Understanding LDAP Security Groups - Need assistance...

Similar Messages

• Create different network share shortcut in desktop for different security groups using GPO

  Hi,
   I have an OU named TECH that contains two different security groups ENG and PRESS.
  When users in ENG group logs in desktop should show a network share \\server1\eng-share and 
  when users in PRESS group logs in desktop should show a network share \\server1\press-share.
  How to create a GPO for this ?
  regards, Faisal

  You could use group policy preferences shortcuts. You would create a shortcut to each of these shares and then use Item Level Targeting. The target would point to the security group needed.
  If my answer helped you, check out my blog:
  DeployHappiness. Subscribe by
  RSS or
  email. 

• Rename of FIM Security Groups

  Hi,
  While installing the FIM, 5  security groups needs to be created on the active directory. Are these five groups needs to created same as mention in the FIM documents
  FIMSyncAdmins
  FIMSyncOperators
  FIMSyncJoiners
  FIMSyncBrowse
  FIMSyncPasswordSet
  Can we add prefix or suffix any word in the above groups to follow the naming convention.
  Like FIMGroup-FIMSyncAdmins-abc. Will it impact if  rename the 5 security groups name before installation  of FIM?
  Can we rename the security groups after installation and again run the FIM setup to replicate the new security groups?
  Thanks
  Harry

  Hello Harry,
  Of course you can rename this group before installing FIM, with no impacts.
  And yes you can rename it after installation: you MUST run the install again.Ensure that you will backup the FIM encryption key before doing any actions!
  Regards,
  Sylvain

• Need info regarding Oracle UCM Accounts and Security Groups behaviour

  Need information regarding Oracle UCM Accounts and Security Groups behaviour.
  Oracle UCM version: 11.1.1.5.0
  Steps:
  1. Log in with "weblogic" user and created a content with id "content1"
  2. Applied "@acc1(R)" and "TestGroup1" to the cotent created in step 1
  3. Log out
  4. Log in as "acc1user1", the user is not able to see the "content1"
  5. Log out
  6. Log in as "role1user1", the user is not able to see the "content1"
  Account and Group information:
  1. User "acc1user1" is part of "@acc1(R)"
  2. User "role1user1" is part of "role1(R)" and is mapped to "TestGroup1" in UCM
  Expected:
  Both "acc1user1" and "role1user1" should be able to see "content1" as they have at least Read permission.
  Please help me understand why the users are not able to see the content.

  ACLs, like Accounts, are optional security setting which may add on some extra functionality to mandatory security groups. Likewise, the resulting permission is taken as an intersection of SG and ACLs.
  But in the second part the number of set of users is huge (approx say 600)I don't get this completely. Does this mean that those "sets of users" (users who see the same data) are distinct and that there is 600 of such groups?
  If you read thoroughly the manual I sent earlier, there is a recommendation that there should be maximum 50 security groups, and you should use accounts, should this number be exceeded. This means you could have all the documents in one security group (and have one common role with Read permission), but combine it with accounts. ACLs are not a good choice here - their performance and manageability is much worse than of accounts. ACLs are primarily used if you expect security settings to change during the lifetime (e.g. a project manager adds temporarily rights to access an item to another user, and revokes it when the user finishes his or her work).
  Note that accounts as well as permissions of users within accounts can also be mapped externally (from LDAP/AD) and it usually follows some kind of org chart.
  I'd feel more comfortable not to speak about users, security groups, roles, etc., but about some real-life objects and scenarios.

• Script needed to query last logon for users within an AD security group

  Hi all,
  I'm looking for a vbscript that will query a specific AD security group, and export the following information into an Excel document:
  1. Full name of the user.
  2. A timestamp of the last logon for each user.
  Any help would be great.

  At the moment I'm using a batch script to attempt to query a few different security groups. Below is a line from the script:
  dsquery group -samid <group name> | dsquery * -filter "&(objectClass=person)(ObjectCategory=user)" -attr cn lastLogonTimestamp
  There a two issues with the command.
  1. The results aren't being pulled from the security group specified.
  2. The timestamp is in an unreadable format. I've understand this needs to be converted?
  The Powershell option looks handy, but sadly the clients environment is Server 2003 based with no Powershell option.

