Set Active Directory Folder Permission

Similar Messages

• How to Apply Exchange 2013 Active Directory Split Permission Model and Completely Isolate AD and Exchange Management??

  Hi Experts,
  I am Deploying Exchange 2013 in an organization where currently Active Directory is handled and Administered by a different Admins and they want Exchange to be managed by another set of Admins. My customer wants to completely Isolate Administration and Management
  of both AD And Exchange. i have gone through some technet articles and tested option for both RBAC and Active Directory Split permission model. I think Active Directory Split Permission model would be helpful but while testing i came to know that, via Split
  permission Exchange admin can not create or delete User/Dist. Groups but still he can Edit or modify the details (City, office address, phone no. Department and display name etc.) which means that this is not fully separation of Roles between AD Admins and
  Exchange Admins. 
  please help me to resolve below queries and Scenarios if supported by Exchange Split permission model -
  (1) only AD Admins should be able to create, Delete or modify the Security principles property in Active Directory. Exchange Admin should only need to modify Exchange related property/attributes from exchange Control panel or shell. they should not be able
  to change the Display name, and other AD related common attributes via Exchange Admin centre or management shell. 
  (2) similarly i want to restrict my AD Admins from modifying or changing exchange related attributes by any means (ADSIEDIT, ADUC,). i want to restrict my AD Admins from assigning organization management or recipient management rights to them-self and do
  any modification on my exchange servers via Shell or Admin Centre and then Revoke the membership from Exchange Security groups. i want AD Admins and Exchange should do their respective tasks without any ability to change/edit or modify any settings of each
  others??
  (3) I Want to restrict to open Exchange Admin Centre (ECP) via some limited Systems only. i know we can block to open ECP via internet but i want to restrict it to open within internal network as well and from limited systems of my Exchange Admin.
  Regards,
  Aanand Singh Karki
  Regards, Aanand Singh

  Hi,
  For Exchange privileges, I suggest use RBAC.
  Regards,
  Simon Wu
  TechNet Community Support

• Microsoft Exchange Server 2013 Cumulative Update 7 Setup - Active Directory Topology service on server 'TopologyClientTcpEndpoint (localhost)' returned an error - Set-SharedConfigDC

