Weblogic on Unix, authenticating users/groups from NT domain controller

Similar Messages

• Read user groups from realm. Admin rights to each user ??

  Greetings to ALL,
  I am reading users, groups from realm. If I give the user admin priviliges I am
  able to get the information else I get the error weblogic.management.NoAccessRuntimeException:
  Access not allowed for subject: principals=[ruser1, B10AP01, B10MP01, B10MP03A,
  B10MP03], on ResourceType: Security:Name=myrealmDefaultAuthenticator Action: execute,
  Target: listGroups
  Is there more effective way to read the information.
  I can execute the program standalone ( from DOS PROMPT) and read all information
  if I do the following
  adminHome = (MBeanHome) Helper.getAdminMBeanHome (username,password,url);
  But when calling from the application I get the above error.
  Any code, suggestion will be very helpful.
  Fred

  "Fred Boon" <[email protected]> wrote in message
  news:3fa7cb98$[email protected]..
  >
  Greetings to ALL,
  I am reading users, groups from realm. If I give the user admin priviligesI am
  able to get the information else I get the errorweblogic.management.NoAccessRuntimeException:
  Access not allowed for subject: principals=[ruser1, B10AP01, B10MP01,
  B10MP03A,> B10MP03, on ResourceType: Security:Name=myrealmDefaultAuthenticatorAction: execute,
  Target: listGroups
  Is there more effective way to read the information.
  Commo mbeans require admin role in order to be able to invoke methods.
  I can execute the program standalone ( from DOS PROMPT) and read allinformation
  if I do the following
  adminHome = (MBeanHome) Helper.getAdminMBeanHome (username,password,url);
  But when calling from the application I get the above error.
  Try doing a runAs with a subject that has admin role.

• Reg Authenticated Users Group

  Hello Everyone.
  We created two Roles Role1 and Role2 for this Roles we have assigned the Group "Authenticated Users"
  Now the client requirement is they wants to remove couple of users who are assigned to Role1(who belong to "Authenticated Users" group.
  Though it is not a good practise One thing I can do is search for the group "Authenticated Users" in portal  then choose modify and choose assigned users and remove the users from this group.So,that they can not see Role1
  If I remove the users from the group "Authenticated Users" then they will not be able to see Role2 as they are removed from the "Authenticated Users" group which is assigned to Role2
  Can anyone help me out regarding this issue.

  Hi Shailesh,
  What you understood is correct ie  "Both the users have been added to Role 1 and Role 2, and both the roles have been assigned to "Authenticated Group".
  I tried the step what you have stated.
  once I login to portal --- User administration -- identity management
  search for the user.
  choose modify
  if I click on assigned roles I do not see either Role1 or Role2 under assigned roles
  but if i click on assigned groups I see " Authenticated  Users"
  thanks in advance

• Authenticated Users Group Question

  I have a quick question regarding the Authenticated Users "group". I used to be a systems administrator, but I'm a bit rusty since I've been a software developer for the last 10 years. A conflict with data center operations (DCO) group
  at work lead me to get another opinion.
  The question is this... is the authenticated users group a domain-level group or is there a local authenticated users group that would allow only users authenticated locally? We have a share that permits the authenticated users group access.
  My opinion is that all domain users who have authenticated successfully have access to this share. The DCO group is telling me that this is the local (to the server containing the share of course) authenticated users group only.
  Is there such a thing as a local-only authenticated users group? To me this doesn't even make sense, but I could very well be wrong.
  Nathon Dalton
  Sr. Software Engineer
  Blog: http://nathondalton.wordpress.com

  I apologize. I don't think I explained myself correctly. Let's consider the following...
  SERVER: SERVER1
  DOMAIN: DOMAIN1
  SHARE: \\SERVER1\SHARE1
  SHARE PERMISSIONS: Authenticated Users - Full Control
  Given the above information, is it possible that the Authenticated Users group will allow ONLY users that are defined on SERVER1 to access \\SERVER1\SHARE1?
  My understanding is that's not possible. There's one defined Authenticated Users group and that represents ALL users that are authenticated against DOMAIN1, whether added to local groups, shares, etc.
  What I'm being told however is that SHARE1 having Authenticated Users assigned is okay since only those user accounts defined on SERVER1 will be able to access it. All the users in the domain will NOT be able to access it. I think this is bogus. Am I wrong?
  Nathon Dalton
  Sr. Lead Developer
  Blog: http://www.nathondalton.com

