SQL content database is locking when a user is disabled in Active Directory.

Similar Messages

• How to de-provisions user's resource when the user is disable ?

  When a user is disable in OIM, I would like OIM to de-provisions all the user's resources.
  Is it possible to do it and how to do it ?

  Hi Deborah,
  I have tried the following configuration, but i am unable to de-provision the resource for the user. The Delete User task is not getting called. Here are the steps that i have followed.
  1) Created a Disable User task with conditional checked and Task Effect as Disable.
  2) Added a adapter to it, and in the response tab added a new response COMPLETE (adapter will be returning COMPLETE) and given the status for the response as Cancelled.
  3) In the Undo/Recovery tab, added the Delete User task.
  4) In the Task to Object status mapping, given Revoked for Object status for the Cancelled status.
  As per the OIM document the Undo tasks are triggered when the current process task status is Cancelled, but still i found that the undo task is not getting triggered. I have made both Disable and Delete User task as conditional. Also i have added the Delete User task under Undo/Recover tab of Create User task. Can you tell me why the Delete User task is not getting called. Here the user is also not getting deleted from OIM.
  Also all the tasks in the resource object are showing the status as Cancelled.
  I have created a simple Mobile Phone resource object and done all these steps. Can you tell what went wrong. If i directly deleted the user from Admin console the Delete User task is getting called and user is also getting deleted.

• User login report in Active Directory for specific date and time

  I want to get User login report in Active Directory for specific date and time e.g user logged in at15-01-2015 from 8:00am to 4:00pm
  Is any query, script or any tool available?
  Waiting for reply please

  You can identify the last logon date and time using my script here: https://gallery.technet.microsoft.com/scriptcenter/Get-Active-Directory-User-bbcdd771
  If you would like to get back in time and see when the user did a logon / logoff then you need to have auditing enabled. Once done, you can records from Security log in the event viewer: https://social.technet.microsoft.com/Forums/windowsserver/en-US/98cbecb0-d23d-479d-aa65-07e3e214e2c7/manage-active-directory-users-logon-logoff-events
  I have started a Wiki about how to track logon / logoff and it can help too: http://social.technet.microsoft.com/wiki/contents/articles/20422.record-logon-logoff-activities-on-domain-servers-and-workstations-using-group-policy.aspx
  This posting is provided AS IS with no warranties or guarantees , and confers no rights.
  Ahmed MALEK
  My Website Link
  My Linkedin Profile
  My MVP Profile

• Account locked out events are not getting in active directory security event logs

  Account locked out events are not getting in active directory security event logs for some users. I can see that the user is locked and when i tried to find out the event in sec log at DC but couldnt able to find. It is only happening for some users.
  not for the all users.

  In addition.
  Check the ADDS Audit.
  Active Directory Services Audit - Document references
  Regards~Biswajit
  Disclaimer: This posting is provided & with no warranties or guarantees and confers no rights.
  MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin
  MY BLOG
  Domain Controllers inventory-Quest Powershell
  Generate Report for Bulk Servers-LastBootUpTime,SerialNumber,InstallDate
  Generate a Report for installed Hotfix for Bulk Servers

• Could we have same name's for User and Groups in Active directory

  When iam trying to create a user name " Logistics " under a OU, I am getting a error
  "The pre-windows 2000 logon name you have chosen is already in use in this domain. Choose  aother pre-windows logon name, and then try again"
  We already have a group by the name " Logistics "
  Could we have same name's for User and Groups in Active directory?
  Thanks in Advance

  sAMaccountName attribute is unique. So, the short answer is you cannot.
  This posting is provided AS IS with no warranties or guarantees , and confers no rights.
  Ahmed MALEK
  My Website Link
  My Linkedin Profile
  My MVP Profile

