Unable to resolve name in add user to security group screen

Hello Everybody,
Today I come to ask for advice from the FIM experts, it was just brought to my attention that when somebody tries to add a user to a security group by using the browse option they are able to search for the member and select them but when they
click on "Ok" the account isnt shown in the Members to add box. However if the person types in the full display name into the "members to add box" the user is successfully resolved.

After some intense research this issue is caused by an recent Microsoft update KB3008923. I have opened an microsoft support case after being informed of this issue. This is caused not by an FIM patch but by and internet explorer update. Please uninstall KB3008923
and your issue will be resolved. Or you can suggest to your users to use chrome with IE tab addon enabled as a walk around solution
I am awaiting microsoft to provide an hotfix for this issue but until then I have just instructed my users to do one of the listed tempory solutions above

Similar Messages

VersaMail - "Unable to resolve name" error for mail server

I've had an intermittent but frequent problem with VersaMail when I try to connect to get my email. I frequently get the following message:
"Unable to resolve name pop.mindspring.com. Check your DNS settings or enter the IP address for your mail server."
I also get it occasionally for my Yahoo.com mail addresses as well, so it's not unique to Mindspring.com. Sometimes it happens a lot, but sometimes I get right in with no problems, so the settings I have appear to work - when they want to. Needless to say, it's frustrating and annoying, so if anyone has a way to resolve this, I'd appreciate knowing it.
Thanks.
Post relates to: Palm TX
This question was solved.
View Solution.

Problem solved! I had Googled for answers and had found an explanation of DNS servers on another forum where someone was having a similar problem. It seems that DNS servers simply take the domain name we use and search for the IP address for that domain name, then hook us up to that IP address. The error message I was getting was that I needed to check my DNS settings or enter the IP address, so it seemed only logical to me that if I could bypass those goofy DNS servers with their "now I'll do it, now I won't" bad attitude, perhaps I could connect directly with the mail servers. Your tip on how to find the IP address of the mail servers by pinging them was the missing piece I needed. I deleted the POP and SMTP server names for each account I'd set up in VersaMail, replacing them with the appropriate IP addresses, and I can now connect reliably with any of the servers, first time, every time - and lightning fast.
Thanks for your help!
Post relates to: Palm TX

Cannot Add user to CMC Group when they are a member of LDAP group

On PreProduction Server CMC
Softerra LDAP browser used to verify user is a member of LDAP group
User does not show as a member of that group in the CMC
Cannot add user to LDAP group showing in CMC, the same group shows the member in LDAP browser
On Production Server CMC
For kicks I logged into the CMC on Production and I found the user is correctly showing as a member of the Group
Why doesn't the groups in CMC show what is actually showing in the LDAP browser?

Hi,
Check if you have also mapped in both servers the same groups. It might be that there are some groups missing in the Pre-prod.
Also, try restarting the CMS. I have seen similar issues that are solved after forcing the recreation of the graph.
If after the restart you still can't see the groups, check the mapping on the LDAP server. It might be that both servers do not use the same attribute mappings.
Regards,
Julian

Not able to Add users to Secutity Groups in ADS

Hi all,
I am successfully able to create the user in ADS in OU & users. I am not able to add them to the any group which is ADS. can any body help me out? it is much appreciated.
Sriram

AD gropus are managed by Windows Ad teams. You cannot add users to Ad group from CMC directly.
Ask your windows team to add users to particular AD group and then update the Windows Ad authenctication from CMC to reflect in BO

Add user in OID group from SOA Suite

Hello All,
I want to add users in OID groups from a SOA application (BPEL process), is there any way to achieve this?
Thanks

It has the functions to add: Use this function from Group class.
addUniquemember
public void addUniquemember(javax.naming.directory.DirContext ctx, java.lang.String dn) throws UtilException
Adds the DN as a uniquemember of this group
Parameters:
ctx - a valid DirContext
dn - the DN representing the object to be added
Reference Links:-
LDAPGroup (Oracle Internet Directory API Reference)
Group (Oracle Internet Directory API Reference)

Can I add Users and/or Groups?

Hi,
Can I add Users and/or Groups in a Realm from my webapplication?
(not using administrative console....but from my code)
Tanks by
Angelo.

Yes.
"Angelo" <[email protected]> wrote:
>
Hi,
Can I add Users and/or Groups in a Realm from my webapplication?
(not using administrative console....but from my code)
Tanks by
Angelo.