  What am I trying to do?
  I have tried installing Microsoft Exchange Server 2013 Cumulative Update 7 Setup on a fresh install of Windows Server 2012 R2 but it gets stuck when running the setup exe on Step 8 of 14 “Mailbox Transport Service” I have included full
  error logs at the bottom of the page but the basics are in order it will throw which loop around are:
  [01/20/2015 17:13:20.0084] [2] Beginning processing Set-SharedConfigDC
  [01/20/2015 17:13:20.0178] [2] The call to Microsoft Exchange Active Directory Topology service on server 'TopologyClientTcpEndpoint (localhost)' returned an error. Error details No Minimal Required Number of Suitable Directory Servers
  Found in Forest mydomain.com Site Default-First-Site and connected Sites..
  [01/20/2015 17:13:20.0178] [2] No Minimal Required Number of Suitable Directory Servers Found in Forest mydomain.com Site Default-First-Site and connected Sites.
  Exchange is currently running in the envirmonet on 2010 Sp3 I am installing 2013 CU7 fresh so I can migrate the databases over.
  What am I running?
  2 X DC on domain and forest functional level 2008R2 both writable
  1 X fresh install of Windows 2012 R2 which is domain joined
  What have I tried?
  Checked Ipv6 is enabled on all DC NICS and Existing Exchange Servers
  Rebooted every server
  Run setup as Administrator
  My account is part of the domain Enterprise Admin group
  Tried adding "Exchange Server" or "Exchange Enterprise Servers" to the group policy and doing the relevant gpupdate /force and reboot :
  Computer Configuration Windows Settings
  Security Settings + Local Policies
  User Rights Assignment Mange auditing and security log
  Turned off firewall on DC and Exchange Server even stopped the service
  Turned off all AV on the DC and Exchange Server
  Checked I could telnet to global catalog servers on port 3268 which I can
  Checked the global catalog records existed in DNS which they all do
  Done the obvious ping tests all round which confirms connectivity
  Schema has been prepared using appropriate commands before running the setup exe
  setup.exe /PrepareSchema /IacceptExchangeServerLicenseTerms
  Making sure the following path has full permissions:
  EXCHANGE14:\Current\Release\Shared\Datacenter\Setup
  Restarted Microsoft Exchange Active Directory Topology service
  DcDiag all looks good
  What have I noticed that is suspicious?
  Microsoft Exchange Transport service will not start even though both of its dependences services have started:
  Microsoft Filtering Management Service
  Microsoft Exchange Active Directory Topology Service
  It will eventually error with
  “Windows could not start the Microsoft Exchange Transport Service on local computer
  Error 1053: This Service did not respond to the start of control request in a timely fashion”
  This error is from the GUI wizard itself:
  Error:
  The following error was generated when "$error.Clear();
  $maxWait = New-TimeSpan -Minutes 8
  $timeout = Get-Date;
  $timeout = $timeout.Add($maxWait);
  $currTime = Get-Date;
  $successfullySetConfigDC = $false;
  while($currTime -le $timeout)
  $setSharedCDCErrors = @();
  try
  Set-SharedConfigDC -DomainController $RoleDomainController -ErrorVariable setSharedCDCErrors -ErrorAction SilentlyContinue;
  $successfullySetConfigDC = ($setSharedCDCErrors.Count -eq 0);
  if($successfullySetConfigDC)
  break;
  Write-ExchangeSetupLog -Info ("An error ocurred while setting shared config DC. Error: " + $setSharedCDCErrors[0]);
  catch
  Write-ExchangeSetupLog -Info ("An exception ocurred while setting shared config DC. Exception: " + $_.Exception.Message);
  Write-ExchangeSetupLog -Info ("Waiting 30 seconds before attempting again.");
  Start-Sleep -Seconds 30;
  $currTime = Get-Date;
  if( -not $successfullySetConfigDC)
  Write-ExchangeSetupLog -Error "Unable to set shared config DC.";
  " was run: "System.Exception: Unable to set shared config DC.
  at Microsoft.Exchange.Configuration.Tasks.Task.WriteError(Exception exception, ErrorCategory category, Object target, Boolean reThrow, String helpUrl)
  at Microsoft.Exchange.Configuration.Tasks.Task.WriteError(Exception exception, ErrorCategory category, Object target)
  at Microsoft.Exchange.Management.Deployment.WriteExchangeSetupLog.InternalProcessRecord()
  at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__b()
  at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)".
  Exchange logs which have been written:
  **The error will loop around for 8 minutes on trying to set-sharedconfig DC whatever this is trying to do ??
  [01/20/2015 17:13:20.0084] [2] Active Directory session settings for 'Set-SharedConfigDC' are: View Entire Forest: 'True', Configuration Domain Controller:mydomain.com', Preferred Global Catalog: 'mydomain.com', Preferred Domain Controllers:
  '{ mydomain.com}'
  [01/20/2015 17:13:20.0084] [2] User specified parameters: 
  -DomainController:mydomain.com' -ErrorVariable:'setSharedCDCErrors' -ErrorAction:'SilentlyContinue'
  [01/20/2015 17:13:20.0084] [2] Beginning processing Set-SharedConfigDC