• Problem in provisioning user from oim to active directory using ssl

  hi,
  problem in provisioning user from oim to active directory using ssl i am getting following error while provisioning user to AD.
  15:18:12,984 ERROR [ADCS] Communication Errorsimple bind failed: 172.16.30.35:636
  15:18:12,984 ERROR [ADCS] The error occured in tcADUtilLDAPController::connectTo
  AvailableAD():simple bind failed: 172.16.30.35:636
  15:18:13,015 ERROR [SERVER] Class/Method: tcProperties/tcProperties encounter so
  me problems: Must set a query before executing
  com.thortech.xl.dataaccess.tcDataSetException: Must set a query before executing
  at com.thortech.xl.dataaccess.tcDataSet.checkExecute(Unknown Source)
  at com.thortech.xl.dataaccess.tcDataSet.executeQuery(Unknown Source)
  at com.thortech.xl.dataobj.tcDataSet.executeQuery(Unknown Source)
  at com.thortech.xl.dataaccess.tcDataSet.executeQuery(Unknown Source)
  at com.thortech.xl.dataobj.tcDataSet.executeQuery(Unknown Source)
  at com.thortech.xl.dataobj.util.tcProperties.<init>(Unknown Source)
  at com.thortech.xl.dataobj.util.tcProperties.initialize(Unknown Source)
  at Thor.API.tcUtilityFactory.getLocalUtility(Unknown Source)
  at Thor.API.tcUtilityFactory.getUtility(Unknown Source)
  at com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController.co
  nnectToAvailableNextAD(Unknown Source)
  at com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController.se
  archResultPageEnum(Unknown Source)
  at com.thortech.xl.schedule.tasks.ADLookupRecon.performReconciliation(Un
  known Source)
  at com.thortech.xl.schedule.tasks.ADLookupReconTask.execute(Unknown Sour
  ce)
  at com.thortech.xl.scheduler.tasks.SchedulerBaseTask.run(Unknown Source)
  at com.thortech.xl.scheduler.core.quartz.QuartzWrapper$TaskExecutionActi
  on.run(Unknown Source)
  at Thor.API.Security.LoginHandler.jbossLoginSession.runAs(Unknown Source
  at com.thortech.xl.scheduler.core.quartz.QuartzWrapper.execute(Unknown S
  ource)
  at org.quartz.core.JobRunShell.run(JobRunShell.java:203)
  at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.j
  ava:520)
  can any one help.
  Thanks and Regards,
  praveen,

  Are you able to connect to AD over SSL through some LDAP Browser ?
  Check the validity of Certificate ?
  Does your certificate appear in the list ?

• How to Uninstall SQL instance on active-passive SQL server , which failed during Cluster Setup (Error-Failed at Validate Active Directory Configuration)

  How to Uninstall SQL instance on active-passive SQL server , which failed during Cluster Setup (Error-Failed at Validate Active Directory Configuration)
  active-passive SQL server cluster setup failed due to some steps missed in initial cluster setup,
  now i have unistall sql instance from nodes,
  Your help will higly appriciated.
  Regards,
  Anish
  Asandeen

  Hello,
  Please refer to the following link about remove a node of  SQL Server Failover Cluster Instance:
  http://msdn.microsoft.com/en-us/library/ms191545.aspx#Remove
  Regards,
  Fanny Liu
  Fanny Liu
  TechNet Community Support

• User Defined Table locked when multi users try to save data?

  Hi All,
  I am having a problem with User Define Table (UDT). I am just checking if somebody having the same problem as mine (any patch level).
  I've developed an add-on to save additional data to some UDTs upon saving a Production Order. I added my code in FormDataEvent (After Action = True and ActionSuccess = True).
  Here are my sequences to save the data:
  1. Start Transaction
  2. Remove Existing Data from 3 UDTs linked to the production order number.
  3. Save to table 1, using UserTable object
  4. Call function A to save to table2 , using UserTable object
  5. Call function B to save to table 3, using UserTable object
  6. Commit Transaction.
  Note: I have a try catch and rollback the transaction if any exception thrown by .NET and SAP. Below are parts of my coding to handle exception from SAP
                  If oUserTable.Add() <> 0 Then
                      oCompany.GetLastError(ErrCode, ErrMsg)
                      Throw New ApplicationException(ErrCode & "-" & ErrMsg)
                  End If
  in the try catch block, i add the following code
              If oCompany.InTransaction Then
                  oCompany.EndTransaction(SAPbobsCOM.BoWfTransOpt.wf_RollBack)
                  SBO_Application.MessageBox("[SaveRoute]:" & ex.Message)
                  Return False
              End If
  Now, the issue is in some occasions, when multi users try to save the Production Order, the data get deleted from the UDTs, but some of the data did not get saved yet it did not throw an exception. From our observation, it only happens when multi users are trying to save to the same table.
  Does anybody having the same or similar issue? Really appreciate if you can share on this.
  Many Thanks,
  Harianto Ng

  I Believe you should look carefully where in your code writting, you should start transaction and be sure of using end.transaction commit if the insert sends a succesfull message, and rollback it for negative message.
  I used to start transacción right before .add method
  Wha DBMS are u using?
  Hope it helps.

