I'm attempting to run an LDAP filter to return all users within a group. Pretty simple, and there are hundreds of Stack Overflow questions which already provide example queries. However the one I'm using is basic, and returns nothing when run in Powershell.
What I've Tried
Get-ADUser -LDAPFilter "(&(objectclass=user)(objectcategory=person)(memberOf=CN=MyGroup,OU=Users,DC=MyDomain,DC=com))"
I've also tried "CN=Users" instead of "OU=Users
Where "MyGroup" is located in the OU:
"MyDomain" (Forest) > "Users" (OU) > "MyGroup" (CN)
Any ideas what I'm doing wrong, and why none of the 100-200 members of the "MyGroup" are being returned?
Cross-post: https://serverfault.com/q/978336/536173
TL;DR of the most upvoted answer:
Use (memberOf:1.2.840.113556.1.4.1941:=<GROUP_DN>) to query for group memberships recursively.
Related
ive been struggling with this for a wee while now.
I am looking at using dynamic distribution groups.
I want to include all users with an "external" suffix at the end of their display naes. (this could als be used to exclude.)
Issues
DDGs do not accept a wild card prefix. it would accept (displayname -eq "john.doe*)" but not (dispalyname -eq *external).
powershell doesnt accept the employee type feild ( could have just filled that in and pointed at that)
-unable to add a mailgroup to the dynamic dg.
this is exchange online and fully cloud tenant
Attempts
i can add single users by smtpaddress but i would like to add a group of people
i have created a security group that i was hoping to pull the smtp from and pipe into the recipient filter.
this is for trying to add users of a dynamic security group to the distribution group
$groupname = "groupname" $external = Get-AzureADGroupMember -ObjectId "objectnumber" $externalsmtp = $external.UserPrincipalName $contractorsmtp | Foreach {Set-DynamicDistributionGroup "externalusersemail" -RecipientFilter {PrimarySmtpAddress -eq '$_.UserPrincipalName'}}
Any help would be appreciated.
I am looking for something simple and i think ive gone down a bad rabbit hole.
I would have rather done something like below. but nope :( ive also tried other
-RecipientFilter {-not(displayName -eq "*External*")
Need assistance in getting the summary of user domains from sentinel signinglogs.
SigninLogs
| where AppId == "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx"
| extend UserDomains = split(UserPrincipalName,'#')[1]
| summarize TotalAttempts = count(), Failed=countif(ResultType !=0), Succeded=countif(ResultType ==0), LastAttempt = max(TimeGenerated), FirstAttempt = min(TimeGenerated), CountofUniqueID = dcount(UserPrincipalName), DomainCount = dcount(tostring(UserDomains))
The result has most of the information I need. However, I need little bit more clarity.
The objective of this report is to understand how may external users are consuming this applications and from which all domains they are accessing. So I need to make a summary based on internal users and external users.
How can I get the the count of all signed in users who are having a domain name ending with *mydomain.com (covering the root domain and child domains)
How can I get the the count of user domains specific to external users, ie the unique user domains - internal user domains (anything ending with *mydomain.com)
Is there a way to concatenate all the external domains with ";" as a delimiter ? In PowerShell, we use -join ";". Anything similar for KQL?
Appreciate your help on this.
I know that you can remove certain roles from users, and remove all roles from a user, but I was thinking of doing the reverse. I looked at this guide, which provides a way to retrieve all of the people who have a specific role. It seems like you could manipulate the collection/map to go through each member and remove the role. However, I cannot seem to achieve this.
I've hard-coded the one specific role that I am targeting as well as the message that should trigger the command.
Current code that I've been trying out (only seems to be working if there's just one person assigned the role):
if (msg.startsWith('!new round')) {
//check for everyone and remove the role
//roleID is just the roleID number string; I've stated it outside the if loop, for other command use cases as well
let membersWithRole = message.guild.roles.cache.get(roleID).members;
console.log(membersWithRole);
for (let member of membersWithRole) {
let mem = member[1]
mem.roles.remove(role).catch(console.error);
message.reply("Everyone with the jail role is now back in the game!");
}
}
Bottom line: Given a collection of the list of "guild" members that have the specified role (provided in the guide), could I iterate through a list* in order to remove the role from each member?
*I haven't found said list containing the members, but it's probably the objects themselves, so the whole collection
you need to learn documentation of discord.js
and yes you can do it by looping through all members.
if(msg.startsWith('!new round')){
console.log('command used by '+msg.author);
let role =msg.guild.roles.cache.get(roleId);
role.members.each(member=>{
member.roles.remove(role);
});
console.log('removed role from all members');
}
and also if you want to remove role from all members, so why you are not just deleting the role?
delete role:
msg.guild.roles.cache.get(roleId).delete();
Does somebody know how I can import all members of one group into another in GitLab, rather than doing it manually one by one?