  [01/20/2015 17:13:20.0178] [2] The call to Microsoft Exchange Active Directory Topology service on server 'TopologyClientTcpEndpoint (localhost)' returned an error. Error details No Minimal Required Number of Suitable Directory Servers
  Found in Forest mydomain.com Site Default-First-Site and connected Sites..
  [01/20/2015 17:13:20.0178] [2] No Minimal Required Number of Suitable Directory Servers Found in Forest mydomain.com Site Default-First-Site and connected Sites.
  [01/20/2015 17:13:20.0178] [2] The call to Microsoft Exchange Active Directory Topology service on server 'TopologyClientTcpEndpoint (localhost)' returned an error. Error details No Minimal Required Number of Suitable Directory Servers
  Found in Forest mydomain.com Site Default-First-Site and connected Sites..
  [01/20/2015 17:13:20.0178] [2] No Minimal Required Number of Suitable Directory Servers Found in Forest mydomain.com Site Default-First-Site and connected Sites.
  [01/20/2015 17:13:20.0178] [2] Ending processing Set-SharedConfigDC
  [01/20/2015 17:13:20.0193] [2] Beginning processing Write-ExchangeSetupLog
  [01/20/2015 17:13:20.0193] [2] An error ocurred while setting shared config DC. Error: The call to Microsoft Exchange Active Directory Topology service on server 'TopologyClientTcpEndpoint (localhost)' returned an error. Error details
  No Minimal Required Number of Suitable Directory Servers Found in Forest mydomain.com Site Default-First-Site and connected Sites..
  [01/20/2015 17:13:20.0193] [2] Ending processing Write-ExchangeSetupLog
  [01/20/2015 17:13:20.0193] [2] Beginning processing Write-ExchangeSetupLog
  [01/20/2015 17:13:20.0193] [2] Waiting 30 seconds before attempting again.
  [01/20/2015 17:13:20.0193] [2] Ending processing Write-ExchangeSetupLog
  [01/20/2015 17:13:50.0195] [2] Beginning processing Write-ExchangeSetupLog
  [01/20/2015 17:13:50.0273] [2] [ERROR] Unable to set shared config DC.
  [01/20/2015 17:13:50.0273] [2] [ERROR] Unable to set shared config DC.
  [01/20/2015 17:13:50.0288] [2] Ending processing Write-ExchangeSetupLog
  [01/20/2015 17:13:50.0288] [1] The following 1 error(s) occurred during task execution:
  [01/20/2015 17:13:50.0288] [1] 0.  ErrorRecord: Unable to set shared config DC.
  [01/20/2015 17:13:50.0288] [1] 0.  ErrorRecord: System.Exception: Unable to set shared config DC.
     at Microsoft.Exchange.Configuration.Tasks.Task.WriteError(Exception exception, ErrorCategory category, Object target, Boolean reThrow, String helpUrl)
     at Microsoft.Exchange.Configuration.Tasks.Task.WriteError(Exception exception, ErrorCategory category, Object target)
     at Microsoft.Exchange.Management.Deployment.WriteExchangeSetupLog.InternalProcessRecord()
     at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__b()
     at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)
  [01/20/2015 17:13:50.0288] [1] [ERROR] The following error was generated when "$error.Clear();
  $maxWait = New-TimeSpan -Minutes 8
  $timeout = Get-Date;
  $timeout = $timeout.Add($maxWait);
  $currTime = Get-Date;
  $successfullySetConfigDC = $false;
  while($currTime -le $timeout)
  $setSharedCDCErrors = @();
  try
  Set-SharedConfigDC -DomainController $RoleDomainController -ErrorVariable setSharedCDCErrors -ErrorAction SilentlyContinue;
  $successfullySetConfigDC = ($setSharedCDCErrors.Count -eq 0);
  if($successfullySetConfigDC)
  break;
  Write-ExchangeSetupLog -Info ("An error ocurred while setting shared config DC. Error: " + $setSharedCDCErrors[0]);
  catch
  Write-ExchangeSetupLog -Info ("An exception ocurred while setting shared config DC. Exception: " + $_.Exception.Message);
  Write-ExchangeSetupLog -Info ("Waiting 30 seconds before attempting again.");
  Start-Sleep -Seconds 30;
  $currTime = Get-Date;
  if( -not $successfullySetConfigDC)
  Write-ExchangeSetupLog -Error "Unable to set shared config DC.";
          " was run: "System.Exception: Unable to set shared config DC.
     at Microsoft.Exchange.Configuration.Tasks.Task.WriteError(Exception exception, ErrorCategory category, Object target, Boolean reThrow, String helpUrl)
     at Microsoft.Exchange.Configuration.Tasks.Task.WriteError(Exception exception, ErrorCategory category, Object target)
     at Microsoft.Exchange.Management.Deployment.WriteExchangeSetupLog.InternalProcessRecord()
     at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__b()
     at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)".
  [01/20/2015 17:13:50.0288] [1] [ERROR] Unable to set shared config DC.
  [01/20/2015 17:13:50.0288] [1] [ERROR-REFERENCE] Id=AllADRolesCommonServiceControl___ee47ab1c06fb47919398e2e95ed99c6c Component=EXCHANGE14:\Current\Release\Shared\Datacenter\Setup
  [01/20/2015 17:13:50.0288] [1] Setup is stopping now because of one or more critical errors.
  [01/20/2015 17:13:50.0288] [1] Finished executing component tasks.
  [01/20/2015 17:13:50.0304] [1] Ending processing Install-BridgeheadRole
  Windows Event Viewer:
  Process Microsoft.Exchange.Directory.TopologyService.exe (PID=5276) Forest mydomain.com. Exchange Active Directory Provider couldn't find minimal required number of suitable Global Catalog servers
  in either the local site 'Default-First-Site' or the following sites:

  Hi apl228,
  1. Please make sure the IPv6 is enabled.
  2. Please make sure the account that install Exchange server has Administrator permission.
  3. Please make sure DNS has been configured correctly.
  Thanks
  Mavis Huang
  TechNet Community Support

• Active Directory Changes have causes users to loose access to Projects they are set as contributor too.

  Hello,
  We recently had an employee of our helpdesk delete (by accident) and recreate a number of Active Directory user profiles.  The profiles were created exactly like they were before, but now those users are not able to access the projects in TFS that they
  have contributor permissions too.  Some of these users can see a minimal set of objects in the Source Control Explorer, but each item has a (+) plus sign next to it as if the object does not exist in the repository.  The users and windows groups
  that are concerned are still listed inside of TFS's group memberships for each project.  I have confirmed that the sync from AD with TFSJobAgent.exe is completing with out errors as well.
  Is this a SID issue where TFS actually thinks that these are new users, and if so how can I best fix it for those users?
  Doug Dayley

  Hi Doug, 
  Thanks for your reply.
  Ok, let’s check whether TFS Server can identify this user and its groups which this user belonged to. Please execute below command for this one user, then view command result, check if the user name and SID both show correctly in result, and whether this
  user belonged to groups all listed in command result.
  Tfssecurity /imx “domain\username” /collection:URL
  If this user’s all information show correctly in command result. Please try to remove this user from your TFS server, then clean the TFS Cache, re-add this user back to TFS Server, then check if this user can access your team project as expect.
  Clean the Cache for TFS 2013 manually(delete the content of the folder only, not the cache folder itself):
  Clean the Cache folder on Server machine. The folder path is:
  C:\Program Files\Microsoft Team Foundation Server 12.0\Application Tier\Web Services\_tfs_data.  
  After cleaned, on Server machine, click Start and select
  Run… to open the dialog box, then input iisreset.exe and click OK, wait it run completely.
  We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
  Click
  HERE to participate the survey.

• Setting up Wiki Calendars in iCal with Active Directory Accounts

  I'm Having a little trouble wrapping my head around our Wiki Calendar Solution,
  Id like to find a way to get the 10.6 Wiki Server Calendar's in iCal Client - using our active directory authentication.
  I have a test 10.6 Server bound to our Active Directory with Wiki's up and running and am able to log in with AD account's and view and manage the Wiki Calendar - I can see how to subscribe to the calendar's - But I need full integration with iCal and maybe even Outlook - subscribing only provides read access.
  anyone have any idea how his can be accomplished in and active directory setting - my searches have lead me to OD solutions and thats not going to work.

  I don't know how much I'll be able to help, but I do have AD accounts using wiki services. Can you verify a few things:
  1. The AD group is listed in the "Wiki Creators" box in Server Admin, yes?
  2. If you open Terminal and run "sudo serveradmin settings teams:enableClearTextAuth", does it return "teams:enableClearTextAuth = yes"?
  3. If you open System Preferences -> Accounts and then edit the directory servers, does the AD domain show as working normally?
  Also, have you worked to isolate the problem? Have you tried creating an OD user to test against the wiki? Are the logs showing anything?

