Good Morning,

I'm tried looking around the web for this issue, but have not been able to find a definite solution.

QUICK OVERVIEW: My company had to change email servers. In the process we migrated just under 4,000 users to the new email system. As a transition phase during the migration a contact was created for each user with the new email address. The user account was then pointed to forward mail to this contact. I wrote a Powershell 3.0 script using the Quest AD Module to delete the contacts and update the corresponding user account with the new email information. The script works excellent on a small scale, but starts throwing "Out of Memory" errors when it gets to about 600+ users. I'm not sure what I'm missing or how to catch / fix this memory leak. Any recommendations would be greatly appreciated.

ATTEMPTED SOLUTIONS: The script initually did everything under 1 function: export the contacts with all attributes (my failsafe in case something went horribly wrong), found the user account that corresponds to the contact, exported user info (again failsafe), deleted contact, updated user, export the user with the new settings. After reading on the few forums I found that were relevant, I tried implementing Clear-Variable, [GC]::Collect(), Remove-Variable throughout the script, but did not see any impact on the memory usage. Under this initial script, I was using about 1.6GB of RAM about 1/3 into the script. The code for the script I'm posint below is version 6. In this one I'm Including all properties on my queries for the export purposes. In previous versions I was only selecting the properies I needed, but then had to do another Get-QADObject/User with full properties for the export. In the end, the script crashed with the "Out of Memory" error regardless of whether I was getting all properies or only the selected ones. I also played around with different PageSize settings and setting it to 25 seemed to speed the process up the most, but had no noticeable impact on the memory consumption. In one version of the script I even tried a While (contacts exist) { process accounts with SizeLimit '250'}. During the testing phase I wasn't actually makeing the changes, just moving the contacts to another OU. In theory I though that setting the size limit would fix my issue, but it had no impact to the overall result.

I finally broke the script into functions and pipelined the whole process (see code below: code has been slightly modified to hide true variable values and condense comments and custom messages).

ERROR MESSAGES: These are the error messages I'm receiving. As you can see, the system has plenty of RAM available, but the script is using ~ 1.4GB. I'm not 100% sure what the 2nd part of the error means. I'm assuming that it resulted in the memory running out and the variable not containing any more data for that iteration of the script.

SCRIPT CODE:

#requires -version 3

## Load Quest Snappin

Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction silentlycontinue

## ***** Declare Variables *****

## Containers

$global:contact_OU="ou=MIGRATION,ou=CONTACTS,ou=OFFICE,ou=DEPT,dc=SUBDOMAIN,dc=DOMAIN,dc=COM"

$global:unmatched_OU="ou=Unmatched,ou=MIGRATION,ou=CONTACTS,ou=OFFICE,ou=DEPT,dc=SUBDOMAIN,dc=DOMAIN,dc=COM"

## Reporting Variables

$global:report_path="C:\AD\Email Cleanup"

$global:timeStamp=Get-Date-UFormat"%H%M_%d-%m-%d-%Y"

## Get-QAD Object Splat Variables

$user_splat= @{

          OrganizationalUnit ="ou=USERS,ou=DEPT,ou=COMPANY,dc=SUBDOMAIN,dc=DOMAIN,dc=COM"

          LdapFilter ="(!(DisplayName=*.ADM))"## Do not include admin accounts

          IncludeAllProperties =$true

          SizeLimit ="1"

          ShowProgress =$true

} # end $user_splat

$contact_splat= @{

Type="Contact"

          OrganizationalUnit =$contact_OU

          LdapFilter ="(mail=*@newEmail.com)"

          IncludeAllProperties =$true

          SearchScope ="OneLevel"

          SizeLimit ="0"

          PageSize ="25"

          ShowProgress =$true

} # end $contact_splat

## Write-Out colors.  Some color variables have been removed to shorten the code being posted.

$gc_colors= @{

          ForegroundColor ="Yellow"

          BackgroundColor ="DarkGreen"

} # end splat $gc_colors

cls

## ***** Get Reports *****

functionGet_Reports ($obj, $fileName) {

## Export the objects

$report=$timeStamp+"_"+$fileName

$obj|Export-Csv"$report_path\$report.csv"-Append-NoTypeInformation

return$obj

} # end function Get_Reports

## ***** Update Users *****

functionProcess_Users ($contact) {

          if (!($user=Get-QADUser @user_splat -LogonName$contact.mailNickname)) {

       Write-Host"*******************************************************" @unmatched_colors

       Write-Host @unmatched_colors $contact.Name " Could not be matched to a user account."