• SQL Content Database Restore

  Environment :- Sharepoint 2013
  The farm already has the content database attached to a web application (web app 1)
  The client needs a same content database (copy) to be restored and attached to a new web application (web app 2). 
  we are using the command -assignnewdatabaseid, even then we are not able to see all the site collections.
  Please advise

  That's expected behavior as the Site Collections have the same GUID, so the second copy (Web App 2) will not be able to see them. Your options are:
  1) Restore the Content Database to a Web Application on another farm
  2) Use Backup-SPSite/Restore-SPSite which assigns a new GUID to the Site Collection so you can 'duplicate' it within the same farm
  3) Use a 3rd party content migration tool
  4) Use Export-SPWeb/Import-SPWeb
  Trevor Seward
  Follow or contact me at...
  &nbsp&nbsp
  This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

• User synchronization issue between Active Directory and Solution manager.

  Requirement:
  Synchronize the users between Active directory and solution manager system.
  <u>What we did:</u>
  1.     Created RFC connection (LDAP_RFC) for LDAP connector.
  2.     Created new LDAP connector that utilize the RFC (LDAP_RFC).
  3.     Created new logical LDAP Server(CUA).Here we have to maintain the connection
  details to the physical directory.
  4.     We maintained the communication user that is used by the LDAP connector to bind the LDAP Directory Server.
  5.     In transaction LDAPMAP specific SAP data fields, we mapped to the desired
  directory attributes.
  6.     Testing from LDAP transaction working fine. We are able to see the attributes and
  values       from Active directory.
  <b><u>Issue:</u></b>
  When executed the program RSLDAPSYNC_USER for user synchronization from t-code se38 with below selection .
  LDAP Server = CUA (created earlier)
  LDAP Connector = LDAP_RFC (RFC connection created created ealier)
  In the tab: (Object that exist both in the directory and in the Database:)
  Selected: Compare Time Stamp.
  In the tab: (Objects the only exist in the Directory.)
  Selected : Create in Database.
  In the tab(Objects that only Exist in the Database:
  Selected: Ignore Object.
  Result from the report shows that connection to LDAP server is fine and ‘0’(zero) objects in Directory.
  The program does not create any new user in the Solution Manager system.
  Any help on this issue greatly appreciated.
  Thanks & Regards,
  Harish

  where did you see this error ? is there anymore details.
  i think the account you are using for Sync does not have Replicate Directory Changes permission in AD. follow below article and give Replicate directory changes permission.
  http://technet.microsoft.com/en-us/library/hh296982(v=office.15).aspx
  Thanks, Noddy

• Ask for Domain Password when using a Certificate from within Active Directory CS

  We are using certificates created by Active Directory Certificate Services, and stored within AD.  We can sign documents with the certificates, but would like the added layer of security to have Acrobat prompt the user to enter their AD password again to apply the signature.  The reasoning...if a user walks away from their computer and does not lock it, anyone can come up and create and sign a document with the other person's signature.  If we can prompt the user for authentication again when they click Sign, this problem would be avoided.
  Thanks

  Thanks for the reply, but where exactly is this set?  What program?  Is this within Windows or LiveCycle?
  Again, we're dealing with certificates that are stored in the Active Directory Certificate Store, not on the local machine.
  Thanks again.

• I am getting a Changing Password Failed error when I try to join an active directory

  I had a working AD configuration under Snow Leopard. When I upgraded to Mountain Lion, my account was no longer in sync with the domain. I got the red dot on the login screen and my domain password was out of sync. I unhooked from the domain at that point. This was several months ago.
  However, over the last few weeks, I keep finding myself locked out of the domain. I suspect it's something on my Mac that is trying to use my old credentials. I was hoping to rejoin the domain and see if I could get my account back in sync. When I get a domain admin to enter his password on the Directory Utility join screen, it first notes that the computer account already exists in the domain. I tell it to continue, but I can't get past this point:
  2013-06-24 14:21:20.729935 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - Computer account either already exists or DC is already Read/Write
  2013-06-24 14:21:20.732774 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - existing record found 'CN=MYMACHINE,OU=Default,OU=Workstations,OU=MyCity,OU=North America,DC=GLOBAL,DC=OURCORP,DC=NET'
  2013-06-24 14:21:20.732822 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - switching to cache 'MEMORY:0x7faef36ed770'
  2013-06-24 14:21:20.733141 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - Trying to find service kdc for realm GLOBAL.OURCORP.NET flags 2
  2013-06-24 14:21:20.734196 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - connecting to 12
  2013-06-24 14:21:20.734221 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - connecting to host: tcp 10.22.94.212:kerberos (1.2.3.4)
  2013-06-24 14:21:20.741380 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - host completed: tcp 10.22.94.212:kerberos (1.2.3.4)
  2013-06-24 14:21:20.741416 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - krb5_sendto_context done: 0
  2013-06-24 14:21:20.741619 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - trying to set password
  2013-06-24 14:21:20.741637 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - trying to set password using: MS set password in realm GLOBAL.OURCORP.NET
  2013-06-24 14:21:20.741648 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - using TCP since the ticket is large: 1560
  2013-06-24 14:21:20.741665 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - Trying to find service change_password for realm GLOBAL.OURCORP.NET flags 2
  2013-06-24 14:21:20.742867 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - connecting to 12
  2013-06-24 14:21:20.742908 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - connecting to host: tcp 10.22.94.212:kpasswd (1.2.3.4)
  2013-06-24 14:21:20.745231 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - host completed: tcp 10.22.94.212:kpasswd (1.2.3.4)
  2013-06-24 14:21:20.745250 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - krb5_sendto_context done: 0
  2013-06-24 14:21:20.745398 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - set password using MS set password returned: 0 result_code 3
  2013-06-24 14:21:20.745417 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - Changing password failed for '[email protected]' with error '' (3)
  2013-06-24 14:21:20.745426 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - setting Computer Password FAILED for existing record - 5103
  2013-06-24 14:21:20.745818 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - ODNodeCustomCall failed with error 'Credential operation failed' (5103)

