SAML 2.0 and AD Security Group Membership

Similar Messages

• Shared Calendars / Room Lists and automatically forcing them to users based on Security Group Membership

  Good morning all,
  I need some help achieving the following in our Exchange 2013 Environment.  First off, we have Exchange 2013, but all our clients have Outlook 2010.
  Here's what I would like to be able to do:
  1) create/manage public calendars / rooms in exchange 2013
  2) force these shared public calendars / rooms to users' calendars who are members of particular security groups
  3) give edit permissions / "booking" permissions for the shared calendars so select users are able to make changes to the shared calendars, as well as accept/deny requests to "book" shared room calendars
  Any one got any resources they can give to point me in the right direction?
  I have already created two mailbox room resources, and have them set up in a room list in AD.  But need to know the above as far as creating a shared calendar for events, and forcing these calendars / room lists out to users based on security group
  membership.
  I don't want my users to have to know how to add a shared calendar...that would be a nightmare explaining.  I just want it to show up.
  Any help on this is greatly appreciated, thank you!

  1) I recommend using Room Mailboxes for resource calendars because it just works better.
  2) This is a standard feature of a Room Mailbox.
  3) You're pretty specific here, but I think this is also more or less available with a Room Mailbox combined with folder rights.
  I don't know any way to just make them "show up".  You'll have to teach them.  Well written instructions can work wonders.
  Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

• How to create a site and add security groups through code: scripts, csom, ... ?

  Hi,
  I'm new to CSOM and are looking for a way to create sites in SharePoint Office365 and especially add user to it with a specific role eg. 'visitor' or 'owner'.
  I use this code to add sites from a csv file, so far so good.
  But now I want to add security groups based on the csv file and assign a role. The security groups allready exists.
  and also how to add a user with a 'owner' role for some sites.
  That would make my life easier :-)
  so thank you in advance!
  # load assemblies
  #[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Client")
  #[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Client.Runtime")
  Add-Type -Path "c:\Program Files\Common Files\microsoft shared\Web Server Extensions\15\ISAPI\Microsoft.SharePoint.Client.dll"
  Add-Type -Path "c:\Program Files\Common Files\microsoft shared\Web Server Extensions\15\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"
  # site collection
  $siteUrl = “https://mysharepoint.com”
  # admin
  $username = "[email protected]"
  $password = Read-Host -Prompt "Enter password" -AsSecureString
  # get clientcontext as object
  $ctx = New-Object Microsoft.SharePoint.Client.ClientContext($siteUrl)
  # assign credentials to clientcontext object
  $credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($username, $password)
  $ctx.Credentials = $credentials
  # create site from template 'teamsite' => STS#0
  $data = Import-Csv "c:\tools\CSOM\vakwerking_test.csv"
  foreach ($row in $data) {
  $webCreationInformation = New-Object Microsoft.SharePoint.Client.WebCreationInformation
  $webCreationInformation.Url = $row.vakwerkingurl
  $webCreationInformation.Title = $row.vakwerkingnaam
  $webCreationInformation.WebTemplate = "STS#0"
  $webCreationInformation.UseSamePermissionsAsParentSite = $false
  $newWeb = $ctx.Web.Webs.Add($webCreationInformation)
  Write-Host "Title" $newWeb.Title
  #send to sharepoint
  $ctx.Load($newWeb)
  $ctx.ExecuteQuery()

  Hi,
  The command above about creating a group only works for the root site of the site collection, because the scope of the user group is site collection level, these groups
  can be used in all the sites in this site collection.
  With the existing groups in the root site, we can add users into them and grant specific permissions of a specific sub site to these groups.
  Here is a demo about how to assign permission to a group using Client Object Model(though in C#) for your reference:
  http://www.c-sharpcorner.com/UploadFile/54db21/set-permission-to-group-in-sharepoint-2010-programmatically/
  Best regards,
  Patrick
  Patrick Liang
  TechNet Community Support