       Write-Host"*******************************************************" @unmatched_colors

                                          try {

       #Write-Host "******************* Moving ************************" $contact.Name

       Move-QADObject-Identity$contact.Name -NewParentContainer$unmatched_OU-ErrorAction'Stop'-ErrorVariable$moveError

     } catch [System.OutOfMemoryException] {

       Write-Warning"Out of RAM"

       $errorTime=Get-Date-UFormat"%d-%m-%d-%Y_%H%M"

       Write-Host"Memory Error:"$errorTime|Out-File"$report_path\Function_Report_$timeStamp.txt"-Append

       Throw"Memory Error"

     } catch {

       Write-Warning"Error moving contact"

       Get_Reports$contact"Error_Unmatched_Users"

     } finally {

       Get_Reports$contact"Unmatched_Contacts"

     } # end finally

                              } # end if (!(Get-QADUser)

                    else {

       ## Set variables

                                   $new_email=$contact.PrimarySMTPAddress

       ## Generate Report prior to cleanup

       Get_Reports$user"Pre-Cleanup_Users"

     try {

       ## Remove contact so that the new email address can be set as the primary address for the user.

       Remove-QADObject-Identity$contact.name -Force

       ## Process user accounts

       $user|Set-QADUser-ObjectAttributes @{altRecipient=''; msExchHomeServerName=''; homeMDB=''; targetAddress="$new_email"}`

       |Add-QADProxyAddress-Type"SMTP"-Address$new_email-Primary `   

       |Remove-QADProxyAddress-Pattern"*@oldemail1.com"`

       |Remove-QADProxyAddress-Pattern"*@oldemail2.com"

     } catch [System.OutOfMemoryException] {    

       Write-Warning"Out of RAM"

       $errorTime=Get-Date-UFormat"%d-%m-%d-%Y_%H%M"

       Write-Host"Memory Error:"$errorTime|Out-File"$report_path\Function_Report_$timeStamp.txt"-Append

       Throw"Memory Error"

     } catch {

       Write-Warning"Error moving user"

       Get_Reports$user"Error_Users"

    } finally {

       ## Generate report after user changes have been applied

       Get-QADUser$user.Name |% {Get_Reports$_"Post-Cleanup_Users"}

    } # end finally

                    } # end else

} # end function Process_Users

## Function to create pop-up message(s) with information about the script and initiate the rest of the functions if the user chooses to do so.

functionNotifications {

$script_description="This script will go through Active Directory and match ... {script description}.

Do you wish to proceed?"

          $a=New-Object-ComObject wscript.shell

$proceed=$a.popup($script_description,0,"Script Description",4)

          if ($proceed-eq 6) {

  ## Answered "Yes", proceed with script

  Write-Host"YES"

  Write-Host"Processing Contacts and Users"

  ## Process users

                    Get-QADObject @contact_splat |%{Get_Reports$_"Contacts"} |% {Process_Users$_}

  Invoke-Item$report_path

          } # end if

else {

  ## Answered "NO" exit script.

  Write-Host"*** Exiting Script ***"

          } # end else

} # end function Notifications

## Run the notification and give the user an option to terminate program before executing.

Notifications

Hey guys,

I remember a thread awhile back about Access Template Links to Managed Units occasionally being "forgotten" on just one or two child OUs. Can't find it right now, so I'm starting this one.

After ARS spent several hours refusing to accept client connections, I did a little digging and realized that we had some ARS scheduled tasks running that we really didn't need anymore, and in fact, these were calling old Quick Connect 3.5 stuff we had installed in ARS 6.5 but not on our ARS 6.7 servers. .Net deadlocks all around.