• Migrate the users, groups from essbase 7.1.6 to shared services

  Hi
  Our current production is essbase version 7.1.6 and we are planning to migrate to EPM 11.1.2 . We would like to move the security administration from Essbase to Shared Services (want to use Native Directory).
  can somebody please suggest
  1) An utility that Oracle provides with EPM 11.1.2 that helps to migrate the users and groups from 7.1.6 to shared services?
  2) After bringing the users groups from 7.1.6 to 11.1.2, do we need to externalize these users and groups or no need?
  Appreciate the help. Thanks,

  if you have LDAP/MSAD try to configure it first .That will get your users
  Now using maxl
  spool on to GROUP.txt
  display gruoup all;
  spool on to USER.txt
  display user in group all;
  for test purpose create a test group and a test user from the shared services.
  Now using GROUP.txt
  make up maxl statements to create groups(use any advanced text editor or MS excel to get your work done fast)
  create group 'groupname';
  now login into that shared services
  go to FOundation Application group->click sharedservices->drop down native directory ->Right click on Groups and select export for edit.THat will save you Groups.csv file.
  Now
  1.Open that Groups.csv file
  2.Using USER,txt ,paste the users in that file under their respective group.(Look for test group created that should give you an idea!!!)
  3.Paste user correctly and save it to the same file Groups.csv
  4.go to FOundation Application group->click sharedservices->drop down native directory ->Right click on Groups and select IMPORT for edit.
  5.that will get your users into the groups.
  ________filters_______
  Using maxl again
  spool on to FILTER.txt
  display filter row all;
  spool on to GRPRIVILEGE.txt
  display privilege group all;
  Now using FILTER.txt
  create maxl statements
  (use any advanced text editor or MS excel to get your work done fast)
  Ex: create filter app.database.filtername read/write/none/metaread on 'AREA ' ;
  Using GRPRIVILEGE.txt
  create maxl statements
  grant filter app.databse.filtername to 'groupname';
  that should get your filters created and assigned.
  else you can use Advanced Security Manger
  http://www.appliedolap.com/free-tools/advanced-security-manager
  hope that should give you an idea!!!!!!!

• Cannot view the folder security after removed the default "users" group from folder

  Hi guys
  Due to the domain change, I am doing a windows 2003 server migration to windows 2012 for a file server.
  Tones of data have been copied from the old 2003 server to the new setup 2012 server.
  We need remove the "builtin\users" group from the folder security to maintain correct rights access of user to network folder.
  Once the "builtin\users" group has been removed, the account in domain admin group can no longer read the folder security.
  Has anyone faced the similar situation? 
  Or, is there any change in folder security rights of Windows 2012?
  Thanks in advance
  KC@ITL

  Hi,
  Glad to hear that the issue has been resolved.
  If you need any assistance in the future, please do not hesitate to post in our forum.
  Regards,
  Mandy
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• Migrate Rpd Catalog and User ,Groups from OBIEE 11.1.1.3.0 to 11.1.1.5.0

  hi Guys,
  I have got a setup of OBIEE 11.1.1.3.0 on windows 32bit machine and now i am planning to have a setup of 11.1.1.5.0 on windows 64 bit machine.
  please tell me the Detailed steps for Migrating the Rpd Catalog and User ,Groups from OBIEE 11.1.1.3.0 to 11.1.1.5.0
  Like
  1. Do i have to copy the RPD and Catalog Directly to 1.5 or some Upgrade Assistance is to be done
  2. If i am Using the Export Provided in the myrelam ( in 1.3) and taking it to obiee 1.5 (as it already contains some inbuilt policies and groups) does it going to give me error
  Regards
  Ankit

  Check the Oracle reference I have provided earlier. Concept goes like this:
  Important difference is that upgrading from 10g to 11g is called an "out-of-place upgrade" while upgrading to another 11g is called an "in-place upgrade," because the upgrade operates on existing files. Moving from one 11g release to another 11g release is sometimes referred to as "patching."
  http://download.oracle.com/docs/cd/E21764_01/bi.1111/e16452/bi_plan.htm#BABECJJH
  Follow patching and not out-of-place upgrade as you are required to upgrade component
  http://download.oracle.com/docs/cd/E21764_01/doc.1111/e16793/patch_set_installer.htm#PATCH789
  Hope this is clear now