  Reggierror,
  Had the same issue and discovered that I made my AD object name too long (16 instead of 15 character which is the limit) You might want to try making the computer object name shorter if you can.

• SAP User Authentication via Windows Active Directory

  The non-profit company I work for as an SAP Security Admin has been using SAP since 1999.  We are currently running ECC 6.0, BI 7.0, and CRM 7.0.  With fewer than 300 SAP users, we have not implemented CUA, so each of our multiple clients in these systems is managed independently. 
  The company recently licensed and implemented some non-SAP software to be used by all of our employees (~1200) in keeping track of & catagorizing their work time; a very handy feature of this software is that it depends upon Windows Active Directory for user authentication.  Therefore, each employee logs into this time-keeping package by entering his/her standard PC userID & password.  If you can log onto your PC, you can log into the time-keeping software. 
  That got me thinking & researching, because our SAP users - especially those who have access to three or more SAP clients - must maintain their passwords independently in each SAP client that they hope to access in the future.  I'm certainly not the first person who has thought of how nice it would be to permit SAP users to log into all SAP clients across the landscape in which they have defined userIDs, using the same password that they are using to log into their PCs (i.e., the password that is stored & maintained in Windows Active Directory).  My quest has led me to find presentations on this topic that typically involve modules we aren't using & very complicated configurations that we really lack the time & resources to employ; or, to third-party solution providers who claim to be certified SAP partners who would love to sell us more software to provide this convenience, usually irelated to single sign-on, LDAP, etc.  The lowest pricing tier for such software usually would cover many times the number of SAP users we have to serve here - and it feels like trying to push in a tack using a sledgehammer.  It is true that we have not used the same userID for our PCs that we have defined in SAP, so there would need to be some way to translate from one to the other, but our PC password rules are consistent with those we have configured in SAP clients, so it seems to me it should be very simple.   Can anyone lead me to a more straightforward solution?  If not, can you articulate why this has to be so complicated using SAP software when it seems so simple using relatively inexpensive timekeeping sotware?

  >
  Gagan Deep Kaushal wrote:
  > Hi Tim,
  >
  > Its nice to see video.
  >
  > Is that mean using different username on OS and SAP level still we can achieve SSO.
  >
  > Correct if if am wrong.
  > The only thing we need to maintain SNC name.
  Once installed, yes. This is all you need to maintain when users are added. You can even use LDAP if you like to sync all user info between SAP and MS AD domain, but this cannot sync the password, so using SNC authentication instead of using SAP passwords is ideal.
  >
  > So for user test1 i can manage name as p:test2.....  ??
  Yes, that is correct. The mapping is maintained using standard SAP user management, such as su01. The user in AD domain might have long account name, e.g. "firstname.verylonglastname" which is too big for use as a SAP username so you can map this long AD account name onto a SAP user called FIRSTLAST in one or more SAP clients.
  >
  > I think that is what Ronald is also looking, user name need not to be same.
  >
  > Regards,
  > Gagan Deep Kaushal

• Oracle Enterprise User, OVD and MS Active Directory (AD)

  Hi,
  I need to authenticate Oracle Users from MS Active Directory.
  If I create an Oracle Enterprise User, can I just use OVD or do I need also OID ?
  If the answer is YES, I just need OVD do I need just to install OVD or do I need any other installation from OIM in order for it to work?
  Thanks in advance for answering this post : )
  CMT

  Hi,
  I am not sure that you are correct.
  In the meantime, some one mentioned a white paper to read: "Directory Services Integration with Database Enterprise User Secuirty. In page 10 it mentions a scenario: EUS deployment using Active Directory and OVD
  (without OID).
  The cons mentioned are: Need to extend AD schema to include EUS meta-data (which I am not sure how its done).