While disabling those, and auditing the rest (Server Management -> Scheduled Tasks in the MMC), I saw something in the Builtin folder that I thought would solve that problem: Managed Unit Checker. It had no script associated with it, but neither did any of the others which ARS cheerfully runs each day. So I enabled it, and set the first run time to about an hour later, and scheduled it for daily runs.

Two days later, nothing - no Last Run Time or Message, unlike other tasks on the list like Dynamic Group Updater or Sync of Permissions to Active Directory.

Right now, we can only respond to admins complaining that they can't make changes in a specific OU by temporarily excluding and then re-including the problem OU in the parent Managed Unit. I'd rather prevent the problem, and something like Managed Unit Checker sounds like it might be at least part of that solution.

Is this something that used to exist in ARS 6.5 which, like many things, we blindly and uselessly imported, or are we missing something?

Any insights into what happened to this or where there's a replacement solution would be appreciated.

I'm running ARS 6.7. I have explicitly added a Distribution Group to a Managed Unit, to which a particular administrative group has access. The admin group wants to be able to reset the passwords of any members of this Distribution Group. However, when browsing to this DG using the web interface and clicking "members" in the menu, none of the users are "clickable". When I log on with my admin account, all the members are hyperlinked and I can click on them and view properties. If using the full ARS console as a member of the admin group, I can right-click the user and get properties, or right-click and change password.

I have granted access at the managed unit level as well as on the specific distribution group.So far I can't seem to find any specific right that would be needed, or any way to explain the discrepency between the web client and the console. Any advice would be greatly appreciated.

Hi All

Is there a way to restrict a user (manager) so that he can only reset passwords for his direct reports in AD and not everyone?

Thanks

I have a problem that looks like a ARS database version problem - cannot give a different explanation. Let me explain:

I have created several access templates and applied them to several OUs and several security groups. One of the access templates is quite simple : I only give read access to all user object properties (no write whatsoever). For testing purposes (to check what the users will see) I also created a test user and added him to the security group. Tested and everything worked fine. User was then removed from the Security Group.

I then had another access template that gave access to another security group to manage Unified Messaging (enable, disable, reset PIN etc). I added the test user in this group and again eveything worked fine.The test user was removed again

To re-check everything (after several changes in other access templates) I added the test user to the first security group (the one that was supposed to have only read access to the user objects. That's the point hell broke loose and I started getting strange behaviour from the web interface. Although doubled checked (no nestings etc), the group that was supposed to have read only access, now (at least for this test user, has full Unified Messaging access rights, although he was not supposed to. No way to trace those access rights to an access tempate or nesting or group membership either direct or indirect.

User deleted and recreated and the whole process above repeated (same steps, same behavior at least from the Web Interface).

This raises a security problem and can not be tolerated. We have to find a solution.

What worries me and makes me believe that a have a database version/corruption problem is that I checked the user activity for this user and I see actions attributed to this user although the user has not performed those actions (and I am 100% sure about this)

Another reason I am suspecting a database problem, is an article that i read (dated March 29 2013) that mentioned an upgrade required but this was for 6.7 - nevertheless i had to do with Unified Messaging capabilities. In our case, we used to have 6.7 then upgraded to 6.8 but I do not recall having applied the 6.7 patches (and I am sure that these this not work 100% all the times)

Your guidance is required to trace the problem - where should we start searching? Can we verify the DB schema?

Best regards

Hello,

We are implementing a brand new ARS 6.8 installation and are having issues authenticating to the built in websites.

We are getting a username and password prompt which doesn’t accept any credentials, not even that of the ARS service account.

I can confirm that when opening the page from the local server there are no issues.

Can anyone please point me in the right direction where to assign the access rights to the web page?

