share the volume, share directories/folders instead as ACLs propagate better that way. Add desired Users/Groups from the AD node into the ACLs window. Leave the POSIX Permissions at their defaults. Apply desired privileges. Click Save. When saved click on the gear wheel at the bottom of the window. Select Propagate Permissions. The ACLs checkbox should be automatically ticked. Leave everything else as it is and fire it off.
    That should be it?
    Tony

  • T5-2 ILOM authentication via Active Directory

    Hello,
    We are trying to leverage AD to authenticate our ILOMs. However I am seeing the following when I set the method to None (server authentication)
    (ActDir) ServerUserAuth - Error 0, failed to validate user group access
    We have a group defined and I have set it under Admin groups using the DN.
    Any ideas on this or has anyone been successful getting this to work with AD and AD Groups?
    TIA.
    Jeff

    Hello Man !
    your provided documents and links are very effective. thank you guy for your help. right now i have to problem below listed,
    I have Cisco aironet 1142n access point. I have no ACS / WLC
    but want to authenticate end users 802.1x with Active directory 2003/2008 using RADIUS (IAS/NPS).
    These APs are standalone. Please provide any configuration document
    "How to authenticate end users with active directory using cisco 1142n Standalone (Without WLC/ACS)".
    Thanks & Regards,
    Rizwan Haider Siddiqui.

  • SJSAS7 - Access to Active Directory LDAP

    Hi All
    Is it possible to connect SJSAS7 to Active Directory via LDAP. I know that this can be done with other app servers like WebSphere 4 & 5.
    I would like to use our existing Active Directory infrastructure for authentication of Admin and Application users.
    Does anyone have information how to configure this or can point me to some documents with this info.
    Any help would be much appreciated.
    TIA
    Tony Hawes

    Although I haven't tried it, I would guess that this is possible. We are using the LDAP realm with Sun's directory server and a few years ago I used the standard LDAP provider in the JDK to connect to Active Directory. The only problem I had was that I had to connect with a user that had the form "domain/user" instead of a common name. The online help in the admin console describes the properties you can use.
    HTH,
    Gunnar

  • Can I configure WS-Sec authentication via Active Directory with OSB or OWSM

    Hi
    I'm planning a project where I need to add security to a group of proxy services in OSB. I need to authenticate them via WS-Security using Active Directory. Is this possible with OSB or adding OWSM?
    Regards,
    Néstor Boscán

    Hi.
    OSB http://docs.oracle.com/cd/E23943_01/dev.1111/e15866/model.htm#i1088877
    OWSM
    http://docs.oracle.com/cd/E17904_01/doc.1111/e15866/owsm.htm
    and
    http://docs.oracle.com/cd/E21764_01/web.1111/e13713/owsm_appendix.htm
    hope this helps
    best
    rolando

  • Need help to access the active directory

    Hi.
    I have WinXP and I want to connect to its active directory using JNDI to get the users informations..
    I have read from sun tutorial the following :
    Hashtable env = new Hashtable();
    env.put(Context.INITIAL_CONTEXT_FACTORY,
    "com.sun.jndi.ldap.LdapCtxFactory");
    env.put(Context.PROVIDER_URL, "ldap://localhost:389/o=JNDITutorial");
    but the problem is I have never used win active directory before, so I don't
    know its syntax inside my system.
    what should I put instead of : ldap://localhost:389/o=JNDITutorial
    to access the MS active directory ?
    what should I put instead of o=JNDITutorial to access the users informations ?
    should I modify com.sun.jndi.ldap.LdapCtxFactory ?
    should I download LDAP server for windows ?
    your help is really appreciated ....

    Using SIMPLE authentication against the Active Directory, you can use either the fully distinguished name (not a relative distinguished name), a userPrincipalName or a NT Domain style name.
    Eg.
    "CN=John Smith,OU=IT Admins,DC=Antipodes,DC=Com" or
    "[email protected]" or
    "ANTIPODES\jsmith"
    If you are using the distinguished name form, even if your initial LDAP Context URL is something like:
    "LDAP://mydc.antipodes.com:389/OU=IT Admins,DC=Antipodes,DC=Com"
    you cannot just use the Relative Distinguished Name (RDN) "CN=John Smith", you must use the full distinguished name:
    "CN=John Smith,OU=IT Admins,DC=Antipodes,DC=Com"
    Regarding the userPrincipalName, even if there is no value for the userPrincipalName attribute there is an implicit userPrincipalName which is constructed from the user's samAccountName attribute (a mandatory attribute) and the dns name of the domain.
    Assume the following attributes for the user object:
    Distinguished Name: CN=John Smith,OU=IT Admins,DC=Antipodes,DC=Com
    samAccountName: jsmith
    userPrincipalName: J.Smith@IT Admins.Antipodes.Com
    givenName: John
    sn: Smith
    displayName: Smith, John
    An explicit userPrincipalName is the value stored in the user's userPrincipalName attribute.
    You could then either use the explicit form "J.Smith@IT Admins.Antipodes.Com" or the implicit form "[email protected]"
    Even if the userPrincipalName attribute had no value, you could still use the implicit form "[email protected]" to authenticate the user.
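
    The name forms described in the answer above, as an added Java example that is not part of the original thread: it derives the implicit userPrincipalName from the sAMAccountName and the DC= components of the DN, rejects a bare RDN, and builds the JNDI environment for a simple bind. The user Jane Doe, the domain corp.example.com and the class and method names are constructed for illustration.

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.InvalidNameException;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class AdBindNames {
    // DNS domain built from the DC= parts of a DN; empty string if there are none.
    static String dnsDomain(LdapName dn) {
        List<String> labels = new ArrayList<>();
        // LdapName numbers RDNs from the right, so walk backwards for left-to-right order.
        for (int i = dn.size() - 1; i >= 0; i--) {
            Rdn rdn = dn.getRdn(i);
            if (rdn.getType().equalsIgnoreCase("DC")) labels.add(rdn.getValue().toString());
        }
        return String.join(".", labels);
    }

    // Implicit UPN: sAMAccountName + "@" + DNS name of the domain that holds the account.
    static String implicitUpn(String samAccountName, String userDn) throws InvalidNameException {
        String domain = dnsDomain(new LdapName(userDn));
        if (domain.isEmpty()) throw new IllegalArgumentException("DN has no DC= parts: " + userDn);
        return samAccountName + "@" + domain;
    }

    // Accepts a full DN, a UPN or an NT domain style name; rejects a bare RDN.
    static String checkPrincipal(String principal) {
        try {
            if (dnsDomain(new LdapName(principal)).isEmpty()) {
                throw new IllegalArgumentException("not a full DN: " + principal);
            }
            return principal;                               // full distinguished name
        } catch (InvalidNameException notADn) {
            if (principal.indexOf('@') > 0 || principal.indexOf('\\') > 0) {
                return principal;                           // UPN or NT domain style name
            }
            throw new IllegalArgumentException("unrecognised name form: " + principal);
        }
    }

    static Hashtable<String, Object> bindEnvironment(String url, String principal, char[] password) {
        // A simple bind with an empty password is an unauthenticated bind (RFC 4513) that the
        // server may accept, so it must never be treated as a successful login.
        if (password == null || password.length == 0) {
            throw new IllegalArgumentException("empty password");
        }
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, checkPrincipal(principal));
        env.put(Context.SECURITY_CREDENTIALS, password);
        return env;
    }

    public static void main(String[] args) throws NamingException {
        String dn = "CN=Jane Doe,OU=Staff,DC=corp,DC=example,DC=com";   // constructed sample
        System.out.println(checkPrincipal(dn));
        System.out.println(implicitUpn("jdoe", dn));
        System.out.println(checkPrincipal("CORP\\jdoe"));
        try {
            checkPrincipal("CN=Jane Doe");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // Optional live bind: java AdBindNames ldaps://dc.corp.example.com:636 <principal>
        // Use ldaps:// because a simple bind over plain ldap:// sends the password in clear text.
        if (args.length == 2 && System.console() != null) {
            char[] password = System.console().readPassword("Password: ");
            InitialDirContext ctx = new InitialDirContext(bindEnvironment(args[0], args[1], password));
            System.out.println("bind succeeded as " + args[1]);
            ctx.close();
        }
    }
}
```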

  • 10.7.4 Web Access for Active Directory Users

    Does anyone know how to permanently set the AuthType in Web Services to Basic?
    The reason I ask is I have a web site I want to protect and allow active directory users access to it.
    I have added the users to a local group, added the group to the Who Can Access option.
    Local users can log in but not Active Directory.  If I edit the conf file for the site in /etc/apache2/sites and change the AuthType from Digest to Basic it works fine until I change something in the server app, then the conf file gets rewritten.
    Dan


  • Authentication of Unix or Linux Systems via Active Directory

    Hi,
    Is there an inbuilt solution in Windows 2012 R2 which can be used to authenticate Unix or Linux users?
    I understand there are many 3rd party solutions for this but I want to know if there is any available inbuilt in Windows Server.
    Thanks
    Vivek

    What do you mean exactly?
    You can start with these:
    Mixing It Up: Windows, UNIX, And Active Directory: https://technet.microsoft.com/fr-fr/magazine/2005.01.activedirectory(en-us).aspx
    How to Join UNIX / Linux to Active Directory: http://social.technet.microsoft.com/wiki/contents/articles/25944.how-to-join-unix-linux-to-active-directory.aspx
    This posting is provided AS IS with no warranties or guarantees , and confers no rights.
    Ahmed MALEK

  • Deploy iTunes Via Active Directory

    I would like to publish iTunes as well as Quicktime using Group policies in our Active Directory. This seems to be close to impossible as far as I can tell. Is this possible, or will it be possible in the future? Trying to point to the .MSI fails because it must be called by Setup as far as I can tell.
    Thanks in advance!
    Matthew

    hi Matthew!
    hmmmm. MacMuse and Buegie have-been-doing-research/have-some-resources on related issues ... if you don't get an answer here soon, maybe try reposting over in "using itunes?" you get a lot of the SDK hands over there too, so you may well also get some good feedback from random passers-by.
    love, b

  • Can not install Flash 10.1 via Active Directory GPO

    Greetings,
    Starting with the 10.0.45.2 update, we moved to install Flash via AD GPO using the instructions in the admin guide. We are doing zero custom configuration of Flash with this method, just setting up a Computer based GPO install linking to the downloaded and shared MSI installer from Adobe. For the install of 10.0.45.2, this ran without a hitch. Set up the GPO, ran it in a test OU and then on to production and all the PCs were updated just like it should work.
    Trying to do the same thing with 10.1.53.64 flat out does not work except on a system you have manually uninstalled Flash on first, then if you have the GPO load the 10.0.45.2 Flash, that works, then if you follow up with removing the GPO from the OU and adding a new 10.1.53.64 GPO to the OU, the PC will uninstall 10.0 and install 10.1 correctly as you would expect it to do. It will not do this on our deployed systems.
    On our deployed systems with the currently installed 10.0.45.2 will not uninstall cleanly when the new installer runs via GPO, nor will it uninstall cleanly if the install computer is moved out of GPO scope as it is configured to do. The GPO attempts to do so but the installer fails with 1603 errors.
    Does anyone have a workaround to cleanup the current installs so that 10.1 can be installed? We just don't have the time to hit 100+ desktops to update Flash.
    Miles

    Just to make sure: have you seen that there is a new Admin Guide for 10.1 at http://www.adobe.com/devnet/flashplayer/articles/flash_player_admin_guide.html ?
    One thing about the 10.1 installer is that it fails if any browsers are running; I don't know if this is also true when using GPO.