Add users to a group from another Active Directory domain

Hi Folks,
I need add users in a group the active directory through the FIM 2010 R2.
My scenery it is:
Domain A with FIM 2010 R2 provisioning users for Domain B;
I need get users the Domain B and add in group in Domain C.
What's better way, create FIM portal for them, or create aditional script/development for FIM 2010 R2.
Thanks a lot!
Wilsterman Fernandes

There are two approaches to do it.
1st - easier - using FIM Portal/Service - just create a criteria based group that would be created in Domain C.
2nd - more difficult, but you don't need FIM Service/FIM Portal - just export all users to one table in SQL and create a view, where a group and members (users from Domain B) are. It would be cheaper as you don't have to have FIM Service to do it. But if
you have it, first is easier.
If you found my post helpful, please give it a Helpful vote. If it answered your question, remember to mark it as an Answer.

User's Security Groups

Is there a way to view user's security groups with mxl script. Iwant to output every user's security groups and check if there isany user on the server that is not assigned to at least onesecurity gruop. Thanks,Jacob

also DISPLAY PRIVILEGE USER ALL; will list all privileges granted to a user directly. Any line that isn't "no access" means that the user has privileges assigned outside a group. I periodically do ann audit on our systems to ensure we have't got any direct users that have privileges granted outside groups. Of course anyone tagged individually as a supervisor will come up on this check.

People Picker can resolve users and security group from another domain but no validation for groups

Dear all,
Here is the scenario of our issue:
We are migrating from Domain A to Domain B and in Domain A we currently have a SharePoint 2013 on which we want to set permissions for users and groups that have already migrated to Domain B.
A bi-directional trust exist between the two domains and all applications relying on trust and resolving IDs from on domain to another are working fine (Windows RDS for instance)
The "bug" that we have is when using the PeoplePicker, it can resolve without any issue a user account in Domain A or B, and a security group (type global, I haven't tried local or universal yet) from domain A or B. But for the security groups
only (it works well for users), when I click on "Save" to validate the add of the group to the site permissions, I have the following error:
I have seen a lot of similar issues on the web but no answer so far that work :(
Example: https://social.technet.microsoft.com/forums/sharepoint/en-US/74e8d14b-a0f4-4e21-8cfa-b1a937247160/cant-provision-security-to-old-domain-users
If you have any question that could help you to understand it, do not hesitate.
Thanks a lot in advance for your help ! :)

Can you give the snippet from the ULS log where you're seeing this error?
Trevor Seward
Follow or contact me at...
&nbsp&nbsp
This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

Add users to Windows logon screen (server 2008 R2)

Hello
Our one server was setup to display 3 user names in the logon screen, vs just the username / domain options to fill out.
The settings have been blown away somehow, and i need to re-add a few users to the logon screen.
I have tried the suggestions with no luck. Most sites recommend Interactive Logon: Do not display last user name gpo
setting. This did not work for me.
Any help would be appreciated.
Thanks

Hi Giermo,
Please try to modify the regeistry to achieve this, please also note Always make a backup of the Windows Registry before you modify any settings:
Open regedit
Press Windows+R
Type regedit + enter
Navigate to [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList]
You will probably want to right-click on “ProfileList” and click export to save the entire subtree in case something goes wrong.
You will find several subfolders or “keys” named something like “S-1-x-xx…”, open them one at the time
Each should contain at least the three value-sets, “Flags”, “ProfileImagePath” and “State”, some will contain more
Look at the end of ProfileImagePath for the name of the user represented by the key
You will usually have one for each user on the system, and one for each of the three system entries ‘systemprofile’, ‘LocalService’ and ’NetworkService’
Delete any key (i.e. the whole “S-1-x-xx” folder) that does not contain at least those three values. Also delete any empty key named default.
Reference from:
Windows 7 Welcome Screen doesn't display user account
Best Regards,
Anna

