Default user in group of Active Directory

Good evening. My problem is that in my Active Directory I have about 22,000 users, of which 12,000 have been moved to a group called "mobiles" which cannot benefit from a new measure (GPO) that I have to implement, namely a 12-character password. These 12,000 users have to continue with the GPO that only requires 8 characters in the password; that is, the Default Domain Policy will affect all users except those in the "mobile" group. But my problem is the following: when new users are created, by default they will be created under the Default Domain Policy, and I cannot create them in the "mobile" group directly due to company policies, and hundreds of them can be created per day. Do you have any ideas for how new "mobile" users can keep using the old 8-character GPO even though they are being created under the domain policy, or any suggestions? I'm pretty stuck.
Thank you.
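Added example, not from the original thread: a GPO can only carry one password policy per domain, so the per-group exception described above is normally done with a Fine-Grained Password Policy (PSO) on the "mobiles" group while the Default Domain Policy carries the 12-character minimum; new users that are not in the group then get the stricter setting automatically. The PSO name, the lockout values and the one-day review window are assumptions.

```powershell
# Requires the ActiveDirectory module and a domain functional level of at least
# Windows Server 2008 (PSOs live in the Password Settings Container).
Import-Module ActiveDirectory

$groupName = 'mobiles'               # group named in the question
$psoName   = 'PSO-Mobiles-Legacy8'   # hypothetical PSO name

# 1. Create the PSO once and bind it to the group. A PSO overrides the Default
#    Domain Policy for its subjects; the lowest Precedence wins if several apply.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -MinPasswordLength 8 -ComplexityEnabled $true `
        -PasswordHistoryCount 24 -MaxPasswordAge (New-TimeSpan -Days 90) `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -LockoutThreshold 10 -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30)
    Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $groupName
}

# 2. Resultant policy check: which minimum length really applies to one user?
function Get-EffectiveMinLength {
    param([string]$SamAccountName)
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($pso) { return $pso.MinPasswordLength }          # a PSO applies
    return (Get-ADDefaultDomainPasswordPolicy).MinPasswordLength
}

# 3. Daily review: accounts created since the last run that are not yet in the
#    group are on the 12-character domain minimum. Listing them lets the team
#    that owns group membership act, instead of users silently landing on the
#    wrong policy.
$since   = (Get-Date).AddDays(-1)
$members = (Get-ADGroupMember -Identity $groupName -Recursive).distinguishedName
Get-ADUser -Filter { whenCreated -ge $since } -Properties whenCreated |
    Where-Object { $members -notcontains $_.DistinguishedName } |
    Select-Object SamAccountName, whenCreated,
        @{ n = 'EffectiveMinLength'; e = { Get-EffectiveMinLength $_.SamAccountName } }
```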

In Active Directory, can you set the password age limit differently for one organizational unit?

The question in the subject line is pretty straightforward, but a little background.
At our company, ActiveDirectory group policy requires all users to change their password after 90 days.
Is it possible to keep this rule for most users, but set a longer maximum age to one specific organizational unit and the units beneath it?
All users, regardless of how they're created, have their default maximum password age set to 90 days. But it can be extended or changed: you need to create a custom policy using the Active Directory Administrative Tools from a domain-joined VM. The Active Directory Administrative Center lets you view, edit, and create resources in a managed domain, including OUs.
Once you have created the custom policy, you can apply it to particular OUs and groups of users as well.
Note: To create a custom password policy in a managed domain, you must be signed in to a user account that's a member of the AAD DC Administrators group.
For more information on how to apply this, you can refer to the MS document that explains it in detail.

Extract users from two Active Directory groups

I have tried multiple times to get this to work, but I haven't figured it out yet, so I'm asking in here, hoping that someone will be able to help me out.
I am using Atlassian's Bitbucket, Jira and Bamboo and they're all synced with an AD. At the moment I am using my AD user to retrieve all the other users. It works, but it's not optimal, as the password expires every three months, and I have to change the LDAP user login info on all three applications. We have ordered a Service User, where the password doesn't expire, but the problem is that the Service User is in another group.
The picture below shows how the AD is set up. My Service User is in a group called Special Users. I would like to use this user as the login user in the settings. This way I would never have to think about changing the password when my AD password expires.
I would then like to retrieve all the users from the "Normal Users" group.
Let me know if more information is needed.
Thanks.
You could also add multiple user directories pointing to different parts of your Active Directory.
Jira has an internal Crowd out of the box.
You may let Jira connect to the user directory and let all other applications use Jira for authentication.
This would save time by only updating your LDAP password every 3 months on one application, reflected on all three applications.

Can I rename a Microsoft Teams free site's subdomain.onmicrosoft.com?

I have a Microsoft Teams free account that I created under an earlier organization name that I now wish to change. This is because my second Teams site undesirably reveals that it exists under the original organization name of my first Teams site.
Now, inviting users to my second Teams site inadvertently discloses to them that I also run the first Teams site. It comes up during certain Microsoft authentication screens. I don't want them to see that; it's distracting. Although both are non-profits, one organization has nothing to do with the other. A new user entering my second Teams site by invitation may feel confused when, upon initial entry, they're presented with my first organization's name.
I've since learned that I can indeed change my original organization name. Creating my first MS Teams site implicitly created the organization by that name within a personal Azure account that uses my credentials. It's at https://portal.azure.com, and my first Teams site shows up in there. It appears as a group within Azure Active Directory (AAD). My personal directory itself bears that initial name of my organization. The same name was automatically applied to the group representing my first Teams site.
Now, the directory itself is identified both by
the organization name, and
a corresponding subdomain name.
Both were the same, except the subdomain had no spaces embedded in it, obviously.
While I can change the directory's organization name, I don't see how to change the URL subdomain name (e.g., MySite.onmicrosoft.com) for my Teams site.
I know Microsoft Teams users aren't ever exposed to that technical subdomain information in normal everyday use anyway. However, that original name does become revealed when a new user is invited to the new Teams site. On the Android app, for example, upon initial login and setup, the new Teams user is asked to tap on the organization name. And there was my first disappointment, because it was the name of the other unrelated organization! After tapping it, users are then led to the correct Teams site that I did intend to make available to them.
That's what prompted me to want to change my organization name.
I was successful with that by changing the organization name under Properties for my directory. This resolved the issue for the newly authenticated Android Microsoft Teams user.
However, I cannot see how to rename the subdomain itself. And that's important, because PC users at least (or those trying to enter my Teams site from a web browser) are in fact presented with a permissions prompt where that undesired subdomain name appears!
Is there a way to rename the subdomain?
POSTSCRIPT - Guess what? I can create new directories in AAD alongside my original one! What if I move my Teams group from the unrelated directory to a new one I create? Would that be safe? Will my Teams site still be functional?
To answer your edit: a Teams organization is associated with a specific Azure Active Directory. Even if you have a second directory, I don't believe there is any way to "move" things across; you would have to create everything from scratch.
To answer your general question, you would probably have to create a new directory as you described, then create a new Teams, replicate the information, remove all the users from the old Teams and remove them from the original directory, then invite them to the newly created one.
The reason for this is that if you invite someone, you are essentially adding their email / login to your Azure tenant. If they have been invited to multiple Teams tenants, then when they log into Teams there is functionality for them to switch between all the directories that they are a guest of, so they will be able to see it. The only way to remove that is to delete the guest users from Azure AD.

RSS feed of new entries in Active directory

TL;DR: if details are changed or new accounts are added in Active Directory, we want to update an RSS feed.
Our organisation has a good deal of staff changes so it can be slightly crazy to keep track of who's in what role and new staff that have joined us.
I'm currently interested in setting up a feed which will show staff changes which I could then have show up on our intranet site (internal only so no privacy issues there). Something like: Jane Doe has started working for CompanyName in DepartmentName, here's a link to her staff profile [LINK]. Or Bill from accounting now works in building management.
Basically person x now works for us, or person y has changed roles.
We handle our login authentication with active directory (which I don't know heaps about), any time someone comes to work for us they get a login; when they change roles they would have their details changed in active directory.
What I want is an RSS feed which would have new items added to it dynamically any time that a new user is added or a staff member's details are changed in AD.
A particular item in the feed would look something like this:
<item>
<title>[username] [now works here / has changed roles]</title>
<link>.../staff.aspx?uid=[username]</link>
<description> follow the link to see their staff profile</description>
</item>
How can I get the feed XML file automatically updated when one of those changes is made in Active Directory?
Thanks for your time.
I would recommend setting up a service to poll for the changes that then writes them somewhere else for you to pick up and manipulate for your RSS feed.
Ryan Dunn has a great post discussing how to do this in .Net, specifically with Change Notifications. Personally, I'd recommend using DirSync as it's pretty easy to setup, but his post does a great job with pros/cons of each method.
This is quite a complicated question. Active Directory has a "last modified" attribute and a "created" attribute. So you could query the timestamp on created and then update an RSS file from that to get your new users. However, just because an AD entry has been modified doesn't mean the job title has changed, so you're going to have to cache the Active Directory somewhere locally, say into a database and then do a check against that to see if a job title has changed.
You'll need to write some LDAP queries (See here, for example: http://www.selfadsi.org/extended-ad/search-user-accounts.htm) to find all the accounts and then process them.
What language are you looking to use?
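Added example, not from the original thread, in the spirit of the polling-and-caching approach the answers above suggest: poll AD for accounts created or changed since the last run, compare title and department against a cached snapshot so that only real starts and role changes become feed items (whenChanged moves for unrelated attribute edits too), and write an RSS 2.0 file in the item shape from the question. The cache path, feed path and intranet host are hypothetical; only the staff.aspx?uid= link pattern comes from the question.

```powershell
# Requires the ActiveDirectory module; intended to run as a scheduled task.
$cachePath = 'C:\intranet\staff-cache.json'                  # hypothetical
$feedPath  = 'C:\intranet\staff-changes.xml'                 # hypothetical
$linkBase  = 'https://intranet.example.invalid/staff.aspx?uid='  # hypothetical host

# Diff the polled users against the cached snapshot; update the cache in place.
function Get-StaffChanges {
    param([object[]]$Users, [hashtable]$Cache)
    $items = foreach ($u in $Users) {
        $key = $u.SamAccountName
        $old = $Cache[$key]
        $msg = if (-not $old) {
            "$($u.DisplayName) now works here ($($u.Department))"
        } elseif ($old.Title -ne $u.Title -or $old.Department -ne $u.Department) {
            "$($u.DisplayName) has changed roles: $($old.Title) -> $($u.Title)"
        } else { $null }   # whenChanged moved for an unrelated attribute: no item
        $Cache[$key] = @{ Title = $u.Title; Department = $u.Department }
        if ($msg) { [pscustomobject]@{ Title = $msg; Uid = $key; Date = $u.whenChanged } }
    }
    return @($items)
}

# Render RSS 2.0. Titles and uids are XML-escaped so a display name cannot
# break (or inject markup into) the feed consumed by the intranet page.
function Write-RssFeed {
    param([object[]]$Items, [string]$Path)
    $esc  = { param($s) [System.Security.SecurityElement]::Escape([string]$s) }
    $body = @(foreach ($i in $Items) {
        "  <item><title>$(& $esc $i.Title)</title>" +
        "<link>$linkBase$(& $esc $i.Uid)</link>" +
        "<pubDate>$($i.Date.ToUniversalTime().ToString('r'))</pubDate>" +
        "<description>Follow the link to see their staff profile</description></item>"
    })
    @('<?xml version="1.0" encoding="utf-8"?>', '<rss version="2.0"><channel>',
      '  <title>Staff changes</title>', "  <link>$linkBase</link>",
      '  <description>New starters and role changes</description>') + $body +
      @('</channel></rss>') | Set-Content -Path $Path -Encoding UTF8
}

# Load the cache, pull only accounts touched since the last poll, diff, write.
$cache = @{}
if (Test-Path $cachePath) {
    (Get-Content $cachePath -Raw | ConvertFrom-Json).PSObject.Properties |
        ForEach-Object { $cache[$_.Name] = @{ Title = $_.Value.Title; Department = $_.Value.Department } }
}
$since = (Get-Date).AddHours(-1)     # match the task's polling interval
$users = Get-ADUser -Filter { whenChanged -ge $since -and Enabled -eq $true } `
            -Properties DisplayName, Title, Department, whenChanged
Write-RssFeed -Items (Get-StaffChanges -Users $users -Cache $cache) -Path $feedPath
$cache | ConvertTo-Json | Set-Content -Path $cachePath -Encoding UTF8
```

The first run seeds the cache and therefore reports every polled account as a new starter; run it once and discard that feed before publishing.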

Domain Administrators' groups not showing via LDAP

I have a Debian Squeeze system which is using libnss-ldap to bind to a 2008 Active Directory domain controller to look up users and groups. Everything works fine, except for some reason anyone who is in the Domain Admins, Enterprise Admins, or Schema Admins group does not get the correct group memberships. They get only the *Admin group, and no others (unless there are local groups that apply, which do show).
Stranger yet, a "getent group" shows all the correct group memberships for the user, but an "id" or "groups" (when running as the user) doesn't. We use a domain group for sudo access, and this user is unable to use sudo because it fails to see the group membership. As soon as the *Admin membership is removed, lookups work correctly.
I suspected maybe this was an AD security feature, but we have FreeBSD systems using nss-ldap on which these users' group memberships resolve correctly. There is nothing in the logs to indicate why these lookups don't return the normal results, and I haven't been able to find anything via Google to help shed light on the situation. Is anyone else using libnss-ldap in Debian to connect to an AD who can try to confirm this behavior?
Edit: I have confirmed using ldapsearch that the AD is returning the correct results. I also stopped nscd to make sure it wasn't interfering. Any user in Domain Admins sees only his primary group, local groups, and Domain Admins.
BTW, I think this is the issue:
http://support.microsoft.com/kb/976063
I have had this problem also.
I found it eventually about 18 months ago. It is a security feature of Microsoft. There is a service that runs once per hour and removes the admins from the LDAP search. If you do a query as anonymous, you will receive the correct answer for 1 hour. After one hour you will receive nothing. If you log in as a domain user, you will receive the correct information. That is why you get different results.
I do not at this point remember the service name but I am searching for it now. I found it originally on Microsoft tech net about 18 months ago, but by now, I don't remember it.
The point was that the only answers to it are:
Disable that service, but it does many other security items, so that is not a good idea.
Change the LDAP searches to run under a domain user's login (we have done that for some users).
Create a bogus duplicate contact with the same information for each of our admins. This is probably the easiest and quickest, but the most prone to developing wrong information over time.
The rationale of this security feature is to hide all domain admins from random anonymous searches so their credentials can't be compromised by an encyclopedia password attack.
Calvin Thomas
My answer was deleted, but the problem was, in fact UAC as described in http://support.microsoft.com/kb/976063. The issue is that Domain Admins, when UAC is enabled on the DC, actually exist in two states. One that is a member of the domain admins group (i.e., the UAC 'shadow' user) and another that is the normal user. It appears that the DC only returns the former when queried with LDAP. By creating a new group, making that group a member of Domain Admins instead of the accounts themselves, and putting the accounts in the new group, the problem was resolved.