The only native feature which comes close is in lib/tasks/gitlab/bulk_add_permission.rake, which is mentioned in "User management"
# omnibus-gitlab
sudo gitlab-rake gitlab:import:all_users_to_all_groups
# installation from source
bundle exec rake gitlab:import:all_users_to_all_groups RAILS_ENV=production
You could take that as a model to develop our own task.
I am not aware of such a feature. But you can script it with the API. We use it here to add all users to one single group (all users to all groups is not feasible for our case).
Helpful documentation: http://doc.gitlab.com/ce/api/README.html, http://doc.gitlab.com/ce/api/users.html and http://doc.gitlab.com/ce/api/groups.html
There is also a respond to another question that might be helpful and lists also various modules for various programming languages: Is there a way to add users automatically into gitlab?
I was looking for a solution to Assign all Gitlab users to one particular group.
Here's the solution:
Create this file:
/opt/gitlab/embedded/service/gitlab-rails/lib/tasks/gitlab/finder_import.rake
With this content:
namespace :gitlab do namespace :finder do
desc "GitLab | Add all users to group Colaboradores (admin users are added as owners)"
task importall: :environment do |t, args|
user_ids = User.where(admin: false).pluck(:id)
admin_ids = User.where(admin: true).pluck(:id)
groups = Group.where(name: "Colaboradores")
puts "Importing #{user_ids.size} users into #{groups.size} groups"
puts "Importing #{admin_ids.size} admins into #{groups.size} groups"
groups.each do |group|
puts "Importing into #{group.name}"
group.add_users(user_ids, GroupMember::DEVELOPER)
group.add_users(admin_ids, GroupMember::OWNER)
end
end
end end
Run this command:
gitlab-rake gitlab:finder:importall
Does anybody know how to limit a users ability to set variables? Specifically statement_timeout?
Regardless of if I alter the user to have this variable set to a minute, or if I have it set to a minute in the postgresql.conf file, a user can always just type SET statement_timeount TO 0; to disable the timeout completely for that session.
Does anybody know a way to stop this? I know some variables can only be changed by a superuser but I cannot figure out if there is a way to force this to be one of those controlled variables. Alternatively, is there a way to revoke SET from their role?
In my application, this variable is used to limit the ability of random users (user registration is open to the public) from using up all the CPU time with (near) infinite queries. If they can disable it then it means that I must find a new methodology for limiting resources to users. If there is no method for securing this variable, is there other ways of achieving this same goal that you may suggest?
Edit 2011-03-02
The reason the database is open to the public and arbitrary SQL is allowed is because this project is for a game played directly in the database. Every player is a database user. Data is locked down behind views, rules and triggers, CREATE is revoked from public and the player role to prevent most alterations to the schema and SELECT on pg_proc is removed to secure game-sensitive function code.
This is not some mission critical system I have opened up to the world. It is a weird proof of concept that puts an abnormal amount of trust in the database in an attempt to maintain the entire CIA security triangle within it.
Thanks for your help,
Abstrct
There is no way to override this. If you allow the user to run arbitrary SQL commands, changing the statement_timeout is just the top of the iceberg anyway... If you don't trust your users, you shouldn't let them run arbitrary SQL - or accept that they can run, well, arbitrary SQL. And have some sort of external monitor that cancels the queries.
Basically you can't do this in plain postgres.
Meantime for accomplish your goal you may use some type of proxies and rewrite/forbidd some queries.
There several solutions for that, f.e.:
db-query-proxy - article how it born (in Russian).
BGBouncer + pgbouncer-rr-patch
Last contains very useful examples and it is very simple do on Python:
import re
def rewrite_query(username, query):
q1="SELECT storename, SUM\(total\) FROM sales JOIN store USING \(storeid\) GROUP BY storename ORDER BY storename"
q2="SELECT prodname, SUM\(total\) FROM sales JOIN product USING \(productid\) GROUP BY prodname ORDER BY prodname"
if re.match(q1, query):
new_query = "SELECT storename, SUM(total) FROM store_sales GROUP BY storename ORDER BY storename;"
elif re.match(q2, query):
new_query = "SELECT prodname, SUM(total) FROM product_sales GROUP BY prodname ORDER BY prodname;"
else:
new_query = query
return new_query