Understanding LDAP Security Groups - Need assistance...
Hi,
Can someone walk me through a simple step-by-step outline of how to adjust LDAP security groups so that they work properly with report objects and folders? I've added a number of LDAP groups to our server and see the user accounts in them but am having difficulty understanding how to apply these groups to the right folders and have access behave correctly. As an example I have a couple groups where a few users are in LDAP under MKTDEPT and others are under SYSUSR. A few users are in both. I want to give MKTDEPT view rights to a folder whereas SYSUSR gets schedule rights. I'm having an issue with the Everyone group in that I have to set it to at least 'view' for anyone to see anything. This is even though the MKTDEPT and SYSUSER user security is set lower. So what's the best approach to get this to work right? Any steps or documents that could help me out would be terrific.
Thanks,
Dom
Dominic,
Most of the information you need is in the Administration Guide.
That said, here's how I would do it:
Let's say MKTDEPT has users A,B,C,D,E and SYSUSER has users B,C,D,H,J. Let's call the folder you want to assign rights to (rather unimaginatively) FolderA.
For FolderA, set the following rights.
Everyone Group --> No Access
MKTDEPT --> View
SYSUSER --> Schedule
The problem now is dealing with users that belong to both groups. For this, I would create a new (Enterprise) group called MKTSYS and add the common users to that group. This group would get Schedule rights to FolderA.
Also, as a practice, it is best to create Enterprise copies of your LDAP groups (especially since you have users that can belong to multiple LDAP groups). So, you would have
MKTDEPTENT which contains users in the MKTDEPT LDAP group.
SYSUSERENT which contains users in the SYSUSER LDAP group.
I would then add these groups to the list of groups with access to FolderA.
So, the list of groups with access to FolderA would be:
Everyone
MKTDEPTENT
SYSUSERENT
MKTSYS
and the rights would be:
Everyone Group --> No Access
MKTDEPTENT --> View
SYSUSERENT --> Schedule
MKTSYS --> Schedule
Please note that the Everyone Group does not need to have View access. That said, the Everyone Group does need to be in the access list for FolderA.
Also, while this method of replicating LDAP group structure in BO creates additional administrative work, I am of the opinion that it is a small price to pay to prevent unauthorized access.
Hope this helps,
Srinivas
Similar Messages
-
Create different network share shortcut in desktop for different security groups using GPO
Hi,
I have an OU named TECH that contains two different security groups ENG and PRESS.
When users in the ENG group log in, the desktop should show a network share \\server1\eng-share and
when users in the PRESS group log in, the desktop should show a network share \\server1\press-share.
How do I create a GPO for this?
regards, Faisal
You could use group policy preferences shortcuts. You would create a shortcut to each of these shares and then use Item Level Targeting. The target would point to the security group needed.
-
Hi,
While installing FIM, 5 security groups need to be created in Active Directory. Do these five groups need to be created exactly as mentioned in the FIM documents?
FIMSyncAdmins
FIMSyncOperators
FIMSyncJoiners
FIMSyncBrowse
FIMSyncPasswordSet
Can we add a prefix or suffix to the above group names to follow our naming convention,
like FIMGroup-FIMSyncAdmins-abc? Will it have an impact if we rename the 5 security groups before installing FIM?
Can we rename the security groups after installation and run the FIM setup again to replicate the new security groups?
Thanks
Harry
Hello Harry,
Of course you can rename these groups before installing FIM, with no impact.
And yes, you can rename them after installation: you MUST run the install again. Ensure that you back up the FIM encryption key before doing anything!
Regards,
Sylvain -
Need info regarding Oracle UCM Accounts and Security Groups behaviour
Need information regarding Oracle UCM Accounts and Security Groups behaviour.
Oracle UCM version: 11.1.1.5.0
Steps:
1. Log in with "weblogic" user and created a content with id "content1"
2. Applied "@acc1(R)" and "TestGroup1" to the content created in step 1
3. Log out
4. Log in as "acc1user1", the user is not able to see the "content1"
5. Log out
6. Log in as "role1user1", the user is not able to see the "content1"
Account and Group information:
1. User "acc1user1" is part of "@acc1(R)"
2. User "role1user1" is part of "role1(R)" and is mapped to "TestGroup1" in UCM
Expected:
Both "acc1user1" and "role1user1" should be able to see "content1" as they have at least Read permission.
Please help me understand why the users are not able to see the content.
ACLs, like Accounts, are optional security settings which may add on some extra functionality to mandatory security groups. Likewise, the resulting permission is taken as an intersection of SG and ACLs.
But in the second part the number of set of users is huge (approx say 600)
I don't get this completely. Does this mean that those "sets of users" (users who see the same data) are distinct and that there are 600 such groups?
If you read thoroughly the manual I sent earlier, there is a recommendation that there should be maximum 50 security groups, and you should use accounts, should this number be exceeded. This means you could have all the documents in one security group (and have one common role with Read permission), but combine it with accounts. ACLs are not a good choice here - their performance and manageability is much worse than of accounts. ACLs are primarily used if you expect security settings to change during the lifetime (e.g. a project manager adds temporarily rights to access an item to another user, and revokes it when the user finishes his or her work).
Note that accounts as well as permissions of users within accounts can also be mapped externally (from LDAP/AD) and it usually follows some kind of org chart.
I'd feel more comfortable not to speak about users, security groups, roles, etc., but about some real-life objects and scenarios. -
Script needed to query last logon for users within an AD security group
Hi all,
I'm looking for a vbscript that will query a specific AD security group, and export the following information into an Excel document:
1. Full name of the user.
2. A timestamp of the last logon for each user.
Any help would be great.
At the moment I'm using a batch script to attempt to query a few different security groups. Below is a line from the script:
dsquery group -samid <group name> | dsquery * -filter "&(objectClass=person)(ObjectCategory=user)" -attr cn lastLogonTimestamp
There are two issues with the command.
1. The results aren't being pulled from the security group specified.
2. The timestamp is in an unreadable format. I understand this needs to be converted?
The PowerShell option looks handy, but sadly the client's environment is Server 2003 based with no PowerShell option. -
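The lastLogonTimestamp value mentioned in the post above is a count of 100-nanosecond intervals since 1601-01-01 UTC. The following is an added example, not code from the thread: it converts saved dsquery output on any workstation that has PowerShell 3.0 or later. The sample rows, the assumed column layout and the function name are constructed for illustration, and it covers only the timestamp conversion, not the group-scoping issue.

```powershell
# Added example. The rows below are constructed; real input would be the saved
# output of the dsquery command (assumed layout: header row, then "cn  value").
$sample = @'
  cn                  lastLogonTimestamp
  Alice Example       130480000000000000
  Bob Example         130200000000000000
  Carol Example
'@ -split "`r?`n"

function Convert-DsqueryLogonRow {
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string]$Line,
        [DateTime]$Now = [DateTime]::UtcNow
    )
    # Skip blank lines and the header row.
    if ($Line -match '^\s*$' -or $Line -match '^\s*cn\s+lastLogonTimestamp\s*$') { return }

    # The cn may contain spaces, so only a trailing run of 17-19 digits is
    # treated as the timestamp. A row without one has no recorded logon.
    if ($Line -match '^\s*(?<cn>.+?)(\s+(?<ts>\d{17,19}))?\s*$') {
        $cn    = $Matches['cn']
        $ticks = 0L
        $last  = $null
        if ($Matches.ContainsKey('ts') -and [Int64]::TryParse($Matches['ts'], [ref]$ticks)) {
            # FILETIME: 100 ns intervals since 1601-01-01 00:00 UTC.
            $last = [DateTime]::FromFileTimeUtc($ticks)
        }
        [pscustomobject]@{
            Name         = $cn
            LastLogonUtc = $last
            DaysSince    = if ($last) { [int][math]::Floor(($Now - $last).TotalDays) } else { $null }
        }
    }
}

# lastLogonTimestamp is only refreshed when the stored value is older than the
# domain's logon time sync interval (14 days by default), so treat DaysSince
# as accurate to about two weeks, not to the day.
$sample |
    ForEach-Object { Convert-DsqueryLogonRow -Line $_ } |
    Sort-Object LastLogonUtc |
    Export-Csv -Path .\lastlogon.csv -NoTypeInformation
```

The resulting CSV opens directly in Excel; rows with an empty LastLogonUtc are accounts with no replicated logon value.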
I have two forest With Trust works Fine .
I have file server in ORG – A ( Forest ) with 2003 R2 Standard
I have a File server in ORG - B ( Forest ) With Windows server 2012 ( New Server for Migration )
I have 1000 + folders with each different permission sets on ORG-A. We are using Security groups for providing permission on the share Folders on ORG A
I need to Migrate all the folders from ORG – A to ORG – B.
I am looking for an automated method of creating Security Groups on AD during the Migration, Once the Migration is Done, I can add the required users to the security groups manually.
Example.
Folder 1 on ORG – A has Security Group Called SEC-FOLDER1-ORGA
I need an automated method of Copying the files to ORG – B and Creating a new security Groups on ORG –B Forest with the same permission on parent and child Folders. I shall Add the users manually to the Group.
Output Looks Like
Folder 1 on ORG – B has Permission called SEC-FOLDER1-ORGB ( New Security Group )
Also I need a summarized report of security Group Mapping, Example – Which security Group on ORGA is mapped with Security Group Of ORGB
Hi,
I think you can try ADMT to migrate your user group to target domain/forest first. Once user groups are migrated, you can use Robocopy to copy files with permission - that permission will continue to be recognized in new domain as you migrated already.
Migrate Universal Groups
http://technet.microsoft.com/en-us/library/cc974367(v=ws.10).aspx
-
HT201209 I need assistance with trying to figure out how to change my security code answer
I need assistance with trying to figure out how to change my security code answer
If you mean the answers to your security questions, then from http://support.apple.com/kb/HT5665 :
If you have three security questions and a rescue email address
sign in to My Apple ID and select the Password and Security tab to send an email to your rescue email address to reset your security questions and answers (the steps half-way down that page should give you a reset link)
If you have one security question and you know your Apple ID password
sign in to My Apple ID and select the Password and Security tab to reset your security question.
If you have one security question, but don't remember your Apple ID password
contact Apple Support for assistance. Learn more about creating a temporary support PIN to help Apple confirm your identity when you contact Apple Support.
If you can’t reset them via the above instructions (you won't be able to add a rescue email address until you can answer your questions) then you will need to contact iTunes Support / Apple in your country to get the questions reset.
Contacting Apple about account security : http://support.apple.com/kb/HT5699
When they've been reset (and if you don't already have a rescue email address) you can then use the steps half-way down this page to add a rescue email address for potential future use : http://support.apple.com/kb/HT5312 -
Help needed unravelling 2003 Server Security Groups
Hi I have just taken over managing a set of six domains for a care home network.
The domains have previously been managed by different people.
I am not overwhelmed by documentation but most of the AD structures are not that complex; so it’s easy enough to work it out.
There is one site where the admin was part way through a migration from Server 2003 to Server 2008 R2 where there is a little bit more of a challenge.
There are 54 Security Groups for 72 Users!
Most of them are organised in such a way that the membership of a Security Group is comprised of other Security Groups: so to find out who has rights to access what you often have to go through 3 different Security Groups before you get to see any users.
Before I can complete the data migration I need to unravel the Security Group structure and simplify it.
Does anyone have any suggestions as to how I can easily find details of membership and rights without manually searching through every Security Group? Ideally I’d like to be able to export this to a CSV file or Excel.
Cheers
Micky Mc
Hi Vivian
Due to the aforementioned time issues I only get to spend a couple of hours on site in this place and I didn’t want to install the programme remotely in case it was too much for the old 2003 Server.
The link to http://www.manageengine.com/products/ad-manager/active_directory_group_reports.html was a great tip and after a relatively short period of time I was able to get a nice spreadsheet showing me the intricacies of my crazy convoluted security groups. Now all I need to do is sit down with a highlighter pen and fathom it out!!!
Thanks very much for your help
Cheers
Micky Mc -
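For the nested-group situation described in the thread above, the following added example (not from the thread, and not the tool the poster used) walks every security group and writes one CSV row per user together with the chain of groups that leads to them. It assumes PowerShell 3.0 or later with the ActiveDirectory module and a domain controller that the module can reach; the function name and output file name are hypothetical. It reports membership only, not the rights granted on files or folders.

```powershell
# Added example: flatten nested security groups into a CSV for review.
Import-Module ActiveDirectory

function Get-NestedMembership {
    param(
        [Parameter(Mandatory)][string]$GroupDN,
        [string[]]$PathDNs   = @(),   # DNs of groups already walked (loop detection)
        [string[]]$PathNames = @()    # the same chain as readable names
    )
    $group = Get-ADGroup -Identity $GroupDN
    $names = $PathNames + $group.Name

    if ($PathDNs -contains $group.DistinguishedName) {
        # Group A contains B which contains A again: report it, stop descending.
        [pscustomobject]@{
            TopGroup = $names[0]; Via = ($names -join ' > ')
            Depth = $PathDNs.Count; Member = '(circular nesting)'; Class = 'loop'
        }
        return
    }
    $dns = $PathDNs + $group.DistinguishedName

    $members = @(Get-ADGroupMember -Identity $group)
    if ($members.Count -eq 0) {
        # Empty groups are worth seeing too: they are candidates for removal.
        [pscustomobject]@{
            TopGroup = $names[0]; Via = ($names -join ' > ')
            Depth = $dns.Count - 1; Member = '(no members)'; Class = 'empty'
        }
        return
    }

    foreach ($m in $members) {
        if ($m.objectClass -eq 'group') {
            # Descend into the nested group, carrying the path so far.
            Get-NestedMembership -GroupDN $m.distinguishedName -PathDNs $dns -PathNames $names
        } else {
            [pscustomobject]@{
                TopGroup = $names[0]            # group the access is granted to
                Via      = ($names -join ' > ') # chain of groups that confers it
                Depth    = $dns.Count - 1       # 0 = direct member
                Member   = $m.SamAccountName
                Class    = $m.objectClass
            }
        }
    }
}

Get-ADGroup -Filter 'GroupCategory -eq "Security"' |
    ForEach-Object { Get-NestedMembership -GroupDN $_.DistinguishedName } |
    Sort-Object TopGroup, Depth, Member |
    Export-Csv -Path .\security-group-membership.csv -NoTypeInformation
```

Sorting the CSV by Member shows every path through which a single user ends up in a group, which is the view needed before flattening the structure.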
How to change the values in custom profiles based on security group ??
Hi,
i am facing problem for my requirement, can anybody help me for below scenario...
i have custom check in profiles , there are content types and sub types. sub type nothing but a categories on for particular content type. For example i have News content type , same in the below subtypes drop down list are press release, events, articles etc.
what i want to do is, when i open custom checkin profile, subtype values need to be changed( some values in subtype should hide) based on security group changes .
In the Sub type listed values, some values need to hide only when i choose different security groups.. sub types values should display based on the particular security group only. when ever i change the security group, drop down Values in subtypes needs to change.
hope understand my requirement.
How to achieve this task. Any help would be greatly appreciated.
Thanks,
yt
Hi,
Thanks a lot. It's working fine.
Can we configure DCL Relation two times in one information filed ??? i should not create not more than fields to this requirement.
Type -> subtype = DCL already existed
Now, i want to Create DCL to
Subtype ---> Security group
As per my requirement, if i change the security group in checkin form, values should be change in the SubType drop down list.
Created checkin profile there was DCL relation to " Type and "Sub Type" . now i want to map Relation ( DCL ) for subtype to security group.
i was trying do for DCL for subtype and security group. but there was already existing DCL created for subtype information field (Relation configuration done for content type). even though i was trying to do for DCL in Security group information field. but, i could not find security group information field in configuration manager.
Now what should i do ?? how to create DCL to subtype and security group ??
Help would be appreciated.
yt -
LDAP security provider and web service authentication
Background: we are currently developing web services to our existing weblogic application. Our users can configure user/password authentication in one of three ways: database, LDAP, or SSO. Setting SSO aside, we need to implement the same authentication for database and LDAP that we use in our existing logon servlet in our web services. In our servlet we detect which they are configured for and, if database, authenticate the encrypted password to a database table we have for user id/password. If LDAP we use weblogic.servlet.security.ServletAuthentication and the weak() method to authenticate.
We've to use SOAP headers to communicate username/password from the client to the web service. We want to code a SOAP message handler to grab the username/password and do the authentication there. We've successfully put something together that handles the database authentication no problem and are now struggling with how to handle the LDAP authentication. We distribute a LDAP security provider we've coded for LDAP authentication. I guess what I am looking for is an equivalent functionality provided with weblogic.servlet.security.ServletAuthentication. Note that I realize the weblogic.servlet.security package has been deprecated starting with Weblogic 9.0 but cannot find what functionality replaces it. Any help there would be appreciated as well.
Note that I am fairly new to web service development (about 10 months now) and definitely new to web service security and Weblogic security. I tried digging into the volumes of documentation out there regarding these two topics but am simply having a difficult time sorting it all out and figuring out how to do what I want to do.
Thanks in advance!
Julia
Hi,
Add Provider (LDAP Credentials) in Admin console Security Realm --> defaultrealm --> Providers. Configuring LDAP in the Admin Console will enable the Admin Server to connect to LDAP. All the LDAP preconfigured Users/Groups will be available in the Users and Groups tab of Security Realms > defaultrealm > Users and Groups. Add Roles using Security Realms > defaultrealm > Roles and Policies > Global Roles > Roles. Add Role Conditions to the role by specifying users/groups configured in LDAP. If your web service runs with SSL, annotate the web service file something like this below.
import weblogic.jws.Policy;
import weblogic.jws.security.RolesAllowed;
import weblogic.jws.security.SecurityRole;
// "test" must be a role already defined in the security realm
@RolesAllowed({
@SecurityRole(role="test")
})
@Policy(
uri="policy:Wssp1.2-2007-Https-UsernameToken-Plain.xml",
attachToWsdl=true)
Here the role is a preconfigured role in the Admin Console. Add the following tag in the soapenv:header.
<soapenv:Header>
<wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:UsernameToken>
<wsse:Username>test</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</soapenv:Header> -
How to move members of a certain OU from one security group to distribution group?
Looking for a powershell script that could move members from a certain OU that are members of a certain security group to a distribution group. Anyone point me in the right direction?
It is easy to determine the members of a group. My concern is that once you know the users, it can be tricky to determine their parent OU in a script. There are ways to parse the user distinguishedName, but some are unreliable (the names of OU's, and even
DC components, can include commas, for example). The most reliable method would be to bind to the user object with the [ADSI] accelerator and invoke the Parent method, but even then you must parse the result since it will be an ADsPath rather than a DN.
My approach would be to use Get-ADUser to find all users in a specified OU that are direct members of a specified group. Even here I assume you are only concerned with users (not contacts or groups or computers). I also must assume that no users have the
group specified as their "primary" group. The code I would suggest to retrieve all users in an OU that are members of a group:
Get-ADUser -SearchBase "ou=Sales,ou=West,dc=MyDomain,dc=com" -LDAPFilter "(memberOf=cn=MyGroup,ou=West,dc=MyDomain,dc=com)"
This does not find users in the OU that are members of the group due to group nesting. However, if that matters, it can be handled using another LDAP syntax filter. In that case use:
Get-ADUser -SearchBase "ou=Sales,ou=West,dc=MyDomain,dc=com" -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=cn=MyGroup,ou=West,dc=MyDomain,dc=com)"
The "1.2.840.113556.1.4.1941" part is a special chain matching rule that results in a recursive match to handle group nesting. You can also devise a filter to include membership as the "primary" group. You could even use Get-ADObject
instead of Get-ADUser if you need to include contacts (or computers or groups), but I assume that is unnecessary.
The next steps, to remove from one group and add to another, would follow.
Richard Mueller - MVP Directory Services -
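The remaining steps from the answer above, as an added example that is not part of the original post. It reuses the OU and group DNs from the post; the distribution group DN, the `$DryRun` switch and the helper function are hypothetical. It assumes PowerShell 3.0 or later with the ActiveDirectory module and that the distribution group is an ordinary AD group object.

```powershell
# Added example: add first, remove second, and only remove direct members.
Import-Module ActiveDirectory

$SearchBase  = 'ou=Sales,ou=West,dc=MyDomain,dc=com'       # OU from the post
$SourceGroup = 'cn=MyGroup,ou=West,dc=MyDomain,dc=com'     # security group from the post
$TargetGroup = 'cn=MyDistList,ou=West,dc=MyDomain,dc=com'  # hypothetical distribution group
$DryRun      = $true   # $true only prints what would change; set $false to apply

function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    # RFC 4515 escaping so a DN containing ( ) * or \ cannot alter the filter.
    # The backslash has to be replaced first.
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').
           Replace(')', '\29').Replace([string][char]0, '\00')
}

$src = ConvertTo-LdapFilterValue $SourceGroup
$dst = ConvertTo-LdapFilterValue $TargetGroup

# Direct members in the OU: the only ones Remove-ADGroupMember can take out.
$direct = @(Get-ADUser -SearchBase $SearchBase -LDAPFilter "(memberOf=$src)")

# Direct plus nested members, using the chain matching rule from the post.
$effective = @(Get-ADUser -SearchBase $SearchBase `
    -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$src)")

# Users already in the target group are skipped so the add does not fail.
$already = @(Get-ADUser -SearchBase $SearchBase -LDAPFilter "(memberOf=$dst)")
$toAdd   = @($effective | Where-Object {
    $already.DistinguishedName -notcontains $_.DistinguishedName })

# Add before removing, and stop on error, so nobody ends up in neither group.
if ($toAdd.Count -gt 0) {
    Add-ADGroupMember -Identity $TargetGroup -Members $toAdd `
        -ErrorAction Stop -WhatIf:$DryRun
}
if ($direct.Count -gt 0) {
    Remove-ADGroupMember -Identity $SourceGroup -Members $direct `
        -Confirm:$false -ErrorAction Stop -WhatIf:$DryRun
}

# Nested-only users still hold the security group's access through an
# intermediate group; list them so that group can be reviewed separately.
$effective |
    Where-Object { $direct.DistinguishedName -notcontains $_.DistinguishedName } |
    Select-Object SamAccountName, DistinguishedName
```

As the post notes, users who have the security group as their primary group are not returned by either filter.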
Hey guys, I need to create a script that assigns a value to the EmployeeID of every user that is a member of a particular AD security group.
For example, there are the following groups - Accounting_01, Accounting_02, Accounting_03. The script has to read what members there are in these groups and assign to the people of Accounting_01 an EmployeeID of 01, to the people of Accounting_02 an EmployeeID of 02, and to the people of Accounting_03 an EmployeeID of 03.
I have a script that adds a user to a security group, based on the value of a certain attribute, but not the other way around. Have you written such a script? Thanks in advance
I haven't tried the code, because I don't have AD cmdlets.
But I see some discrepancies between the documentation and your code.
Looking at http://technet.microsoft.com/en-us/library/hh852287.aspx (Set-ADUser cmdlet) we can read for the -Replace<Hashtable> parameter: ... Use this parameter to replace one or more values of a property that cannot be modified using a cmdlet parameter ...
But the OP referred to EmployeeID, which is a Set-ADUser cmdlet parameter (look for -EmployeeID), thus, cannot be used with -Replace<Hashtable> parameter (as per the documentation).
Also, the documentation states for this same -Replace<Hashtable> parameter: ... To modify an object property, you must use the LDAP display name ...
And the LDAP display name for EmployeeID is employeeID, and not employeeid as in your code (although I'm not sure if LDAP display name is case sensitive).
As you say your code works correctly, I suspect that you created a new property named employeeid, which is not the same referenced by the parameter -EmployeeID.
The documentation merely says that it can be used to modify attributes that do not have their own parameter. If they were to include a parameter for every AD attribute the list would be huge. It doesn't imply that -replace cannot be used instead of the defined parameters.
I must admit that I didn't realise that -EmployeeID could be used as I didn't consult the documentation before I wrote the code but I can confirm that using the method I posted the employeeID attribute was modified. It didn't create a second attribute with different letter casing. -
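One way to implement the request in the thread above, as an added example rather than the code the posters discussed (that code is not on this page). It assumes PowerShell 3.0 or later with the ActiveDirectory module and the Accounting_NN naming from the question; the `$DryRun` switch is hypothetical.

```powershell
# Added example: derive EmployeeID from the Accounting_NN group suffix.
Import-Module ActiveDirectory

$DryRun = $true   # $true only prints what would change; set $false to apply

# Collect, per user DN, every ID implied by that user's group memberships.
$assignments = @{}
foreach ($g in Get-ADGroup -Filter 'Name -like "Accounting_*"') {
    # Only accept names of the exact form Accounting_<digits>.
    if ($g.Name -notmatch '^Accounting_(?<id>\d+)$') { continue }
    $id = $Matches['id']

    foreach ($m in Get-ADGroupMember -Identity $g |
                   Where-Object { $_.objectClass -eq 'user' }) {
        if (-not $assignments.ContainsKey($m.distinguishedName)) {
            $assignments[$m.distinguishedName] = @()
        }
        $assignments[$m.distinguishedName] += $id
    }
}

foreach ($dn in $assignments.Keys) {
    $ids = @($assignments[$dn] | Sort-Object -Unique)

    # A user in two Accounting groups has no single correct ID: skip and
    # report instead of letting the last group processed win silently.
    if ($ids.Count -gt 1) {
        Write-Warning "Skipping $dn : member of several groups ($($ids -join ', '))"
        continue
    }

    # -EmployeeID is the dedicated Set-ADUser parameter for this attribute.
    Set-ADUser -Identity $dn -EmployeeID $ids[0] -WhatIf:$DryRun

    # The -Replace form discussed in the thread writes the same attribute;
    # LDAP attribute names are matched case-insensitively:
    # Set-ADUser -Identity $dn -Replace @{ employeeID = $ids[0] } -WhatIf:$DryRun
}
```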
DirectAccess Installation Errors Involving Security Group
So I've read that it's best practice to filter DirectAccess GPO Affects to a single Security group instead of the "All Computers" Group in AD. So I've done this. I created a group called 'DirectAccess' and set that as the target. When I attempt to generate the GPO in the DirectAccess Wizard, I receive this error:
"Security Group MyDomain\DirectAccess cannot be found"
"The Operation Failed. All of the Specified Security Groups are invalid."
So it looks like the group is invisible to my Server? The only thing I can think of is my AD Structure is sitting on some 2008 R2 boxes and this server is 2012 R2 box. Is there a requirement for AD to be at 2012 Operational Level for DirectAccess to work in 2012 server R2?
--Aaron
Update: I had this closed a while ago. Microsoft was finally able to set it up in my environment. I will post the Closure email they sent me detailing the steps needed to successfully install DirectAccess: **Note I have changed all my Server/AD information to match M$'s Contoso dummy domain
Issue:
Unable to configure Direct Access Server (DA_EDGE). Error: Security group CONTOSO\DirectAccess Clients cannot be found..
Troubleshooting:
We collected logs from the Direct Access server while configuring Direct Access.
logman create trace ETWTrace -ow -o c:\ETWTrace.etl -p {AAD4C46D-56DE-4F98-BDA2-B5EAEBDD2B04} 0xffffffffffffffff 0xff -nb 16 16 -bs 1024 -mode 0x2 -max 2048 -ets
logman update trace ETWTrace -p {62DFF3DA-7513-4FCA-BC73-25B111FBB1DB} 0xffffffffffffffff 0xff -ets
Configured Direct Access
logman stop ETWTrace -ets
We could not find information which could give us clue about the cause of the issue. We found that it was not able to find the group.
2464: 04: 2014-06-24 11:56:18.627 VERBOSE: Validating security group (CONTOSO\dagroup1) in the domain...
2464: 04: 2014-06-24 11:56:18.707 NTE: Security group CONTOSO\dagroup1 cannot be found.
We Collected Network Capture but could not find anything in LDAP Search Request Packet about the same.
We found that DC has 2 NIC and both were getting Domain Profile.
We removed the DMZ NIC and kept only NIC connected to LAN.
We again tried to configure Direct Access however it still came up with error.
We involved Directory Services team to take a look at the issue however in logs we were not able to find anything.
We collected Process Monitor and got it analyzed by the on the Direct Access Server and found that we were not able to create GPO. However it does not give clue as to how its failing.
11:58:51.6421023 PM RAMgmtUI.exe 1836 CreateFile
\\DC.contoso.com\SysVol\contoso.com\Policies\{D937469B-6E34-4A7F-9405-F9F97DC200E0} NAME NOT FOUND Desired Access: Read Attributes, Read Control, Dis, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
11:58:51.6446131 PM RAMgmtUI.exe 1836 CreateFile
\\DC.contoso.com\SysVol\contoso.com\Policies\{D937469B-6E34-4A7F-9405-F9F97DC200E0} NAME NOT FOUND Desired Access: Read Control, Dis, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
11:58:51.6472327 PM RAMgmtUI.exe 1836 CreateFile
\\DC.contoso.com\SysVol\contoso.com\Policies\{D937469B-6E34-4A7F-9405-F9F97DC200E0} NAME NOT FOUND Desired Access: Read Data/List Directory, Synchronize, Dis, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete,
AllocationSize: n/a
11:58:51.6500318 PM RAMgmtUI.exe 1836 CreateFile
\\DC.contoso.com\SysVol\contoso.com\Policies\{D937469B-6E34-4A7F-9405-F9F97DC200E0} NAME NOT FOUND Desired Access: Read Attributes, Delete, Synchronize, Dis, Options: Directory, Synchronous IO Non-Alert, Open Reparse Point, Attributes: n/a, ShareMode: Read,
Write, Delete, AllocationSize: n/a
We did research internally and decided to configure Direct Access with Domain Computers Security Group (Using PowerShell command) and change it from GPMC – DirectAccess Client Settings GPO to “Direct-Access-Clients” security group and updated Group Policy on Direct Access Server.
Install-RemoteAccess -NoPrerequisite -Force -PassThru -ServerGpoName 'contoso.com\DirectAccess Server Settings' -ClientGpoName 'contoso.com\DirectAccess Client Settings' -DAInstallType 'FullInstall' -InternetInterface 'Internal' -InternalInterface 'Internal' -ConnectToAddress 'EDGE.contoso.com' -DeployNat -Verbose -ComputerName 'DA_EDGE.contoso.com'
We also configured Certificate Authentication, and an exception for “EDGE.contoso.com” in NRPT using PowerShell.
Add-DAClientDnsConfiguration -DnsSuffix 'EDGE.contoso.com' -Verbose -ComputerName 'DA_EDGE.contoso.com'
Set-DAClient -Downlevel 'Enabled' -Verbose -ComputerName 'DA_EDGE.contoso.com'
Once Direct Access got configured we were able to update GPO and connect client from outside.
On Windows 7 client machine we found IP Helper Service disabled and after enabling the service we were able to connect on that as well.
Resolution:
We configured Direct Access with Domain Computers Security Group (using PowerShell command) and changed the security group from GPMC – DirectAccess Client Settings GPO to “Direct-Access-Clients” security group and updated Group Policy on Direct Access Server.
Install-RemoteAccess -NoPrerequisite -Force -PassThru -ServerGpoName 'contoso.com\DirectAccess Server Settings' -ClientGpoName 'contoso.com\DirectAccess Client Settings' -DAInstallType 'FullInstall' -InternetInterface 'Internal' -InternalInterface 'Internal' -ConnectToAddress 'EDGE.contoso.com' -DeployNat -Verbose -ComputerName 'DA_EDGE.contoso.com'
Commands for troubleshooting Direct Access Clients connectivity:
To check client status:
netsh dns show state
To check effective NRPT on the client:
netsh name show eff
To Check status of IP-HTTPS Interface:
netsh int http show int
To Check status of Teredo Interface:
netsh int teredo show state
To Check Windows Firewall Profile on the client:
netsh advf show cu
To Check IPSec Main Mode Security Association:
netsh advf mon show mmsa
To Check IPSec Quick Mode Security Association:
netsh advf mon show qmsa
-
How to change mail-enabled security group to security group
Hi,
As a test I have configured an email address on the properties page of a security group. By doing this I converted a security group to a mail-enabled security group. Also this group has been transferred to Office 365. But after testing I want to make the distribution groups on the Exchange in Office 365. So I deleted the email address of the security group, but it still synchronized to Office 365 as a mail-enabled security group. How can I change in AD the mail-enabled security group to a security group?
Thanks in advance
Hi StijnS,
For the O365 question there are Office 365 technical forums available at
http://community.office365.com/en-us/f/default.aspx.
The related article:
Office 365 Forum Assistant
http://blogs.technet.com/b/neilhobson/archive/2011/09/20/office-365-forum-assistant.aspx
Hope this helps.
-
How to associate more than one security group for UCM documents?
When checking in a document we are only able to associate one security group to documents. In our case, a particular document can be seen by more than one group e.g. a document can be seen by both finance and marketing groups.
How can we associate more than one group for documents?
Our requirement is related to search. We want to display the documents to the end user based on the security group that is associated with the document. We are planning to use IDM and have all the groups/roles that are possible in the end site (also delivered by same ldap) available in UCM so that when checking in the documents we can associate desired groups who can see these documents.
Regards,
Pratap
One thing before all, is that I suggest that you think through your security model before implementing it in UCM. You should ask yourself questions like :
- Is security really based on department ?
- Why two departments need to have access to the same category of document ?
- Is it really security that I need or classification ? Is it a problem if Accounting have access to Finance or you just don't want Marketing documents in a finance related search ?
- Maybe what you want is that finance guys to have access to marketing document.
Without a clear business security model, it's hard to find a UCM security model as it is impossible to associate 2 security groups to one document.