Trouble Creating Security Groups

Similar Messages

• FIM 2010 R2: Creating Security Groups in portal : OU

  Hi,
  We want to create security groups in the FIM Portal and then sync them to AD. Now the groups could belong to different OUs in AD so is there a way to assign the OU in the portal ?
  Can I customise the "Create Security Group" pop-up to have an input field called "OU" which can then be appended to the account name of the group to come up with the DN ?
  Or perhaps someone has tried some other ideas for this scenario ?
  Thanks

  Hi,
  Take care that you import the DN of the OUs as a string into the portal. DisplayName is good for that for example.
  Add a reference attribute to resource type "group" that will hold the reference to a OU resource type and a string attribute for the OU container.
  After the above steps from @Sylvain ceate MPRs which triggers a workflow on modification of that reference attribute (create of group will also modify this attribute so only this MPR is needed).
  The workflow should than set the string OU attribute ob group (//target/ouStringAttr) with the DN sting of the selected OU resource type, like that: //target/ouRefAttr/DisplayName
  You can then use this ouStringAttr in your outbound symc rule.
  Beside the ouStringAttr solution it is also possible to work with //WorkflowData/String variables that you can use in workflows when applying an outbound sync rule to objects (creating ERE) but I find above solution a bit more easier to implement.
  Regards
  Peter
  Peter Stapf - ExpertCircle GmbH - My blog:
  JustIDM.wordpress.com

• Automatically create security groups from list of OU's

  Here I'm looking to create security groups automatically form the list of OU's available in active directory and add OU users to receptive groups.
  Help me to do this in power shell. THanks in advance.

  Hi,
  You can use Get-ADOrganizationalUnit to get a list of OUs in AD and then use New-ADGroup to create groups. You can then use Get-ADUser with the -SearchBase parameter to find your list of users who exist in the particular OUs. Finally, you can use Add-ADGroupMember
  to add these users to the groups.
  http://ss64.com/ps/get-adorganizationalunit.html
  http://ss64.com/ps/new-adgroup.html
  http://ss64.com/ps/get-aduser.html
  http://ss64.com/ps/add-adgroupmember.html
  Don't retire TechNet! -
  (Don't give up yet - 12,950+ strong and growing)

• File Server Migration - For ORG A Forest to ORG B Forest ( Need to create and Map Security Group automatically on new Migrated Folders - Please Help

  I have two forest With Trust works Fine .
  I have file server in ORG – A ( Forest ) with 2003 R2 Standard
  I have a File server in ORG  - B ( Forest ) With Windows server 2012 ( New Server for Migration )
  I have 1000 + folders with each different permission sets on ORG-A. We are using Security groups for providing permission on the share Folders on ORG A
  I need to Migrate  all the folders from ORG – A to ORG – B.
  I am looking for an automated method of creating Security Groups on AD during the Migration, Once the Migration is Done, I can add the required users to the security groups manually.
  Example.
  Folder 1 on ORG – A has Security Group Called SEC-FOLDER1-ORGA
  I need an automated method of Copying the files to ORG – B and Creating a new security Groups on ORG –B Forest with the same permission on parent and child Folders. I shall Add the users manually to the Group.
  Output Looks Like
  Folder 1 on ORG – B has Permission called SEC-FOLDER1-ORGB ( New Security Group )
  Also I need a summarized report of security Group Mapping, Example – Which security Group on ORGA is mapped with Security Group Of ORGB

  Hi,
  I think you can try ADMT to migrate your user group to target domain/forest first. Once user groups are migrated, you can use Robocopy to copy files with permission - that permission will continue be recognized in new domain as you migrated already. 
  Migrate Universal Groups
  http://technet.microsoft.com/en-us/library/cc974367(v=ws.10).aspx
  If you have any feedback on our support, please send to [email protected]

• Security Group Creation in Specific OU and Create Network Share For the Security Group

