Target Audience with Domain Security Group

Similar Messages

• Using domain security groups in exchange security groups for Office 365

  Hi
  Is there a way to use O365 domain security groups in O365 exchange security groups. This can be done between O365 domain security groups and O365 SharePoint groups.
  BR // Ille

  Sorry I missed your reply.
  I don't believe there is a way to do this yet, security groups used within exchange need to be mail-enabled security groups, these can't then be edited from the office365 portal, just the Exchange administrative centre portal.
  It looks like you currently still need to keep these separate.
  If you use DirSync and sync from your own domain then it is possible, since you manage the groups from your AD rather than Offfice365, but currently just in o365 there doesn't appear to be a way to do this.
  Regards,
  Denis Cooper
  MCITP EA - MCT
  Help keep the forums tidy, if this has helped please mark it as an answer
  Blog: http://www.windows-support.co.uk 
  Twitter:   LinkedIn:

• Item level targeting not hitting nested security group

  Hi guys,
  Got two security groups (A & B). Group B is a member of A.
  We've applied item level targeting with security groups. We've chose a bunch of drive maps to apply to Group A (which I was hoping would apply to Group B also.
  The drive maps appear for the users of Group A but not Group B. Is this expected behaviour?
  Any help appreciated. Thanks

  Hi guys,
  Got two security groups (A & B). Group B is a member of A.
  We've applied item level targeting with security groups. We've chose a bunch of drive maps to apply to Group A (which I was hoping would apply to Group B also.
  What is your forest functional level? I am not sure, but if I recall correctly if your forest functional level is 2008 R2, I guess you should experience no problems. Otherwise you need a workaround solution like a custom script and etc.
  Mahdi Tehrani   |  
    |  
  www.mahditehrani.ir
  Please click on Propose As Answer or to mark this post as
  and helpful for other people.
  This posting is provided AS-IS with no warranties, and confers no rights.
  How to query members of 'Local Administrators' group in all computers?

• Terminal Server Licensing Problems with GPO Security Group License Server

  Hello,
  I have two fresh installs of W2K12R2.
  One is RD Session Host and the other one is the License Server. Everything is fine until I active the GPO Security Group License Server. After that the License Server gives no licenses
  to die clients (we have User und Device CALs). TS Licensing Diagnostic’s shows no errors, the number of available licenses is displayed correctly, even the state of GPO Security Group License Server is correctly shown as "active" and die
  Membership in the Group "RDS-Endpointserver" is "Yes". Eventlog shows no Errors. Log in on the session host is even possible, maybe because the RDS-Service is in evaluation time.
  If the GPO Security Group License Server is disabled again, the server starts to serve licenses as expected.
  I don’t know what I can do anymore, never had problems with exact the same setup under W2K8, but with W2K12 is the second time I notice this issue.
  Thanks for your ideas,
  Andreas

  Hi Andreas,
  Thank you for posting in Windows Server Forum.
  Sorry to inform but there is no official document for server 2012 related to this event, you can go through below article for reference.
  You cannot use a security group to add computer accounts to the Terminal Server Computers group. You must add each computer account explicitly. To verify whether an RD Session Host server is allowed to request RDS CALs from the Remote Desktop license server,
  you can use the IsSecureAccessAllowed method of Win32_TSLicenseServer class. For more details about this method, click here.
  1. License Diagnosis tool returns error "License server <computer name> cannot issue RDS CALs to the Remote Desktop Session Host Server because the 'License server security group' Group
  Policy setting is enabled."
  2.Control the Issuance of RDS CALs
  Note: You should only enable this policy setting when the license server is a member of a domain. You can only add computer accounts for RD Session Host servers to the RDS Endpoint Servers group when the license server is a member of a domain.
  Hope it helps!
  Thanks, 
  Dharmesh

• How to checkin document with 'Projects' security group

  Hi everyone,
  i want to checkin a document thru a java class, and set it to Projects security group, also i want to set folder, userlist, grouplist...
  Does anyone know how to define these things in java class before execute the CHECKIN service, or there are any extra service needed to run?
  Thanks

