Triggering Group Membership Rules against all users

Similar Messages

• Google drive does not work with specific group but works with all users group!!

  Hi,
  Why Google drive does not work with specific group but works with all users group?
  My rule :  Internal > external > all users = works fine
  But
                 Internal > external > A group = not working !!

  Hi,
  if you require user authentication in Firewall policy rules, the clients must bei Webproxy clients (for HTTP / HTTPS) or TMG clients (for TCP/UDP):
  http://technet.microsoft.com/en-us/library/bb794762.aspx
  regards Marc Grote aka Jens Baier - www.it-training-grote.de - www.forefront-tmg.de - www.galileocomputing.de/3276?GPP=MarcGrote

• OIM Group membership rules

  Hi Friends,
  I want to create groups in oim on the basis of complex rules(It requires some Java coding) but for attaching group membership rule we use Rule Designer and in rule designer we can't user adapter that means no java code.
  What is the solution for this problem?
  One solution could be create entity adapter for group membership and execute it on pre-update.
  Thanks
  Edited by: user10968321 on Oct 28, 2009 7:06 AM

  The entity adapter on the user form in pre or post update mode is the standard way to solve complex membership rules.
  Works well as long as you can accept a slight performance decrease on user updates (including things like password resets). Make sure your code is decently fast.
  Good luck
  /Martin

• *** SPAM *** - rule for all users

  hello.
  is it possible to create one rule to all users that move all emails with *** SPAM *** in subject line to specific folder eg SPAM? or push one rule to all users?
  SLES10+GW8
  regards
  Mirek

  On 3/29/2012 9:36 AM, leroyjjr wrote:
  >
  > Michael Bell;2186127 Wrote:
  >> On 3/29/2012 1:16 AM, mmadej wrote:
  >>>
  >>> Thank you,
  >>> I can change only subject, no add X-spam header.
  >>>
  >>> 3. every user create rule - simple and free
  >>>
  >>> regards
  >>> Mirek
  >>>
  >>>
  >> Well you have more talented users than most. ;)
  >
  > Michael,
  > Will that also work for GroupWise2012 on SLES11/OES11 as
  > well?
  >
  > Leroy Joseph
  > Visual Click Software
  > 'eDirectory Management and Reporting | DSRAZOR for eDirectory'
  > (http://www.visualclick.com/content/d...edirectory.htm)
  >
  >
  will WHICH work?
  1. yes, built into admin snapins, and gwia
  2. yes, but you'll need a windows workstation to run vertigo on, because
  it uses a mixture of soap and admin api, the latter only beig
  available on windows
  3. yes, but it depends on user education.

• OIM 9.1.0.2 Group Membership Removal for Disabled Users

  Hello
  In OIM 9.1.0.2, when a user is disabled, they are removed from the groups they are a member of within 24 hours. i was wondering if this is a set time and if so, can this be extended to a specified time so membership can be left for a week before it is removed from the user. If you can let me know on this I would appreciate it.
  Thanks
  Nick

  Today, when accounts are disabled, within 24 hours all the group memberships are removed on the OIM side. I would like to change the interval for the cleanup so that when an account is disabled, all the existing group (role) memberships stay assinged to the account then after 30 days of the account being disabled, the group (role) memberships are removed. Not sure if this would be an ORM thing or OIM, but I think it would be OIM since ORM still has the role mappings for users when they are disabled.
  Thanks
  Nick

• Mountain Lion upgrade effects mail rules for all users

  After upgrading to Mountain Lion, the mail rules appear to be "shared" for all user on our Mac. When a user adds a rule, everyone sees this rule.  Some mail rules are lost in the process.  How can we fix this?

  If it is hanging on the 'upgrading database' portion please see this discussion and the solution posted by registerednderd at the bottom of the first page.  It worked for me at least to get past the 'upgrading database' hangup and then to import the old messages.
  https://discussions.apple.com/thread/4137441

• After mapping groups, should I deny all users on ACS ?

  I've created and mapped security groups in active directory DomainWirelessOK and DomainVPNOK. I mapped those to ACS_Wireless and ACS_VPN.
  In my production environment, currently all users on ACS authenticate using "Default Group".
  What's the best way to let only users of ACS_VPN and ACS_Wireless have acccess to resources ? Should I "deny" access to Default group ? Is there any specific order you would setup this ?
  Also, if you have suggestions on how I can test this avoiding system disruption please let me know. I thought that I could perhaps include the IP address of few selected Access Points to confirm that mappings work accordingly ?