• File Server Migration - For ORG A Forest to ORG B Forest ( Need to create and Map Security Group automatically on new Migrated Folders - Please Help

  I have two forest With Trust works Fine .
  I have file server in ORG – A ( Forest ) with 2003 R2 Standard
  I have a File server in ORG  - B ( Forest ) With Windows server 2012 ( New Server for Migration )
  I have 1000 + folders with each different permission sets on ORG-A. We are using Security groups for providing permission on the share Folders on ORG A
  I need to Migrate  all the folders from ORG – A to ORG – B.
  I am looking for an automated method of creating Security Groups on AD during the Migration, Once the Migration is Done, I can add the required users to the security groups manually.
  Example.
  Folder 1 on ORG – A has Security Group Called SEC-FOLDER1-ORGA
  I need an automated method of Copying the files to ORG – B and Creating a new security Groups on ORG –B Forest with the same permission on parent and child Folders. I shall Add the users manually to the Group.
  Output Looks Like
  Folder 1 on ORG – B has Permission called SEC-FOLDER1-ORGB ( New Security Group )
  Also I need a summarized report of security Group Mapping, Example – Which security Group on ORGA is mapped with Security Group Of ORGB

  Hi,
  I think you can try ADMT to migrate your user group to target domain/forest first. Once user groups are migrated, you can use Robocopy to copy files with permission - that permission will continue be recognized in new domain as you migrated already. 
  Migrate Universal Groups
  http://technet.microsoft.com/en-us/library/cc974367(v=ws.10).aspx
  If you have any feedback on our support, please send to [email protected]

• AD security group memberships not coming over to SP2013.

  This seems to have coincided with applying a number of updates to our SharePoint server via Windows Update over the weekend.  Since then, changes in AD security groups are not being reflected by the appropriate access in SharePoint.  If somebody
  has been a member of an AD group prior to this weekend, their access is fine.  But changes made today aren't seeming to propagate.  Any suggestions?
  Thanks!

  Because SharePoint 2013 is based on claims it is normal for users added to AD groups to not gain the permissions for up to 24 hours because the claims tokens are cached.
  http://sergeluca.wordpress.com/2013/07/06/sharepoint-2013-use-ag-groups-yes-butdont-forget-the-security-token-caching-logontokencacheexpirationwindow-and-windowstokenlifetime/
  Paul Stork SharePoint Server MVP
  Principal Architect: Blue Chip Consulting Group
  Blog: http://dontpapanic.com/blog
  Twitter: Follow @pstork
  Please remember to mark your question as "answered" if this solves your problem.

• AD - import users and check AD group membership

  Hi I'm relatively useless with PowerShell and I am wanting to write a script that will do the following and am just getting stuck with part B.
  Part A- import a list of users from a CSV
  Part B- check if the users are members of an ad group and if so remove from group A and add to group B 
  Can anyone point me in the best direction ? that would be amazing.

  Hi,
  I happen to have something already written that will do what you're after:
  Import-Csv .\userList.csv | ForEach {
  $userDetails = Get-ADUser -Identity $_.Username -Properties memberOf
  If ($userDetails.memberOf -contains 'CN=Test Group 1,OU=Security Groups,DC=domain,DC=com') {
  Remove-ADGroupMember -Identity 'Group A' -Members $userDetails.SamAccountName -Confirm:$false -WhatIf
  Add-ADGroupMember -Identity 'Group B' -Members $userDetails.SamAccountName -Confirm:$false -WhatIf
  This will require in input CSV file with a header of Username that contains the usernames to test. You'll also need to update the names of the groups for 'Group A' and 'Group B' along with the DN of the group to test against.
  Remove the -WhatIf parameters from the Remove/Add lines if you're happy with what you see in the output.
  Don't retire TechNet! -
  (Don't give up yet - 12,830+ strong and growing)

• Populate the EmployeeID attribute of a user, based on their security group membership in Active Directory