  Hi
  I am putting the snippet on how to do a checkin for content RIDC :
  public class TestRIDCCheckin {
  * @param args
  public static void main(String[] args) {
  // Create a new IdcClientManager
  IdcClientManager manager = new IdcClientManager ();
  try{
  // Create a new IdcClient Connection using idc protocol (i.e. socket connection to Content Server)
  IdcClient idcClient = manager.createClient ("idc://hostname for ucm:intradocserverport");
  // Create new context using the 'sysadmin' user
  IdcContext userContext = new IdcContext ("sysadmin");
  // Create an HdaBinderSerializer; this is not necessary, but it allows us to serialize the request and response data binders
  HdaBinderSerializer serializer = new HdaBinderSerializer ("UTF-8", idcClient.getDataFactory ());
  // Databinder for checkin request
  DataBinder dataBinder = idcClient.createBinder();
  dataBinder.putLocal("IdcService", "CHECKIN_UNIVERSAL");
  //dataBinder.putLocal("dDocName","TestRIDCCheckin");
  dataBinder.putLocal("dDocTitle", "Test RIDC Checkin");
  dataBinder.putLocal("dDocType", "ADACCT");
  dataBinder.putLocal("dDocAccount", "");
  dataBinder.putLocal("dSecurityGroup", "Public");
  dataBinder.addFile("primaryFile", new File("/home/oracle/cis"));
  dataBinder.putLocal is used set the metadata and details for the content .
  Hope this helps
  Thanks
  Srinath
  Edited by: srinathmenon on Aug 20, 2010 1:23 PM

• New security group then added into either built in administrator or domain admin group

  I am having windows 2012 R2 DC so i need to create administrator group please let me know if we create new security group then added into either built in administrator or domain admin group it will work? i have tried but not working any other alternative
  methods to get admin access

  Controlling local group membership could be done by GPOs:
  Using Group Policy Restricted Groups: http://social.technet.microsoft.com/wiki/contents/articles/20402.active-directory-group-policy-restricted-groups.aspx
  Using a startup script that adds a domain group as member of a local group: http://technet.microsoft.com/en-us/library/bb490706.aspx
  If you have manually added a domain security group to local Administrators group of a computer and you still see that the members are not admins then you can do the following:
  Logoff and logon again and see if that helps
  If you are using a universal group then you be having a problem with the membership. More details here: http://www.windowsdevcenter.com/pub/a/windows/2004/06/15/fsmo.html. You can try converting the group to a global one for testing.
  Adding a user to Domain Admins group will make you, by default, a local administrator on domain-joined Windows Systems. This is because, domain admins are, by default, members of local Administrators group. However, you should make the membership of Domain
  Admins group very limited and only for users who do global domain administration.
  This posting is provided AS IS with no warranties or guarantees , and confers no rights.
  Ahmed MALEK
  My Website Link
  My Linkedin Profile
  My MVP Profile

• How to see/use Target Audience column in SharePoint Designer Workflow (SharePoint 2013 Online, Designer Workflow)

  Hello,
  I'm attempting to use use the Target Audiences field in a SPD 2013 workflow, in this case just attempting to log the value to history for testing purposes.  This is failing saying the column does not exist.
  I enabled Audience Targeting on the list then create a simple workflow to log the value to history when the item changes.
  I change an item and the workflow starts, but when it gets to any action looking at "Current Item:Target Audiences" it stops and says:
  HTTP BadRequest to <site url>/_api/web/lists(guid'XXXXXXXX')/Items(4)?%24select=ID%2CTarget_x0020_Audiences 
  The field or property 'Target_x0020_Audiences' does not exist. 
  But it does.  It is listed in the list setting and enabled for the content type.
  I ran the listed API through an API program and sure enough, Target Audience is not listed in the results object.
  I'm 99% sure I've enabled this and that the field is present and the workflow is valid.  I ran the same situation on two lists to ensure it wasn't a hiccup, same results.
  Is this a know issue?  I couldn't find anything obvious online saying you cannot see this field via workflow, most of what i found said this would work.
  Thanks an advance for any input.