• Set a default value to checkbox on Active Directory form

  Hi all
  how to set a default value to checkbox UD_ADUSER_MUST on Active Directory form?
  I set the value 1 on the column default value (ADUSER form), i try the provisioning resource AD to the user and this field is not selected.
  please help me.

  hi
  My problem is solved, I tried to change the default form ADUSER, but this value was overridden by the policy form.
  I set this value in the policy form.
  thanks

• Setting the logonHours attribute for a user in Active Directory

  Hi Anyone,
  I'm a brasilian guy and I need your help. How can I set the logonHours attribute on my Active Directory?
  I have this code but it doesn't works good:
      public void setLogonHours(boolean[] logonHoursBits){
          int i;
          int j;
          int k;
          int index21 = 0;
          int index24 = 0;
          byte[] byteLogonHour = new byte[21];
          byte byte8Hours = 0;
          for(i=0; i <= 6; i++){
              for(j=1; j <= 3; j++){
                  for(k=7; k >= 0; k--){
                      if (i < 6){
                          if (logonHoursBits[i] == (boolean)(index24 == 0) ? true : false){
                              byte8Hours += (byte)Math.pow(2,k);
                      else{
                          if (logonHoursBits[0] == (boolean)(index24 == 0) ? true : false){                           
                              byte8Hours += (byte)Math.pow(2,k);
                      index24++;
                  byteLogonHour[index21] = byte8Hours;
                  index21++;
              index24 = 0;
          try{
              String nome = "CN=Dryelle,OU=Pesquisa,DC=cifya,DC=com,DC=br";
              ctx = new InitialLdapContext(env,null);
              ModificationItem logonHours[] = new ModificationItem[1];
              logonHours[0]= new ModificationItem(DirContext.REPLACE_ATTRIBUTE, new BasicAttribute("logonHours",byteLogonHour));
              ctx.modifyAttributes(name,logonHours);
              System.out.println("Atributo logonHours alterado com sucesso.");
          catch (NamingException e) {
             System.err.println("Problema na altera??o " + e);
      }the code set the attribute but wrong. Can anyone help-me? It's making me crazy.
  Sorry about my poor english.
  Tks.
  Edited by: th_slopes on Aug 15, 2008 5:50 PM

  DirContext ctx = new InitialDirContext(pr);
            BasicAttributes entry = new BasicAttributes(true);
            String entryDN = "cn=CharbelHad,ou=test users,dc=test,dc=dev";
            Attribute cn = new BasicAttribute("cn", "ChHad");
            Attribute street = (new BasicAttribute("streetAddress", "Ach"));
            Attribute loginPreW2k = (new BasicAttribute("sAMAccountName", "[email protected]"));
            Attribute login = (new BasicAttribute("userPrincipalName", "[email protected]"));
            Attribute sn = (new BasicAttribute("sn", "Chl"));
            Attribute pwd = new BasicAttribute("unicodePwd", "\"Ch@341\"".getBytes("UTF-8"));
  Attribute userAccountControl = new BasicAttribute("userAccountControl", "512");
            Attribute oc = new BasicAttribute("objectClass");
            oc.add("top");
            oc.add("person");
            oc.add("organizationalPerson");
            oc.add("user");
            // build the entry
            entry.put(cn);
            entry.put(street);
            entry.put(sn);
            entry.put(userAccountControl);
            entry.put(pwd);
            entry.put(login);
            entry.put(loginPreW2k);
            entry.put(oc);
            ctx.createSubcontext(entryDN, entry);

• Mobile Account and Active Directory home folder

  We install a XServe server (Mac OS X 10.6.3). We join it to Active Directory for authentification and Open Directory for policy. I read the magic triangle on the web.
  I mount a MacBook Pro with Mac OS X 10.6. I join it to AD and after to OD. When I configure an account to be mobile, the home folder configure in AD stop to mount automatically. If the account is not mobile the home folder mount correctly.
  Somebody has an idea of waht happen?

