Transformer tags and checking user group memberships

Similar Messages

• AD - import users and check AD group membership

  Hi I'm relatively useless with PowerShell and I am wanting to write a script that will do the following and am just getting stuck with part B.
  Part A- import a list of users from a CSV
  Part B- check if the users are members of an ad group and if so remove from group A and add to group B 
  Can anyone point me in the best direction ? that would be amazing.

  Hi,
  I happen to have something already written that will do what you're after:
  Import-Csv .\userList.csv | ForEach {
  $userDetails = Get-ADUser -Identity $_.Username -Properties memberOf
  If ($userDetails.memberOf -contains 'CN=Test Group 1,OU=Security Groups,DC=domain,DC=com') {
  Remove-ADGroupMember -Identity 'Group A' -Members $userDetails.SamAccountName -Confirm:$false -WhatIf
  Add-ADGroupMember -Identity 'Group B' -Members $userDetails.SamAccountName -Confirm:$false -WhatIf
  This will require in input CSV file with a header of Username that contains the usernames to test. You'll also need to update the names of the groups for 'Group A' and 'Group B' along with the DN of the group to test against.
  Remove the -WhatIf parameters from the Remove/Add lines if you're happy with what you see in the output.
  Don't retire TechNet! -
  (Don't give up yet - 12,830+ strong and growing)

• What  is difference between user group and reference user group?

  hi
  guys,
          what  is difference between user group and reference user group? 
  your regards
    p.suresh

  Hi ,
  Chk the link below for your clarifiacation.
  http://help.sap.com/erp2005_ehp_03/helpdata/EN/5c/c1c81c445f11d189f00000e81ddfac/frameset.htm
  Hope it helps.
  Regards,
  Amit
  Edited by: Amit Kotwani on Sep 2, 2008 2:15 PM

• Higher Education and Research User Group Meeting 2009 - Presentations

  All,
  please note the new blog on the BPX for Higher Education entry page. It provides the link to the presentations shown at the Higher Education and Research User Group (HERUG)  Meeting of this year. In addition the event schedule informs about the planned 2010 User Group Meeting in Singapore.
  http://www.sdn.sap.com/irj/bpx/highered
  Tina
  Edited by: Tina Bach on Nov 16, 2009 3:31 PM

  Ray.R wrote:
  When we did ours in Ottawa, we had Laura place it on top during the week of the meeting.
  And by having people like us post to this thread, it keeps bumping it up.
  pssst... Ray, its up there already! She is everywhere!
  Thank you Laura!
  Ben
  Ben Rayner
  I am currently active on.. MainStream Preppers
  Rayner's Ridge is under construction

• Defference between usergroup and reference user group

  Hi,
  Please any one tell me the defference between usergroup and reference user group.
  Thanks,
  hcm

  Please make use of forum search.
  Donnie

• User Group Membership change Alert

  As a system administrator, I will like to be alerted when a user's group membership has changed on the domain. Can Spiceworks compare the imported memberships in its database with AD and alert me when they do not match? Below is an image of the information that SW imports which could be used for this comparison.
  This topic first appeared in the Spiceworks Community

  Assuming you know the dn of the groups to remove the person from and add them to, and the dn of the person to move, you should be able to do something similar to:
  Attributes attrs = new BasicAttributes(true);
  Attribute uniquemember = new BasicAttribute("uniquemember");
  uniquemember.add("uid=user,o=domain.com"); //add user to move to attribute
  attrs.put(uniquemember);
  DirContext ctx = //connect to your ldap dir
  try{
       ctx.modifyAttributes(groupToRemoveFromDN, ctx.REMOVE_ATTRIBUTE, attrs);
       ctx.modifyAttributes(groupToAddToDN, ctx.ADD_ATTRIBUTE,attrs);
  catch (NamingException ne) {
       //return error appropriately
  try{
       ctx.close();
  catch (NamingException ne) {
       //do what you want with error
  }You also might want to check out the JNDI tutorial at http://java.sun.com/products/jndi/tutorial/index.html
  --Nicole

• Extracting user group membership to a spreadsheet - tip?

  Hello,
  This is a tip that works for me.
  Sometimes I need to extract the Group Membership names for a user or users.
  What I do is have PTSpy running when I find their name from an administrative search. Clicking on the user name opens up the EDIT USER page where you can see the users groups.
  At this point look in PTSpy for the line:
  Create query: '/* QUERY_DYNAMIC_USERGROUPS:ANSI */ SELECT DISTINCT(a.ObjectID), a.Name, a.IsLocalized      FROM PTUSERGROUPS a, PTUSERLINKS b      WHERE a.ObjectID=b.GroupID           AND b.UserID=?           AND (b.ISSTATIC=? AND b.ISDYNAMIC=?) ORDER BY a.ObjectID DESC'
  followed by 3 lines:
  setInt, index: 0, value: 0001. <--user ID
  setInt, index: 0, value: 1. <--Static Group Membership
  setInt, index: 0, value: 0. <--Dynamic
  Copy and drop that into SQL Query Analyser, plug in the value provided and save it to a spreadsheet or just copy and paste it.
  If you want find dynamic groups - there is a similar query in the PTspy log - look for the /*QUERY_DYNAMIC_USERGROUPS:ANSI
  in PTSpy log
  If anyone has anything else to add - please do!
  Thanks,
  V
  Computers are like Old Testament gods; lots of rules and no mercy. ~Joseph Campbell