• File Server Migration - For ORG A Forest to ORG B Forest ( Need to create and Map Security Group automatically on new Migrated Folders - Please Help

  I have two forest With Trust works Fine .
  I have file server in ORG – A ( Forest ) with 2003 R2 Standard
  I have a File server in ORG  - B ( Forest ) With Windows server 2012 ( New Server for Migration )
  I have 1000 + folders with each different permission sets on ORG-A. We are using Security groups for providing permission on the share Folders on ORG A
  I need to Migrate  all the folders from ORG – A to ORG – B.
  I am looking for an automated method of creating Security Groups on AD during the Migration, Once the Migration is Done, I can add the required users to the security groups manually.
  Example.
  Folder 1 on ORG – A has Security Group Called SEC-FOLDER1-ORGA
  I need an automated method of Copying the files to ORG – B and Creating a new security Groups on ORG –B Forest with the same permission on parent and child Folders. I shall Add the users manually to the Group.
  Output Looks Like
  Folder 1 on ORG – B has Permission called SEC-FOLDER1-ORGB ( New Security Group )
  Also I need a summarized report of security Group Mapping, Example – Which security Group on ORGA is mapped with Security Group Of ORGB

  Hi,
  I think you can try ADMT to migrate your user group to target domain/forest first. Once user groups are migrated, you can use Robocopy to copy files with permission - that permission will continue be recognized in new domain as you migrated already. 
  Migrate Universal Groups
  http://technet.microsoft.com/en-us/library/cc974367(v=ws.10).aspx
  If you have any feedback on our support, please send to [email protected]

• HT201209 I need assistance with trying to figure out how to change my security code answer

  I need assistance with trying to figure out how to change my security code answer

  If you mean the answers to your security questions, then f
  rom http://support.apple.com/kb/HT5665 :
  If you have three security questions and a rescue email address
  sign in to My Apple ID and select the Password and Security tab to send an email to your rescue email address to reset your security questions and answers (the steps half-way down that page should give you a reset link)
  If you have one security question and you know your Apple ID passwordsign in to My Apple ID and select the Password and Security tab to reset your security question.
  If you have one security question, but don't remember your Apple ID passwordcontact Apple Support for assistance. Learn more about creating a temporary support PIN to help Apple confirm your identity when you contact Apple Support.
  If you can’t reset them via the above instructions (you won't be able to add a rescue email address until you can answer your questions) then you will need to contact iTunes Support / Apple in your country to get the questions reset.
  Contacting Apple about account security : http://support.apple.com/kb/HT5699
  When they've been reset (and if you don't already have a rescue email address) you can then use the steps half-way down this page to add a rescue email address for potential future use : http://support.apple.com/kb/HT5312

• Help needed unravelling 2003 Server Security Groups

  Hi I have just taken over managing a set of six domains for a care home network.
  The domains have previously been managed by different people.
  I am not overwhelmed by documentation but most of the AD structures are not that complex; so it’s easy enough to work it out.
  There is one site where the admin was part way through a migration from Server 2003 to Server 2008 R2 where there is a little bit more of a challenge.
  There are 54 Security Groups for 72 Users!
  Most of them are organised in such a way that the membership of a Security Group is comprised of other Security Groups: so to find out who has rights to access what you often have to go through 3 different Security Groups before you get to see any users.
  Before I can complete the data migration I need to unravel the Security Group structure and simplify it.  
  Does anyone have any suggestions as to how I can easily find details of membership and rights without manually searching through every Security Group? Ideally I’d like to be able to export this to a CSV file or Excel.
  Cheers
  Micky Mc

  Hi Vivian
  Due to the aforementioned time issues I only get to spend a couple of hours on site in this place and I didn’t want to install the programme remotely in case it was
  too much for the old 2003 Server.
  The link to http://www.manageengine.com/products/ad-manager/active_directory_group_reports.html was
  a great tip and after a relatively short period of time I was able to get a nice spreadsheet showing me the intricacies of my crazy convoluted security groups. Now all I need to do is sit down with a highlighter pen and fathom it out!!!
  Thanks very much for your help
  Cheers
  Micky Mc

• How to change the values in custom profiles based on security group ??