  Hi
  If you add a 3rd mapping to map everything else to "No access" that would lockout members of other AD groups.
  Additionally, create two NDGs - one for VPN and one for WLAN. In each ACS group you can setup Network Access Restrictions (NARs) such that the VPN group only has access to the VPN NDG and the same for WLAN.
  If a WLAN user authenticated via a device in the VPN NDG they would be rejected & vice versa. This assumes the groups are mutually exclusive which they probably arent. So you might needs to make each of the 2 ACS groups have access to both NDGs.
  Darran

• Retrieving User groups and email for all users in a group

  Hi Everyone,
  I need to create an ADF application to retrieve all the groups in OID, the user would select a group and it should list down all the email addresses in that group.
  Can you suggest what is the best way to achieve this. My main concern is how to retrieve groups and email addresses from OID. I was unable to find APIs for it.
  Your suggestions are greately appreciated.
  Thanks,
  Husain

  In a multi-user environment, a user install a dreamweaver extension,but just the user who install the extension can use it.
  Is there a way that administrator install the extension and make this extension available for other users in multi-user environment(e.g. the Windows 7)
  Dreamweaver had this capability many releases ago, but it has been dropped, so it's no longer available.
  Regards,
  Randy Edmunds
  Dreamweaver Development
  Adobe Systems, Inc.

• AD Group Membership with User From Domain Outside of Forest

  Here's one to twist your brain around -
  I have kerberos authentication using Active Directory working between a client's web browser and my web-app hosted in JBoss. I also have limited authorization working by checking group memberships using LDAP. This currently only works if all users are in the same domain. The ever-helpful adler_steven has detailed in another thread (http://forum.java.sun.com/thread.jspa?threadID=603815&tstart=15) how to do a group membership check for all Users/Groups in a single forest using the Global Context.
  I need to go beyond the domain and even beyond the forest and try to authorize a user from a trusted domain by checking if the user is a member of a group in my domain. Authentication works fine using kerberos. It's the authorization by group check I am having trouble with. I believe there are two ways to approach this:
  Approach #1
  Access the MS-specific PAC in the kerberos token from the client to get the group SIDs. The structure of the PAC is nicely defined in this article: http://appliedcrypto.com/spnego/pac/ms_kerberos_pac.html. However, I have no idea how to access the decrypted token. I pass the encrypted token that I receive from the browser to myGssContext.acceptSecContext(...) to complete the authentication.
  Question: Does anyone know how to get the decrypted kerberos ticket from there, specifically the authorization-data field?
  Approach #2
  Try to walk through the Active Directory structures in both domains using LDAP. In the domain group that I am checking, I can see a member attribute that references a foreignSecurityPrincipal object. The CN of this object happens to be the objectSID of the user I am looking for in the remote domain. Unfortunately, I have to check the remote domain server directly to verify that. The foreignSecurityPrincipal object itself does not contain any hint about what user it refers to aside from the SID (no originalDomainName attribute or something similar). It is feasible that I could walk the chain of references back to the remote domain AD server. That would require that my configuration include a list of remote domain servers to check (since I could have users from multiple trusted domains) and that my JBoss server have access to those servers.
  Question: Does anyone know of some other LDAP-related way of finding information about a user from a remote, trusted domain without having to hit the server for that domain directly?
  adTHANKSvance
  Eric