Thanks,

Matt

Hi to all,

I have installed ARS 6.8, i have modified the directory management tree, in web interface in order to display only managed units. (hide active directory and adlds sur trees)

Now i want to do the same in the browsing windows:

When i select a user and click on "add to group" or "move", a browsing windows comes. It contains a tree in order to select the group destination or the new place. this tree contains "manged units" and "Active directory"

I want to delete "Active directory" from this tree

How to do it ?

Thank you

Hey guys,

I remember a thread awhile back about Access Template Links to Managed Units occasionally being "forgotten" on just one or two child OUs. Can't find it right now, so I'm starting this one.

After ARS spent several hours refusing to accept client connections, I did a little digging and realized that we had some ARS scheduled tasks running that we really didn't need anymore, and in fact, these were calling old Quick Connect 3.5 stuff we had installed in ARS 6.5 but not on our ARS 6.7 servers. .Net deadlocks all around.

While disabling those, and auditing the rest (Server Management -> Scheduled Tasks in the MMC), I saw something in the Builtin folder that I thought would solve that problem: Managed Unit Checker. It had no script associated with it, but neither did any of the others which ARS cheerfully runs each day. So I enabled it, and set the first run time to about an hour later, and scheduled it for daily runs.

Two days later, nothing - no Last Run Time or Message, unlike other tasks on the list like Dynamic Group Updater or Sync of Permissions to Active Directory.

Right now, we can only respond to admins complaining that they can't make changes in a specific OU by temporarily excluding and then re-including the problem OU in the parent Managed Unit. I'd rather prevent the problem, and something like Managed Unit Checker sounds like it might be at least part of that solution.

Is this something that used to exist in ARS 6.5 which, like many things, we blindly and uselessly imported, or are we missing something?

Any insights into what happened to this or where there's a replacement solution would be appreciated.

Hi to all,

In ARS Web interface 6.8

Is it possible to add a button near to "Delete" "Deprovision" "Move..." "Add to group..." ?

The aim is to propose "ResetPassword" when user (or users) is selected but the button must be hiden if a computer is selected

Do you think it is possible ?

Hello,

I would add French language in WI Interfaces.

In the document QuestOneActiveRoles_6.8_ReleaseNotes.html :

"This release has the following known capabilities or limitations: Quest One ActiveRoles 6.8 is released without localization. Product localization and translated documentation will be released separately as Quest One ActiveRoles Language Pack 6.8."

But i don't have LCID French code : http://msdn.microsoft.com/en-us/library/0h88fahh(VS.85).aspx   to can translate : ARServerAdmin, ARServerHelpDesk and ARServerSelfService  web WI.

Thank you for your help

I am having a problem with obtaining the serialNumber attribute for computer objects in Active Directory using the Get-QADComputer cmdlet.

Using the following code, I get nothing back

Get-QADComputer -IncludeAllProperties OJR2UA0460YJP |fl serialNumber

However if I connect to the ARS service...

connect-QADService -proxy

Get-QADComputer -IncludeAllProperties OJR2UA0460YJP |fl serialNumber

It works and returns the contents of the serialNumber attribute.

Why won't the get-QADComputer cmdlet return the native attribute of serialNumber when connected to a domain controller?

Hi Folks,

i want to create some events in the "EDM Server" eventlog. I can use the write-eventlog cmdlet to write the events to the log.

Does anyone know a docment with all eventids of ARS? I can define my own ids, but maybe they will overlap with ARS eventids.

Regards,

BEN

Hi I'm trying to grab the value of a virtual attribute using the $DirObj rather than binding to the user object directly because it's obviously faster to do this but it's not returning any values. 

e.g.

function Get-Value($obj, $attr) {
################################################
#
# Function to get an attribute value
#
trap {  continue  }
return $obj.Get($attr)
return $null
} # End Function Get-Value

$myVAvalue = Get-Value $DirObj "myVA"

$EventLog.ReportEvent($Constants.EDS_EVENTLOG_INFORMATION_TYPE,"User-reactToAccountStatusChange_v$scriptVersion >>>>>>> in Set-OOOState - myVAValue = $($myVAValue)")