  Hi,
  i am facing problem for my requirement, can anybody help me for below scenario...
  i have custom check in profiles , there are content types and sub types. sub type nothing but a categories on for particular content type. For example i have News content type , same in the below subtypes drop down list are press release, events, articles etc.
  what i want to do is, when i open custom checkin profile, subtype values need to be changed( some values in subtype should hide) based on security group changes .
  In the Sub type listed values, some values need to hide only when i choose different security groups.. sub types values should display based on the particular security group only. when ever i change the security group, drop down Values in subtypes needs to change.
  hope understand my requirement.
  How to achieve this task. Any help would be greatly appreciated.
  Thanks,
  yt

  Hi,
  Thanks alot. its working fine
  Can we configure DCL Relation two times in one information filed ??? i should not create not more than fields to this requirement.
  Type -> subtype = DCL already existed
  Now, i want to Create DCL to
  Subtype ---> Security group
  As per my requirement, if i change the security group in checkin form, values should be change in the SubType drop down list.
  Created checkin profile there was DCL relation to " Type and "Sub Type" . now i want to map Relation ( DCL ) for subtype to security group.
  i was trying do for DCL for subtype and security group. but there was already existing DCL created for subtype information field (Relation configuration done for content type). even though i was trying to do for DCL in Security group information field. but, i could not find security group information field in configuration manager.
  Now what should i do ?? how to create DCL to subtype and security group ??
  Help would be appreciated.
  yt

• LDAP security provider and web service authentication

  Background: we are currently developing web services to our existing weblogic application. Our users can configure user/password authentication in one of three ways: database, LDAP, or SSO. Setting SSO aside, we need to implement the same authentication for database and LDAP that we use in our existing logon servlet in our web services. In our servlet we detect which they are configured for and, if database, authenticate the encrypted password to a database table we have for user id/password. If LDAP we use weblogic.servlet.security.ServletAuthentication and the weak() method to authenticate.
  We've to use SOAP headers to communicate username/password from the client to the web service. We want to code a SOAP message handler to grab the username/password and do the authentication there. We've successfully put something together that handles the database authentication no problem and are now struggling with how to handle the LDAP authentication. We distribute a LDAP security provider we've coded for LDAP authentication. I guess what I am looking for is an equivalent functionality provided with weblogic.servlet.security.ServletAuthentication. Note that I realize the weblogic.servlet.security package has been deprecated starting with Weblogic 9.0 but cannot find what functionality replaces it. Any help there would be appreciated as well.
  Note that I am fairly new to web service development (about 10 months now) and definitely new to web service security and Weblogic security. I tried digging into the volumes of documentation out there regarding these two topics but am simply having a difficult time sorting it all out and figuring out how to do what I want to do.
  Thanks in advance!
  Julia

  Hi,
  Add Provider (LDAP Credentials) in Admin console Security Realm --> defaultrealm -->Providers. Configuring Ldap in Admin Console will enable Admin Server to connect to LDAP. All the LDAP preconfigured Users/Groups will be available in Users and Groups Tab of Security Realms >defaultrealm >Users and Groups. Add Roles using Security Realms >defaultrealm > Roles and Policies > Global Roles > Roles. Add Role Conditions to the role by specifying users/groups configured in LDAP. If your webservice runs with SSL Anotate the Webservice file something like this below.
  @RolesAllowed({
  @SecurityRole(role="test")
  @Policy(
  uri="policy:Wssp1.2-2007-Https-UsernameToken-Plain.xml",
  attachToWsdl=true)
  Here the role is Preconfigired role in AdminConsole. Add the following tag in the soapenv:header.
  <soapenv:Header>
  <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
  <wsse:UsernameToken>
  <wsse:Username>test</wsse:Username>
  <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</wsse:Password>
  </wsse:UsernameToken>
  </wsse:Security>
  </soapenv:Header>

• How to move members of a certain OU from one security group to distribution group?

  Looking for a powershell script that could move members from a certain OU that are members of a certain security group to a distribution group. Anyone point me in the right direction?