  You should be able to work back from the foreignSecurityPrincipal object :-) He says with a wry smile..
  This post prompts me to think whether one day someone will draw the entity relationship diagram for AD. Oh well, I've been procrastinating for years, a few more won't hurt !
  If it was a user from within the same forest, you should just be able to perform a search against a GC using the objectSID as the search filter. I've forgotten, but I don't think they will be represented as foreign security principals.
  Have a look at the post titled JNDI, Active Directory and SID's (Security Identifiers) available at
  http://forum.java.sun.com/thread.jspa?threadID=585031&tstart=150 that describes how to search for an object based on their SID.
  Now if it is a user from another forest, with which you have a trust relationship, then we begin the navigation excercise.
  You'll need obtain the user's SID (either from the cn or from the objectSID attributes) from the foreignSecurityPrincipal object. For example CN=S-1-5-21-3771862615-1804478405-1612909269-2143,CN=ForeignSecurityPrincipals,DC=antipodes,DC=com
  objectSID=S-S-1-5-21-3771862615-1804478405-1612909269-2143Then obtain the domain RID, eg.S-1-5-21-3771862615-1804478405-1612909269Next you will have to recurse each of the crossRef objects in the Partitions container, in the configuration naming context (which you will find listed in the RootDSE). The crossref objects that represent trusted domains or forests will have values for their trustParent attributes. A sample query would be something like//specify the LDAP search filter
  String searchFilter = "(&(objectClass=crossRef)(trustParent=*))";
  //Specify the Base for the search
  String searchBase = "CN=Partitions,CN=Configuration,DC=antipodes,DC=com";For each crossRef object, you can then use the dnsRoot attribute to determine the dns domain name of the forest/domain (if you want to later use dns to search for the dns name,ip address of the domain controllers in the trusted domains/forests), and then use the nCName attribute to determine the distinguished name of the trusted forest/domain.dnsRoot = contoso.com
  ncName = dc=contoso,dc=comPerform another bind to the ncName for the trusted domain/forest and retrieve the objectSID attribute, which will be the domain's RID. You may want to cache this information as a lookup table to match domain RID's with domain distingusihed names and dns names.String ldapURL = "ldap://contoso.com:389";
  Attributes attrs = ctx.getAttributes("dc=contoso,dc=com");
  System.out.println("Domain SID: " + attrs.get("objectSID").get());Once you find out which domain matches the RID for the foreignSecurityPrincipal, you can then perform a search for the "real user" .And then finally you should have the user object that represents the foreign security principal !
  Just one thing to note. Assume that CONTOSO and ANTIPODES are two separate forests. If you bind as CONTOSO\cdarwin against the CONTOSO domain, the tokenGroups attribute (which represents teh process token) will contain all of the group memberships of Charles Darwin in the CONTOSO domain/forest. It will not contain his memberships if any, of groups in the ANTIPODES forest. If Charles Darwin accesses a resource in ANTIPODES, then his process token used by the ANTIPODES resource will be updated with his group memberships of the ANTIPODES forest. Also you can have "orphaned foreignn security principal", where the original user object has been deleted !
  BTW, If I was doing this purely on Windows, IIRC, you just use one API call DsCrackNames, to get the "real user", and then the appropriate ImpersonateUser calls to update the process token etc..
  Good luck.

• Extracting user group membership to a spreadsheet - tip?

  Hello,
  This is a tip that works for me.
  Sometimes I need to extract the Group Membership names for a user or users.
  What I do is have PTSpy running when I find their name from an administrative search. Clicking on the user name opens up the EDIT USER page where you can see the users groups.
  At this point look in PTSpy for the line:
  Create query: '/* QUERY_DYNAMIC_USERGROUPS:ANSI */ SELECT DISTINCT(a.ObjectID), a.Name, a.IsLocalized      FROM PTUSERGROUPS a, PTUSERLINKS b      WHERE a.ObjectID=b.GroupID           AND b.UserID=?           AND (b.ISSTATIC=? AND b.ISDYNAMIC=?) ORDER BY a.ObjectID DESC'
  followed by 3 lines:
  setInt, index: 0, value: 0001. <--user ID
  setInt, index: 0, value: 1. <--Static Group Membership
  setInt, index: 0, value: 0. <--Dynamic
  Copy and drop that into SQL Query Analyser, plug in the value provided and save it to a spreadsheet or just copy and paste it.
  If you want find dynamic groups - there is a similar query in the PTspy log - look for the /*QUERY_DYNAMIC_USERGROUPS:ANSI
  in PTSpy log
  If anyone has anything else to add - please do!
  Thanks,
  V
  Computers are like Old Testament gods; lots of rules and no mercy. ~Joseph Campbell

  Hi,
  To identify members of a local group by using a command line, refer to:
  1. Open Command Prompt.
  2. To list members of a group, type: net localgroup "groupname"
  Note: You must include the quotation marks.
  For example, export the members of the local group Administrators to a text file named group.txt, refer to:
  net localgroup “Administrators” > C:\group.txt
  You can also write a script as you want.
  Best Regards,
  Nina Liu
  TechNet Subscriber Support in forum
  If you have any feedback on our support, please contact
  [email protected]  
  Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
  Thanks this does seem to work. It does seem that just copying the command does not work because of the quotes, and that you have to manually type the quotation marks into the command prompt, I'm thinking they are picked up as a different character when you
  copy paste from a html page or other document.