Hi,

I would like to know what are the ARS rights required (on ARS) and where to change it on ARS server (I would like to grant other users/groups)

to perform powershell scripting using the Quest cmdlets for AD management (with -proxy switch)

typically,

the FW ports required to connect ARS are open.

from a remote client computer with Quest cmdlets installed,

connect-qadservice -service "serverars.mydomain.com"  -proxy         ; returns "The activeroles administration service is not available"

but if I specify a user and password with ARS rights It works:

connect-qadservice -service "serverars.mydomain.com" -connectionaccount $user -connectionpassword $pwd -proxy

So it is a question of rights on ARS ? which template ? where to grant this right on ARS ?

Thank you

Good Morning,

I'm tried looking around the web for this issue, but have not been able to find a definite solution.

QUICK OVERVIEW: My company had to change email servers. In the process we migrated just under 4,000 users to the new email system. As a transition phase during the migration a contact was created for each user with the new email address. The user account was then pointed to forward mail to this contact. I wrote a Powershell 3.0 script using the Quest AD Module to delete the contacts and update the corresponding user account with the new email information. The script works excellent on a small scale, but starts throwing "Out of Memory" errors when it gets to about 600+ users. I'm not sure what I'm missing or how to catch / fix this memory leak. Any recommendations would be greatly appreciated.

ATTEMPTED SOLUTIONS: The script initually did everything under 1 function: export the contacts with all attributes (my failsafe in case something went horribly wrong), found the user account that corresponds to the contact, exported user info (again failsafe), deleted contact, updated user, export the user with the new settings. After reading on the few forums I found that were relevant, I tried implementing Clear-Variable, [GC]::Collect(), Remove-Variable throughout the script, but did not see any impact on the memory usage. Under this initial script, I was using about 1.6GB of RAM about 1/3 into the script. The code for the script I'm posint below is version 6. In this one I'm Including all properties on my queries for the export purposes. In previous versions I was only selecting the properies I needed, but then had to do another Get-QADObject/User with full properties for the export. In the end, the script crashed with the "Out of Memory" error regardless of whether I was getting all properies or only the selected ones. I also played around with different PageSize settings and setting it to 25 seemed to speed the process up the most, but had no noticeable impact on the memory consumption. In one version of the script I even tried a While (contacts exist) { process accounts with SizeLimit '250'}. During the testing phase I wasn't actually makeing the changes, just moving the contacts to another OU. In theory I though that setting the size limit would fix my issue, but it had no impact to the overall result.

I finally broke the script into functions and pipelined the whole process (see code below: code has been slightly modified to hide true variable values and condense comments and custom messages).

ERROR MESSAGES: These are the error messages I'm receiving. As you can see, the system has plenty of RAM available, but the script is using ~ 1.4GB. I'm not 100% sure what the 2nd part of the error means. I'm assuming that it resulted in the memory running out and the variable not containing any more data for that iteration of the script.

SCRIPT CODE:

#requires -version 3

## Load Quest Snappin

Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction silentlycontinue

## ***** Declare Variables *****

## Containers

$global:contact_OU="ou=MIGRATION,ou=CONTACTS,ou=OFFICE,ou=DEPT,dc=SUBDOMAIN,dc=DOMAIN,dc=COM"

$global:unmatched_OU="ou=Unmatched,ou=MIGRATION,ou=CONTACTS,ou=OFFICE,ou=DEPT,dc=SUBDOMAIN,dc=DOMAIN,dc=COM"

## Reporting Variables

$global:report_path="C:\AD\Email Cleanup"

$global:timeStamp=Get-Date-UFormat"%H%M_%d-%m-%d-%Y"

## Get-QAD Object Splat Variables

$user_splat= @{

          OrganizationalUnit ="ou=USERS,ou=DEPT,ou=COMPANY,dc=SUBDOMAIN,dc=DOMAIN,dc=COM"

          LdapFilter ="(!(DisplayName=*.ADM))"## Do not include admin accounts

          IncludeAllProperties =$true

          SizeLimit ="1"