Add user to sharepoint group using REST API

I am trying to add a user to sharepoint group with following code
serviceUrl= Appweb + "/_api/SP.AppContextSite(@target)/web/sitegroups("+GroupId+")/users?@target='host web'";
$.ajax({
url: serviceUrl,
type: "POST",
contentType: "application/json; charset=utf-8",
dataType: 'json',
body: "{'__metadata': { 'type': 'SP.User' },'LoginName':'i:0#.f|membership|'+email }",
headers: {"accept":"application/json;odata=verbose",
"content-type": "application/json;odata=verbose",
"X-RequestDigest":$("#__REQUESTDIGEST").val()
async: false,
success: function (data) {
alert('success');
error: function (data) {
alert('fail');
The request goes to error function. Response of the request is Microsoft.SharePoint.Client.InvalidClientQueryException and message is A node of type 'EndOfInput' was read from the JSON reader when trying to read the start of an entry. A 'StartObject' node was
expected
I tried the sample from following link but fail it
https://msdn.microsoft.com/en-us/library/office/dn531432.aspx

Hi,
Per my understanding, you might want to add an user to a SharePoint group in host web from a SharePoint Hosted App using REST API.
Here is a working demo for your reference:
var hostweburl;
var appweburl;
$(document).ready(function () {
//Get the URI decoded URLs.
hostweburl = decodeURIComponent(getQueryStringParameter("SPHostUrl"));
appweburl = decodeURIComponent(getQueryStringParameter("SPAppWebUrl"));
// Resources are in URLs in the form:
// web_url/_layouts/15/resource
var scriptbase = hostweburl + "/_layouts/15/";
// SP.RequestExecutor.js to make cross-domain requests
$.getScript(scriptbase + "SP.RequestExecutor.js", loadPage);
// Utilities
// Retrieve a query string value.
// For production purposes you may want to use a library to handle the query string.
function getQueryStringParameter(paramToRetrieve)
var params = document.URL.split("?")[1].split("&");
for (var i = 0; i < params.length; i = i + 1)
var singleParam = params[i].split("=");
if (singleParam[0] == paramToRetrieve) return singleParam[1];
function addUsersInGroup() {
var executor;
// Initialize the RequestExecutor with the app web URL.
executor = new SP.RequestExecutor(appweburl);
executor.executeAsync({
url: appweburl + "/_api/SP.AppContextSite(@target)/web/sitegroups(8)/users?@target='" + hostweburl + "'",
method: "POST",
contentType: "application/json; charset=utf-8",
dataType: 'json',
body: "{'__metadata': { 'type': 'SP.User' },'LoginName':'i:0#.f|membership|[email protected]'}",
headers: {
"Accept": "application/json; odata=verbose",
"content-type": "application/json;odata=verbose",
"X-RequestDigest":$("#__REQUESTDIGEST").val()
success: addUsersInGroupSuccessHandler,
error: addUsersInGroupErrorHandler
function addUsersInGroupSuccessHandler(data)
console.log(data);
var jsonObject = JSON.parse(data.body);
console.log(jsonObject);
function addUsersInGroupErrorHandler(data)
console.log(data);
var jsonObject = JSON.parse(data.body);
console.log(jsonObject);
Thanks
Patrick Liang
TechNet Community Support
Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact
[email protected].

How to add user in administrator group of project server 2010 with powershell command ?

I want to add one user in Administrator group of Project Server .
Please let me know how to do this through power shell command.

Hello,
You would need to use the PSI in your PowerShell commands. Here is a .Net example to get you started, convert this to PowerShell:
http://blogs.msdn.com/b/ajjose/archive/2013/05/24/creating-a-project-server-user-and-adding-user-to-a-group-through-psi.aspx
Examples of PowerShell and the PSI can be found here in some of the scripts:
http://gallery.technet.microsoft.com/scriptcenter/Update-Server-Lookup-table-bb1ae14f
http://gallery.technet.microsoft.com/scriptcenter/Create-Server-2010-2013-19bd3cc7
http://gallery.technet.microsoft.com/scriptcenter/Bulk-create-Server-Sites-784f7b29
These wont do what you need but will give you an idea of using the PSI in PowerShell
Paul
Paul Mather | Twitter |
http://pwmather.wordpress.com | CPS

Am I trying to add users to a group correctly?!