  It is easy to determine the members of a group. My concern is that once you know the users, it can be tricky to determine their parent OU in a script. There are ways to parse the user distinguishedName, but some are unreliable (the names of OU's, and even
  DC components, can include commas, for example). The most reliable method would be to bind to the user object with the [ADSI] accelerator and invoke the Parent method, but even then you must parse the result since it will be an ADsPath rather than a DN.
  My approach would be to use Get-ADUser to find all users in a specified OU that are direct members of a specified group. Even here I assume you are only concerned with users (not contacts or groups or computers). I also must assume that no users have the
  group specified as their "primary" group. The code I would suggest to  retrieve all users in an OU that are members of a group:
  Get-ADUser -SearchBase "ou=Sales,ou=West,dc=MyDomain,dc=com" -LDAPFilter "(memberOf=cn=MyGroup,ou=West,dc=MyDomain,dc=com)"
  This does not find users in the OU that are members of the group due to group nesting. However, if that matters, it can be handled using another LDAP syntax filter. In that case use:
  Get-ADUser -SearchBase "ou=Sales,ou=West,dc=MyDomain,dc=com" -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=cn=MyGroup,ou=West,dc=MyDomain,dc=com)"
  The "1.2.840.113556.1.4.1941" part is a special chain matching rule that results in a recursive match to handle group nesting. You can also devise a filter to include membership as the "primary" group. You could even use Get-ADObject
  instead  of Get-ADUser if you need to include contacts (or computers or groups), but I assume that is unnecessary.
  The next steps, to remove from one group and add to another, would follow.
  Richard Mueller - MVP Directory Services

• Populate the EmployeeID attribute of a user, based on their security group membership in Active Directory

  Hey guys, I need to create a script that assigns a value to the EmployeeID of every user that is a member of a particular AD security group.
  For example, there are the following groups - Accounting_01, Accounting_02, Accounting_03. The script has to read what members there are in these groups and assign to the people of Accounting_01 an EmployeeID of 01, to the people of Accounting_02 an EmployeeID
  of 02, and to the people of Accounting_03 an EmployeeID of 03.
  I have a script that adds a user to a security group, based on the value of a certain attribute, but not the other way around. Have you written such a script? Thanks in advance

  I haven't tried the code, because I don't have AD cmdlets.
  But I see some discrepancies between the documentation and your code.
  Looking at http://technet.microsoft.com/en-us/library/hh852287.aspx (Set-ADUser cmdlet) we can read for the
  -Replace<Hashtable> parameter: ... Use this parameter
  to replace one or more values of a property that cannot be modified using a cmdlet parameter ...
  But the OP referred to EmployeeID, which is a Set-ADUser cmdlet parameter (look for -EmployeeID),
  thus, cannot be used with -Replace<Hashtable> parameter (as per the documentation).
  Also, the documentation states for this same
  -Replace<Hashtable> parameter: ... To modify
  an object property, you must use the LDAP display name ...
  And the LDAP display name for EmployeeID is employeeID, and not employeeid as in your code (although I'm
  not sure if LDAP display name
  is case sensitive).
  As you say your code works correctly, I
  suspect that you created a new property named employeeid, which is not the same referenced by the parameter
  -EmployeeID.
  The documentation merely says that it can be used to modify attributes that do not have their own parameter. If they were to include a parameter for every AD attribute the list would be huge. It doesn't imply that -replace cannot be used instead of the defined
  parameters.
  I must admit that I didn't realise that -EmployeeID could be used as I didn't consult the documentation before I wrote the code but I can confirm that using the method I posted the employeeID attribute was modified. It didn't create a second attribute with
  different letter casing.

• DirectAccess Installation Errors Involving Security Group

  So I've read that it's best practice to filter DirectAccess GPO Affects to a single Security group instead of the "All Commputers" Group in AD. So I've done this. I created a group called 'DirectAccess' and set that as the target. When I attempt
  to generate the GPO in the DirectAccess Wizard, I recieve this error:
  "Security Group MyDomain\DirectAccess cannot be found"
  "The Operation Failed. All of the Specified Security Groups are invalid."
  So it looks like the group is invisible to my Server? The only thing I can think of is my AD Structure is sitting on some 2008 R2 boxes and this server is 2012 R2 box. Is there a requirement for AD to be at 2012 Operational Level for DirectAccess to work
  in 2012 server R2?
  --Aaron

