Problem
I need to write an LDAP query that given a distinguishedName for a group will return a list of all users who are owners/managers of the group
Motivation
I am writing a VBA script that will allow an Excel user to input a DisplayName for a group in a cell and press a button to receive (1) a list of members and (2) a separate list of group owners.
Progress
The first part works fine. I search the directory for all users who have the group in their memberof field.
For the owners, I successfully pulled the group's managedBy field, but it only contained information for a single user. This is the same user that appears in the "Owner" field when the group is viewed in Outlook's address book. There are many more users with ownership permissions for the list.
Examples
Here are the two (slightly modified) queries I'm using now:
Query 1: Group Members (works)
<LDAP://dc=DOMAIN,dc=com>;(&(memberof=CN=GroupName));DisplayName;Subtree
Query 2: Group Owners (single user returned)
<LDAP://dc=DOMAIN,dc=com>;(&(objectCategory=group)(DisplayName="Group Name"));managedBy;Subtree
The Question
How can I modify Query 2 to return all users with management permissions for the group?
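Both queries above splice a value that originated in a spreadsheet cell straight into the filter string, so any filter metacharacter typed into that cell (`*`, `(`, `)`, `\`) changes the meaning of the search. As an added example that is not part of the original post, the JavaScript below escapes that value per RFC 4515 section 3 before building the two filters and the ADO-style command string the post uses. The `objectCategory=person` clause and the assumption that the group's full distinguishedName has already been looked up (memberOf holds DNs, not bare names) are mine, not the poster's.

```javascript
// Added example (not from the original post): build the two LDAP filters from a
// spreadsheet cell value safely. The cell value is user-controlled, so filter
// metacharacters in it are escaped per RFC 4515 section 3 before splicing.

// Escape a value used inside an LDAP search filter (RFC 4515, section 3).
function escapeLdapFilterValue(value) {
  const map = {
    '\\': '\\5c',
    '*': '\\2a',
    '(': '\\28',
    ')': '\\29',
    '\u0000': '\\00',
  };
  return String(value).replace(/[\\*()\u0000]/g, (ch) => map[ch]);
}

// Filter for members of a group, given the group's full distinguishedName.
// memberOf stores DNs, so the DN is what the filter compares against;
// groupDn is assumed to have been read from the group object first.
function buildMemberFilter(groupDn) {
  return `(&(objectCategory=person)(memberOf=${escapeLdapFilterValue(groupDn)}))`;
}

// Filter for the group object itself, by the displayName typed in the cell.
function buildGroupFilter(displayName) {
  return `(&(objectCategory=group)(displayName=${escapeLdapFilterValue(displayName)}))`;
}

// Compose the ADO command string shape used in the post:
//   <LDAP://base>;(filter);attributes;scope
function buildAdoCommand(base, filter, attributes, scope = 'Subtree') {
  return `<LDAP://${base}>;${filter};${attributes};${scope}`;
}

// Stand-alone run: a display name containing parentheses stays a literal match.
console.log(buildAdoCommand('dc=DOMAIN,dc=com', buildGroupFilter('Sales (EMEA)'), 'managedBy'));
```

In VBA the same escaping is a handful of `Replace()` calls on the cell value (backslash first, then `*`, `(`, `)`) before the string concatenation that builds the command.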
Details of the Issue:
As far as I know, dynamic membership rules can be assigned based off of properties that pertain to a single user. That is, department, object ID, job title, etc.
The limitation is that there can only be one assigned department, one assigned object ID, one assigned job title, etc. for a single user.
How can I assign multiple "departments" to a single user in Azure that can be dynamically assigned in different M365 groups? For example:
User 1 belongs to Department A and Department B
User 2 belongs to Department A and Department C
If Group A only allows users from Department A Then:
User 1 and User 2 are assigned
If Group B only allows users from Department C Then:
User 2 is assigned
The issue is that I cannot seem to find a way to assign multiple departments to a single user that can later be used to dynamically assign users to M365 groups.
You can assign a single department to a single user, thus setting a dynamic membership rule to add all users from that specific department to the M365 group, however this only works if you're okay with a user belonging to a single department.
What I Tried:
My users may belong to multiple departments, so to remedy this issue, I decided to use Azure's Assigned Roles as "departments". That is, I create a custom assigned role for each department, allowing each user to be assigned multiple roles (i.e., departments).
Why It Didn't Work:
However, when setting up the dynamic membership rule to assign users to an M365 group, I am not able to find a user property that corresponds to their assigned role(s).
Is this a valid approach? Or is there an alternative that I'm missing?
Update:
This related question runs into the same issue, however the given answer does not address my issue.
This could entirely be a limitation on Azure's side and my goal may not be achievable through AAD.
Answering my own question with a potential, and simple, alternative to this issue:
Listing out all of the departments in any of the user's property fields and using the following dynamic membership rule to find it:
user.department -contains "Department A"
Example:
User 1 belongs to Department A and Department B.
So, Set Department to:
"Department A, Department B"
Group looks for users from Department B.
So, Set M365 Dynamic Rule Membership to:
user.department -contains "Department B"
Azure has a 64-character limit on the property, so contracting your department names to unique IDs, such as:
Department A: DA-001
Department B: DB-001
Works, too.
User 1 belongs to Department A and Department B.
So, Set Department to: "[DA-001],[DB-001]"
user.department -contains "DB-001"
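The rule shape used in this answer, `user.department -contains "<text>"`, is a substring match on the attribute value, so which code you search for decides how wide the group becomes. As an added example that is not part of the original answer, the JavaScript below models that operator locally over constructed user records (it is not a call to Azure; case-sensitive substring matching is my assumption, so confirm it against the tenant) and shows why the needle should keep the `[...]` delimiters the answer introduces: searching for `DB-001` also matches a user whose only code is `[DB-0012]`, while `[DB-001]` does not. It also packs codes into the bracketed form and enforces the 64-character limit mentioned above.

```javascript
// Added example (not from the original answer): a local model of the
// `user.department -contains "<text>"` rule over constructed user records.
// -contains is modelled as a case-sensitive substring test (assumption).

// Constructed directory records (not real users or tenants).
const users = [
  { upn: 'user1@example.test', department: '[DA-001],[DB-001]' },
  { upn: 'user2@example.test', department: '[DA-001],[DC-001]' },
  // A code that shares a prefix with DB-001: the over-broad match case.
  { upn: 'user3@example.test', department: '[DB-0012]' },
];

// Pack department codes into the bracketed, comma-separated form and refuse
// values that would not fit the 64-character property limit.
function encodeDepartments(codes) {
  const value = codes.map((c) => `[${c}]`).join(',');
  if (value.length > 64) {
    throw new Error('encoded departments exceed the 64-character property limit');
  }
  return value;
}

// Extract the quoted needle from the one rule shape this model supports.
function parseRule(rule) {
  const m = /^user\.department\s+-contains\s+"([^"]*)"$/.exec(rule.trim());
  if (!m) throw new Error('unsupported rule: ' + rule);
  return m[1];
}

// Return the UPNs the rule would place in the group.
function evaluateRule(rule, records) {
  const needle = parseRule(rule);
  return records
    .filter((u) => typeof u.department === 'string' && u.department.includes(needle))
    .map((u) => u.upn);
}

// Stand-alone run: the bare code over-matches, the delimited code does not.
console.log(evaluateRule('user.department -contains "DB-001"', users));
console.log(evaluateRule('user.department -contains "[DB-001]"', users));
```

Because the group's membership is an access decision, the over-broad case is the one to test for whenever a new department code is added that extends an existing one.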
I have an Excel sheet where there are two columns:
Email
Loyalty points
Example:
Email              Loyalty Points
abc1#company.com   248
abc2#company.com   540
My requirement:
When a user (abc1#company.com) logs in to SharePoint he should see the token value as 248, and when the user (abc2#company.com) logs in to SharePoint he should see the token value as 540.
So far I have created a page on SharePoint and now I am wondering how to load data specific to the user and display it on the SharePoint page.
A solution might be to import that Excel sheet into a SharePoint list. Then, depending on the situation:
A) Unique Item Permission
You can set unique permissions per item in the SP library, then set them only for the managers group and the specific user.
The unique item permission part can be automated with a WF or Power Automate flow as well, so it can be done for a large number of items (the limit for unique item permissions in a SP list is 50,000).
B) View with filter
If the Loyalty Points are not secret and you just don't want to spam users with a lot of rows, you can create a list view in the SharePoint list where you limit the values with a filter (Library settings > Views > Create View). In the Filter part you select the person/group column "Email" and as the value you can put [Me].
[Me] and [Today] are the only dynamic filters available in View settings.
You can display this view on the home page, for example, and it will always show values only for the specific user.
I am setting up a company for lead nurturing and marketing automation and I'm in the process of scrubbing up all of the contacts, customers, and leads. The way that we are using NetSuite right now, we don't have any need for a separate contact category and role.
So I want to set up a script to connect the category and role fields, or have the role field always copy what's in the category field.
Is there any way to achieve this?
The "Contact Category" and "Contact Role" fields in NetSuite are two different CRM list fields, which means that:
In order to create a new "Contact Category", navigate to: Setup --> Sales --> CRM Lists --> New --> Contact Category
And in order to create a new "Contact Role", navigate to: Setup --> Sales --> CRM Lists --> New --> Contact Role
And because they are two different list fields, you need to have a 1-to-1 link between these list values before populating them in your entity record.
One efficient way to do it would be by using a custom record as a reference. Please follow the procedure below to achieve the same:
1. Create a "Custom Record" titled "Contact Category & Roles" [or any appropriate name] with two fields in it: Contact Category (list/record of contact category) and Contact Role (list/record of contact role).
2. Now create each of these "Contact Category & Roles" custom records. For every record, select the Contact Category and the corresponding Contact Role.
3. Hence, in this way you will now have a list of this custom record that gives the Contact Category and its corresponding Contact Role.
4. This custom record can now be used as a reference in scripts.
5. For new records that are created, have a client script deployed. In the "fieldChanged()" event of the script, write the logic to populate the role field based on which category field value is selected. [So here, when the category field is selected, reference the custom record, see if the category has a corresponding role value and set it accordingly.]
6. And since you are doing a scrub of already existing records, you can achieve the same by writing the above logic (point 5) in a scheduled or map/reduce script (i.e. by loading each record, getting the category value, referencing the custom record, getting the corresponding role and setting the role value).
Additional Note: If the Category values need to be cleaned up, a CSV import could be done to achieve the same. You can then run the scheduled script to set the role values.
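The lookup logic behind point 5 (the fieldChanged handler) and point 6 (the batch pass over existing records) is the same, so it is worth writing once. As an added example that is neither NetSuite's code nor the answerer's, the JavaScript below implements it as plain functions that run outside NetSuite: an in-memory array stands in for the "Contact Category & Roles" custom record, the field ids `category` and `contactrole` and the custom record field names are assumptions, and the record objects only need the `getValue`/`setValue` shape of SuiteScript's currentRecord, which is sketched in a comment rather than called.

```javascript
// Added example (not NetSuite's or the answer's code): category -> role sync
// logic written so it runs without SuiteScript. Field ids and custom record
// field names below are assumptions, not confirmed NetSuite identifiers.

// Constructed copy of the custom record's rows: the category internal id and
// the role internal id it maps to (values are made up).
const categoryRoleMap = [
  { custrecord_contact_category: '1', custrecord_contact_role: '10' },
  { custrecord_contact_category: '2', custrecord_contact_role: '11' },
];

// Index the rows once per script run; a category mapped twice is an error in
// the reference data, so it is reported rather than silently resolved.
function buildIndex(rows) {
  const index = new Map();
  for (const row of rows) {
    const cat = row.custrecord_contact_category;
    if (index.has(cat)) throw new Error('category mapped twice: ' + cat);
    index.set(cat, row.custrecord_contact_role);
  }
  return index;
}

// Point 5: fieldChanged logic. Returns true when the role was set. `rec` is
// any object exposing getValue/setValue({ fieldId }), the currentRecord shape.
function syncRoleFromCategory(rec, index, changedFieldId) {
  if (changedFieldId !== 'category') return false;   // ignore other fields
  const cat = rec.getValue({ fieldId: 'category' });
  const role = index.get(cat);
  if (role === undefined) return false;             // unmapped: leave role as-is
  rec.setValue({ fieldId: 'contactrole', value: role });
  return true;
}

// Point 6: scheduled / map-reduce counterpart. Applies the same rule to many
// records and reports which categories had no mapping, so the reference data
// can be fixed before a second pass.
function syncAll(records, index) {
  const result = { updated: 0, unmapped: [] };
  for (const rec of records) {
    if (syncRoleFromCategory(rec, index, 'category')) {
      result.updated += 1;
    } else {
      result.unmapped.push(rec.getValue({ fieldId: 'category' }));
    }
  }
  return result;
}

// Minimal in-memory record so the functions above run here.
function makeRecord(values) {
  return {
    values,
    getValue: ({ fieldId }) => values[fieldId],
    setValue: ({ fieldId, value }) => { values[fieldId] = value; },
  };
}

// In SuiteScript 2.x the entry point would be roughly
//   define(['N/search'], (search) => ({ fieldChanged: (ctx) =>
//     syncRoleFromCategory(ctx.currentRecord, index, ctx.fieldId) }));
// with `index` built from a search over the custom record (sketch only).

// Stand-alone run over constructed records.
console.log(syncAll(
  [makeRecord({ category: '1' }), makeRecord({ category: '9' })],
  buildIndex(categoryRoleMap),
));
```

Leaving an unmapped category untouched (rather than clearing the role) keeps the batch pass idempotent and makes the `unmapped` list the work queue for cleaning up the reference data.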
I have a SharePoint list "Notes" with columns [Title] and [Department].
I fetch values for column [Department] from another list called "Departments" (columns [Id] and [Name]).
I want this:
Every time I add a new record in "Notes", I want to set permissions for this record according to the permissions set on the value in column Department.
So, basically, I SOMEHOW need to first set permissions, i.e. which users or groups have rights for each department in the list "Departments". After that, I need to inherit these permissions in the "Notes" list from the value of [Department].
For example:
Departments list would look like this
Billing (some permission for users or groups)
Operations (some permission for users or groups)
Sales (some permission for users or groups)
I want to add a new record in "Notes" like "Hello, new item" and I choose department "Billing".
Now, I want that only users/groups which have rights to see Billing records can see this record. No one else.
And so on... as soon as I add a new record with [Department] Operations, I want only users/groups which have rights to see Operations records to see these records.
Is there any solution for me? I think it should have something to do with the SharePoint Designer workflow "Replace permission" but I never figured out how to set it up as described above.
Thanks,
Jan
As you mentioned, the "Replace List Item Permissions" Action is the only way to achieve this without creating a custom event receiver. Here is a blog post about it: http://spcycle.blogspot.com.tr/2012/01/how-to-create-workflow-to-change-item.html.
Having said that, I don't think securing sensitive information at item level in a shared list by using workflows is a good idea. What if the workflow stops working someday for some reason? Not a rare case when you upgrade your SP deployment to the next version... People would keep using that list by relying on the assumption that their information is secured and I can imagine that that can create a lot of trouble for some. Besides if the number of items in that list is going to be "high" you will have performance issues and potentially hit the soft limits of SharePoint.
I would create a separate list for each department to store their notes or create a folder in the Note List for each department, lock it down to the corresponding department and ask that department's users to put their notes into their department's folder.
Is it possible to create a drop-down list in InfoPath which connects to Active Directory and fills the list with UNIQUE Department values only (no repeating ones)?
I need this for an InfoPath so when a user entering the data can pick one of the departments listed in the drop-down. Any help would be appreciated.
I've had a look at the people picker control, which works great for User names, but the department field is a separate field and has nothing to do with the user I pick, so I simply need a control which is populated by the unique Department codes in AD.
Any help would be appreciated.
You should really contact your administrator for this sort of information. You do not want a form to query every AD user to pull their department and get the unique values just to populate a drop down list. It is very possible to obtain the list of unique directories, however you should work with your administrator to populate this data to an XML web page or other similar solution and then connect your form to THAT data source through the form. The point is you are missing a step of obtaining the queried data.
With that said, you can obtain the department of the user by querying the Get User Profile service to obtain the department name, eliminating the need to even create a populated drop-down list. See this article.