  Hey guys, I need to create a script that assigns a value to the EmployeeID of every user that is a member of a particular AD security group.
  For example, there are the following groups - Accounting_01, Accounting_02, Accounting_03. The script has to read what members there are in these groups and assign to the people of Accounting_01 an EmployeeID of 01, to the people of Accounting_02 an EmployeeID
  of 02, and to the people of Accounting_03 an EmployeeID of 03.
  I have a script that adds a user to a security group, based on the value of a certain attribute, but not the other way around. Have you written such a script? Thanks in advance

  I haven't tried the code, because I don't have AD cmdlets.
  But I see some discrepancies between the documentation and your code.
  Looking at http://technet.microsoft.com/en-us/library/hh852287.aspx (Set-ADUser cmdlet) we can read for the
  -Replace<Hashtable> parameter: ... Use this parameter
  to replace one or more values of a property that cannot be modified using a cmdlet parameter ...
  But the OP referred to EmployeeID, which is a Set-ADUser cmdlet parameter (look for -EmployeeID),
  thus, cannot be used with -Replace<Hashtable> parameter (as per the documentation).
  Also, the documentation states for this same
  -Replace<Hashtable> parameter: ... To modify
  an object property, you must use the LDAP display name ...
  And the LDAP display name for EmployeeID is employeeID, and not employeeid as in your code (although I'm
  not sure if LDAP display name
  is case sensitive).
  As you say your code works correctly, I
  suspect that you created a new property named employeeid, which is not the same referenced by the parameter
  -EmployeeID.
  The documentation merely says that it can be used to modify attributes that do not have their own parameter. If they were to include a parameter for every AD attribute the list would be huge. It doesn't imply that -replace cannot be used instead of the defined
  parameters.
  I must admit that I didn't realise that -EmployeeID could be used as I didn't consult the documentation before I wrote the code but I can confirm that using the method I posted the employeeID attribute was modified. It didn't create a second attribute with
  different letter casing.

• Applications / Security Group Membership

  I have a few tasks i would like to automate in my task sequence on MDT 2010 update 1. Any feedback or recomendations would be helpful...
  Applications
  I have a set of applications which are common to both laptops and desktops. These are deployed using an application bundle. I would like to be able, to do one of two things
  Have the ability to choose additional application as part of the wizard
  If possible, have MDT detect the machine is a laptop, either by WMI or computer name (all laptop names end with the letter "L"), and deploy a set of applications if these conditions are met
  Security Groups
  We also have a couple of security groups that desktops and laptop needs to be a member of, this is currently a manual task and therefor prone to be missed. As above, is it possible for MDT to recognice the machine is a laptop or desktop then add the computer
  account to a pre determined list of security groups

  Thanks for the feedback, i got this working with a power shell script that adds the computer account to specified security groups then use "
  PS Script as follows :-
  Run as follows :- powershell.exe -executionPolicy RemoteSigned "%SCRIPTROOT%\ADSecurityGroupAdd.ps1 "[security group name to add machine account to]""
  # Function Find Distinguished Name
  function find-dn { param([string]$adfindtype, [string]$cName)
      # Create A New ADSI Call
      $root = [ADSI]''
      # Create a New DirectorySearcher Object
      $searcher = new-object System.DirectoryServices.DirectorySearcher($root)
      # Set the filter to search for a specific CNAME
      $searcher.filter = "(&(objectClass=$adfindtype) (CN=$cName))"
      # Set results in $adfind variable
      $adfind = $searcher.findall()
      # If Search has Multiple Answers
      if ($adfind.count -gt 1) {
          $count = 0
          foreach($i in $adfind)
              # Write Answers On Screen
              write-host $count ": " $i.path
              $count += 1
          # Prompt User For Selection
          $selection = Read-Host "Please select item: "
          # Return the Selection
          return $adfind[$selection].path
      # Return The Answer
      return $adfind[0].path
  $GroupName = $args[0]
  #write-host $GroupName
  $Computer = get-wmiobject win32_computersystem
  $ComputerDN = find-dn "computer" $Computer.name
  $ADSecGroupDN = find-dn "group" $GroupName
  #write-host $computerdn
  #write-host $ADSecGroupDN
  $Group = [ADSI]($ADSecGroupDN)
  $Group.Add($ComputerDN)
  #Members = $Group.member
  #Group.member = $Members+$ComputerDN
  $Group.Setinfo()

• How to restrict an infopath custom view based on SharePoint group or security group membership?