  Thanks so much Lisa, for the clarification.
  I understand what you have explained, and have seen several similar explanations that have lead to my confusion.  Can you elaborate a bit, maybe for the sake of future information seekers?
  I understand that audiences can be defined using the rules operations in Central Admin, but it seems another standard function is to just directly assign existing SharePoint groups.  I think this is what you mean above, but this is also the point of
  my misunderstanding.
  In this particular setup I have only used existing SharePoint groups with no audiences defined in Central Admin.  List Item A has a target audience of SharePoint group X, just that simple of a setup.
  Assuming the above is valid, I would then like to see or alter the groups via SPD workflow.
  Based on the following posts, I was under the impression this may be possible (but obviously not fully clear and thus I posted this):
  https://social.msdn.microsoft.com/Forums/sharepoint/en-US/5eb984ba-55a3-4da7-a904-c34b2fece84c/how-do-i-set-the-target-audience-using-sharepoint-designer-workflow
  http://www.sharepoint-tips.com/2011/01/setting-target-audiences-with-code.html
  (sorry about lack of links, my account must still require verification)
  So in SPD, I set a simple action such as "Log Current Item:Target Audience to history" (note the I am able to select target audience in SPD like any other field with no errors).  At this point I am assuming everything is valid as SPD is treating
  the field like any other string field.  When executed the error in the above post comes up.
  So to confirm your explanation, this is not supported?  Even though the field is available for selection by design, it is not capable of use and known to produce errors in all cases of its use?  The first post above is 100% wrong and you cannot
  use SPD to set/view the target audience field?  The second post is also wrong as it seems to present the fields as available for alteration using string concatenation?
   If in fact the field is present by design, but also impossible to use by design, is this potentially a bug as the field is not supposed to be available if it will always produce the error when used with no error in SPD during compile?
  Thank you again for the reply and I hope we might be able to provide a rock solid answer to this for future seekers. 

• AD security group issues in SharePoint 2013 Integrated Mode

  Hello,
  Sorry if this is the wrong forum, I'm not sure if this is a SharePoint issue or a Reporting Services configuration issue (or if it should be in a SharePoint forum regardless).
  I have SSRS2012 on SharePoint 2013 in integrated mode. We are doing item level permissions, which means we have an AD security group Reports-All with
  Read to the Reports document library, then each actual report has unique permissions. We have a report with the ProjectManagers AD
  security group on it with Read (plus some other stuff to let them manage subscriptions), and another AD security group ProjectUsers with
  just Read access so they can open the reports. The data source used by this report has the AD security group I mentioned before, Reports-All,
  with Read.
  At a SharePoint level, things appear to work. When a user in ProjectManagers or ProjectUsers browses
  to the library, they see only the 3 reports that those two security groups have permission to see (out of a lot more in the library). That means SharePoint is reading those security group memberships correctly as far as I can tell.
  The issue is when a user in ProjectManagers or ProjectUsers clicks
  on a report, they get a reporting server based error message, and the ULS logs have an error specific to the user trying to run the report.
  Microsoft.ReportingServices.Diagnostics.Utilities.AccessDeniedException: The permissions granted to user 'MyDomain\MyUser' are insufficient for performing this operation. (Fault Detail is equal to Microsoft.ReportingServices.ServiceContract.RsExceptionInfo)
  If I add that specific user with Read permissions to the report and the data source, they are then able to run the report without errors. It seems like some Report Server component is not liking the fact that I'm using security groups. 
  Has anyone seen this behavior with AD security groups? Any ideas on why my environment does not want to work properly with those even though AD security groups are working fine for other non-Reporting Services files?
  Thanks,
  Aaron

  Hi aaronzott,
  According to your description, you configured SSRS 2012 of SharePoint integrated mode. You added read permission to reports and data source to AD security group Reports-All, then added just read permission to ProjectManagers and ProjectUsers groups. When
  users in ProjectManagers or ProjectUsers groups click report, the error message occurred. After you added Read permissions to the report and the data source to the groups, they can preview the report without errors.
  Report definition permissions are defined through List permissions on the library that contains the report, but we can set permissions on individual reports if we want to restrict access. Set properties on a report including data source connection information,
  processing options, and parameter properties. Edit Items on the library that contains the report or on the individual report. We also need to have view permissions on a shared data source (.rsds) to select it for use with the report.
  For more information about Set Permissions for Report Server Operations in a SharePoint Web Application, please refer to the following document:
  http://msdn.microsoft.com/en-us/library/bb326286(v=sql.110).aspx
  If you have any more questions, please feel free to ask.
  Thanks,
  Wendy Fu
  If you have any feedback on our support, please click
  here.

• SAML 2.0 and AD Security Group Membership

  In ADFS 2.0, as a part of the token, I can pass the AD
  security groups the user is in. Does SAP SSO have the ability to send and
  receive SAML 2.0 tokens with AD security group membership?