  Hi,
  We would really want to create a PowerShell script that creates a specific Security Group within a selected Organisation Unit.
  Brief Scenario;
  We have created several Organisation Units. Each Organisation Unit contains another Organisation Unit called users. 
  +OU=Netherlands
  ++OU=Company A
  +++OU=users
  ++OU=Company B
  +++OU=users
  And so forth.
  If we run the PowerShell script it should create a list of all the Companies in container Netherlands. After the list is created it creates an output like 1. Company A; 2. Company B. (Forearch ..)
  The script asks for user input where to create the Security Group. If user selects option 2, a security group Called "Company B" is being created. All the users located in the Organisation Unit users within Company B are joined to that group. (Sets
  option 2 as a value like Security Group = "$Company B", create Security Group "Universal, Global (option), and get all users from container users and join them)
  Then without user interaction a share is being created. Granting Domain Administrators full access and the Security Group which has just been created.
  Is somebody able to help me with this kind of script?
  Thank you in advance,
  With kind regards,
  Danny Locorotondo

  Already gathered some information. Have this as a result. Now I need to figure out how to put the results into a list, so the user can select the group. As far as now I am stuck.
  Import-Module ActiveDirectory
  Function SelectCollectionRelease 
      [CmdletBinding()]
      Param
          [Parameter(Mandatory=$true,
                     Position=0,
                     HelpMessage='Enter the Release of the Collection. By example: Alfa,Beta or Charlie')]
          $CollectionRelease
      IF(!$CollectionRelease)
          write-host "`n You did not select a proper Collection Release" -foregroundcolor "red"
  SelectCollectionRelease 
      Elseif($CollectionRelease)
      [string] $OUPath = "OU=$CollectionRelease,OU=VDI,OU=carsystems,DC=carsysdev,DC=local"
  if (!([adsi]::Exists("LDAP://$OUPath"))) 
  write-host "`n Collection Release does not exists" -foregroundcolor "red"
  SelectCollectionRelease 
  else
  write-host "`n Collection Release exists." -foregroundcolor "green"
  write-host "`n Selected $OUPath ..." -foregroundcolor "yellow"
  Get-ADGroup -SearchBase "OU=$CollectionRelease,OU=VDI,OU=carsystems,DC=carsysdev,DC=local" -filter {GroupCategory -eq "Security"} | Format-List -Property Name
      Else
          //$SecurityGroup = Get-ADGroup -SearchBase "OU=$CollectionRelease,OU=VDI,OU=carsystems,DC=carsysdev,DC=local" -filter {GroupCategory -eq "Security"} -and (ObjectClass -eq "user")
  SelectCollectionRelease 

• How do I create a group in contacts?

  I am having trouble creating a group email contact list on my iPad2.

  While you can create contact groups on icloud.com, if you want to send emails to an entire group on your iPad, you'll need an app to do this (like Speed Names; I'm sure there are others).

• How to read contents of files that do not fall under public security group?

  Hi,
  I need to read the contents of a WCM based xml file that does not fall under public security.
  The process is like this:
  First the user makes chnages to the content.
  The workflow will be triggred based on the security group metadata that is associated with the content.
  Once the content is finally approved our workflow calls a custom idoc script.
  First we tried directly reading the xml contents from the idoc script which was still in the context of workflow. But since content item is still in workflow I was not able to read the changes. So I created a separate content publisher thread and read the DOC_INFO and checked for the dStatus value. If the value is RELEASED then I reading contents by calling ssIncludeXml idoc script.
  This was working fine for public content. But now the requirement is that all content cannot be public. Content authors should not be able to edit the content that does not belong to their group, So we created security groups (and roles) and are associating that groups to the relavent content.
  Beacuse of this change I am not not able to read the non public content. The call to DOC_INFO_BY_NAME service, which gives all the content files' metadata, is expecting the user to be logged in to give the details.
  I tried calling the CHECKIN service with sysadmin and captured the cookies returned by that service and use cookies for the DOC_INFO_BY_NAME service call. But the service call was faling. It is throing the 401 forbidden error with the message that user needs to be logged in to get the details.
  How to address this problem. Someone please help.
  Note: I also tried using ridc for this. I was able to get it working but since it is executing in the context of server ridc api is changing server's environment properties like HTTP_HOST, HTTP_CGIPATHROOT etc. It also seemed like system was becoming non functional after using ridc. When I called check-in the system metadata values like security group are no more loading. Not sure if ridc is the culprit here but worried that it might be causing this issue.
  Regards,
  Pratap