Experts (Dave?!):
As posted yesterday, I'm finally able to log in to the RHS Admin Console.
I've been testing the Users areas. I'm having trouble adding users to a group other than the RobAdmin. Please let me know what/if I'm doing wrong. My procedure:
1) Access the Users panel:
2) Click the upper Add to add new group writers:
3) Click OK. The writers group appears in the Group pulldown:
4) Type in new user Kurt:
5) Click Add. Note how the selected group snaps back to RobAdmin!
6) Click Yes to confirm the user addition:
7) Observe how Kurt is now added to the RoboAdmin group. (D'oh!).
8) Observer how Kurt is NOT added to the writers group. (D'oh d'oh!)
Is the above the expected behavior? If so, how does one add users to a non-RobAdmin group?!?!?
Thanks in advance!.
-Kurt

Kurt, I hope the robo team is reading this, because I think this problem has been going on for a long while. What happens for us is, you can create the group, then add the user, then the group disappears from the drop-down upon refresh. I remember John Daigle looked at it a while back and was puzzled. It's the only part of server that isn't working right for us now, but it's a real pain--I can't create groups or add users.
David
HTML11/Server 9

Exchange 2010 Unable to Assign Full Access Permissions using a Security Group

I've been running into this issue lately. I cannot seem to use groups to allow full access to mailboxes. When I add them from the EMC, it will show up when you go to "Manage Full Access Permission...". After waiting a day and even restarting
the Information Store service, the permissions do not take effect. When I view the msExchDelegateListLink attribute of the mailbox account, the group is not listed.
When I grant a user full permission, it works and updates the attribute. However, on occasion when I revoke the full access permission for a user is doesn't always remove that user from the msExchDelegateListLink attribute. So the mailbox
will still appear in Outlook, but the user isn't able to see new emails.
Any ideas on what may be going wrong?
Environment:
Exchange Server 2010 SP1 Standard
Windows Server 2008 R2 Standard
Outlook 2010 SP1 (tried without SP1 as well)
I was looking over Add-MailboxPermission on Technet (http://technet.microsoft.com/en-us/library/bb124097.aspx) and I noticed that it doesn't mention adding groups. Is this not possible?