  Hi Jeff,
  SAP SAML 2.0 Identity Provider is able to include any group (or role) assignment of the user (available in the NetWeaver AS Java UME) as SAML Attribute in the generated SAML 2.0 Assertion.
  These group assignments of the user can be local (maintained in local UME database) or remote ones if the UME is configured with other Data Source.
  So in order to be able send the AD group assignments of the user you need to change the NetWeaver UME Data Source to your AD. More information how to do that you can find at this page: Identity Management - SAP Library.
  Then in your Identity Provider you can configured so called "Authorization-Based Assertion Attributes" in the "Identity Federation" tab of your trusted Service Provider configuration. An example with such attributes is provided at this page: Configuring Identity Federation with Transient Users - Identity Provider for SAP Single Sign-On and SAP Identity Managem… (although the page is for Transient federation these attributes are supported for all supported NameID formats).
  Regarding the receiving part:
  In SAP SAML 2.0 Service Provider of NetWeaver AS Java received SAML 2.0 Attribute can be either assigned to any UME attribute of the authenticated user, or to be used in rules that assign specific role(s) or group(s) to the user. For more details see these pages: Configuring Federation Type Persistent Users (Advanced) - User Authentication and Single Sign-On - SAP Library and Configuring Federation Type Virtual Users - User Authentication and Single Sign-On - SAP Library
  Regards,
  Stefan

• Domain Admin Group account for installing BHOLD Core

  I was trying to install BHOLD Core on a test lab setup. Technet documentation says that to install BHOLD Core, you should login with an account which is a member of Domain Admin Group. Is this mandatory? If only Model Generator is required, should we still
  login with Domain Admin Group account? Can somebody clarify?

  Hi
  Yes you can login to the server with an account that is part of that group.
  Hope this helps. Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

• How can I diagnose or resolve missing AD groups for target audience rules

  Hello everyone,
  I'm having some problems with the target audiences I have set up in my SharePoint 2010 farm. I have set up a single rule for each target audience in Central Administration, pointing to a group in Active Directory. Up until a couple of weeks ago I had no
  problem using the people picker to look up AD grups and everything seemed to be working, but now I am suddenly not able to find any groups in AD.
  The User Profile Synchronisation is running without any errors. I have already performed a full synchronisation and compiled all audiences with no luck. I have also checked the property called peoplepicker-searchadforests with stsadm and that appears to
  be correct as well. If I try and look up the same AD group in a peoplepicker on one of the site collections it is immediately displayed with no errors. All of the AD groups I'm using are global security groups and the ULS log contains no errors from when the
  target audience compilation started until it ended.
  What puzzles me is that AD groups on our test environment can be found in the peoplepicker in Central Administration without any problems, despite the fact that the target audience rule fails with the message "Non-existent Membership group...".
  It would seem to me that SharePoint does not look up the security groups directly in AD but rather somewhere else - a lot of posts suggests that SharePoint stores information about target audience it in the ProfileDB but I haven't been able to find which table.
  I know I'm leaving out a lot of other details but what I really need to know is how I can investigate this issue further, e.g. does SharePoint in fact look up the groups in the ProfileDB and if so from what table? Is there any kind of tool or technique I
  can use to actually see what happens in SharePoint from the moment I try and search for an AD group in the people picker?

  Hi SharePointMC,
  Thank you for the info - I didn't know about $wa.PeoplePickerSettings :-)
  I have compared all the properties from PeoplePickerSettings between our prod- and test environment and the only difference I found was that the domain was added to "distributionlistsearchdomains" on prod but not on test. Adding the value in test did not
  reproduce the issue though.
  I'm not sure if I can see somewhere which account was used to set up the people picker but the account I used to look up AD-groups is not locked out and there is no filter set for peoplepicker-searchadcustomfilter. If there is a way to see which account
  was used to set up the people picker I would very much like to know.
  However I did manage to find some clue in the profile database. It turns out that querying the MemberGroup table I was able to locate all target audiences on our test environment (not counting the "all site users"), but I was not able to find any of the
  groups in prod. If the peoplepicker is indeed looking for the AD groups in ProfileDB then that might explain why I cannot find any groups.
  The question is how I can persue this further - how does SharePoint update the Profile database and what would be a good place to look for any errors?

• Navigation links are visible to all groups even after applying specific target audience group in to links at sharepoint 2010 publishing site

  Hi ,
     Any one please help me on why the global navigation links are visible to all group users  even after applying a specific target audience group to the link. I Checked , User profile service  and User profile synchronizing services
  and they are running fine. Test environment is running fine even both the services are not running. Please let me know is any relation should be there between target audience and User profile services?
     I am wondering that the Target Audience is not working in global navigation suddenly in production server and the same is working in test server.
  Thanks & Regards,
  NareshRaju YV,
  Infosys.

  Hi NareshRaju,
  Did you add SharePoint Groups to Target Audience ? if yes please refer http://social.technet.microsoft.com/Forums/sharepoint/en-US/7862f182-c6a2-4d2e-9025-b11514575ac3/audience-targeting-for-navigation-link-issue?forum=sharepointgenerallegacy and
  you will get solution
  Let us now if this helps, thanks
  Regards,
  Pratik Vyas | SharePoint Consultant |
  http://sharepointpratik.blogspot.com
  Posting is provided AS IS with no warranties, and confers no rights
  Please remember to click Mark As Answer if a post solves your problem or
  Vote As Helpful if it was useful.