  Hi,
  I have created a custom view in InfoPath Designer 2013 based on a SharePoint online - custom list.
  Right now the custom view is available for all users in the "View:" dropdown under the "PAGE DESIGN" tab in InfoPath.
  I would like to make this view available only to a set of users. (i.e., users of a SharePoint group / Security group).
  Please let me know how I can do this..
  Thanks,
  Thanan

  Hi Thanan,
  We can use check the current user permission using REST API in SharePoint 2013, then hide the dropdown the "View" base on the permission.
  The following articles for your reference:
  SP2013 REST API – Find if user is member of SharePoint group
  http://simonovens.wordpress.com/2014/08/13/sp2013-rest-api-find-if-user-is-member-of-sharepoint-group/
  Quick Tip: Using JQuery to hide options in a select
  https://formidablepro.com/help-desk/quick-tip-using-jquery-to-hide-options-in-a-select/
  Best Regards
  Patrick Liang
  TechNet Community Support

• Getting firstnames and surnames from group membership in AD

  Morning guys..
  I am trying to get a list of the firstname and surnames that are currently in a group on ad.
  I am currently using the following command but I want to tidy it up a bit.
  At the moment I am getting a table with a load of stuff I don't want or need, what pipelining command can I use to only show the first and last names of the accounts?
  This is the command I have so far..
   get-adgroupmember "EXT_Information_Exchange_MODIFY" | format-table | format-wide
  Many Thanks!

  I'd suggest you use the following command:
  get-adgroupmember EXT_Information_Exchange_MODIFY | Get-ADUSer | Select GivenName, SurName
  But this will give you errors where the member is not a user. Therefore this command is better (it filters the pipeline to only user objects):
  get-adgroupmember EXT_Information_Exchange_MODIFY | ? { $_.ObjectClass -eq "user" } | Get-ADUSer | Select GivenName, SurName
  Then you can add your Format-Table commands etc.

• Transformer tags and checking user group memberships

  Is the command "stringToACLGroup ('group=203;').isMember($currentuser)" in the code below, doing a Database lookup or getting it from a cached value? If this the server API or a PRC call?
  <pt:when pt:test="stringToACLGroup ('group=203;').isMember($currentuser)" xmlns:pt='http://www.plumtree.com/xmlschemas/ptui/'> Welcome corp user!<br> ... Home Office content... </pt:when>
  Thanks.
  Vanita
  Staples

  On the machine that is having this issue, run this command:
  RSOP.msc
  When the results come up, browse to this path:
  Computer Configuration->Windows Settings->Security Settings->Restricted Groups
  Do you have a listing for "Remote Desktop Users"
  I suspect what you have going on is a GPO that is applying explicit members of that group.  That would remove anyone that you specify every 15 minutes.
  - If you have found my post to be helpful, or the answer, please mark it appropriately.  Thank you.
  Chris Ream