• Authenticated User group

  We have following doubt regarding Authenticated User group in Windows 7
  1. When this user group is added to a Drive/folder/file automatically.
  2. As per our observation, mostly it shows in the drive in which OS is installed. On some machines it shows in other drives. How  this is added in other automatically.
  3. Another observation is, due to the presence of this group, it is possible to write a file(which is created by administrator or system) with an application which is started with Standard User token.  So do we need to add any extra permission to work
  our application(with standard user token) to read and write to the folder/file with Authenticated User group.
  4.  Is it possible that Authenticated User group will not exist in OS installed drive.
  5. Is it possible that an application with standard user cannot write to a file/folder even if Authenticated User group is present for the same.
  Thanks, Renjith V R

  Hi,
  To learn more about authenticated users group, you can refer to the related thread:
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/e1a8e680-03a2-4690-a7e5-f17ad7389ecd/authenticated-users?forum=winserverDS
  Andy Altmann
  TechNet Community Support

• Everyone Group vs. Authenticated Users Group

  Two questions.....
  1.) What is the difference between the "Everyone" group and the "Authenticated Users" group.
  2) We are starting to use some new BI content (NW04s) in our federated portal and have found that we have to grant permissions to "Authenticated Users" instead of the "Everyone" group. Any ideas why?
  Regards,
  Diane

  Diane,
  The following asnwer is not a SAP answer but I did a quick check on our system and:
  1. the difference between the group Everyone and Authenticated users is exactly 1 user assignment.. I looked further and see that it has to do with the J2EE_GUEST user. this user is member of the group Everyone but NOT of the group Authenticated users.
  2. Can not give you a sure anser on this question but maybe it has to do with security that this is needed?!?!\
  Hopfully another SDN community member can fill me in here...
  Good luck and Kind Regards,
  Benjamin Houttuin

• Authenticated Users Group

  As I understand the AU group is made up by any user that logs in. However, it does not work when I specify access to a TAB page so is only visible for AU. In this case the TAB is also available for the PUBLIC user.
  I am working with Portal 3.0 EA on an Intel/NT plataform, my question is: is this the way that was supossed to be or it is something that has to do with the version that I am using...?
  Thanks

  I apologize. I don't think I explained myself correctly. Let's consider the following...
  SERVER: SERVER1
  DOMAIN: DOMAIN1
  SHARE: \\SERVER1\SHARE1
  SHARE PERMISSIONS: Authenticated Users - Full Control
  Given the above information, is it possible that the Authenticated Users group will allow ONLY users that are defined on SERVER1 to access \\SERVER1\SHARE1?
  My understanding is that's not possible. There's one defined Authenticated Users group and that represents ALL users that are authenticated against DOMAIN1, whether added to local groups, shares, etc.
  What I'm being told however is that SHARE1 having Authenticated Users assigned is okay since only those user accounts defined on SERVER1 will be able to access it. All the users in the domain will NOT be able to access it. I think this is bogus. Am I wrong?
  Nathon Dalton
  Sr. Lead Developer
  Blog: http://www.nathondalton.com

• Sharepoint 2010 get User Groups from specific site

  Hello,
  I was able to get all User groups from entire site Collection.
  But instead of getting user groups from entire site, I want read user groups only from one specified sub site.
  Please help!
  Thanks

  Assuming you have an SPWeb object named "web", example:
  SPSite site = new SPSite(http://yourdomain/sites/yoursite);
  SPWeb web = site.OpenWeb("mysubsite/subsbusite");
  web.Groups will return a collection of SPGroup objects for the current subsite. If this subsite inherits permissions from a parent site (web.HasUniquePerm = False), the list is the same as the Groups property of the parent site.
  SPWeb.Groups:
  http://msdn.microsoft.com/en-us/library/office/microsoft.sharepoint.spweb.groups(v=office.15).aspx
  SPGroup:
  http://msdn.microsoft.com/en-us/library/office/microsoft.sharepoint.spgroup(v=office.15).aspx
  You would be better results by posting coding questions in "SharePoint 2010 - Development and Programming" instead of "SharePoint 2010 - General Discussions and Questions".
  Mike Smith TechTrainingNotes.blogspot.com
  Books:
  SharePoint 2007 2010 Customization for the Site Owner,
  SharePoint 2010 Security for the Site Owner

• Provisionusers.cmd and Migrate users/groups from Planningweb

  Hi
  Is the functionality of Provisionusers.cmd and migrateusers/groups from planning web similar?
  I feel Provsionsuers.cmd is an alternative way to migrateusers/groups from planning web.
  Please correct me if i am wrong.
  Thanks and regards
  krishnatilak

