Restricting end user to one specific group with anyconnect

Hello all
I just started configuring AnyConnect with ASA 5520 that uses Cisco SecureACS to pass RADIUS authentication. I configured two profiles with different split tunnel restrictions and what I discovered is that when the client connects to the ASA, they are provided a choice of these two groups (I guess there is no way to restrict this) and I can log into either one with any user account. How do I restrict this so that the user can only use one profile? Currently users capable of VPN would be placed in one specific AD group so that is what SecureACS checks. Is there a sample configuration guide to handle multiple profiles with different levels of access?

Alternatively, you can use Radius authorization to place user into a specific group-policy:
- Configure the Group-Policy attribute under Radius to be OU=
http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/vpn/vpn_extserver.html#wp1605475
On the ASA, just configure 1 tunnel-group, and depending on the authentication, the user will be placed into the correct group-policy specified under the ACS server.
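The approach above, written out as an added ASA configuration example (not from the thread or the Cisco document): one tunnel-group, two group-policies with different split-tunnel lists, and a no-access fallback policy. The RADIUS server selects the policy by returning the Class attribute (25) as `OU=<group-policy name>;`; all names, addresses and ACLs here are assumed placeholders.

```cisco
! RADIUS server that ACS answers on (placeholder address and key)
aaa-server RADIUS-SRV protocol radius
aaa-server RADIUS-SRV (inside) host 10.0.0.10
 key <shared-secret-placeholder>
!
! Split-tunnel lists for the two levels of access (placeholder networks)
access-list SPLIT-FULL standard permit 10.0.0.0 255.0.0.0
access-list SPLIT-LIMITED standard permit 10.10.10.0 255.255.255.0
!
! Fallback policy: a user for whom ACS returns no Class/OU= attribute lands
! here and cannot log in, so an unmapped account gets no access by accident.
group-policy GP-NOACCESS internal
group-policy GP-NOACCESS attributes
 vpn-simultaneous-logins 0
!
! Policy for the "full VPN" AD group: ACS returns Class = "OU=GP-FULL;"
group-policy GP-FULL internal
group-policy GP-FULL attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-FULL
!
! Policy for the "limited VPN" AD group: ACS returns Class = "OU=GP-LIMITED;"
group-policy GP-LIMITED internal
group-policy GP-LIMITED attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-LIMITED
!
webvpn
 enable outside
 anyconnect enable
 ! tunnel-group-list is left disabled, so AnyConnect shows no group menu and
 ! every client lands on the single DefaultWEBVPNGroup below.
!
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group RADIUS-SRV
 default-group-policy GP-NOACCESS
```

On the ACS side each AD-group-based authorization rule returns the matching `OU=...;` value; a user who is in neither group authenticates but is held by `vpn-simultaneous-logins 0`, which is visible in the ASA syslog as a rejected session rather than a silent grant.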

Similar Messages

  • Adding and removing current user from one SharePoint group to another with event receiver

    hi friends
    I need to change the current user from one SharePoint group to another with a list item adding event receiver.
    please help me

    Hi Malli,
    Greetings. It's not possible.
    http://sharepoint.stackexchange.com/questions/42286/event-receivers-on-add-remove-users
    Please remember to click 'Mark as Answer' on the answer if it helps you

  • Script to logout users from a specific group, when queries are long

    Hi,
    I have a requirement that users from a specific group need to be logged out, when they are running queries for more than say 20 mins.
    I could get the list of users from that group and could get the list of active sessions on the application, but I get too much info there like connection IP, request state etc., and if I spool it to a file, the output is not very easy to format to select what's required; rather I have to write a lot of shell scripting to format the file.
    So my question here is to know if there's a MAXL script or any other method through which I can just get only couple of columns from the "display session on application <app name>" that I require for my work like username, session ID, DB connect time, and request time.
    Thanks!!

    There are a number of ways to accomplish this, but AFAIK none of them is straightforward like writing a script to accomplish the task.
    This could be accomplished quite readily with the Essbase API.
    Unfortunately, when Maxl outputs tabular data such as what comes out after DISPLAY SESSION ALL; - it comes out as all one big string with lots of spaces.
    So to parse that output you would need to use a language that can tokenize the text into a collection and parse that for the users.
    Then you need to do the same sort of thing after running DISPLAY USER IN GROUP ALL; (or instead of all, use a specific group name);
    Then run ALTER SYSTEM LOGOUT SESSION BY USER <parsed_username>;
    What would be ideal (hello Oracle... <wink> ) is a MAXL command ALTER SYSTEM LOGOUT SESSION BY GROUP <GroupName>;
    The way I would approach this would be to write a little utility that does exactly what you seek:
    - Scan the current session periodically (say, once every 5 mins)
    - for each user that belongs to group(s) <group>(<group>...)
    - if user has an open query running longer than n minutes, kill the user request.
    This way you're not kicking people, you're just taking back resources. Of course you can be more aggressive and code it to kick the user by forcefully ending (invalidating) his session too.
    I can give you a hand with this offline if you want.
    Robb

  • LC Rights Management End User can not find groups or users during policy creation process

    hello,
    I'm using LC8.0.1 turnkey install on win2003 box.
    Problem is LC Rights Management End User can not find groups or users (search result is empty) during policy creation process, thus can not apply specific restriction to certain groups or users.
    I have created a user in the DefaultDom and assigned the following roles:
    Live Cycle Rights Management Invite User
    Live Cycle Rights Management End User
    How can I allow the above created user to search for groups and user during policy creation? Thanks.

    Good catch Phuc. Make sure you do this for each Policy Set as well as My Policies.
    Here's an overview of Policy Sets:
    http://blogs.adobe.com/security/2008/04/delegating_control_over_policy.html
    Cut and paste the URL.

  • To restrict End user to enter EAN code manually

    In Premargin check when we go for Bar code scanning, the EAN code field appears in editable mode. After scanning an article that field gets the EAN code automatically from the database table for that particular article. But one can modify that EAN code as it appears in editable mode. I want to make that field appear in grey mode so that the end user can not enter the EAN code manually, and if I scan an article this field gets the EAN code from master data.
    How can I restrict the end user from entering the EAN code manually in the EAN code field?

    Dear Sri,
    Thanks for your reply, but I have tried this option also. Let me explain the scenario.
    In UI screen there is a field EAN code. It can be filled either by scanner or an end user can feed the data on his own without scanning the article.
    What i want is to make this happen only by scanning not by manual entry.
    Whenever an article is scanned its EAN code automatically should come in that field.
    I have made the field in grey mode but while scanning it is not picking the EAN code of that article and throwing an error message as "EAN code field can not be left blank". When I am making that field in editable mode then it is able to pick the EAN code after scanning.

  • Adding multiple users into one security group at one shot

    Hi,
    Is there any way we can add multiple users into one security group at one shot into PWA.
    For example: I want to create 100 users in EPM and provide them with custom-defined Team permissions. Can I add the Timesheet Manager as well while creating bulk users through the resource template in Project Server 2010?
    Thanks,
    Prashant

    Hi Prashant,
    In order to add users in a security group, you can open the group, select all the appropriate resources (pressing CTRL key) and add them to the group. There is no other easy way. Otherwise a powershell script could do the job.
    For the timesheet manager, if all the 100 resources have the same timesheet manager, you can go to the resource center, select the resources (sorting by resource ID will give you together the latest resources added), bulk edit the resources and select the timesheet manager for the selected resources.
    Hope this helps,
    Guillaume Rouyre, MBA, MVP, P-Seller

  • Share only specific groups with users over cardDAV?

    OS X Server 3.2.2
    I've successfully set up the Contacts server, but it appears that cardDAV syncing is an all-or-nothing prospect.  There appears to be no way to sync only select groups of contacts with select users or groups.  Instead, it appears you must sync every contact, and group of contacts, with any user who has access.
    Is this really the case, or have I missed something obvious?

    Hi,
    I have the same issue on OS X Mavericks (10.9.5) using the Contacts App Version 8.0 (1371.2).
    All contact groups are shown as one single group and I do not see a possibility to select one single or a selection of groups to synchronize.
    On the other hand, both my Smartphone and the web-interface of my ISP allow a seamless synchronization and visualization of the different groups in CardDav.
    So I'd assume that this is an issue of the OS X Contacts App.
    Is this a known issue?
    Are there any fixes for this?
    Thanks,
    Fab

  • Subscriptions - Sending mail to a user using a specific group.

    Hello.
    We currently have SCSM 2012 R2 set up to send mail when an analyst updates a ticket with a comment. We have a template with specific verbiage for the user. This works as designed. We've now taken on the role to support a different line of business.
    We've created a new connector to monitor our LOB 2 support mailbox. We've got the workflow set up to assign the correct support group (LOB 2 support group) and email the LOB 2 end-user that a ticket has been created. We're running into a snag now with subscriptions that are used to notify the end-user that the ticket has been updated by an analyst and needs a response.
    We are trying to expand our subscriptions to do the following:
    Send email to an existing LOB 1 end-user with Template A (LOB 1) when the support group is (LOB 1 Support) - This is our base subscription, and is working correctly.
    Send email to LOB 2 - end-user with Template B (LOB 2) when support group is (LOB 2 Support)
    We are currently using the "when an object of a selected class is created"  and the targeted class = Trouble Ticket Analyst Comments.  However there's no way to filter out the group under additional criteria.
    Does anyone have a suggestion on how to do this?  We are not well versed in XML or PS so I'm hoping that it's something that can be managed inside the SCSM console.
    Thank you.
    Milnesy

    In the criteria window, look for the parent work item relationship in the tree on the left, then find the tier queue or support group value. This should allow you to filter by that value on the parent of the comment.

  • DPM 2012 still requires put end users into local admin groups for the purpose of end user data recovery?

    On client computers that are protected by DPM 2010 and prior versions, you had to put the end user's account in the local administrators group. If you did not add the end user account to the local administrators group you would get this error after opening the recovery tab in the DPM client: “DPM found no recovery points which you are authorized to restore on the specified DPM server. You can restore only those recovery points for which you were an administrator at the time the backup was taken. To restore other recovery points, contact your DPM administrator, or attempt to restore from another DPM.” This is not ideal on many networks because the end users are not allowed to have local administrator access.
    The fix to this was included in hotfix 2465832 found here: http://support.microsoft.com/kb/2465832.
    This hotfix (a hotfix rollup package for DPM 2010) resolves other issues with DPM 2010 as well. You can find the full list of what this hotfix corrects on that link.
    One would think this issue should have been resolved in DPM 2012; however I am encountering the same exact issue, and had to include end-users in the workstation local admin group before they can search for recovery points on the DPM server. This is not acceptable practice.
    Is there a new hotfix for the same issue on DPM 2012? I am hesitant to apply KB2465832 since it also includes many other fixes for DPM 2010, which may not be applicable for version 2012.
    Please help.
    Thanks,

    This is a hands off solution to allow all users that use a machine to be able to restore their own files.
    1) Make these two cmd files and save them in c:\temp
    2) Using Windows scheduler, schedule addperms.cmd to run daily; any new users that log onto the machine will automatically be able to restore their own files.
    <addperms.cmd>
    rem /v turns on delayed expansion so !users! works inside the FOR loop below
    Cmd.exe /v /c c:\temp\addreg.cmd
    <addreg.cmd>
    set users=
    rem build a .reg file that sets ClientOwners to every profile folder under c:\users
    echo Windows Registry Editor Version 5.00>c:\temp\perms.reg
    echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Data Protection Manager\Agent\ClientProtection]>>c:\temp\perms.reg
    rem "dir c:\users\*. /b" lists the profile folder names; each becomes DOMAIN\\name,
    FOR /F "Tokens=*" %%n IN ('dir c:\users\*. /b') do set users=!users!%Userdomain%\\%%n,
    rem a trailing bogus user absorbs the final comma
    echo "ClientOwners"=^"%users%%Userdomain%\\bogususer^">>c:\temp\perms.reg
    REG IMPORT c:\temp\perms.reg
    Del c:\temp\perms.reg
    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. Regards, Mike J. [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights.
    That's a good one! Thanks for that.
    I've been scripting on KIX for some time, so here is mine; hope it helps someone... (it's probably not the best, but it works)
    ========================================================================
    ; read/write the 64-bit view of the registry even when run from a 32-bit host
    $RC=setoption("WOW64AlternateRegView","on")
    $DPMkey = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Data Protection Manager\Agent\ClientProtection"
    ; the account running this script (see the LastLoggedOnSAMUser note below)
    $uservariable = "%userdomain%\%username%"
    If KeyExist($DPMkey)
        $Userstring=ReadValue($DPMkey, "ClientOwners")
        If $Userstring == ""
            ; no owners yet: create the value with just this user
            WriteValue($DPMkey,"ClientOwners", $uservariable, "REG_MULTI_SZ")
            ? "Key created"
        Else
            ; append this user only if not already listed
            If Not InStr($Userstring,$uservariable)
                $Userstring = "$Userstring,$uservariable"
                WriteValue($DPMkey,"ClientOwners", $Userstring, "REG_MULTI_SZ")
            EndIf
        EndIf
    EndIf
    ==========================================================================
    The problem actually is that you still need to use an admin account to write on the registry, so ensure you configure it properly on the schedule task.
    In case you use a service account on the schedule task... the "$uservariable" will get populated with that account. As a work around to this... I changed it for the following line:
    =========================================================
    $uservariable = ReadValue("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI", "LastLoggedOnSAMUser")
    =========================================================
    The only problem with that is that the key gets created/updated only if the user logs on physically on that PC, but it will not work for anyone connecting through RDP.

  • How to restrict end user from modifying/saving the workbook?

    <Moderator Message: As you deleted my comment in this thread by editing it again, I am locking it now>
    Hi,
    We have created few workbooks. The requirement is that the end user should not be able to modify or save the workbook. We tried using S_RS_Tools authorization object with "themes" in the Command ID. But this does not seem to solve our problem. Please suggest whether it is possible to enter any other value in this field to restrict access to the end user.
    We also tried including the following authorization objects with the corresponding values :
    1. S_GUI with the value Activity = 60 (import)
    2. S_USER_AGR with Activity = 03 and * in Role.
    3. S_BDS_DS with Activity = 03 (display) and 30; Class Type = OT.
    4. S_USER_TCD with tcode = RRMX.
    But still the end user is able to modify the workbooks. (The end user must not be able to make changes to settings of any of the buttons in the design mode, must not be able to save the workbook).
    Please suggest the corrections required. Also kindly suggest if there are any other ways to resolve this issue <removed by moderator>.
    Your help is appreciated.
    Thanks.
    Edited by: Siegfried Szameitat on Nov 26, 2008 12:55 PM
    Edited by: suresh naidu on Nov 26, 2008 1:19 PM
    Edited by: Siegfried Szameitat on Nov 26, 2008 1:23 PM

    Hi,
    Only a few people have authorization to create S.O. w.r.t. quotation (as in our case, sales people create the quotation and Finance people create the S.O., with reference to Quotation only - T.Code: VTAA).
    Others have only authorization to View/ Display, VA03.
    Consult your Basis-Admin, he will create appropriate role & assign T. Code: va03 for list of user, provided by you.
    Best Regards,
    Amit.
    Note: You can't restrict anyone with T. Code: VA02, to change qty or price in Sales order, directly.

  • Unable to push user profiles to AD groups with Profile Manager since upgrade to Server v3

    Since upgrading our OS X Mac server from 10.8.5 to 10.9.1, and OS X Server app to v3 (now 3.0.2) I have been unable to push or modify user profiles to AD groups (or AD users) using Profile Manager. This was working fine on OS X 10.8.5. Pushing device profiles is still working OK after the upgrade.
    From what I can see from the logs on the client side and server side, it seems related to a problem with the mdm authtoken.
    In the client console I can see this entry:
    27/01/14 14:30:15.844 mdmclient[38557]: *** ERROR *** [Agent:636102071] Unable to proceed with connection to: https://ourserver.ourdomain/devicemanagement/api/device/mdm_connect (com.apple.mdmconfig.mdm) because don't have valid MDM AuthToken
    On the server, in the php.log I can see the corresponding attempt to authenticate:
    1::Jan 27 14:29:50.930 [158] <192.168.28.171> {require_once (mdm_checkin.php:11)} vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv - PUT mdm_checkin
    0::Jan 27 14:29:50.931 [158] <192.168.28.171> checkin: 'UserAuthenticate'
    1::Jan 27 14:29:50.936 [158] <192.168.28.171> {Target_for_incoming_request (target.php:209)} Found target NETWORK LS: <User[156]@ourclientmachine>
    0::Jan 27 14:29:50.937 [158] <192.168.28.171> {LabSession_validate_auth_token (mdm_checkin.php:22)} Failed auth for target NETWORK LS: <User[156]@Device[1697]>, incoming_request={
    0::Jan 27 14:29:50.937 [158] <192.168.28.171>   'MessageType'=>'UserAuthenticate',
    0::Jan 27 14:29:50.937 [158] <192.168.28.171>   'UDID'=>'17aff5c5a40f51acbbd78023d0028c80',
    0::Jan 27 14:29:50.937 [158] <192.168.28.171>   'UserID'=>'A5EA25B7-7CCD-4EF4-B240-F23DED275EEC'
    0::Jan 27 14:29:50.937 [158] <192.168.28.171> }
    1::Jan 27 14:29:50.965 [158] <192.168.28.171> {SendFinalOutput (mdm_checkin.php:145)} Sent Final Output (407 bytes)
    1::Jan 27 14:29:50.965 [158] <192.168.28.171> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - /devicemanagement/mdm/mdm_checkin
    0::Jan 27 14:29:50.965 [158] <192.168.28.171> {SendFinalOutput (mdm_checkin.php:145)} Completed in 34ms | 200 OK [https://ourserver.ourdomain/devicemanagement/api/device/mdm_checkin]
    So I can see there is a failure to authenticate, but don't really know how to troubleshoot this further. Or maybe this is just a bug in the new server app?
    I have tried to remove and re-enroll clients in Profile Manager but no joy there.
    In the client's Keychain I can see an MDM user AuthToken linked to the correct user account.
    Thanks in advance for any help or suggestions

    I just wanted to update my post, as this issue for me is resolved.
    I uninstalled and reinstalled the Server.app on our Mac server, since then I've been able to push profiles to AD Users and Groups. I guess that in my case the Server app got into a bit of a mess when it was upgraded to v3.
    Now the next headache I have is that my AD Groups which are displayed in Profile Manager are not syncing any recent changes. I think I'm probably seeing the same issue as described in this post
    https://discussions.apple.com/message/25420919#25420919

  • How to restrict end-user from not using certain movement-types in MB1B

    Dear Gurus,
    My client wants the end user to have access to only particular movement types in MB1B, i.e. only to 311, 412 and 421E.
    They do not want any other movement types to be accessed by end-users in MB1B.
    How to go about this requirement?
    Thanks in advance
    Regards
    Ram
    Edited by: RAMKUMAR WARIYAR on Jun 27, 2009 2:14 PM

    hi,
    This is possible: you can restrict and allow users for the movement types which they can use through any t-code.
    Contact your BASIS consultant for that.
    Regards,
    Vishal
    Edited by: VS on Jun 27, 2009 5:46 PM

  • Authenticating Device Admin users against AD specific groups

    Hi,
    I am using ACS 5.3. What I am after is setting user authentication against the existence of the user in a specific AD group, not just being a member of any AD. What is happening now, users get authenticated as long as they exist in the AD; luckily they fail on authorization, as it is bound to a specific AD group.
    Any idea how I can bind the authentication against a specific group in AD, not just using AD1 as the identity source?
    Thanks

    Hi Mike,
    Can you please define what you exactly mean by authentication and authorization?
    The ACS checks the AD for a specific user, if it is available and if the credentials are correct. If it is, then on the AD you will probably find a successful authentication in the logs, but from the user's perspective, the user does not know whether it is authenticated or not at this stage.
    Now, the ACS knows the credentials are correct and then checks the policy rules that are configured. Depending on the policy rules it will tell the user whether it is successfully authenticated or not.
    In the policy, you control success or failure of the authentication of the client depending on the AD group.
    If what I explained above is not what you are looking for please elaborate more about your request so we better understand your concern.
    Regards,
    Rating useful replies is more useful than saying "Thank you"

  • Remove Users and Members of Groups with DIP

    We are using the DIP connector to map between NONLDAP(oracle DB) and OID. We are using a profile to create and update users. We have another profile that will create any new groups. We are currently working on a third profile that will populate the groups with their members. These profiles look at views in our oracle DB to determine when they were last updated.
    We have been successful at creating and updating users and creating new groups. I have not found any documentation to remove a user or remove a member from a group. Is there a way in the mapping file or the configuration file to tell OID that a user needs to be deleted or a member needs to be deleted from a group?
    Has anyone had any experience with this?

    If your question is whether you can use the DIP DB connector to synchronize groups and group memberships, then yes, you can.
    Keep in mind though, that the DB connector will do a full refresh of the group memberships (and not incremental).

  • How to retrieve all users in a specific group

    Hi,
    I am using SunOne directory server. Can someone please post a sample code that illustrates how to fetch all the list of users in a particular group.
    1) Let's say I want to find all the users in a group called "marketing". The root context is dc=mycompany,dc=com This group can be anywhere below this root context. Only information I am told is the name of the group - "marketing". How will I get all the users in this group?
    2) For each user that is retrieved from the group marketing, how will I find out the user's DN?
    Thanks for the help,
    - Satish

    Do it like this...
    import javax.naming.NamingEnumeration;
    import javax.naming.directory.Attribute;
    import javax.naming.directory.DirContext;
    import javax.naming.directory.SearchControls;
    import javax.naming.directory.SearchResult;

    // ctx is a DirContext already bound to the directory (e.g. an InitialDirContext);
    // this code runs inside a method that declares "throws NamingException".
    String searchBase = "dc=mycompany,dc=com"; // start at the root: the group may be anywhere below it
    // Sun ONE static groups are groupOfUniqueNames entries; match the one named "marketing"
    String filter = "(&(objectClass=groupOfUniqueNames)(cn=marketing))";
    SearchControls constraints = new SearchControls();
    constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
    constraints.setCountLimit(200);   // how many entries may be returned
    constraints.setTimeLimit(100000); // how long (ms) this search may wait
    constraints.setReturningAttributes(new String[] {"uniqueMember"});
    NamingEnumeration<SearchResult> results = ctx.search(searchBase, filter, constraints);
    while (results.hasMore()) {
        SearchResult group = results.next();
        Attribute members = group.getAttributes().get("uniqueMember");
        if (members == null) continue; // empty group
        // each uniqueMember value already is the user's DN, which answers question 2
        for (int i = 0; i < members.size(); i++) {
            String userDn = (String) members.get(i);
            System.out.println(userDn);
        }
    }
