User Group Membership change Alert

As a system administrator, I would like to be alerted when a user's group membership has changed on the domain. Can Spiceworks compare the imported memberships in its database with AD and alert me when they do not match? Below is an image of the information that SW imports which could be used for this comparison.
This topic first appeared in the Spiceworks Community

Assuming you know the dn of the groups to remove the person from and add them to, and the dn of the person to move, you should be able to do something similar to:
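import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.*;

Attributes attrs = new BasicAttributes(true); // true = ignore case of attribute IDs
Attribute uniquemember = new BasicAttribute("uniquemember");
uniquemember.add("uid=user,o=domain.com"); // add the DN of the user to move to the attribute
attrs.put(uniquemember);
Hashtable<String, String> env = new Hashtable<>();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, "ldap://ldap.example.com:389"); // placeholder: your LDAP server
DirContext ctx = null;
try {
     ctx = new InitialDirContext(env); // connect to your LDAP dir
     // Two separate LDAP modify operations, not one atomic move
     ctx.modifyAttributes(groupToRemoveFromDN, DirContext.REMOVE_ATTRIBUTE, attrs);
     ctx.modifyAttributes(groupToAddToDN, DirContext.ADD_ATTRIBUTE, attrs);
} catch (NamingException ne) {
     // return error appropriately
}
try {
     if (ctx != null) {
          ctx.close();
     }
} catch (NamingException ne) {
     // do what you want with error
}
You also might want to check out the JNDI tutorial at http://java.sun.com/products/jndi/tutorial/index.html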
--Nicole
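
The comparison asked about at the top of this thread (stored memberships versus what the directory holds now) can be done by diffing two exports of the groups' uniquemember values. The Python below is an added example, not code from the original posts or from Spiceworks; the LDIF samples, the group names and the WATCHED_GROUPS list are constructed for illustration, and lower-casing DNs assumes case-insensitive naming attributes such as uid, cn and o.

```python
import base64
import re

# Constructed sample data: two LDIF exports of the same two groups taken at
# different times. All names and DNs are invented for this example.
BASELINE_LDIF = """\
dn: cn=standard-users,ou=groups,o=domain.com
objectClass: groupOfUniqueNames
uniquemember: uid=user,o=domain.com
uniquemember: uid=alice,o=domain.com

dn: cn=power-users,ou=groups,o=domain.com
objectClass: groupOfUniqueNames
uniquemember: uid=bob,o=domain.com
"""

CURRENT_LDIF = """\
dn: cn=standard-users,ou=groups,o=domain.com
objectClass: groupOfUniqueNames
uniqueMember: UID=Alice, O=domain.com

dn: cn=power-users,ou=groups,o=domain.com
objectClass: groupOfUniqueNames
uniquemember: uid=bob,o=domain.com
uniquemember: uid=user,
 o=domain.com
uniquemember: uid=carol,o=domain.com
"""

# Assumption: groups whose new members deserve a high-severity alert.
WATCHED_GROUPS = {"cn=power-users,ou=groups,o=domain.com"}


def normalize_dn(dn):
    """Canonical form for comparison: lower-case, no spaces around ',' or '='.

    Without this, 'UID=Alice, O=domain.com' and 'uid=alice,o=domain.com'
    would be reported as a removal plus an addition of the same account.
    """
    parts = []
    for rdn in re.split(r"(?<!\\),", dn):  # split on commas that are not escaped
        attr, _, value = rdn.partition("=")
        parts.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(parts)


def parse_groups(ldif):
    """Return {group_dn: set(member_dn)} from LDIF text (RFC 2849 subset)."""
    text = ldif.replace("\r\n", "\n")
    text = re.sub(r"\n ", "", text)  # unfold continuation lines
    groups = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, members = None, set()
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            key, _, rest = line.partition(":")
            if rest.startswith(":"):  # 'attr:: <base64>' for non-ASCII values
                value = base64.b64decode(rest[1:].strip()).decode("utf-8")
            else:
                value = rest.strip()
            key = key.strip().lower()
            if key == "dn":
                dn = normalize_dn(value)
            elif key == "uniquemember":
                members.add(normalize_dn(value))
        if dn:
            groups[dn] = members
    return groups


def diff_memberships(baseline, current):
    """List (action, group, member) tuples describing every change."""
    events = []
    for group in sorted(set(baseline) | set(current)):
        before = baseline.get(group, set())
        after = current.get(group, set())
        events += [("added", group, m) for m in sorted(after - before)]
        events += [("removed", group, m) for m in sorted(before - after)]
    return events


def find_moves(events):
    """Members removed from one group and added to another in the same diff."""
    added, removed = {}, {}
    for action, group, member in events:
        bucket = added if action == "added" else removed
        bucket.setdefault(member, []).append(group)
    return {m: (removed[m], added[m]) for m in added if m in removed}


def build_alerts(baseline_ldif, current_ldif, watched=WATCHED_GROUPS):
    """One alert line per change; additions to watched groups are HIGH."""
    events = diff_memberships(parse_groups(baseline_ldif),
                              parse_groups(current_ldif))
    alerts = []
    for action, group, member in events:
        severity = "HIGH" if action == "added" and group in watched else "INFO"
        alerts.append(f"[{severity}] {member} {action}: {group}")
    return alerts


if __name__ == "__main__":
    for line in build_alerts(BASELINE_LDIF, CURRENT_LDIF):
        print(line)
```

Run on a schedule against a stored baseline export, the same functions report only real changes, since differences in DN case, spacing and line folding are normalized away before the comparison.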

Similar Messages

  • Policies assigned to groups - membership changes not working

    I have a single ZESM IR8 server setup.
    All security throughout my environment, ZESM and otherwise, is based on group membership.
    If I change a user from one group to another group this change does not reflect in their policy assignment.
    Scenario: GroupA = standard user policy, GroupB = power user policy.
    UserA was first in Group A and therefore got the standard user policy.
    UserA now requires the power user policy.
    Remove UserA from GroupA and add UserA to GroupB (in iManager).
    UserA does NOT get the "power user" policy that is assigned to GroupB
    Am aware that I can assign the policy at a user level but this is NOT an option in my environment. All security assignments MUST happen at a group level.

    What you observed is the expected behavior.
    ZESM doesn't update group membership in real time once a policy has been published. I've described this behavior in previous posts.
    What the MC does behind the scenes when you click "Publish" on a container or group object is to assign the policy individually to each member/user. For groups, it resolves membership at the time the policy is published then the MC iterates among each member assigning the policy to each of them. That's why you don't see updates once the policy is published.
    Try Updating the published policy to see if that works. From the docs:
    Updating a Published Policy
    Once a policy has been published to the user(s) or computer(s), simple updates can be maintained by editing the components in a policy, and re-publishing. For example, if the ZENworks Endpoint Security Management Administrator needs to change the WEP key for an access point, the administrator only needs to edit the key, save the policy, and click Publish. The affected end-users and computers receive the updated policy (and the new key) at their next check-in.
    >>>
    From: laurabuckley
    To: novell.support.zenworks.endpoint-security-management
    Date: 12/15/2009 7:16 AM
    Subject: Policies assigned to groups - membership changes not working
    laurabuckley
    laurabuckley's Profile: http://forums.novell.com/member.php?userid=122
    View this thread: http://forums.novell.com/showthread.php?t=395870

  • SAP Query, user groups, revoking 'change' rights

    Hi,
    I have a problem regarding SAP Queries and revoking the change rights. This is what I have done:
    1. Created the new user group in SQ03
    2. Created the new InfoSet (SQ02), assigned it to the above UG (SQ03)
    3. Created the new user, assigned it to the UG in SQ03 and removed the Change checkbox (revoke change rights)
    4. Logged on as the new user
    5. Started SQ01, switched user group to the new one
    6. Created the new SAP query based on the new InfoSet, run the query
    As I understand the principles of user groups and queries, I wasn't supposed to be allowed to do the step 6 as the new user, as it was revoked the change rights. Why wasn't I stopped?
    I searched for reply in previous posts - everybody agrees on principles, but I didn't find explanation on why it doesn't work.
    Thanks in advance!
    KR,
    Igor

    The table AQGDBBN seems to display a mapping of User Group with user indeed but the results are less than the actual assignment. And the mapping does not have the Z query usergroups that have users assigned in SQ03.
    Anything that I may be missing?
    Thanks,
    Kashif

  • Extracting user group membership to a spreadsheet - tip?

    Hello,
    This is a tip that works for me.
    Sometimes I need to extract the Group Membership names for a user or users.
    What I do is have PTSpy running when I find their name from an administrative search. Clicking on the user name opens up the EDIT USER page where you can see the users groups.
    At this point look in PTSpy for the line:
    Create query: '/* QUERY_DYNAMIC_USERGROUPS:ANSI */ SELECT DISTINCT(a.ObjectID), a.Name, a.IsLocalized      FROM PTUSERGROUPS a, PTUSERLINKS b      WHERE a.ObjectID=b.GroupID           AND b.UserID=?           AND (b.ISSTATIC=? AND b.ISDYNAMIC=?) ORDER BY a.ObjectID DESC'
    followed by 3 lines:
    setInt, index: 0, value: 0001. <--user ID
    setInt, index: 0, value: 1. <--Static Group Membership
    setInt, index: 0, value: 0. <--Dynamic
    Copy and drop that into SQL Query Analyser, plug in the value provided and save it to a spreadsheet or just copy and paste it.
    If you want to find dynamic groups - there is a similar query in the PTSpy log - look for the /*QUERY_DYNAMIC_USERGROUPS:ANSI in the PTSpy log
    If anyone has anything else to add - please do!
    Thanks,
    V
    Computers are like Old Testament gods; lots of rules and no mercy. ~Joseph Campbell

    Hi,
    To identify members of a local group by using a command line, refer to:
    1. Open Command Prompt.
    2. To list members of a group, type: net localgroup "groupname"
    Note: You must include the quotation marks.
    For example, export the members of the local group Administrators to a text file named group.txt, refer to:
    net localgroup “Administrators” > C:\group.txt
    You can also write a script as you want.
    Best Regards,
    Nina Liu
    TechNet Subscriber Support in forum

    Thanks this does seem to work. It does seem that just copying the command does not work because of the quotes, and that you have to manually type the quotation marks into the command prompt, I'm thinking they are picked up as a different character when you copy paste from a html page or other document.

  • Power Users group membership

    Hello.
    When debugging App-V virtualized application (java one), I found that if user is a member of "Power Users" its VFS is written to folder APPV_ROOTS instead of APPV_ROOT, and this user at same time lacks permissions to write to this folder. That causes application to crash with IO exception.
    Why this happens and how to fix that?

    Now this is coming back to me.  This actually came up in one of Tim Mangan's classes.  If you look at the AppV5SP2 Application Publishing and Client Interaction white paper it says:
    "The S signifies the restricted location when the virtual service requests the change as a different elevated user from the logged on users. The non-S location stores user based changes."
    My theory is the App-V 5 client doesn't distinguish from the logged on user who has elevated privileges and a different user with elevated privileges.  See this example as further evidence.
    Using Tim's AppV Personalization tool to track the whole COW stuff, here are 2 screenshots, the first of an admin, the second of a standard user (not power user, just user)
    ADMIN
    A key written inside the VE to HKLM actually went to a COW location in  HKLM.  The filewrite to the PVAD location went to APPV_ROOTS
    USER
    In the same test repeated with a non admin user, the registry write went to the HKCU COW location, and to APPV_ROOT.
    I couldn't convince my group here to put in a MS ticket for this as it doesn't affect us currently, but to be honest I'm surprised more people aren't having issues with this.  This issue would also mean users with admin rights can't roam writes to HKLM properly in a VDI scenario.
    If I had to guess Power Users makes the client believe it is an elevated request, but the DIR requires admin rights to write to.  If you inspect the permissions on the APPV_ROOTS folder you may be able to confirm that.
    The short answer for you would probably be to update the package to HF4 with VFS write enabled and see if that resolves your issue.  If you can, a call to MS would be a good option also.

  • Custom Install of Acrobat, how to enable / disable Office plugin based on User group membership

    Hi,
    Just configuring Adobe Acrobat X (10.1.5) on Citrix Xenapp 6.5 (Win 2k8 R2)
    I've set up a custom install and have already removed the context menus and a few other bits and bobs.
    I wondered if it was possible to essentially add the Office plugins in but only for certain users.
    I've removed the plugins successfully by turning off the 5 / 6 features (IE, office , outlook etc)
    Now I just wondered what files / registry entries I could create on login (using Group policy preferences etc) which will add the plugins back in.
    Thanks
    Chris

    okay no replies yet but I've just removed the office / IE features for now, adding the context menu items in for specific users is working good enough at the moment. if anyone does know how to do this just reply to this at any point i'll pick the mail up.
    thanks

  • Transformer tags and checking user group memberships

    Is the command "stringToACLGroup ('group=203;').isMember($currentuser)" in the code below, doing a Database lookup or getting it from a cached value? Is this the server API or an RPC call?
    <pt:when pt:test="stringToACLGroup ('group=203;').isMember($currentuser)" xmlns:pt='http://www.plumtree.com/xmlschemas/ptui/'> Welcome corp user!<br> ... Home Office content... </pt:when>
    Thanks.
    Vanita
    Staples

    On the machine that is having this issue, run this command:
    RSOP.msc
    When the results come up, browse to this path:
    Computer Configuration->Windows Settings->Security Settings->Restricted Groups
    Do you have a listing for "Remote Desktop Users"
    I suspect what you have going on is a GPO that is applying explicit members of that group.  That would remove anyone that you specify every 15 minutes.
    - If you have found my post to be helpful, or the answer, please mark it appropriately.  Thank you.
    Chris Ream

  • My user group photo changed without my authorization

    I went to log onto my computer and noticed that the photo of myself which comes up on the screen when I type my password in had changed to a picture of an animal.  How did this happen without my authorisation?

    Someone may have access to your MBP.  I suggest that you change your password.
    Ciao.

  • Invoke an adapter on change of User's Group Membership details

    Hi
    I need to invoke an adapter on change of User’s Group Membership details. I am not able to figure out from where I can invoke my adapter.
    Does anyone have any idea about this?
    -- Another Question: what is the purpose of having “tcUSRautoGroupMembership” in User’s Object Form on Post Update. It would be nice if you give some details about this task.
    -Hardew

    Thanks for quick response.
    What you have mentioned, is applicable for a specific value of a user’s OIM Profile field; that means it will be triggered only if a user has specified value i.e. "blah blah" for that field i.e. fieldA.
    However my scenario is slightly different. Let me explain my scenario by example:-
    I have N numbers of OIM groups i.e. g1, g2, g3, g4……, gn and a user called myUser. This user is a member of two groups’ g1 and g2, now if I make myUser to member of one more group i.e. g3 or remove i.e. g1; then I want to perform a custom task using adapter on this Group Membership change.
    Is there any “Data Object Form” where I can associate my adapter on post-update to detect change of User’s Group Membership?
    _hardew

  • User Unable to RDP in Win 2008R2 Due to Multiple Group Membership But Can RDP in Win 2003 Server

    We have built a new application server with Windows 2008R2 where set of users are local admin (application owners) and we have same kind of application server in Windows 2003 SP2 with same users as local admin.
    Now in Windows 2008R2 servers these local admins are unable to RDP and get ACCESS DENIED whenever user tries to login but can login successfully in 2003 server.
    Now, strange case is, I found these admin users group membership with more than 600 groups and they are able to login win 2008 server as well if I remove their group membership to a minimum level say around 300.
    This is so confusing for me as user can login in WIn 2003 server with highest group membership but not in WIn 2008.
    We have applied Maxtoken registry also through GPO.
    Any idea what are we missing here.

    This has nothing to do with Directory Services so I will move to the General forum.
    One thing to look at is to make sure that you have RDP enabled on these new 2012 servers.
    http://winplat.net/post/2012/07/16/How-to-enable-Remote-Desktop-on-Windows-%E2%80%988%E2%80%99.aspx
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security, BS CSci
    2012, 2008, Vista, 2003, 2000 (Early Achiever), NT4
    Twitter @pbbergs http://blogs.dirteam.com/blogs/paulbergson
    Please no e-mails, any questions should be posted in the NewsGroup.
    This posting is provided AS IS with no warranties, and confers no rights.

  • Reconcile user groups to OIM (11g)

    I would appreciate it if someone may let me know how to reconcile the organization and leadership structure information from an Oracle DB based identity vault into OIM (11g) to create organizational roles, for example, into the user group and user group membership tables, i.e. the UGP and USG table series. Many thanks.

    yes, I have defined correct search value but it's again and again throwing error. I change the search values too. But it's not working.

  • WLS 8.1.5  console doesn't show ActiveDirectory (or custom) Users/Groups

    We currently have numerous apps running on a weblogic 8.1.4 portal domain. I am attempting to replicate this domain on 8.1.5. There are four authenticators on our old domain: a DefaultAuthenticator, an ActiveDirectoryAuthenticator, and two Custom Authenticators (based on the sample database authenticator), with JAAS flags set to OPTIONAL for all. Everything was working properly under sp4, including user/group/membership listings in console and authentication. Under sp5, while simple authentication seems to work with all providers, the user/group/membership listings in weblogic console have bad HTML (empty rows under any default authenticator users/groups). The active directory settings were migrated wholesale and I verified that authentication works against this provider. Just no usernames or groupnames. I tested with just ActiveDirectory and DefaultAuthenticator, DefaultIdentityAsserter.
    I was able to debug a bit more using our custom authenticators. I have verified that the user and group lists are being requested and returned properly when you click on Manage Users or Manage Groups in weblogic 8.1.5 console. It just seems like somewhere in the console there is a problem and the HTML output is garbled. Here is a sample of my debug text, the method names and classes should be immediately familiar from the sample authenticator:
    getUserLoginNamesMatching(*,50)
    loginNames=[BF, DAD, NA, OTN, P1Adm1, P1User1, P2Adm1, P2User1, S, ab, admtest, gw, jb, joeschmo, kw, mf, mh, pa, rn, rt, super, test1, wf]
    Success: listUsers(userNameWildcard = *, maximumToReturn = 2147483647) = Cursor0
    Success: haveCurrent(Cursor = Cursor0) = true
    Success: getCurrentName(Cursor = Cursor0) = BF
    Success: advance(Cursor = Cursor0)
    Success: haveCurrent(Cursor = Cursor0) = true
    Success: getCurrentName(Cursor = Cursor0) = DAD
    Success: advance(Cursor = Cursor0)
    Success: close(Cursor = Cursor0)
    getExistingUser(BF)
    user=new UserEntry( BF, BF , BF, [PDA, ADM], com.otn.mobilelynx2.security.providers.authentication.UserGroupDatabase@7f5e61 )
    Success: getUserDescription(user = BF) = BF
    getExistingUser(DAD)
    Success: haveCurrent(Cursor = Cursor0) = false
    Success: close(Cursor = Cursor0)
    getExistingUser(BF)
    user=new UserEntry( BF, BF , BF, [PDA, ADM], com.otn.mobilelynx2.security.providers.authentication.UserGroupDatabase@7f5e61 )
    Success: getUserDescription(user = BF) = BF
    getExistingUser(DAD)
    user=new UserEntry( DAD, Dummy Alcanto Demoer, LYNX, [PDA], com.otn.mobilelynx2.security.providers.authentication.UserGroupDatabase@7f5e61 )
    Success: getUserDescription(user = DAD) = Dummy Alcanto Demoer
    getExistingUser(NA)
    user=new UserEntry( NA, Nancy Aarons, 1234, [PDA, ADM], com.otn.mobilelynx2.security.providers.authentication.UserGroupDatabase@7f5e61 )
    Success: getUserDescription(user = NA) = Nancy Aarons
    ---- weblogic console output sp4, Manage Users ----
    User Description Provider
    portaladmin Admin for portal domain DefaultAuthenticator
    weblogic This user is the default administrator. DefaultAuthenticator
    yahooadmin Admin for yahoo content DefaultAuthenticator
    john John Smith DefaultAuthenticator
    qamean ActiveDirectoryAuthenticator
    qamin ActiveDirectoryAuthenticator
    ---- weblogic console output sp5, Manage Users ----
    User Description Provider
    portaladmin Admin for portal domain DefaultAuthenticator
    weblogic This user is the default administrator. DefaultAuthenticator
    yahooadmin Admin for yahoo content DefaultAuthenticator
    --- html for above (with weird empty rows) ---
    <FORM NAME=FilterUsers METHOD=POST ACTION=><P>Filter By: <INPUT TYPE=text NAME=filter SIZE=10> <INPUT CLASS='buttons' TYPE=submit VALUE=Filter></FORM>
    <b>Displayed 68 of 357 Total, use filter to narrow your search results.<b>
    <table border='1' cellpadding='4' cellspacing='0' height='20'>
    <tr bgcolor='#b8cece'><th>User</th><th>Description</th><th>Provider</th><th> </th></tr>
    <tr bgcolor='#FFFFFF'><td>portaladmin</td><td>Admin for portal domain</td><td>DefaultAuthenticator</td><td><img border='0' src='http://localhost:7001/console/images/delete.gif' title='Delete'/></td></tr>
    <tr bgcolor='#FFFFFF'><td>weblogic</td><td>This user is the default administrator.</td><td>DefaultAuthenticator</td><td><img border='0' src='http://localhost:7001/console/images/delete.gif' title='Delete'/></td></tr>
    <tr bgcolor='#FFFFFF'><td>yahooadmin</td><td>Admin for yahoo content</td><td>DefaultAuthenticator</td><td><img border='0' src='http://localhost:7001/console/images/delete.gif' title='Delete'/></td></tr>
    <tr bgcolor='#FFFFFF'><td><td><td></tr>
    [... the same empty row repeats for every remaining row ...]
    </table>
    Message was edited by:
    srhutch444

    I have reinstalled solaris and the problem continues.
    Under Solaris Management Console groups and users doesn't run ok. Editing a user I can't see groups and editing groups I can't see its users...very very strange.
    A bug?
    I don't know what is happening :(

  • AD account used for running SIA locked during group membership querying

    Hello,
    I have code that is querying user / group membership from the BOE repository using the Java Enterprise SDK.  When running against an environment using an AD service account to run the SIA, an error is thrown and the AD account is subsequently locked when I execute my code.  The error is as follows:
    com.crystaldecisions.sdk.exception.SDKServerException: The Active Directory Authentication plugin failed to verify the currently specified administration credentials required to connect to Active Directory. Please contact your system administrator. 
    cause:com.crystaldecisions.enterprise.ocaframework.idl.OCA.oca_abuse: IDL:img.seagatesoftware.com/OCA/oca_abuse:3.2
    detail:The Active Directory Authentication plugin failed to verify the currently specified administration credentials required to connect to Active Directory. Please contact your system administrator. 
    The server supplied the following details: OCA_Abuse exception 10505 at [.\exceptionmapper.cpp : 79]  50068 { ,  , secWinAD}
         ...The Active Directory Authentication plugin failed to verify the currently specified administration credentials required to connect to Active Directory. Please contact your system administrator.   Plugin error: SecWinAD Error: an error occurred in CADCredentialManager::SwitchSecurityContexts().
    If the account is successfully running the SIA, I'm not understanding why this message is being thrown.  Also - I'm assuming some internal login is happening with this AD account when I query for group membership (?), as I am able to query for other types of metadata without error / locking the account.  Based on the error thrown, the authentication with this ID is failing, and is probably being attempted multiple times, resulting in the account being locked?  Can anyone provide insight here?
    Thanks...

    Ted is right on the mark with this one.
    The cause is outlined in the exception indicating a problem with the SwitchSecurityContexts() function.  The Active Directory plugin requires a set of credentials with which to connect to Active Directory and perform any necessary lookups.  Therefore, the issue is not with the account running your SIA (and by extension your CMS), but the Active Directory administration credentials you've set on the plugin (either via the CMC or through code).  When the CMS tries to impersonate, or switch security context to the other account, it fails to authenticate against Active Directory.
    Check to make sure this property is set identically to the account running the SIA, and like Ted said, that you can successfully update the plugin via the CMC.
    Thanks,
    Jim

  • Neat OAM Trick (showing users' groups), but a problem...

    Hi,
    I took an OAM class this week, and the instructor showed us a way to show users' group membership in User Manager.
    To do this, create a derived attribute for the inetorgperson attribute, e.g., named "ThisUsersGroupMembership", and configure it with:
    Self
    groupofuniquenames
    uniquemember
    Then, add the derived attribute to the user panel, and then go into User Manager and display an individual user's profile. The user's group membership should be displayed as the "ThisUsersGroupMembership".
    I thought that this was pretty nice, but I noticed that if I go to the User Manager's main page and customize it to display the "ThisUsersGroupMembership" attribute,
    the attribute name is shown, but no values are shown for that attribute.
    I'm trying to figure out why the values for the derived attributes are not being displayed on the main User Manager page, and also if it's possible to get that working?
    Thanks,
    Jim

    Jim,
    Yes even I am not able to list users. I did not understand what you were exactly pointing to in your earlier mail.
    This seems to be a bug with OAM but before we arrive at this conclusion. I think we should try and look at the xml response sent by OAM for search result. I am not able to recall how we can see the xml response in the browser. If you know then you can try and see if the Groups of the user are returned? If groups are returned then you will have to look at the stylesheet being used and modify it to display the groups.
    If groups are not fetched then it must be a bug with OAM.
    Thanks
    Preetam

  • Computer's group membership

    I am trying to find a way to list the groups a computer knows it is a member of. Normally a computer only picks up a group membership change after a reboot. You can purge the kerb tickets and it will sometimes pick up the new membership.
    I have a requirement to determine if a group membership has propagated to >300 servers for GPO filtering, but the only way I can find to validate this is by running a gpresult and checking the computer group memberships.
    I started by trying to run a gpresult remotely but that does not always return the computer group membership. Is there a wmi call that can pull this or can a kerb ticket be disassembled to get the memberships?

    jrv,
    I understand how Active Directory and the various methods of GPO provisioning work.
    The systems in question (>300 production servers) have been added to a provisioning group. This group is used to filter application of a GPO. I need to validate the systems have picked up the new group membership before moving forward with a multi-step implementation.
    When a gpresult is run the output displays the groups the system is a member of in order to determine GPO application. I am trying to get this data from remote systems programmatically, hence why I posted in this forum since I am specifically asking if anyone knows of a WMI (or other) call that would return the computer group memberships.
    As I re-organize a GPO structure in dire need of cleanup I am going to have to do this validation multiple times over a large number of servers. Being able to automate this process would help quite a bit.
    "For computer accounts this requires a reboot." - See this article: 
    http://setspn.blogspot.com/2010/10/updating-servers-security-group.html
