List all users in PostgreSQL and identify non-AD user - postgresql

I wanted to list all users in PostgreSQL and I would like to identify the users which are not linked to Active Directory.
select * from pg_user;
The above lists all users. I am trying to set up an alert for when other DBAs create a user that is not part of Active Directory, so that I am notified.
I am looking for a solution.

If your pg_hba.conf only had two lines, one for 'postgres' and one (which goes through AD) for everyone else, then you would just need to monitor that file for changes. They might be able to create a user that doesn't yet exist in AD, but they would then be unable to log on.
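An added example (not part of the original answer) of the check it describes: instead of only detecting that pg_hba.conf changed, parse it and report every rule that would let a role other than 'postgres' log in without going through AD. The set of methods treated as AD-backed (ldap, gss, sspi) and the sample file are assumptions made for this illustration.

```python
import shlex

AD_METHODS = {"ldap", "gss", "sspi"}   # assumption: methods backed by AD at this site
KNOWN_METHODS = AD_METHODS | {"trust", "reject", "scram-sha-256", "md5", "password",
                              "ident", "peer", "pam", "radius", "cert", "bsd"}
LOCAL_ADMIN = "postgres"               # the one role allowed to bypass AD

def audit_pg_hba(text):
    """Return (line_no, reason) for every rule that lets a role skip AD."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        try:
            fields = shlex.split(raw, comments=True)  # handles "quoted" values, # comments
        except ValueError:
            findings.append((no, "unparseable line"))
            continue
        if not fields:
            continue
        kind = fields[0]
        if kind.startswith("include"):
            findings.append((no, "include directive: audit the referenced file too"))
            continue
        # local: TYPE DB USER METHOD ...   host*: TYPE DB USER ADDRESS [MASK] METHOD ...
        start = 3 if kind == "local" else 4
        method = next((f for f in fields[start:start + 2] if f in KNOWN_METHODS), None)
        if method is None or not (kind == "local" or kind.startswith("host")):
            findings.append((no, "unrecognised rule"))
            continue
        if method in AD_METHODS or method == "reject" or fields[2] == LOCAL_ADMIN:
            continue
        findings.append((no, f"{method} allowed for {fields[2]}"))
    return findings

# Constructed sample, not taken from the page.
SAMPLE = """\
# pg_hba.conf (constructed)
local  all  postgres                             peer
host   all  all        10.0.0.0/8                ldap ldapserver=dc1.example.com ldapsuffix="@example.com"
host   all  reporting  10.1.2.3/32               scram-sha-256
host   all  all        127.0.0.1 255.255.255.255 trust
"""

if __name__ == "__main__":
    for line_no, reason in audit_pg_hba(SAMPLE):
        print(f"line {line_no}: {reason}")
```

Run against the live file on a schedule, an empty result means the two-rule layout from the answer still holds; any finding is the event to alert on.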

Related

Provide all users with ability to edit their own specific attributes in Active Directory

I've been working on a project that allows users in our domain to edit 3 Active Directory Attributes on their own Object, this has been written in Python and the only issue I have now is user permissions on these attributes.
Two of these are custom, the third is the Location (physicalOfficeDeliveryAddress).
I have looked everywhere and only found documentation on how to give permission for users in a group for these attributes but for ALL users or limited by group.
I'm looking to apply the permission under the Identity Reference: NT AUTHORITY\SELF so that users may only edit their own attributes.
In fewer words, I'm looking to write a script that will delegate permissions for three specific attributes to ALL users in the domain but only for themselves (NT AUTH\SELF).
I have a loop that will perform it for each user, I have just hit a brick wall on what to include in the loop.
Any help would be appreciated.
NT AUTHORITY\SELF is one of Windows' well-known SIDs, with a SID of S-1-5-10.
So you do it the same way you would for any other account, but grant the permissions to S-1-5-10 instead.
If you show us the code you're working with, we might be able to help you with where to plug in that value, if you need.

Create a new AD user by copying all attributes of an existing AD user

We have a requirement to create new AD users through perl using NET::LDAPS.
The new user needs to be a copy of an existing user.
On the Active Directory GUI (dsa.msc), we would simply select the existing user and create a copy with new username and details. This copies all attributes including groups the user is a member of.
Is there similar code using LDAP that would copy all attributes of an existing user into a new user (including groups)?
Alternatively, do we need to first create the AD user and then add the user to existing groups? In this case, how do we find out the groups that the existing user is a member of?
No, you have to update the directory manually. Keep in mind that perl-ldap is a library for the protocol LDAP and not for Active Directory which is just one application for LDAP.
And, by the way, it's Net::LDAPS, not Net::LDAP. The latter will only work on case-insensitive file systems.

Tableau - Clean Up All Users Group

I added a group to a site. The users were then added to the All Users group. I then removed the group, but the users remained.
Is there any way to clean this up so that the users get deleted?
Thanks
To be clear, you want to delete the users that were in the group?
Creating and deleting groups does not create or delete users. To delete users you need to go to the users tab and select the users you want to delete.
Also, keep in mind that if the user owns content you will get a message saying:
"[user] was unlicensed" instead of the expected "[user] was deleted" message.
The "unlicensed" message displays because the user who you want to delete is a workbook or project owner and therefore cannot be deleted. In other words, a user can only be permanently deleted from Tableau Server if he or she no longer owns a workbook or project.
See more here: http://kb.tableau.com/articles/knowledgebase/deleting-user-from-tableau-server
Tableau is not good with Active Directory when it comes to removing users. If you add an Active Directory account and set up sync, it will add a new user who will be added to the AD group, but once you remove the AD group it will not remove any users who were in the AD group.
In order to remove those users, you need to go to all users and delete the users manually, which defeats the purpose of using AD groups.

Alfresco Share - Can't find people as site manager after bulk upload

I created a lot of users (~350) using User CSV Uploader (/alfresco/service/api/people/upload) and then as site manager I tried to invite some of these users, but I can't find them.
Steps:
1. create a list of users (using CSV template) - OK
2. upload the list - OK
3. check if the users exist - OK
4. as site manager and alfresco_administrator, when I go to http://mydomain/share/page/site/mysite/invite and search for a user (let's say TESTUSER), the user is listed and is allowed to be invited
5. as site manager (not alfresco_administrator), when I go to http://mydomain/share/page/site/mysite/invite and search for user TESTUSER, the user is not listed
The user TESTUSER exists and was created using CSV upload.
I manually created another user, TESTUSER2, and followed steps 3, 4 and 5. In this case the user TESTUSER2 is listed in both cases.
My question is: is there a possibility to "reindex" all users, or do I need to create ~300 users manually?
Right now LDAP or AD is not an option.
Alfresco 4.2c/Centos 6.4/SOLR (full reindex after 2 days)
Thank You!
Geo
Are you able to find the persons via people finder /share/page/people-finder?
If not, are you able to find the persons when appending [hint:useCQ] (forces usage of DB instead of SearchIndex) to your people search term?
If you find the persons using this hint, then your Solr Index is not in sync.

Sitecore - Is there a way to reset all Access Rights in User Manager or Security Editor?

I currently have a user whose Access Rights are messed up and I'd like to reset them. I could be blind but does anyone know of a way to do this?
I am not aware of a way to reset the user rights.
The only way I can think of is deleting the user and creating a new one, or writing a script that loops through the tree or retrieves all items that the current user has rights on and resets the rights for this user.
Security of an item is stored within the __security field on the item itself. Furthermore, security is stored by the name of the user or role, not by an ID. Deleting a user/role will not modify any item that references that user/role so you effectively get orphaned access rights.
I had created a script years ago that will report on (and reset) the security of items. It is available from my blog post and I referenced it within this similar question. You should be able to modify that script to remove a single user's rights.
So far, the only way I've been able to do this is to go into the Security Editor, select the user, then open every item in the tree and unset every access right manually to the default setting of Inherited.
For instance, there are at least a Read/Write/Rename/Create/Delete/Administer/Inheritance permission on just the Home item alone. Each permission has one of the following states: Inherited/Allowed/Denied/Item vs. Descendant Right/Protected/Not Applicable. If any of those are set, manually unset it. So, if it were set to Allowed, you'd click the green check mark which would unset it from Allowed (I guess you could argue I'm setting it to Inherited).
To get back to square one, everything should be set back to Inherited.