  Hi,
  To identify members of a local group by using a command line, refer to:
  1. Open Command Prompt.
  2. To list members of a group, type: net localgroup "groupname"
  Note: You must include the quotation marks.
  For example, export the members of the local group Administrators to a text file named group.txt, refer to:
  net localgroup “Administrators” > C:\group.txt
  You can also write a script as you want.
  Best Regards,
  Nina Liu
  TechNet Subscriber Support in forum
  If you have any feedback on our support, please contact
  [email protected]  
  Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
  Thanks this does seem to work. It does seem that just copying the command does not work because of the quotes, and that you have to manually type the quotation marks into the command prompt, I'm thinking they are picked up as a different character when you
  copy paste from a html page or other document.

• SAML 2.0 and AD Security Group Membership

  In ADFS 2.0, as a part of the token, I can pass the AD
  security groups the user is in. Does SAP SSO have the ability to send and
  receive SAML 2.0 tokens with AD security group membership?

  Hi Jeff,
  SAP SAML 2.0 Identity Provider is able to include any group (or role) assignment of the user (available in the NetWeaver AS Java UME) as SAML Attribute in the generated SAML 2.0 Assertion.
  These group assignments of the user can be local (maintained in local UME database) or remote ones if the UME is configured with other Data Source.
  So in order to be able send the AD group assignments of the user you need to change the NetWeaver UME Data Source to your AD. More information how to do that you can find at this page: Identity Management - SAP Library.
  Then in your Identity Provider you can configured so called "Authorization-Based Assertion Attributes" in the "Identity Federation" tab of your trusted Service Provider configuration. An example with such attributes is provided at this page: Configuring Identity Federation with Transient Users - Identity Provider for SAP Single Sign-On and SAP Identity Managem… (although the page is for Transient federation these attributes are supported for all supported NameID formats).
  Regarding the receiving part:
  In SAP SAML 2.0 Service Provider of NetWeaver AS Java received SAML 2.0 Attribute can be either assigned to any UME attribute of the authenticated user, or to be used in rules that assign specific role(s) or group(s) to the user. For more details see these pages: Configuring Federation Type Persistent Users (Advanced) - User Authentication and Single Sign-On - SAP Library and Configuring Federation Type Virtual Users - User Authentication and Single Sign-On - SAP Library
  Regards,
  Stefan

• Provisionusers.cmd and Migrate users/groups from Planningweb

  Hi
  Is the functionality of Provisionusers.cmd and migrateusers/groups from planning web similar?
  I feel Provsionsuers.cmd is an alternative way to migrateusers/groups from planning web.
  Please correct me if i am wrong.
  Thanks and regards
  krishnatilak

  Hi,
  The provisionusers utility basically syncs planning and essbase with the provisioning of users/groups in shared services.
  If you run the utility and a user exists in shared services but has not been created in the planning database the user will be added.
  If the user does not exist in the essbase security file then they are added.
  If it is a user that exists and has security settings on members in planning then these filters are pushed down to essbase.
  It should also remove users/groups from planning if they have been deprovisioned in shared services.
  Cheers
  John
  http://john-goodwin.blogspot.com/

• Power Users group membership

  Hello.
  When debugging App-V virtualized application (java one), I found that if user is a member of "Power Users" it's VFS written to folder APPV_ROOTS instead of APPV_ROOT, and this user at same time lacks permissions to write to this folder. That causes
  application to crash with IO exception.
  Why this happens and how to fix that?

  Now this is coming back to me.  This actually came up in one of Tim Mangan's classes.  If you look at the AppV5SP2 Application Publishing and Client Interaction white paper it says:
  "The S signifies the restricted location when the virtual service requests the change as a different elevated user from the logged on users. The non-S location stores user based changes."
  My theory is the App-V 5 client doesn't distinguish from the logged on user who has elevated privileges and a different user with elevated privileges.  See this example as further evidence.
  Using Tim's AppV Personalization tool to track the whole COW stuff, here are 2 screenshots, the first of an admin, the second of a standard user (not power user, just user)
  ADMIN
  A key written inside the VE to HKLM actually went to a COW location in  HKLM.  The filewrite to the PVAD location went to APPV_ROOTS
  USER
  In the same test repeated with a non admin user, the registry write went to the HKCU COW location, and to APPV_ROOT.
  I couldn't convince my group here to put in a MS ticket for this as it doesn't affect us currently, but to be honest I'm surprised more people aren't having issues with this.  This issue would also mean users with admin rights can't roam writes to HKLM
  properly in a VDI scenario.
  If I had to guess Power Users makes the client believe it is an elevated request, but the DIR requires admin rights to write to.  If you inspect the permissions on the APPV_ROOTS folder you may be able to confirm that.
  The short answer for you would probably be to update the package to HF4 with VFS write enabled and see if that resolves your issue.  If you can, a call to MS would be a good option also.