• Can I get the members of Domain Users group (AD specific) with JNDI?

  Hi All,
  I've found these forums very helpful and full of great information, I've been able to retrieve all members of groups that I search for (from the information on this forum), and get the member's attributes such as email addresses through that.
  The question I have is, is there a way to query the Domain Users group, since it's a special group in Active Directory, and retrieve the members of it? So far I have been unsuccessful. Here's a query I found that works on .Net:
  (|(&({ClassFilter})(memberOf={GroupDistinguishedName}))(distinguishedName={G
  roupDistinguishedName}))
  I haven't been able to get it to work with JNDI however. Can anyone point me in the right direction?
  thanks,
  Matt

  It's not so much that the Domain Users is a special group, it's more that because by default, all users have their Primary Group set to Domain Users, that it appears to behave differently.
  So the query that you're trying to execute via JNDI, would be something like:String searchFilter = "(&(objectClass=user)(memberOf=CN=Domain Users,CN=Users,DC=Antipodes,DC=Com))";And of course if everything has been left to defaults, it doesn't return any results.
  Similarly if you look at the member attribute of Domain Users, it will be empty.
  Assuming the defaults, and every user's Primary Group is set to Domain Users, the following query would return all the user's whose primary group is Domain Users:String searchFilter = "(&(objectClass=user)(PrimaryGroupID=513))";Note that 513 is the Relative ID (RID) for Domain Users.
  Now if you set a user's Primary Group to be something other than Domain Users, then the Domain Users group would now have a value
  for it's member attribute and conversely the respective user would now have Domain Users as one of the values of their memberOf attribute.
  So then your query would be something like:
  String searchFilter = "(&(objectClass=User)(|(memberOf=CN=Domain Users,CN=Users,DC=Antipodes,DC=Com)(PrimaryGroupID=513))){code}
  I guess the fundamental question, is why do you need to determine whuch users are members of Domain Users ?
  If this is for usie in an application, where the user has authenticated and you are using group membership to make authorisation decisions, perhaps the constructed tokenGroups attribute may be more useful  as it contains the Security Identifiers (SID) for all the groups the user is a member of ?                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           

• ASA5505 and AD with security group

  Hello,
  i have configured ASA5505 with VPN and with AAA from Active Directory. How i can define Security Group? Now everyone from domain can connect to VPN tunnel. But i need specify users in Security Group in AD.
  regards
  Tomas

  Hi Tomas,
  Please see the document /docs/DOC-9361 In this example, you have to replace "radious.25" with "Idap.memberOf"
  Let us know if you have any more questions.
  Thanks,
  Cisco Moderation Team

• New Group Policy not working on 2008 RDS in 2012 Domain - Security Filtering problem?

  We have a Windows 2008 R2 RDS in a Windows 2012R2 Domain. We want to lockdown the 2008 RDS for Domain users that we have added to a new  security Group--named "Data Collection Users". These users are "Domain Users" and login to the
  2008 RDS using Windows XP SP3 machines to run a specific application -they do not use their local desktops for anything. WE added this group to the local RDU group on the RDS.  We do not have any other users that login to the RDS through terminal,
  including any Domain Admins.
  So far we have done these steps:
  On the DC, created new OU (called Terminal Servers) and moved the RDS into it.
  Opened Group Policy on the DC, and under GP Objects, created a new policy called "TS Users Lockdown".
  Linked the Policy to the OU.
  Under Security Filtering we removed the Authenticated Users, added the RDS computer account (called QS2), added the "Data Collection Users" and chose Allow for "Read" and "Apply Policy"
  Under Security Filtering, for Domain Admins, we chose Deny for "Apply Group Policy"
  We edited the Policy (under Computer Configuration>AT>SYS>GP) to Enable Loopback processing - Replace mode.
  We first tested the policy by trying to remove the "Run" from startup menu and "prohibit access to Control Panel".
  We ran the Group Policy force update from within GP Management - ran successfully.
  We did not reboot the RDS.
  Neither of the settings we tried in Step 7 worked.  Why Not?
  Here are images from the Security Filtering:

  Ok--Do I reboot the RDS or the DC?  or both?
  Does it look like my Security Filtering is correct?  I have seen posts where you should not remove the "Authenticated users"?