  Update: I had this closed a while ago. Microsoft was finally able to set it up in my environment. I will post the Closure email they sent me detailing the steps needed to successfully install DirectAccess:   **Note I have changed all my Server/AD
  information to match M$'s Contoso dummy domain
  Issue:
   Unable to configure Direct Access Server (DA_EDGE). Error: Security group CONTOSO\DirectAccess Clients cannot be found..
  Troubleshooting:
   We collected logs from the Direct Access server while configuring Direct Access.
  logman create trace ETWTrace -ow -o c:\ETWTrace.etl -p {AAD4C46D-56DE-4F98-BDA2-B5EAEBDD2B04} 0xffffffffffffffff 0xff -nb 16 16 -bs 1024 -mode 0x2 -max 2048 –ets
  logman update trace ETWTrace -p {62DFF3DA-7513-4FCA-BC73-25B111FBB1DB} 0xffffffffffffffff 0xff –ets
  Configured Direct Access
  logman stop ETWTrace -ets
   We could not find information which could give us clue about the cause of the issue. We found that it was not able to find the group.
  2464: 04: 2014-06-24 11:56:18.627 VERBOSE: Validating security group (CONTOSO\dagroup1) in the domain...
  2464: 04: 2014-06-24 11:56:18.707 NTE: Security group CONTOSO\dagroup1 cannot be found.
   We Collected Network Capture but could not find anything in LDAP Search Request Packet about the same.
   We found that DC has 2 NIC and both were getting Domain Profile.
   We removed the DMZ NIC and kept only NIC connected to LAN.
   We again tried to configure Direct Access however it still came up with error.
   We involved Directory Services team to take a look at the issue however in logs we were not able to find anything.
   We collected Process Monitor and got it analyzed by the on the Direct Access Server and found that we were not able to create GPO. However it does not give clue as to how its failing.
  11:58:51.6421023 PM RAMgmtUI.exe 1836 CreateFile
  \\DC.contoso.com\SysVol\contoso.com\Policies\{D937469B-6E34-4A7F-9405-F9F97DC200E0} NAME NOT FOUND Desired Access: Read Attributes, Read Control, Dis, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
  11:58:51.6446131 PM RAMgmtUI.exe 1836 CreateFile
  \\DC.contoso.com\SysVol\contoso.com\Policies\{D937469B-6E34-4A7F-9405-F9F97DC200E0} NAME NOT FOUND Desired Access: Read Control, Dis, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
  11:58:51.6472327 PM RAMgmtUI.exe 1836 CreateFile
  \\DC.contoso.com\SysVol\contoso.com\Policies\{D937469B-6E34-4A7F-9405-F9F97DC200E0} NAME NOT FOUND Desired Access: Read Data/List Directory, Synchronize, Dis, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete,
  AllocationSize: n/a
  11:58:51.6500318 PM RAMgmtUI.exe 1836 CreateFile
  \\DC.contoso.com\SysVol\contoso.com\Policies\{D937469B-6E34-4A7F-9405-F9F97DC200E0} NAME NOT FOUND Desired Access: Read Attributes, Delete, Synchronize, Dis, Options: Directory, Synchronous IO Non-Alert, Open Reparse Point, Attributes: n/a, ShareMode: Read,
  Write, Delete, AllocationSize: n/a
   We did research internally and decided to configure Direct Access with Domain Computers Security Group (Using PowerShell command) and change it from GPMC – DirectAccess Client Settings GPO to “Direct-Access-Clients” security group and updated
  Group Policy on Direct Access Server.
  Install-RemoteAccess -NoPrerequisite -Force -PassThru -ServerGpoName 'contoso.com\DirectAccess Server Settings' -ClientGpoName 'contoso.com\DirectAccess Client Settings' -DAInstallType 'FullInstall' -InternetInterface 'Internal' -InternalInterface 'Internal'
  -ConnectToAddress 'EDGE.contoso.com' -DeployNat -Verbose -ComputerName 'DA_EDGE.contoso.com'
   We Also configured Certificate Authentication, and Exception for “EDGE.contoso.com'” in NRPT ising poweshell.
  Add-DAClientDnsConfiguration -DnsSuffix 'EDGE.contoso.com' -Verbose -ComputerName 'DA_EDGE.contoso.com'
  Set-DAClient -Downlevel 'Enabled' -Verbose -ComputerName 'DA_EDGE.contoso.com'
   Once Direct Access got configured we were able to update GPO and connect client from outside.
   On Windows 7 client machine we found IP Helper Service disabled and after enabling the service we were able to connect on that as well.
  Resolution:
   We configured Direct Access with Domain Computers Security Group (using PowerShell command) and changed the security group from GPMC – DirectAccess Client Settings GPO to “Direct-Access-Clients” security group and updated Group Policy on Direct
  Access Server.
  Install-RemoteAccess -NoPrerequisite -Force -PassThru -ServerGpoName 'contoso.com\DirectAccess Server Settings' -ClientGpoName 'contoso.com\DirectAccess Client Settings' -DAInstallType 'FullInstall' -InternetInterface 'Internal' -InternalInterface 'Internal'
  -ConnectToAddress 'EDGE.contoso.com' -DeployNat -Verbose -ComputerName 'DA_EDGE.contoso.com'
  Commands for troubleshooting Direct Access Clients connectivity:
   To check client status:
  netsh dns show state
   To check effective NRPT on the client:
  netsh name show eff
   To Check status of IPHTPS Interface:
  netsh int http show int
   To Check status of Teredo Interface:
  netsh int teredo show state
   To Check Windows Firewall Profile on the client:
  netsh advf show cu
   To Check IPSec Main Mode Security Association:
  netsh advf mon show mmsa
   To Check IPSec Quick Mode Security Association:
  netsh advf mon show qmsa
  Related Articles:
  Manage DirectAccess Clients Remotely
  http://technet.microsoft.com/library/jj574200.aspx
  Remote Access
  http://technet.microsoft.com/en-US/network/dd420463
  Remote Access (DirectAccess, Routing and Remote Access) Overview
  http://technet.microsoft.com/en-us/library/hh831416
  Remote Access (DirectAccess) Prerequisites
  http://technet.microsoft.com/en-us/library/dn464273.aspx
  DirectAccess Offline Domain Join
  http://technet.microsoft.com/en-us/library/jj574150.aspx
  Plan the DirectAccess Infrastructure
  http://technet.microsoft.com/en-us/library/jj574101.aspx
  Configure the DirectAccess Server
  http://technet.microsoft.com/en-us/library/jj574180.aspx
  Configuring and Implementing DirectAccess with Windows Server 2012
  http://technet.microsoft.com/en-us/video/tdbe13-configuring-and-implementing-directaccess-with-windows-server-2012.aspx