  Hello, sifeduc, and welcome to the AppleBoards,
  This really seems like a Directory Services question and is probably best suited to this board: http://discussions.apple.com/forum.jspa?forumID=1353
  That being said are you talking about Portable Home Directories? If so PHDs should be created on the server first and on the client second. If you have a client account you want to sync to the OD you need to delete the client account - *but leave it in place* - create a server account and then use the local account which will then sync to the server. The steps for this are a little more complicated than that but not much.
  Good Luck,
  =Tod

• SCVMM 2008 R2 - "The SQL Server service account does not have permission to access Active Directory Domain Services (AD DS)."

  I know this question has been asked before, but never for R2, that I can tell, and the posted fixes aren't working. I have just installed SCVMM 2008 R2 on a Windows Server 2008 R2 server, using a remote SQL 2008 SP1 database. When I attempt to connect to SCVMM, I get the following error:
  "The SQL Server service account does not have permission to access Active Directory Domain Services (AD DS).
  Ensure that the SQL Server service is running under a domain account or a computer account that has permission to access AD DS. For more information, see "Some applications and APIs require access to authorization information on account objects" in the Microsoft Knowledge Base at http://go.microsoft.com/fwlink/?LinkId=121054.
  ID: 2607"
  What I've seen online is that this is usually becuase the domain account SCVMM is running as does not have the proper permissions on the SQL database. Here's what I've confirmed:
  1) My SCVMM service account is a local admin on the SCVMM server
  2) My SCVMM service account is a dbowner on the SCVMM database in SQL
  3) My SQL service account is a dbowner on the SCVMM database in SQL
  4) My SQL service account is a domain user (even made it a domain admin, just in case, and it still "doesn't have access to AD DS," which is obviously untrue)
  5) Neither service account is locked out
  Has anyone run in to this? It says in Technet that remote SQL 2008 is supported, as long as the SQL management studio is installed to the SCVMM server, and I installed and patched before I began the SCVMM installation. I just don't know what else to try - I have no errors in event logs, no issues during the installation itself...
  Andrew Topp

  That answer was very unhelpful fr33m4n. The individual mentions that they've received the error that points to the KB article. I currently receive the same error -- there seems to be no resolution. I've run the Microsoft VBS script to add TAUG to the WAAG
  as suggested by 331951, and that made absolutely no difference.
  1) My SCVMM service account is a local admin on the SCVMM server
  2) My SCVMM service account is a dbowner on the SCVMM database in SQL
  3) My SQL service account is a dbowner on the SCVMM database in SQL
  4) My SQL service account is a domain user (even made it a domain admin, just in case, and it still
  "doesn't have access to AD DS," which is obviously untrue)
  The user is also a member of WAAG, the machines have delegated authority to each other. Is there any other solution?

• New users not showing up while trying to set folder permission settings

  Server 2012
  This is a new virtual domain server and file server in a starwind cluster, I just started migrating users last week.
   This last weekend (two days ago) the cluster crashed while doing windows updates on this server. I have been unable to get it to download any updates since without crashing, not sure if that is related to this issue somehow.
  I added some new users today and got them all logged in and their data transferred over. good. But then I went to this shared folder that everyone has a mapped drive too and tried to add them in the security tab of a sub folder but their accounts will not show
  up when I search for them. Any account I added previously to last weekend  show up, students, mine, etc.
  even if I select the exact OU the accounts are located in, even if I type their whole name and domain. In AD the accounts are there.
  If I log into the backup domain controller Their accounts show up there while in a folder security settings tab. They are listed in active directory on both domain controllers.
  I have exhausted myself on Google search.
  What the heck did I break?
  Maybe I should run 
  DISM.exe /Online /Cleanup-image /Restorehealth
  Not sure if I will lose any data doing that or what the repercussions would be..