• Weblogic 10.3.0 -  Security Violation when Group Membership Lookup enabled

  Dear Admins,
  We're running a Weblogic 10.3.0 cluster with our own software deployed.
  We're using SQL authentication (JDBC to Oracle DB) to authenticate users.
  Recently we've been tuning our WL cluster to improve performance, and have enabled Group Membership Lookup Hierarchy Caching.
  Sometimes users log into our application and get inssuficient rights (or some other error). This appears to happen at random. Most of the times they can log in without problems.
  We determined it's not something to do with the cluster, although it can happen on one node and the other node will work as normal.
  In the Managed server we see this error (with test user):
  Managed7Server.out00011:java.rmi.AccessException: [EJB:010160]Security Violation: User: 'test' has insufficient permission to access EJB: type=<ejb>, application=leanapps, module=process_general.jar, ejb=LaLifeProcessController,
  method=create, methodInterface=Home, signature={}.
  When we disable Group Membership Lookup Hierarchy Caching, this error never occurs.
  Our settings (Security Realms -> myrealm -> Providers -> SQL Authenticator -> Performance):
  Max Group Hierarchies In Cache: 5000 (we have approx. 2000 groups)
  Group Hierarchy Cache TTL: 3600
  provider specific settings :
  Group Membership Searching: unlimited
  Max Group Membership Search Level: 0
  Also in Myrealm -> Performance we have set :
  Enable WebLogic Principal Validator Cache
  Max WebLogic Principals In Cache: 5000
  If we put the TTL really low (default 60 seconds), the error hardly ever occurs. But we want to have cache that lasts longer then one minute.
  This might be a bug, as we have other clusters running on WL 10.3.5, 12c where we use the same cache settings. This issue does not occur there.
  I'm more then willing to provide more info or config files
  Edited by: user5974192 on 21-nov-2012 5:17

  This is fixed now. Someone had defined a Servlet for the web service in web.xml that was preventing the EJB container to kick in.
  Edited by: user572625 on Aug 25, 2011 11:54 PM

• Custom routing agent based on sender's security group and subject

  I made a custom routing agent that routes mails contains the word [encrypt] in the subject and sent from domain test.com
  The part of the code is
  if (e.MailItem.FromAddress.DomainPart.Contains("test.com")
                  && e.MailItem.Message.Subject.Contains("[encrypt]"))
  now what i need is to route mails based on the membership of a certain security group like "securemail" not the whole domain. ie if the sender is a member in security group (securemail) and the subject contains the word [encrypt] route the mail
  Thanks

  Thanks for your answer Glen
  The following  code is on exchange 2010 but i need it to check for a security group membership if possible
  using System;
  using System.Collections.Generic;
  using System.Linq;
  using System.Text;
  using Microsoft.Exchange.Data.Transport;
  using Microsoft.Exchange.Data.Transport.Email;
  using Microsoft.Exchange.Data.Transport.Smtp;
  using Microsoft.Exchange.Data.Transport.Routing;
  using Microsoft.Exchange.Data.Common;
  namespace RoutingAgentOverride
      public class SampleRoutingAgentFactory : RoutingAgentFactory
          public override RoutingAgent CreateAgent(SmtpServer server)
              RoutingAgent myAgent = new ownRoutingAgent();
              return myAgent;
  public class ownRoutingAgent : RoutingAgent
      public ownRoutingAgent()
          //subscribe to different events
          base.OnResolvedMessage += new ResolvedMessageEventHandler(ownRoutingAgent_OnResolvedMessage);
      void ownRoutingAgent_OnResolvedMessage(ResolvedMessageEventSource source, QueuedMessageEventArgs e)
          try
              // For testing purposes we do not only check the sender address but the subject line as well
              // If the subject contains the substring "REDIR" then the default routing is overwritten.
              // Instead of hard-coding the sender you could also perform an LDAP-query, read the information
              // from a text file, etc.
              if (e.MailItem.FromAddress.DomainPart.Contains("contoso.com")
                  && e.MailItem.Message.Subject.Contains("[encrypt]"))
                  // Here we set the address space we want to use for the next hop. Note that this doesn't change the recipient address.
                  // Setting the routing domain to "nexthopdomain.com" only means that the routing engine chooses a suitable connector
                  // for nexthopdomain.com instead of using the recpient's domain.
                  RoutingDomain myRoutingOverride = new RoutingDomain("nexthopdomain.com");
                  foreach (EnvelopeRecipient recp in e.MailItem.Recipients)
                      recp.SetRoutingOverride(myRoutingOverride);
          catch // (Exception except)