          ShowProgress =$true

} # end $user_splat

$contact_splat= @{

Type="Contact"

          OrganizationalUnit =$contact_OU

          LdapFilter ="(mail=*@newEmail.com)"

          IncludeAllProperties =$true

          SearchScope ="OneLevel"

          SizeLimit ="0"

          PageSize ="25"

          ShowProgress =$true

} # end $contact_splat

## Write-Out colors.  Some color variables have been removed to shorten the code being posted.

$gc_colors= @{

          ForegroundColor ="Yellow"

          BackgroundColor ="DarkGreen"

} # end splat $gc_colors

cls

## ***** Get Reports *****

functionGet_Reports ($obj, $fileName) {

## Export the objects

$report=$timeStamp+"_"+$fileName

$obj|Export-Csv"$report_path\$report.csv"-Append-NoTypeInformation

return$obj

} # end function Get_Reports

## ***** Update Users *****

functionProcess_Users ($contact) {

          if (!($user=Get-QADUser @user_splat -LogonName$contact.mailNickname)) {

       Write-Host"*******************************************************" @unmatched_colors

       Write-Host @unmatched_colors $contact.Name " Could not be matched to a user account."

       Write-Host"*******************************************************" @unmatched_colors

                                          try {

       #Write-Host "******************* Moving ************************" $contact.Name

       Move-QADObject-Identity$contact.Name -NewParentContainer$unmatched_OU-ErrorAction'Stop'-ErrorVariable$moveError

     } catch [System.OutOfMemoryException] {

       Write-Warning"Out of RAM"

       $errorTime=Get-Date-UFormat"%d-%m-%d-%Y_%H%M"

       Write-Host"Memory Error:"$errorTime|Out-File"$report_path\Function_Report_$timeStamp.txt"-Append

       Throw"Memory Error"

     } catch {

       Write-Warning"Error moving contact"

       Get_Reports$contact"Error_Unmatched_Users"

     } finally {

       Get_Reports$contact"Unmatched_Contacts"

     } # end finally

                              } # end if (!(Get-QADUser)

                    else {

       ## Set variables

                                   $new_email=$contact.PrimarySMTPAddress

       ## Generate Report prior to cleanup

       Get_Reports$user"Pre-Cleanup_Users"

     try {

       ## Remove contact so that the new email address can be set as the primary address for the user.

       Remove-QADObject-Identity$contact.name -Force

       ## Process user accounts

       $user|Set-QADUser-ObjectAttributes @{altRecipient=''; msExchHomeServerName=''; homeMDB=''; targetAddress="$new_email"}`

       |Add-QADProxyAddress-Type"SMTP"-Address$new_email-Primary `   

       |Remove-QADProxyAddress-Pattern"*@oldemail1.com"`

       |Remove-QADProxyAddress-Pattern"*@oldemail2.com"

     } catch [System.OutOfMemoryException] {    

       Write-Warning"Out of RAM"

       $errorTime=Get-Date-UFormat"%d-%m-%d-%Y_%H%M"

       Write-Host"Memory Error:"$errorTime|Out-File"$report_path\Function_Report_$timeStamp.txt"-Append

       Throw"Memory Error"

     } catch {

       Write-Warning"Error moving user"

       Get_Reports$user"Error_Users"

    } finally {

       ## Generate report after user changes have been applied

       Get-QADUser$user.Name |% {Get_Reports$_"Post-Cleanup_Users"}

    } # end finally

                    } # end else

} # end function Process_Users

## Function to create pop-up message(s) with information about the script and initiate the rest of the functions if the user chooses to do so.

functionNotifications {

$script_description="This script will go through Active Directory and match ... {script description}.

Do you wish to proceed?"