  Hi Dustin,
  If the DC is having USN rollback issue, we can resolve it by demote then re-promote or restore the DC using a supported method such as using System State backup to restore.
  More information for you:
  USN Rollback, Virtualized DCs and improvements on Windows Server 2012
  http://blogs.technet.com/b/reference_point/archive/2012/12/10/usn-rollback-virtualized-dcs-and-improvements-on-windows-server-2012.aspx
  Best Regards,
  Amy
  Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

• Setting folder permission in windows 8.1

  setting folder permission in windows 8.1

  Hi,
  You can set the share and NTFS permissions on a file\folder, I'd like to share the following links with you:
  (Permissions in Windows 8.1 are similiar to Windows 7)
  http://windows.microsoft.com/en-in/windows/what-are-permissions#1TC=windows-7
  https://technet.microsoft.com/en-in/library/cc772196.aspx?f=255&MSPPError=-2147217396
  https://technet.microsoft.com/en-us/library/cc770962.aspx
  Yolanda Zhu
  TechNet Community Support

• How to set in Windows 8.1 the Account Picture from Active Directory

  Hello All,
  In my company I have uploaded the photos for
  each employees in
  Active Directory using a powershell script that set the attribute
  thumbnailphoto.
  This is useful for images in Lync and Outlook,
  now I want to use these pictures
  to sync with the account picture
  in Windows 8.1 but I haven't found anything in internet that helps me
  for this.
  I hope someone can help me,
  Thanks!

  Hi,
  You can try the steps in following article:
  Using Pictures from Active Directory
  http://msitpros.com/?p=1036
  This response contains a reference to a third party World Wide Web site. Microsoft is providing this information as a convenience to you. Microsoft does not control these sites and has not tested any software or information found on these sites; therefore,
  Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. There are inherent dangers in the use of any software found on the Internet, and Microsoft cautions you to make sure that you
  completely understand the risk before retrieving any software from the Internet.
  For your reference, here is the similar thread with different method:
  http://social.technet.microsoft.com/Forums/en-US/d6e7b2c3-c343-4900-a01d-24bfb30357b6/is-there-a-solution-to-set-user-account-picture-from-active-directory-thumbnailphoto-attribute-in?forum=w8itproinstall
  Hope these would be helpful.
  Kate Li
  TechNet Community Support

• How to get the list of Group set in each Users in MS Active Directory

  Hi. I would like to know if you know how to get the set group of each user in Active Directory?
  We have this sample code
  String INITCTX ="com.sun.jndi.ldap.LdapCtxFactory";
  //String MY_HOST = "ldap://myserver/ou=dev,dc=test,dc=com,dc=ph";
  String MY_HOST ="ldap://myserver.dev.test.com.ph:389/dc=dev,dc=test,dc=com,dc=ph";
  String strUsername,strPassword;
  try
       strUsername = Request.getParameter("username").toLowerCase().trim();
       strPassword = Request.getParameter("password").toLowerCase().trim();
       Hashtable env = new Hashtable();
       env.put(Context.INITIAL_CONTEXT_FACTORY, INITCTX);
       env.put(Context.PROVIDER_URL, MY_HOST);
       env.put(Context.SECURITY_AUTHENTICATION, "simple");
       env.put(Context.SECURITY_PRINCIPAL,strUsername+"@dev.lst.com.ph");
       env.put(Context.SECURITY_CREDENTIALS, strPassword);
  After validating the User Name and Password the next task is to Retrieve the group list of the User.