I never got a proper fix.
I worked around it by creating a script which gets the members of an AD Mail Enabled security group, and updates the full access based on the groups members.
Here's a script I'm running every hour which updates permissions. It's probably not the most efficient script ever, but it works. It has several benefits
1. Managers of the distribution group can add/remove mailbox members using OWA or through the address list
2. New members of groups are added to FULL Access Permissions
3. Members removed from the groups are removed from FULL access permissions
4. Automapping works :)
5. Maintains a log of access added / removed / time taken etc.
Obviously I have had to remove domain related information, replace with whatever your domain requirements are, and PLEASE debug it properly in your environent first, don't complain to me if it wipes out a load of access for you or something like that!
It takes about 5 minutes to run in my environement. Some formatting seems to have got messed up on here, sorry. I hope it is of use!
# Mailbox Permissions Setter for Exchange #
# v1.1 #
# This script will loop through all mailboxes in Exchange and find any where #
# the type is 'SHARED'. These should be determined to be a GROUP/SHARED mailbox #
# and access to these mailboxes are controlled by a single ACL, e.g. 'ACL_Shared_Mailbox'. #
# This script will add any members of these ACLs directly to the Full Access Permissions #
# of the mailbox and also remove them if they no longer need the access. #
# Script created by Jon Read, Technical Administration
# Recent Changes
# 15/11/2012
# 1.1 Added exclusions for ACLs that we don't want automapping to happen for
# 12/11/2012
# 1.0 Initial script
#Do not change these values
Add-PSSnapin *Ex*
$starttime = Get-Date
$logfile = "C:\accesslog.txt"
$logfile2 = "C:\accesslog2.txt"
$totaladditionstomailboxes = 0
$totalremovalsfrommailboxes = 0
$totalmailboxesprocessed = 0
$totalmailboxesskipped = 0
# Exclude any ACLs that shouldn't be processed here if they are used for a non-standard purpose and
# we don't want FULL access mapping to happen. Seperate array values with commas
$ExcludedACLArray = "DOMAIN\ACL_ExcludedExample"
Write-Output " " >> $logfile
Write-Output " " >> $logfile
Write-Output "#----------------------------------------------------------------#" >> $logfile
Write-Output "# Mailbox Permissions Setter for Exchange #" >> $logfile
Write-Output "# v1.1 #" >> $logfile
Write-Output "#----------------------------------------------------------------#" >> $logfile
Write-Output " " >> $logfile
Write-Output " " >> $logfile
Write-output "Start time $starttime ">> $logfile
Write-Output " " >> $logfile
Write-Output " " >> $logfile
# Set preferred DCs and GCs
$preferredDC = "preferredDC.domain"
$preferredGC = "preferredGC.domain"
Write-Output " PreferredDC = $preferredDC ">> $logfile
Write-Output " PreferredGC = $preferredGC " >> $logfile
Set-ADServerSettings -PreferredGlobalCatalog $preferredGC -SetPreferredDomainControllers $preferredDC
# The first part of this will ADD permissions to the mailbox, reading from an associated ACL.
# Check for all mailboxes where the type is SHARED. These are the only ones we would
# want to apply group mailbox permissions to.
foreach ($mailbox in get-mailbox -resultsize "unlimited" | where-object {$_.RecipientTypeDetails -eq "SharedMailbox"})
$totalmailboxesprocessed = $totalmailboxesprocessed + 1
Write-Output " " >> $logfile
Write-Output " " >> $logfile
Write-Output "|-------------------------------------------------------" >> $logfile
Write-Output "| MAILBOX ADDITIONS: $mailbox " >> $logfile
Write-Output "|-------------------------------------------------------" >> $logfile
$mailbox=$mailbox.ExchangeGuid.ToString()
# For each of them, get the distribution list applied to the mailbox (Starting DOMAIN\ACL_)
# We then need it to be turned into a string to use later.
#Declared $changes as 0. if this is set to 0 at the end of the mailbox job, we know no changes were made.
$changes = 0
foreach ($distributiongroup in get-mailbox $mailbox | Get-MailboxPermission | Where-Object {$_.User -like "DOMAIN\ACL_*" })
$skipACL = 0
#Get the distribution group and put the name in a useable format
$distributiongroup=$distributiongroup.user.tostring()
Write-Output "Found ACL $distributiongroup" >> $logfile
# Check if this distribution group needs to be excluded and if it shouldn't be processed
# then move onto the next ACL. This will stop FULL access being granted if the mailbox is
# used for a non-standard purpose. See the start of this script
# for where these are excluded (ExcludedACLArray)
foreach ($ACL in $ExcludedACLArray )
if ($distributiongroup -eq $ACL)
$skipACL = 1
Write-Output "ACL $distributiongroup is excluded so skipping mailbox " >> $logfile
$totalmailboxesskipped = $totalmailboxesskipped + 1
if ($skipACL -eq 0)
# Get each user in this group and for each of them, add try to add them to full access permissions.
foreach ($user in Get-DistributionGroupMember -identity $distributiongroup)
# Get the user to try, convert to DOMAIN\USER to use shortly
$user="DOMAIN\" + $user.alias.ToString()
# Check to see if the user we have chosen from the ACL group already exists in the full access
# permissions. If they do, set $userexists to 1, if they do not, leave $userexists set to 0.
# Set $userexists to 0 as the default
$userexists = 0