• How to change mail-enabled security group to security group

  Hi,
  As a test I have configured on the properties page of a security group an email adres. By doing this converted a security group to a mail-enabled security group. Also this group has been transferd to Office 365. But after testing I want to make the distribution
  groups on the Exchange in Office 365. So I deleted the emaila dres of the security group, but it still synchronized to Office 365 as a mail-enabled security group. How can I change in AD the mail-enabled security group to a security group?
  Thanks in advance

  Hi StijnS,
  For the O365 question there are Office 365 technical forums available at
  http://community.office365.com/en-us/f/default.aspx.
  The related article:
  Office 365 Forum Assistant
  http://blogs.technet.com/b/neilhobson/archive/2011/09/20/office-365-forum-assistant.aspx
  Hope this helps.
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• How to associate more than one security group for UCM documents?

  When checking in a document we are only able to associate one security group to documents. In our case, a particular document can be seen by more than one group e.g a document can be seen bu both finance and marketing groups.
  How can we associate more than one group for documents?
  Our requirement is related to search. We want to display the documents to the end user based on the security group that is associated with the document. We are planning to use IDM and have all the groups/roles that are possible in the end site (also delivered by same ldap) available in UCM so that when checking in the documents we can associate desired groups who can see these documents.
  Regards,
  Pratap

  One thing before all, is that I suggest that you think through your security model before implementing it in UCM. You should ask yourself questions like :
  - Is security really based on department ?
  - Why two departments need to have access to the same category of document ?
  - Is it really security that I need or classification ? Is it a problem if Accouting have access to Finance or you just don't want Marketing documents in a finance related search ?
  - Maybe what you want is that finance guys to have access to marketing document.
  Without a clear business security model, it's hard to find a UCM security model as it is impossible to associate 2 security groups to one document.