  Nope I want the log-in user to retrieve its Group where he is belong. I have this following code
  strUsername = Request.getParameter("username").toLowerCase().trim()+"@dev.test.com.ph";
  strPassword = Request.getParameter("password").toLowerCase().trim();
  Hashtable env = new Hashtable();
  env.put(Context.INITIAL_CONTEXT_FACTORY, INITCTX);
  env.put(Context.PROVIDER_URL, MY_HOST);
  env.put(Context.SECURITY_AUTHENTICATION, "simple");
  env.put(Context.SECURITY_PRINCIPAL,strUsername);
  env.put(Context.SECURITY_CREDENTIALS, strPassword);
  // enable tracing
  env.put("com.sun.naming.ldap.trace.ber", System.err);
  // Create the initial context
  DirContext initCtx = new InitialDirContext(env);
  // Get the target context
  DirContext targetCtx = (DirContext)initCtx.lookup("");
  SearchControls constraints = new SearchControls();
  constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
  // Perform the search on the target context
  NamingEnumeration enum = targetCtx.search("","(userPrincipalName="+strUsername+")",constraints);
  javax.naming.directory.Attributes attrs;
  NameClassPair item;
  String[] attrIds = new String[]{"MemberOf"};
  // For each answer found, get its "Groups" attribute
  // If relative, resolve it relative to the target context
  // If not relative, resolve it relative to the initial context
  while (enum.hasMore()) {
  item = (NameClassPair)enum.next();
  Out.println(item);
  attrs = targetCtx.getAttributes(item.getName(), attrIds);
  Out.println(attrs + "<br>");
       initCtx.close();
  It returns all this string :
  {memberof=memberOf: CN=CMCanadaRD,OU=Groups / Teams,DC=dev,DC=test,DC=com,DC=ph, CN=iMngrCanadaRW,OU=Groups / Teams,DC=dev,DC=test,DC=com,DC=ph, CN=Domain Users,CN=Users,DC=dev,DC=test,DC=com,DC=ph, CN=Backup Operators,CN=Builtin,DC=dev,DC=test,DC=com,DC=ph, CN=Administrators,CN=Builtin,DC=dev,DC=test,DC=com,DC=ph}
  How can i retrieve the Group named CMCanadaRW and CMCanadaRD on the Attribute?
  Thanks

• Lync Hybrid : Unable to write to active directory due to lack of permission

  Hello everyone,
  I need a little help to troubleshoot a problem I have when moving a user to Lync Online.
  My client has a Dirsync and Adfs working perfectly with o365.
  My problem is that when I try to move a user to Lync Online I have this error :
  Move-CsUser -Identity "Username" -Target sipfed.online.lync.com -credential $cred -hostedmigrationOverrideUrl "https://admin0e.online.lync.com/hostedmigration/hostedmigrationservice.svc"
  "Move-CsUser : Unable to write to Active Directory due to lack of permissions"
  Like the error said, it's a lack of permission but what kind of permission do I need to make this work ? I've tried to googleit/technetit but no helpful topic found...
  Thanks in advance for your help and answers.
  Regards,
  Adrian TUPPER - ABC Systemes - http://thelyncexperience.blog.com/ If answer is helpful, please hit the green arrow on the left, or mark as answer Thank you

  Hi,
  Did you solve the issue by adding the account to RTCUniversalUserAdmins group?
  To move an on-premises user to your Lync Online tenant, run the following cmdlets in the Lync Server Management Shell, using the administrator credentials for your Microsoft Office 365 tenant. Replace "[email protected]" with the information for the user
  that you want to move.
  You can try to move the user from Lync Server on premises to Lync online with the help of the link below “Move users to Lync Online”:
  http://technet.microsoft.com/en-us/library/jj204969.aspx
  Best Regards,
  Eason Huang
  Eason Huang
  TechNet Community Support

• How to set permissions on a file for a Mac without active Directory

  We don't have our Macs in the Active Directory, we are looking to share an external hard drive to only Macs and not the Windows PC's on the network with out using active directory. I have tested sharing the external hard drive from a PC to everyone and both the PC's and Macs can access this, but we only want the Macs to see this and access this and not everyone. There is no selection for sharing with the computer name in the Share permissions so the only way to do this is to share it to everyone. The Mac accounts are local to the Macs and the PC's are on Active Directory so what i need to do is have a way to share this folder with only Macs and not all the windows PC's. Any solutions, any ideas will help
  Thanks

  hi
  good
  go through these links
  http://help.sap.com/saphelp_nw2004s/helpdata/en/b9/b4de3f68d48f15e10000000a155106/content.htm
  http://help.sap.com/saphelp_nw04s/helpdata/en/be/0de03f41b9eb06e10000000a1550b0/content.htm
  thanks
  mrutyun