• User roles from external active directory

  Hi,
  I am using my own active directory and not the embedded LDAP on weblogic.
  On weblogic server, there the role names and the Provider configured
  at path Home >Summary of Security Realms >myrealm >Users and Groups > Groups tab
  The provider is configured at path
  Home >Summary of Security Realms >myrealm >Users and Groups >Providers
  Under 'Provider specific' tab, I have configured the Host, Port, Principal, Credentials etc.
  I want to get these roles for the user who is login to the app.
  I tried to follow the steps on http://biemond.blogspot.com/2008/12/using-weblogic-provider-as.html, However, when I run the 'Configure ADF Security' wizard I don't get the 'Identity Store' and 'LDAP Identity Store'.
  Can someone please guide me on this with the proper steps and some specific jars if required for this?

  I don't think these links are useful for me. Here is what I am trying to do. Not sure this is right way to do this. I am really stuck on this and need quick help. Please help.
    public boolean isInitiatorRole(String userName) {
        System.out.println("++++ Calling isInitiatorRole()");
        boolean hasRole = false;
        Hashtable factEnv = new Hashtable();
        Hashtable storeEnv = new Hashtable();
        IdentityStoreFactoryBuilder builder = new IdentityStoreFactoryBuilder();
        IdentityStoreFactory adFactory =null;
        IdentityStore idStore =null;
        System.setProperty("javax.net.ssl.trustStore", "/xxx/local/apps/oracle/SOA/jrmc-3.1.2-1.6.0/jre/lib/security/cacerts");
        System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
        String   storeLocation1 = System.getProperty("javax.net.ssl.trustStore")!=null?System.getProperty("javax.net.ssl.trustStore"):"###";
        String   storePass1 = System.getProperty("javax.net.ssl.trustStorePassword")!=null?System.getProperty("javax.net.ssl.trustStorePassword"):"###";
  // creating the factory instance
        factEnv.put(ADIdentityStoreFactory.ST_SECURITY_PRINCIPAL,"ABCD");
        factEnv.put(ADIdentityStoreFactory.ST_SECURITY_CREDENTIALS,"*****");
        factEnv.put(ADIdentityStoreFactory.ST_LDAP_URL, "ldap://xxx-xxxx-01.xxx.com:389/");
        factEnv.put("java.naming.security.protocol","SSL");
    // creating the store instance
        storeEnv.put(ADIdentityStoreFactory.ST_SUBSCRIBER_NAME,  "CN=itfusion,OU=Service Accounts,OU=Security,DC=adweb,DC=bmc,DC=com");
        System.out.println("++ AFTER setting prop storeLocation1:"+ storeLocation1 +  "   ++ storePass1:"+ storePass1);
          try {
              System.out.println("++++ TRY LOOP");
  //          System.out.println("++++ User from context: " +ADFContext.getCurrent().getSecurityContext().getUserRoles());
              adFactory  =  builder.getIdentityStoreFactory("oracle.security.idm.providers.ad.ADIdentityStoreFactory", factEnv);
              if(adFactory != null){
                System.out.println("++++ adFactory not null");
              }else{
                System.out.println("++++ adFactory  null");
              idStore= adFactory.getIdentityStoreInstance(storeEnv);
              if(idStore != null){
                System.out.println("++++ idStore not null");
              }else{
                System.out.println("++++ idStore  null");
              User user;
              user = idStore.searchUser(userName);          
                if(user != null){
                    System.out.println("++++ User not null");
                    RoleManager roleManager;
                    roleManager = idStore.getRoleManager();
                    SearchResponse resp;
                    resp = roleManager.getGrantedRoles(user.getPrincipal(), true);
                    System.out.println("++++ IN WHILE LOOP");
                    while( resp.hasNext() ) {
                        System.out.println("++++ IN WHILE LOOP");
                        Identity id = resp.next();
                        String roleName = id.getName();
                        if(roleName != null){
                          System.out.println("Role Name:" + roleName);
                        }else{
                          System.out.println("Role Name is null");
        //                if( roleName != null && roleName.toUpperCase().indexOf("INITIATOR")>0) {
        ////                  if( roleName != null && roleName.toUpperCase().indexOf("XXXXX")>0) {
        //                    hasRole = true;
        //                    break;
                  }else{
                    System.out.println("User is null");
          } catch (IMException e) {
              log.info("??? Error occured while checking the role for Initiator");
          return hasRole;
  }