foreach ($fullaccessuser in get-mailbox $mailbox | Get-MailboxPermission)
# See if the user exists in the mailbox access list.
# Change $fullaccessuser to a useable string (matching $user)
$fullaccessuser=$fullaccessuser.user.tostring()
if ($fullaccessuser -eq $user)
$userexists=1
# Break out of foreach if the user exists so we don't unnecessarily loop
break
# Now we know if the user needs to be added or not, so run code (if needed) to add
# the user to full access permissions
if ($userexists -eq 0)
Add-MailboxPermission $mailbox –user $user –accessrights "FullAccess"
Write-Output "Added $user " >> $logfile
$changes = 1
$totaladditionstomailboxes = $totaladditionstomailboxes + 1
#Now repeat for other users in the ACL
#if changes were 0, then log that no changes were made
if ($changes -eq 0)
Write-Output "No changes were made." >> $logfile
Write-Output " " >> $logfile
Write-Output " " >> $logfile
Write-Output "---------------------------------------------------------------------------------" >> $logfile
Write-Output " FINISHED ADDING PERMISSIONS" >> $logfile
Write-Output "---------------------------------------------------------------------------------" >> $logfile
Write-Output " " >> $logfile
# The second part of this will REMOVE permissions from the mailbox, reading from an associated ACL.
## Check for all mailboxes where the type is SHARED. These are the only ones we would
## want to apply group mailbox permissions to.
foreach ($mailbox in get-mailbox -resultsize "unlimited" | where-object {$_.RecipientTypeDetails -eq "SharedMailbox"})
Write-Output " " >> $logfile
Write-Output " " >> $logfile
Write-Output "|-------------------------------------------------------" >> $logfile
Write-Output "| MAILBOX REMOVALS : $mailbox " >> $logfile
Write-Output "|-------------------------------------------------------" >> $logfile
$mailbox=$mailbox.ExchangeGuid.ToString()
#Declared $changes as 0. if this is set to 0 at the end of the mailbox job, we know no changes were made.
$changes = 0
# For the current mailbox, get a list of all users with FULLACCESS, and then for each of them
# check if they exist in the ACL
foreach ($fullaccessuser in get-mailbox $mailbox | Get-MailboxPermission | Where-Object {$_.Accessrights -like "FullAccess" })
# Get the security identifier (SSID) of the FULLACCESS user to store for later.
$fullaccessuserSSID=$fullaccessuser.user.SecurityIdentifier.ToString()
$fullaccessuser=$fullaccessuser.User.ToString()
#If user needs to be excluded then skip this bit
#Users added or removed will only start with 07 (07$, 07T, so only run if the user starts with this.
#This stops it trying to remove NT AUTHORITY\SELF and other System entries
if ($fullaccessuser -like "DOMAIN\07*")
# Set $userexists to be 0. if we find the use user needs to remain, then change it to 1.
$userexists=0
# Check if this user exists in the ACL, if not, remove.
foreach ($distributiongroup in get-mailbox $mailbox | Get-MailboxPermission | Where-Object {$_.User -like "DOMAIN\ACL_*" })
$distributiongroup=$distributiongroup.user.tostring()
#Write-Output "Found associated distribution group $distributiongroup" >> $logfile
# Get each user in this group and for each of them, See if it matches the user in the mailbox.
foreach ($user in Get-DistributionGroupMember -identity $distributiongroup)
# Get the user to try, convert to DOMAIN\USER to use shortly
$userguid = $user.Guid.ToString()
$user="DOMAIN\" + $user.alias.ToString()
if ($fullaccessuser -eq $user)
$userexists=1
#we have found the user exists so no need to continue
break
# If userexists = 0, then they are NOT in the ACL, and should be removed from
# the full access permissions. Run the code to remove them from full access.
#CONVERT FULLACCESSUSER TO GUID AND REMOVE $FULLACCESSUSERGUID NOT $USERGUID
if ($userexists -eq 0)
Remove-MailboxPermission -Identity $mailbox –user $fullaccessuserSSID –accessrights "FullAccess" -Confirm:$false
Write-Output "Removed $fullaccessuser " >> $logfile
$changes = 1
$totalremovalsfrommailboxes = $totalremovalsfrommailboxes + 1
# if changes = 0, no changes were made to this mailbox, so log this fact.
if ($changes -eq 0)
Write-Output "No changes were made." >> $logfile
#Put the time in a displayable format
$endtime = Get-Date
$runtime = $endtime - $starttime
$runtime = $runtime.ToString()
$runtime1 = $runtime.split(".")
$totaltime = $runtime1[0]
Write-Output " " >> $logfile
Write-Output " " >> $logfile
Write-Output "|-------------------------------------------------------------------------------------- " >> $logfile
Write-Output "| SCRIPT COMPLETE : STATS " >> $logfile
Write-Output "|-------------------------------------------------------------------------------------- " >> $logfile
Write-Output "| Total Mailboxes Processed : $totalmailboxesprocessed " >> $logfile
Write-Output "| Total Additions : $totaladditionstomailboxes " >> $logfile
Write-Output "| Total Removals : $totalremovalsfrommailboxes " >> $logfile
Write-Output "| Total Mailboxes Skipped due to ACL : $totalmailboxesskipped " >> $logfile
Write-output "| Start time : $starttime ">> $logfile
Write-output "| End time : $endtime ">> $logfile
Write-Output "| **END OF RUN** - Elapsed time : $totaltime " >> $logfile
Write-Output "|---------------------------------------------------------------------------------------" >> $logfile
Write-Output " " >> $logfile

