0 votes

Good Morning,

On our help desk's actions they have two options, "Add to Group" and "Modify User". When they attempt to add a user to a group with "Add to group", the operation completes successfully. However, when they try to add a user to a group with "Modify User", they receive the following error.

Access to the attribute is not permitted because the attribute is owned by the Security Accounts Manager (SAM). (Server: #######)

Details
Property 'Member Of' is system-only and is not intended to be modified by a user.
Access to the attribute is not permitted because the attribute is owned by the Security Accounts Manager (SAM). (Server: ######)

I've gone as far as granting the help desk security role full access to group objects, but still no luck.

Any ideas?

Thanks.

by (520 points)
0

Hello,

Probably, you added the Member Of attribute on the form for creating users, didn't you? The thing is that when you add a user to a group, you actually modify the group, not the user. In particular, you add the user's Distinguished Name (DN) to the Member property of the group. The Member Of property is just a back link in AD. It cannot be modified.

There's also one more issue. Since on the Create User Form the new user account is not created in AD yet, the user doesn't have a DN, and there is nothing to add to the Member property of a group.

We have a similar request in our product backlog. In the future, we'll think on some sort of a way of specifying the groups a new user needs to be added to. Currently, you can, for example, add new users to appropriate groups automatically. For examples on how to do this, see Automatically Add Users to Groups by Department and Automatically Change Group Membership Using Scripts.

Alternatively, if the above methods don't work for you, we can suggest the following workaround. On the Create User Form, you can make available a certain AD attribute of a user account that supports the DN syntax and allows multiple values. For example, that can be See Also or Secretary, if you don't use them for any other pruposes. Using the attribute, users will be able to pick multiple groups that a new user needs to be added to.

Then, a Business Rule triggered after creating a user will add the new user account to the groups whose DNs are specified via the attribute. The Business Rule will need to run a PowerShell script. For information on how to run a PowerShell script automatically after creating a user, see the following tutorial: http://www.adaxes.com/tutorials_Automat ... ngUser.htm. Managing group membership with the help of PowerShell scripts is described in the following tutorial: http://www.adaxes.com/tutorials_Automat ... cripts.htm. If you need, we can help you with the actual script.

0

Good Morning,

The error is not coming from our user creation rules. Our business rules are already set up to add the users to their respective groups after it's creation, which works just fine. The issue is coming from the defaults actions on the web portal "Modify User" and "Add to Group". If we use the "Add to group" action to add a user to a group, it completes just fine. But we if use "Modify User" and try to add a group, we get the error in the previous post. These are obviously on users that are already created and have been added to multiple groups already through the user creation rules.

1 Answer

0 votes
by (216k points)
selected by
Best answer

Hello,

Then, on the form of your Modify User action, instead of the Member Of field, you need to use the Member Of section. The difference is that if you are trying to use the Member Of field, you are trying to modify the attribute of a user, which is not allowed. If you are trying to use the Member Of section, it will modify the Member attribute of the corresponding groups instead.

To do this:

If your action uses the default form for editing users

  1. Remove the Member Of field from the form for editing users. For information on how to do that, see steps 1-6 of the following tutorial: http://www.adaxes.com/tutorials_WebInte ... diting.htm.
  2. Add the Member Of section. For information on how to do that, see AD object group membership in step 8 of the same tutorial.

If your action uses a custom form

  1. On the computer, where the Web Interface is installed, start the Web Interface Customization tool.
  2. In the Interface type drop-down list, select the Web Interface that you want to configure.
  3. Activate the General tab, and click Configure Home Page Actions.
  4. Select the action you need and click Edit.
  5. Activate the Form Customization tab.
  6. Click Customize Form.
  7. Remove the Member Of field from the form for editing users. For information on how to do that, see step 6 of the following tutorial: http://www.adaxes.com/tutorials_WebInte ... diting.htm.
  8. Add the Member Of section. For information on how to do that, see AD object group membership in step 8 of the same tutorial.
0

That did the trick!

Thanks!

Related questions

0 votes
1 answer

Hi I need to execute the script when user is added to a group. In that script I need to access group properties - name, etc. and user's properties. I have no problem ... don't think Initiator is giving me the right user. Any help will be much appreciated. V.

asked Oct 31, 2017 by xirurg (100 points)
0 votes
1 answer

Is there any way to add a warning message when someone tries to add a group member that already is member? Checked config but found nothing related. Added a new member that ... the group and there is no warning, and the logs show that the task was completed.

asked Jul 9 by lramirez (20 points)
+1 vote
1 answer

Since today were receiving the below error when attempting to add additional email addresses to users via Adaxes. An Azure Active Directory call was made to keep object in sync ... How do we fix to get the ability to add email addresses via Adaxes again?

asked Mar 1, 2021 by techg (320 points)
0 votes
1 answer

Hello, A year ago, in a previous ticket, I inquired about the possibility of mandating that Adaxes users enter a ticket number before adding a member to a ... automatic business rules that facilitate the addition/removal of members from groups. Regards, Fabian

asked Jul 16 by fabian.p (380 points)
0 votes
1 answer

Hi team, I need to update users extensionAttribute6 after adding or removing them from a specific group. This is my setup: Group is updated based on rule set within Adaxes ... would like to update users after they were added or removed from this group. Thanks!

asked Sep 25, 2023 by wintec01 (1.5k points)
3,574 questions
3,263 answers
8,282 comments
548,006 users