• Getting firstnames and surnames from group membership in AD

  Morning guys..
  I am trying to get a list of the firstname and surnames that are currently in a group on ad.
  I am currently using the following command but I want to tidy it up a bit.
  At the moment I am getting a table with a load of stuff I don't want or need, what pipelining command can I use to only show the first and last names of the accounts?
  This is the command I have so far..
   get-adgroupmember "EXT_Information_Exchange_MODIFY" | format-table | format-wide
  Many Thanks!

  I'd suggest you use the following command:
  get-adgroupmember EXT_Information_Exchange_MODIFY | Get-ADUSer | Select GivenName, SurName
  But this will give you errors where the member is not a user. Therefore this command is better (it filters the pipeline to only user objects):
  get-adgroupmember EXT_Information_Exchange_MODIFY | ? { $_.ObjectClass -eq "user" } | Get-ADUSer | Select GivenName, SurName
  Then you can add your Format-Table commands etc.

• Dulpicate and rename User/Groups

  Whitin the administration it's possible to duplicate a group or user, but I also want to change the name. How can i do this?
  What i actually want is 25 groups with different filters on the same fields.

  Check the following post, it will give you a good start I think: http://oraclebizint.wordpress.com/2008/04/08/oracle-bi-ee-101332-automating-import-of-usersgroups-into-repository-using-udml/

• Custom Install of Acrobat, how to enable / disable Office plugin based on User group membership

  Hi,
  Just configuring Adobe Acrobat X (10.1.5) on Citrix Xenapp 6.5 (Win 2k8 R2)
  I've set up a cusom install and have already removed the context menus and a few other bits and bobs.
  I wondered if it was possible to essentially add the Office plugins in but only for certain users.
  I've removed the plugins successfully by turning off the 5 / 6 features (IE, office , outlook etc)
  Now I just wondered what files / registry entries I could create on login (using Group policy preferences etc) which will add the plugins back in.
  Thanks
  Chris

  okay no replies yet but I've just removed the office / IE features for now, adding the context menu items in for specific users is working good enough at the moment. if anyone does know how to do this just reply to this at any point i'll pick the mail up.
  thanks

• How to verify user LDAP group membership

  Hi,
  we are attempting to determine if a user is a member of a specific LDAP group in our directory and if the user is a member it should return TRUE else FALSE (this is done by defining the LDAP attribute 'CN' (property) which returns a result 'CN=<UserName> or returns 'getting 0 entries'. The query we have is
  (&(cn=<username>)(memberOf=CN=<groupname>,DC=domain,DC=com)).
  Any pointers on how to do this ?
  Thank you.

  You could do a couple of things...
  1) Install dsquery (add remote AD tools to your box) and run something like
  dsquery group -u <user name>
  Username would be their login name, yours is "swaupadh" for example. This would return a listing of all the groups they are in and you could regex through that output for the group you are looking for. Use either the Execute Powershell or Execute Windows Command activity here.
  2) Use powershell functions and powershell capability to check for group membership, something like this:
  function Get-GroupMembership($DN,$group){
      $objEntry = [adsi]("LDAP://"+$DN)
      $objEntry.memberOf | where { $_ -match $group}
  //EXAMPLE CALL
  Get-GroupMembership "Cn=kazun,dc=contoso,dc=com" "Backup Operators"
  Then you can regex through the output for the "True" or "False" word and run with that.
  Either should get you what you want.

• Samba winbind and group membership.

  I have a Solaris 10 (update 4) box (x86) that is joined to an active directory via samba/winbind.
  The users are working fine however their group membership is not.
  Users that should be members of certain groups do not seem to be: in that if I run
  "groups" and check the group member ship for myself I am missing entry of some groups yet I can verify that I should be a member of that group by running getent group "domain\\group name" and seing my username entered.
  winbind has the following parameters set
  winbind enum users = yes
  winbind enum groups = yes
  winbind nested groups = yes
  I am at a loss as to why it picks up some groups and not others.
  Has anyone come across something similar or know how to solve this issue?
  Regards,
  James

  Hi,
  I know this thread is very old but unfortunately I'm facing exactly the same problem under Solaris 10 Sparc. Any ideas? Maybe this issue was solved?
  Regards,
  Oliver