  Hi,
  The provisionusers utility basically syncs planning and essbase with the provisioning of users/groups in shared services.
  If you run the utility and a user exists in shared services but has not been created in the planning database the user will be added.
  If the user does not exist in the essbase security file then they are added.
  If it is a user that exists and has security settings on members in planning then these filters are pushed down to essbase.
  It should also remove users/groups from planning if they have been deprovisioned in shared services.
  Cheers
  John
  http://john-goodwin.blogspot.com/

• Mapping users coming from different domain in AD

  HI,
  We have configured vintela SSO which is working.Now we are trying  to add another domain but it has been unsuccessful.
  We have imported the users coming from other domain in CMC->AD, and UseFDQNDirectoryForServers parameter in registry.
  The issue is our complex krb5.ini errors as "cannot find kdc for realm" for the user account coming from the other domain.The existing domain kinit is successful.
  Please help in resolving this issue!!! We need to have users coming from different domain to use vintela SSO.
  Thank you.

  well you're mixing things up a bit.
  The usefqdnfordirectoryservers is used to map in groups. If the groups show up as well as the users that piece should be complete.
  the krb5.ini is for logging in users manually, it must conatin the KDC for every domain that may contain users that need to log into BO. It also must have a KDC or capath entry to define all the parent domains as well (even if they do not have members that need to login. This is how the krb5 is used to verify transitive trusts. Then all users that are not in the default domain must logon as username@ DNSDOMAIN.COM where the DNS domain is entered in all caps aqnd represents the FQDN of theidomain the users bewlong to. Now if not logging in manually this should be a big problem.
  So for SSO (vintela anyway) this process is automatic, although you may want to configure vintela with site information so it doesn't randomly use all your DC's Site can be set following the steps at the end of business objects note 1261835 (complete and vintela only editions).
  In order for vintela to work properly the value entered in CMC > Authentication > Windows AD > service principal name must = an SPN thet was created on the account that is running the SIA/CMS
  Regards,
  Tim

• 802.1x using authentication from NT Domain Controller instead of Radius

  I would like to know if it's possible to configure 802.1x using authentication from NT Domain Controller, instead of using Radius or Tacacs.

  It is possible to use MS AD, generic LDAP, Novell NDS for authentication, it's fairly common.
  The issue is "How do get the device to talk to the authentication source ... (AD, DC, NDS, LDAP)?"
  The answer is RADIUS.
  You can configure RADIUS to pull authentication from a variety of source (depending on the RADIUS - many/most can use any of the LDAP-based systems).
  So, yes, certainly you can use the Microsoft AD, but you need RADIUS to connect the two systems (the 802.1x device and the AD server).
  If cost is the issue, try freeRADIUS (www.freeradius.org) - it's fully featured (can use LDAP, AD, NDS, Certificates, etc), it's free, and configuration is much easier than it looks ....
  Good Luck
  Scott

• How to retrieve the all user name from system domain(including login user)?

  Hi, I am trying to get the system domain all users name. But I unable to get the all user name except domain login user name. I used the below code. What I want to do to get the all user name from system domain. Kindly any one help me.
  Properties envVars = new Properties();
  Runtime r = Runtime.getRuntime();
  String OS = System.getProperty("os.name").toLowerCase();
       if ((OS.indexOf("nt") > -1) || (OS.indexOf("windows 2000") > -1 ) || (OS.indexOf("windows xp") > -1) )
            p = r.exec( "cmd.exe /c set" );
       BufferedReader br = new BufferedReader ( new InputStreamReader( p.getInputStream() ) );
       String line;
       while( (line = br.readLine()) != null )
            int idx = line.indexOf( '=' );
            String key = line.substring( 0, idx );
            String value = line.substring( idx+1 );
            envVars.setProperty( key, value );
       String domainDNSName = envVars.getProperty("USERDNSDOMAIN");
       String userName = envVars.getProperty("USERNAME");
       System.out.println("\n\n\n DOMAIN NAME == "+domainDNSName +" USERNAME == "+userName);
  Thanks & Regards
  Palani

  Thanks kajbj,
  I don't know, How many users in domain. I neet to get all the user names from my domain. User like A, B,C,D, E,F. I need to get this users name.
  public class Env {
       public static void main(String[] args) {
            System.out.println("USERDOMAIN: " + System.getenv("USERDOMAIN"));
            System.out.println("USERNAME: " + System.getenv("USERNAME"));
  Here , I am getting the login user name only. So i needs all user name. How to retrive or get this.
  Regards
  Palani