DBMS_LDAP adding user to security group on Active Directory

Hi forum members,
I am accessing and manipulating Active Directory using the DBMS_LDAP package and its API's.
My initial code is to add a new entry in our MUsers group.After establishing the session and binding it , I supply the required credentials and the user , ex: 366944 is created successfully in the MUsers group which is a global users group.
My package then calls another function to now add the same user to the MGroups group and under that the Researcher security group.
When I do a search on the "Researcher" group this is the result : (I have deleted a few irrelevant entries)
ATTIBUTE_NAME: objectClass = top
ATTIBUTE_NAME: objectClass = group
ATTIBUTE_NAME: cn = Researcher
ATTIBUTE_NAME: member = CN=3,OU=MUsers,DC=xxx,DC=yyy
ATTIBUTE_NAME: member = CN=2,OU=MUsers,DC=xxx,DC=yyy
ATTIBUTE_NAME: member = CN=1,OU=MUsers,DC=xxx,DC=yyy
ATTIBUTE_NAME: distinguishedName =
CN=Researcher,OU=MGroups,DC=xxx,DC=yyy
ATTIBUTE_NAME: instanceType = 4
ATTIBUTE_NAME: whenCreated = 20100315150614.0Z
ATTIBUTE_NAME: whenChanged = 20100322172413.0Z
ATTIBUTE_NAME: uSNCreated = 97190
ATTIBUTE_NAME: uSNChanged = 102960
ATTIBUTE_NAME: name = Researcher
ATTIBUTE_NAME: objectGUID = ?P??|F?
?Q?'
ATTIBUTE_NAME: objectSid =
ATTIBUTE_NAME: sAMAccountName = $1B1000-EVVA2O0MRRBE
ATTIBUTE_NAME: sAMAccountType = 268435456
ATTIBUTE_NAME: groupType = -2147483646
ATTIBUTE_NAME: objectCategory =
CN=Group,CN=Schema,CN=Configuration,DC=xxx,DC=yyy
My add_in_group function is : (I am hardcoding certain values for simplicity)
FUNCTION add_in_group
(ldap_session dbms_ldap.SESSION
RETURN PLS_INTEGER
IS
lv_vals dbms_ldap.string_collection;
lv_array dbms_ldap.mod_array;
ln_retval PLS_INTEGER;
l_group VARCHAR2(256);
BEGIN
-- Initialize the varray for the modify command
lv_array := dbms_ldap.create_mod_array(10);
IF lv_array = NULL THEN
dbms_output.put_line('Error add_in_group: lv_array not initialized.');
NULL;
END IF;
dbms_output.put_line ('lv_array successfully initialized');
-- Populate the varray
lv_vals(1) := 'CN=366944,OU=MUsers,DC=xxx,DC=yyy';
dbms_ldap.populate_mod_array(lv_array,DBMS_LDAP.MOD_ADD,'member',lv_vals);
--Populate the object class variables
lv_vals(1) := 'group';
BEGIN
DBMS_LDAP.populate_mod_array(lv_array,DBMS_LDAP.MOD_ADD,'objectclass',lv_vals);
EXCEPTION
WHEN OTHERS THEN
DBMS_OUTPUT.PUT_LINE('Populating object classes failed');
END;
--BEGIN
-- Group Modification
l_group := 'cn=Researcher,OU=Mgroups,DC=xxx,DC=yyy';
BEGIN
ln_retval := dbms_ldap.modify_s(ldap_session, l_group, lv_array);
--EXCEPTION
--WHEN OTHERS THEN
--dbms_output.put_line ('Error in modify_s ');
END;
-- Free the varray
dbms_ldap.free_mod_array(lv_array);
RETURN ln_retval;
EXCEPTION
WHEN OTHERS THEN
dbms_output.put_line('add_in_group : '|| SQLCODE||' '||SQLERRM);
RETURN -1 ;
END add_in_group;
My error is :
ORA-31202: DBMS_LDAP: LDAP client/server error: Already exists. 00000562:
UpdErr: DSID-031A0F4F, problem 6005 (ENTRY_EXISTS), data 0
The error descriptions reads like this :
Indicates that the add operation attempted to add an entry that already exists, or that the modify operation attempted to rename an entry to the name of an entry that already exists.
In this case , I am using the modify_s operation.I am supplying the credentials of the researcher group and trying to set the 'member' attribute as the user already existing in a diff group(MUsers).
The researcher group already has 3 uers , namely ,1,2 and 3 as members . These users are also part of MUsers group.
Hence I am not trying to rename any entry to the name of an entry that already exists.
Any help on this would be appreciated.

Hi,
I tried the same code that you have mentioned and did some changes as follows and now able to add members to a group.
remove the section that contains the following commands, then it will work
h5. lv_vals(1) := 'group';
h5. DBMS_LDAP.populate_mod_array(lv_array,DBMS_LDAP.MOD_ADD,'objectclass',lv_vals);
Thanks & Best Regards,
Indika

Unable to resolve name in add user to security group screen

Similar Messages

Maybe you are looking for