  Sorry, I posted too much details while posting this question. I was saying "not able to read *non* public content".
  Anyway, I was able to resolve the issue. I was able to authenticate with sysadmin credentials in the request to service using basic authentication and was able to read doc info with that credential.
  But I realized there is more than option for reading secure content.
  - I could set user name as sysadmin in the m_environment (if I am in the context of a service) and the call the DOC_INFO_BY_NAME service.
  - I can post an HTTP request to DOC_INFO_BY_NAME service with sysadmin credentials and do basic authorization via the connection. (This is what i have done successfully as of now )
  - I could add guest role to all security groups with R (read) privileges.
  I will look into all options and implement the one which is more apt.
  Regards,
  Pratap

• Security group guidance

  Hello,
  I'm having all sorts of troubles getting security groups working within SharePoint. I'm aware of the various timeouts and caching that occur and have changed my WindowsTokenLifeTime to 30 minutes to pick up security group changes faster. However, I have
  some areas in SharePoint where even after days, users in security groups with access to a site, library, or document still do not have access and they don't show up in Check Permissions. Also, I have some instances where a user, as a member of a security group
  with access to a file, has access one day and then the next day does not. This happens for multiple users in multiple locations and I have no idea what's going on. 
  Is there any guidance other than this about using AD security groups in SharePoint? 
  http://technet.microsoft.com/en-us/library/cc261972(v=office.15).aspx
  This is really messing with my head. 
  Our farm is SharePoint 2013 SP1. Some of my security groups have nested security groups, some don't, and both have these issues. 
  Thanks,
  Aaron

  I'm going to have to re-open this in a Reporting forum because this is so confusing.
  So our setup is SSRS2012 on SharePoint 2013. We are doing item level permissions, which means we have an AD security group
  Reports-All with Read to the Reports folder, then each actual report has unique permissions. We have a report with the
  ProjectManagers AD security group on it with Read (plus some other stuff to let them manage subscriptions), and another AD security group
  ProjectUsers with just Read access so they can open the reports. The data source used by this report has the AD security group I mentioned before,
  Reports-All, with Read.
  At a SharePoint level, things appear to work. When a user in ProjectManagers
  or ProjectUsers browses to the library, they see only the 3 reports that those two security groups have permission to see (out of a lot more in the library). That means SharePoint is reading those security group memberships correctly
  as far as I can tell.
  The issue is when a user in ProjectManagers or ProjectUsers
  clicks on a report, they get a reporting server based error message, and the ULS logs have an error specific to the user trying to run the report.
  Microsoft.ReportingServices.Diagnostics.Utilities.AccessDeniedException: The permissions granted to user 'MyDomain\MyUser' are insufficient for performing this operation. (Fault Detail is equal to Microsoft.ReportingServices.ServiceContract.RsExceptionInfo)
  If I add that specific user with Read permissions to the report and the data source, they are then able to run the report without errors. It seems like some Report Server component is not liking the fact that I'm using security groups. 
  Even though I'm going to put this elsewhere I figured I'd expand on my situation here in case it's an obvious solution to someone.

• Sync Project Online Security Group to SharePoint Security Groups

  Hi,
  Is there any way to sync prject server security group(Custom) into SharePoint Security Groups.
  My scenario is: I created a document library, I want to apply project server security on it, based on project server security groups, for that currently I created a custom group in sharepoint and manualy added the users into that group. That doesn't looks
  good, because if my project online group will change, than manually I have to change sharepoint group too. So what I want is, that sharepoint group is automatically synced with project online group.
  Or is there any other way to assign project online security in document library?
  Thanks
  PSN

  No there is no workaround other then creating a group on Office 365 server.
  SharePoint Online lets you create security groups via the Admin Overview page
  http://technet.microsoft.com/en-us/magazine/hh395478.aspx
  Just found a 3rd part. check if it can help
  http://en.share-gate.com/blog/migrate-to-office-365-configure-sharepoint-to-use-active-directory
  Active Directory Synchronization: Allows you to sync your Active Directory Objects such as users and groups to your Office 365 account. This is a one-way synchronization, which means you continue to manage users On-Premises, and your changes
  will appear on Office 365 SharePoint. However, authentication and passwords are still managed by Office 365. It will be required for Password Sync and Single Sign On (see below).
  If this helped you resolve your issue, please mark it Answered

• Project Server 2010: PWA Removing Default Project Site Security Groups When Creating a New Project