• OIM 11g R2 Group Membership

  Hi All,
  In OIM 11g R2, when i try to manually add a user to a group (custom or OOTB), i do not see the "Assign" button active and with the absence of the assign button, i could not assign a new user to the group. But, I can see that the Create Rule option is active.
  Does this mean that the group membership in OIM 11g can only happen through Group membership rule satisfaction?
  Please help.
  Thanks,
  Srini

  You can manually add an user to a role in OIM 11gR2. Open identity console --> Click on Roles--> Search
  You will get all the roles listed. Select the role to which you want to add a member. Assign tab will be visible under the Members panel layout in the bottom frame.
  When you click on assign the request catalog opens with the selected target user and the role. You can change the target user or add another target user.
  Then click on submit.
  If this process is done through sysadmin login then directly the member is assigned to the role
  Else it will create a request and after approval is completed the member will be assigned to the role.

• Design question: Change Group membership for a AD resource via SelfService

  Hi all,
  based on the OIM tutorials, I designed OIM that way that an end user can successfully request a resource. Is there a way to allow end users to modify their resource "subscriptions"? For example, I would like to allow end users to change their AD group memberships after the initial provision to the resource.
  From what I have learned from the tutorials, I would assume to create an AD group membership attribute in the user account profile form and propagate changes to that attribute back to AD.
  Or is there a way to allow end users to change their resource data directly under "My Resources" ?

  there is no concept of requesting a modification of an already provisoned account. Like you said this can be achieved thru an attribute on the user's profile and on changing that attribute, downstream applications can be propagated the new value.
  Typically if changes to an already proviisoned account needs to be done in oim and through oim, an oim admin goes to the user's resource profile and clicks on edit on the process form and can edit any data there. in case of ad groups, there will be a child process form that shows the groups that the user is a member of, you can insert(add) new groups or delete existing groups from there and save the form. In the proviisoning porcess of AD you will need to write a porcess task, which should add/remove the user from the specified group in AD on the trigger when a new group is added or an existing group is removed wehn the admin is modifying the user's AD process form/process child forms in oim.

• AD Group membership not updating in Sharepoint Foundation when adding Active Directory group to Sharepoint group

  I have Sharepoint Foundation installed with the latest CU updates.  It is running on a VMware box (Windows Server 2008 R2 Standard) with its backend on a SQL Server 2008 R2 vmware box.  The farm account is a domain user and has been given all appropriate
  replication rights, etc to active directory.
  Everything seems to be working fine except for security integrated with AD groups.  When I go to edit permissions I can add individual AD users just fine and remove them just fine and their access is taken away right away or given to them right away.
   I can also find AD groups in the people picker and add them to the site. When I add new groups to AD, they are found immediately within Sharepoint, and when I delete groups from AD, they are taken out of the people picker right away.  Now comes
  the weird part.  When I add an AD group to the site, all users currently within that AD group are given access to the Sharepoint Site.  This works for the first time only.  Now when I add or remove users from the AD groups, it does not update
  in SharePoint.  For example, I have an AD testuser1 in the AD Group "All Users".  testuser1 does not have access to SharePoint.  So I add  the AD group to the Sharepoint group "Visitors".  testuser1 now has read access to the sharepoint
  site.  Now, I remove testuser1 from the AD group, but testuser 1 still has access to the site even though he is not part of the AD group, nor does he have any individual permissions to the site.  Now, I add testuser2 to the ad group.  testuser2
  does not have access to the site, even though he is part of the ad group.
  It seems that the only time AD group security is working for me is when I first initially add the AD group to the site.  From then on, it's like sharepoint is caching the members of the group and not updating any new adds or deletes from the groups.
   Any ideas?  I am lost on where to go from here as I have tried everything from clearing cache files, rebooting servers, iisresets....