• People Picker can resolve users and security group from another domain but no validation for groups

  Dear all,
  Here is the scenario of our issue:
  We are migrating from Domain A to Domain B and in Domain A we currently have a SharePoint 2013 on which we want to set permissions for users and groups that have already migrated to Domain B.
  A bi-directional trust exist between the two domains and all applications relying on trust and resolving IDs from on domain to another are working fine (Windows RDS for instance)
  The "bug" that we have is when using the PeoplePicker, it can resolve without any issue a user account in Domain A or B, and a security group (type global, I haven't tried local or universal yet) from domain A or B. But for the security groups
  only (it works well for users), when I click on "Save" to validate the add of the group to the site permissions, I have the following error:
  I have seen a lot of similar issues on the web but no answer so far that work :( 
  Example: https://social.technet.microsoft.com/forums/sharepoint/en-US/74e8d14b-a0f4-4e21-8cfa-b1a937247160/cant-provision-security-to-old-domain-users
  If you have any question that could help you to understand it, do not hesitate. 
  Thanks a lot in advance for your help ! :)

  Can you give the snippet from the ULS log where you're seeing this error?
  Trevor Seward
  Follow or contact me at...
  &nbsp&nbsp
  This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

• Security Group Creation in Specific OU and Create Network Share For the Security Group

  Hi,
  We would really want to create a PowerShell script that creates a specific Security Group within a selected Organisation Unit.
  Brief Scenario;
  We have created several Organisation Units. Each Organisation Unit contains another Organisation Unit called users. 
  +OU=Netherlands
  ++OU=Company A
  +++OU=users
  ++OU=Company B
  +++OU=users
  And so forth.
  If we run the PowerShell script it should create a list of all the Companies in container Netherlands. After the list is created it creates an output like 1. Company A; 2. Company B. (Forearch ..)
  The script asks for user input where to create the Security Group. If user selects option 2, a security group Called "Company B" is being created. All the users located in the Organisation Unit users within Company B are joined to that group. (Sets
  option 2 as a value like Security Group = "$Company B", create Security Group "Universal, Global (option), and get all users from container users and join them)
  Then without user interaction a share is being created. Granting Domain Administrators full access and the Security Group which has just been created.
  Is somebody able to help me with this kind of script?
  Thank you in advance,
  With kind regards,
  Danny Locorotondo

  Already gathered some information. Have this as a result. Now I need to figure out how to put the results into a list, so the user can select the group. As far as now I am stuck.
  Import-Module ActiveDirectory
  Function SelectCollectionRelease 
      [CmdletBinding()]
      Param
          [Parameter(Mandatory=$true,
                     Position=0,
                     HelpMessage='Enter the Release of the Collection. By example: Alfa,Beta or Charlie')]
          $CollectionRelease
      IF(!$CollectionRelease)
          write-host "`n You did not select a proper Collection Release" -foregroundcolor "red"
  SelectCollectionRelease 
      Elseif($CollectionRelease)
      [string] $OUPath = "OU=$CollectionRelease,OU=VDI,OU=carsystems,DC=carsysdev,DC=local"
  if (!([adsi]::Exists("LDAP://$OUPath"))) 
  write-host "`n Collection Release does not exists" -foregroundcolor "red"
  SelectCollectionRelease 
  else
  write-host "`n Collection Release exists." -foregroundcolor "green"
  write-host "`n Selected $OUPath ..." -foregroundcolor "yellow"
  Get-ADGroup -SearchBase "OU=$CollectionRelease,OU=VDI,OU=carsystems,DC=carsysdev,DC=local" -filter {GroupCategory -eq "Security"} | Format-List -Property Name
      Else
          //$SecurityGroup = Get-ADGroup -SearchBase "OU=$CollectionRelease,OU=VDI,OU=carsystems,DC=carsysdev,DC=local" -filter {GroupCategory -eq "Security"} -and (ObjectClass -eq "user")
  SelectCollectionRelease