  I looked for this specific issue with Project Server 2010/PWA/SharePoint and could not find an exact answer... hopefully someone can help.
  We are currently using Project Server 2010 and have a number of project site templates that are used dependent upon the enterprise project type selected. Each of these project site templates have unique permissions which should create the default security
  groups on the project site upon publishing/syncing:
  <Project Name> Members
  <Project Name> Owners
  <Project Name> Visitors
  <Project Name> Project Managers (Project Web App Synchronized)
  <Project Name> Team Members (Project Web App Synchronized)
  Web Administrators (Project Web App Synchronized)
  Whether a user creates a project through PWA or Project Pro 2010 and imports the project into PWA, we get a weird result in the Site Permissions of the newly created project site. PWA will remove all default security groups from the project site template
  and add a whole list of users in the Site Permissions list without groups. 
  Once the project is published and the project site is created, we can then go back and add those default security groups back in the project Site Permissions and even add a couple of custom groups without them being removed on all subsequent project syncs
  or publishing. 
  How do we get PWA to not overwrite the project site templates' security groups and place each user in the proper default security groups? At the same time, how is PWA adding a number of users into the Project Site Permissions?
  Thanks in advance.

  Paul,
  Thanks for that information. Right now we are using the Test environment to turn the Auto-sync feature back on. I suspect that the reason this is happening is due to PWA groups/categories/security templates. There may be more than one PWA group that is "overwriting"
  the default project site groups upon initial creation of the project. We will look further into the security settings to tighten up the policies. 

• How to create a site and add security groups through code: scripts, csom, ... ?

  Hi,
  I'm new to CSOM and are looking for a way to create sites in SharePoint Office365 and especially add user to it with a specific role eg. 'visitor' or 'owner'.
  I use this code to add sites from a csv file, so far so good.
  But now I want to add security groups based on the csv file and assign a role. The security groups allready exists.
  and also how to add a user with a 'owner' role for some sites.
  That would make my life easier :-)
  so thank you in advance!
  # load assemblies
  #[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Client")
  #[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Client.Runtime")
  Add-Type -Path "c:\Program Files\Common Files\microsoft shared\Web Server Extensions\15\ISAPI\Microsoft.SharePoint.Client.dll"
  Add-Type -Path "c:\Program Files\Common Files\microsoft shared\Web Server Extensions\15\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"
  # site collection
  $siteUrl = “https://mysharepoint.com”
  # admin
  $username = "[email protected]"
  $password = Read-Host -Prompt "Enter password" -AsSecureString
  # get clientcontext as object
  $ctx = New-Object Microsoft.SharePoint.Client.ClientContext($siteUrl)
  # assign credentials to clientcontext object
  $credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($username, $password)
  $ctx.Credentials = $credentials
  # create site from template 'teamsite' => STS#0
  $data = Import-Csv "c:\tools\CSOM\vakwerking_test.csv"
  foreach ($row in $data) {
  $webCreationInformation = New-Object Microsoft.SharePoint.Client.WebCreationInformation
  $webCreationInformation.Url = $row.vakwerkingurl
  $webCreationInformation.Title = $row.vakwerkingnaam
  $webCreationInformation.WebTemplate = "STS#0"
  $webCreationInformation.UseSamePermissionsAsParentSite = $false
  $newWeb = $ctx.Web.Webs.Add($webCreationInformation)
  Write-Host "Title" $newWeb.Title
  #send to sharepoint
  $ctx.Load($newWeb)
  $ctx.ExecuteQuery()

  Hi,
  The command above about creating a group only works for the root site of the site collection, because the scope of the user group is site collection level, these groups
  can be used in all the sites in this site collection.
  With the existing groups in the root site, we can add users into them and grant specific permissions of a specific sub site to these groups.
  Here is a demo about how to assign permission to a group using Client Object Model(though in C#) for your reference:
  http://www.c-sharpcorner.com/UploadFile/54db21/set-permission-to-group-in-sharepoint-2010-programmatically/
  Best regards,
  Patrick
  Patrick Liang
  TechNet Community Support

• How to create a security group to manage a Distribution list in exchange 2013

  Hi folks,
  We have AD synced with Online Exchange 2013. Dirsync is installed on AD. We would like to create a security group for a Distribution list(for instance: distribution list name is [email protected] and it is managed via a security group named "abc" ).
  How can this be achieved? I do see an option under Online Exchange console using browser-> Groups to create a new security group but it doesn't allow me to add the group created in AD-instead it ask us to create a new one. If we create a new one in Exchange
  online console- will it publish to our local AD?