  I think I have at least cornered the problem, but am not 100% sure yet that it is the correct answer.  I think it could be 1 of the following 2 scenarios.
  Scenario 1:  We have 3 web applications setup on our web server ports 80 - Our sharepoint Web app, 2020 - Our My Site Web App, 2040 - Our Search Web app.  We are using host headers (http://sharepoint.***.com) instead of a server name.  So
  we setup our access mappings (Central Admin -> Application Management -> Configure Alternate access mappings) to use the host header (http://sharepoint.***.com) as the default mapping and the server name as the intranet access mapping.  By
  setting the default access mapping to host headers, i noticed that Sharepoint automatically assumes that all web apps are on port 80.  You can see this by going to (Central Admin -> Manage Web Applications).  The port listed all 3 web apps on
  port 80.  So I think when I was doing a profile sync and using mysites, it was messing with my AD security because of this.  What I did was the following.  I went to Central Admin -> Manage Service Applications -> [Name of your user profile
  service] -> Setup my sites.  I made sure that my preferred search center had the correct port number on it (mine originally had no port number), that my my site host had a port (again no port number originally), as well as the personal site location.
   I then saved this.
  Scenario 2:  Our user profile sync had 2 BDC connections that were corrupt and throwing errors.  I rebuilt the connections, remapped them to the proper user profile property.
  I did both of these scenarios above around the same time.  I then restarted all my servers, and at last the AD Group security is now functioning appropriately.  I have done multiple IIS resets and server restarts.  The issue has only reappeared
  once.  After restarting the machine again, we were back to the AD groups functioning correctly.  Because we had the issue reappear once after doing the above, I still do not feel 100% sure that either one of the above corrected the issue completely.
  As long as we are up and running currently, I am moving on to other tasks with this project.  My only concern that it will break again and I will have to revisit it is when we restart the servers....which is never fun.  I will update as I find
  a "true" answer to this issue....  Let me know if any of the above helped you or if you find something I may not have thought of.

• Samba winbind and group membership.

  I have a Solaris 10 (update 4) box (x86) that is joined to an active directory via samba/winbind.
  The users are working fine however their group membership is not.
  Users that should be members of certain groups do not seem to be: in that if I run
  "groups" and check the group member ship for myself I am missing entry of some groups yet I can verify that I should be a member of that group by running getent group "domain\\group name" and seing my username entered.
  winbind has the following parameters set
  winbind enum users = yes
  winbind enum groups = yes
  winbind nested groups = yes
  I am at a loss as to why it picks up some groups and not others.
  Has anyone come across something similar or know how to solve this issue?
  Regards,
  James

  Hi,
  I know this thread is very old but unfortunately I'm facing exactly the same problem under Solaris 10 Sparc. Any ideas? Maybe this issue was solved?
  Regards,
  Oliver

• Group Policy for Remote Desktop Users

  Hi,
  Currently my users use desktops and have user and computer GPOs applied (typical things like logon scripts etc.) at the OU level where they reside e.g. Finance Users, Sales Users etc.
  I am planning a Remote Desktop 2012 environment.
  I have read the following:
  TechNet cc779327
  So, my understanding is that I create a new OU for my Remote Desktop Server only (not users), and create a new security Group for my RD Users and a security group for my RD server.
  Remote Desktop Servers OU
             * RD User GPO (filter on RD User security Group and RD Computer Security Group)
             * RD Computer GPO (filter on RD User security Group and RD Computer Security Group)
  I then apply all computer settings to the RD Computer GPO (loopback processing, Windows installer, hide shortcuts etc.).
  I then apply all user settings to the RD User GPO (app specific, templates etc.)
  Why not consolidate the two GPOs into one?
  If I set computer settings in the computer GPO, and apply it as above to filter to the RD Server group and RD Users Group will this apply to only users un the RD User Group...or ALL users since I added the server to the filter?
  If a user currently gets a setting in their normal OU e.g. Finance logon script, will they still get it on the Remote Desktop? Or do I need to copy that GPO setting to my new RD User GPO also?
  Am I right to add both RD Server and RD User groups to the filter on both RD User and RD Computer GPOs?
  Loopback processing - merge or replace typically for Remote Desktop?

  Hi,
  Thank you for posting in Windows Server Forum.
  Create OU for RDS Server in Active Directory. Create security group for users who will use Remote Desktop Host (i.e. RDS Users). Create GPO (i.e. RDS Server Lock Down). In Security Filtering delete Authenticated Users, add RDS Server Account, and the security
  group created in previous step.
  Please check beneath article might useful for better understanding.
  Lock Down Remote Desktop Services Server 2012
  How to secure your remote desktop server with GPO
  Hope it helps!
  Thanks,
  Dharmesh