          $a=New-Object-ComObject wscript.shell

$proceed=$a.popup($script_description,0,"Script Description",4)

          if ($proceed-eq 6) {

  ## Answered "Yes", proceed with script

  Write-Host"YES"

  Write-Host"Processing Contacts and Users"

  ## Process users

                    Get-QADObject @contact_splat |%{Get_Reports$_"Contacts"} |% {Process_Users$_}

  Invoke-Item$report_path

          } # end if

else {

  ## Answered "NO" exit script.

  Write-Host"*** Exiting Script ***"

          } # end else

} # end function Notifications

## Run the notification and give the user an option to terminate program before executing.

Notifications

I'm running ARS 6.7. I have explicitly added a Distribution Group to a Managed Unit, to which a particular administrative group has access. The admin group wants to be able to reset the passwords of any members of this Distribution Group. However, when browsing to this DG using the web interface and clicking "members" in the menu, none of the users are "clickable". When I log on with my admin account, all the members are hyperlinked and I can click on them and view properties. If using the full ARS console as a member of the admin group, I can right-click the user and get properties, or right-click and change password.

I have granted access at the managed unit level as well as on the specific distribution group.So far I can't seem to find any specific right that would be needed, or any way to explain the discrepency between the web client and the console. Any advice would be greatly appreciated.

Hello,

it's possible to add images in ARS notification? I would like to use a custom template for notification emails, this template have an html table and 2 images: an header and a footer. I tried providing the image local path with "img src" tag with no success.

Maybe do i need some C# code? Can anyone help?

Thanks,

Andrea

good morning,

in thread http://communities.quest.com/thread/22763, tatiana said "You can only hide the existed commands or change their order."

i'm trying to remove the "Set Primary Group" button from the web interface, unfortunately Ican't do it

can you tell me how to made this ?

thanks

I have a problem that looks like a ARS database version problem - cannot give a different explanation. Let me explain:

I have created several access templates and applied them to several OUs and several security groups. One of the access templates is quite simple : I only give read access to all user object properties (no write whatsoever). For testing purposes (to check what the users will see) I also created a test user and added him to the security group. Tested and everything worked fine. User was then removed from the Security Group.

I then had another access template that gave access to another security group to manage Unified Messaging (enable, disable, reset PIN etc). I added the test user in this group and again eveything worked fine.The test user was removed again

To re-check everything (after several changes in other access templates) I added the test user to the first security group (the one that was supposed to have only read access to the user objects. That's the point hell broke loose and I started getting strange behaviour from the web interface. Although doubled checked (no nestings etc), the group that was supposed to have read only access, now (at least for this test user, has full Unified Messaging access rights, although he was not supposed to. No way to trace those access rights to an access tempate or nesting or group membership either direct or indirect.

User deleted and recreated and the whole process above repeated (same steps, same behavior at least from the Web Interface).

This raises a security problem and can not be tolerated. We have to find a solution.

What worries me and makes me believe that a have a database version/corruption problem is that I checked the user activity for this user and I see actions attributed to this user although the user has not performed those actions (and I am 100% sure about this)

Another reason I am suspecting a database problem, is an article that i read (dated March 29 2013) that mentioned an upgrade required but this was for 6.7 - nevertheless i had to do with Unified Messaging capabilities. In our case, we used to have 6.7 then upgraded to 6.8 but I do not recall having applied the 6.7 patches (and I am sure that these this not work 100% all the times)

Your guidance is required to trace the problem - where should we start searching? Can we verify the DB schema?

Best regards

Hi,

I'm relative new to ARS and this question may have been answered before, I do apologize.

I've an OU structure like this.

MainOU

     subou1

     subou2

     subou3

I have delegated permissions/access template to our helpdesk on the MainOU. On subou3 I want a different set of policies that for example doesn't include Exchange. I've created an Access Template and a Policy with the settings I want and delegated it to the helpdesk. Since helpdesk also has delegation set on MainOU that is inherited on all sub ou's, I still see Exhange settings on subou3.

While researching this I came across this link http://communities.quest.com/message/21001#21001 which unfortunately does not help since helpdesk is delegated control on the MainOU that is inherited in all sub ou's.

I can achieve what I want if I explicity delegate control on all ou's, but I rather not do that. Is here any way I can achieve what I want?

Hopefully I've made myself clear, but if not, please do not hesistate to ask.