  Hi TR,
  Thank you for your question.
  Are there any errors when we could not add group which is in local AD.
  When we could not add group which was created In AD, there are following options we could check:
  If current user who logon Exchange server has enough permission to add it
  The connection between Exchange server and AD
  If we create a new DG in Exchange online, it will be published to local AD.
  We could run the following command to create DG for abc.com:
  New-DistributionGroup -Name "abc" -Alias abc -Type "Security" -MemberJoinRestriction open
  We could refer to the following link to learn more about distribution group:
  https://technet.microsoft.com/en-us/library/bb124513%28v=exchg.150%29.aspx
  If there are any questions regarding this issue, please be free to let me know. 
  Best Regard,
  Jim
  Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]
  Jim Xu
  TechNet Community Support

• Object Level security by creating catalog groups in OBIEE-10G

  Hi All,
  I have a requirement to display the dashboard based on the user login. Ex. Mike belongs to HR, Smith belongs to Accounts
  When Mike logs in he should see only these three dashboards. HR View, Common data1, common data2. When Smith logs in he should see only these three dashboards. Accounts view, Common data1, commondata2.
  The commondata1 and commondata2 dashboards has common reports for all the departments. The other dashboards are department specific with all different reports. How can I implement this?
  From one of my earlier posts I was advised to do it using Object Level security by creating catalog groups. Can you please provide me end to end instructions on how to create Object level security based on catalog groups.
  Thanks for your time and help.

  Hi,
  Mike to HR
  Smit - Account
  Yes, You achive by Object Level security by creating catalog groups
  1) Create Catalog group and users in RPD part(Ex: Account_grp,HR_grp)
  2)assign user to that particular group(let say Ex: Account_grp= Smith and HR_grp=Mike )
  3) login (Admin user id ) into dashboard page and --->mange dashboard page -->add users to that particular
  dashboard to relevent users and save it then
  try to login that mike and smith user it will work
  kindly refer below link
  http://www.rittmanmead.com/2010/01/obiee-10g-web-catalog-best-practices/
  http://www.rittmanmead.com/2007/05/obiee-and-row-level-security/
  thanks
  Deva

• What is the Behavior.Navigation URL for creating navigation bar links for search scopes for security group and distribution groups?

  ...the search scope is used to subset the SGs and DGs. The search scope itself shows expected results. The search scope filter used is: /Group[Type='Security' or Type='MailEnabledSecurity'][(Domain = 'DomainX') or (Domain = 'DomainY')]
  Tried the following, with the GUID being the resource ID from the search scope for security groups:
  ~/identitymanagement/aspx/customized/CustomizedObjects.aspx?type=Group&searchtype=e8ed98b6-e299-4b8d-bfe5-e4b2adf1cd60
  ~/IdentityManagement/aspx/groups/Groups.aspx?type=Group&searchtype=e8ed98b6-e299-4b8d-bfe5-e4b2adf1cd60
  Thanks

  are you talking about redirect URL in search scope ? FIM will automatically add the searchtype querystring
  for custom groups search scope you can use :
  ~/IdentityManagement/aspx/groups/AllGroups.aspx
  and configure you search scope to use the same UsageKeywords as for the security groups
  and restart your IIS server using the command "IISRESET"
  in your case if you want to create navigation bar link to your group-type search scope use may use this format:
  http://{your fim server}/IdentityManagement/aspx/groups/AllGroups.aspx?searchtype={your searchscope guid}&content=%2a
  ex : http://fimserver/IdentityManagement/aspx/groups/AllGroups.aspx?searchtype=47e0a973-0ab4-46f5-815f-f5028c1af58e&content=%2a

• Create different network share shortcut in desktop for different security groups using GPO

  Hi,
   I have an OU named TECH that contains two different security groups ENG and PRESS.
  When users in ENG group logs in desktop should show a network share \\server1\eng-share and 
  when users in PRESS group logs in desktop should show a network share \\server1\press-share.
  How to create a GPO for this ?
  regards, Faisal

  You could use group policy preferences shortcuts. You would create a shortcut to each of these shares and then use Item Level Targeting. The target would point to the security group needed.
  If my answer helped you, check out my blog:
  DeployHappiness. Subscribe by
  RSS or
  email.