Good Morning,

On our help desk's actions they have two options, "Add to Group" and "Modify User". When they attempt to add a user to a group with "Add to group", the operation completes successfully. However, when they try to add a user to a group with "Modify User", they receive the following error.

Access to the attribute is not permitted because the attribute is owned by the Security Accounts Manager (SAM). (Server: #######)

Details
Property 'Member Of' is system-only and is not intended to be modified by a user.
Access to the attribute is not permitted because the attribute is owned by the Security Accounts Manager (SAM). (Server: ######)

I've gone as far as granting the help desk security role full access to group objects, but still no luck.

Any ideas?

Thanks.

by (520 points)
Hello,

Probably, you added the Member Of attribute on the form for creating users, didn't you? The thing is that when you add a user to a group, you actually modify the group, not the user. In particular, you add the user's Distinguished Name (DN) to the Member property of the group. The Member Of property is just a back link in AD. It cannot be modified.

There's also one more issue. Since on the Create User Form the new user account is not created in AD yet, the user doesn't have a DN, and there is nothing to add to the Member property of a group.

We have a similar request in our product backlog. In the future, we'll think on some sort of a way of specifying the groups a new user needs to be added to. Currently, you can, for example, add new users to appropriate groups automatically. For examples on how to do this, see Automatically Add Users to Groups by Department and Automatically Change Group Membership Using Scripts.

Alternatively, if the above methods don't work for you, we can suggest the following workaround. On the Create User Form, you can make available a certain AD attribute of a user account that supports the DN syntax and allows multiple values. For example, that can be See Also or Secretary, if you don't use them for any other purposes. Using the attribute, users will be able to pick multiple groups that a new user needs to be added to.

Then, a Business Rule triggered after creating a user will add the new user account to the groups whose DNs are specified via the attribute. The Business Rule will need to run a PowerShell script. For information on how to run a PowerShell script automatically after creating a user, see the following tutorial: http://www.adaxes.com/tutorials_Automat ... ngUser.htm. Managing group membership with the help of PowerShell scripts is described in the following tutorial: http://www.adaxes.com/tutorials_Automat ... cripts.htm. If you need, we can help you with the actual script.

Good Morning,

The error is not coming from our user creation rules. Our business rules are already set up to add the users to their respective groups after their creation, which works just fine. The issue is coming from the default actions on the web portal, "Modify User" and "Add to Group". If we use the "Add to group" action to add a user to a group, it completes just fine. But if we use "Modify User" and try to add a group, we get the error in the previous post. These are obviously users that are already created and have been added to multiple groups already through the user creation rules.

1 Answer

by (216k points)
Best answer

Hello,

Then, on the form of your Modify User action, instead of the Member Of field, you need to use the Member Of section. The difference is that if you are trying to use the Member Of field, you are trying to modify the attribute of a user, which is not allowed. If you are trying to use the Member Of section, it will modify the Member attribute of the corresponding groups instead.

To do this:

If your action uses the default form for editing users

  1. Remove the Member Of field from the form for editing users. For information on how to do that, see steps 1-6 of the following tutorial: http://www.adaxes.com/tutorials_WebInte ... diting.htm.
  2. Add the Member Of section. For information on how to do that, see AD object group membership in step 8 of the same tutorial.

If your action uses a custom form

  1. On the computer, where the Web Interface is installed, start the Web Interface Customization tool.
  2. In the Interface type drop-down list, select the Web Interface that you want to configure.
  3. Activate the General tab, and click Configure Home Page Actions.
  4. Select the action you need and click Edit.
  5. Activate the Form Customization tab.
  6. Click Customize Form.
  7. Remove the Member Of field from the form for editing users. For information on how to do that, see step 6 of the following tutorial: http://www.adaxes.com/tutorials_WebInte ... diting.htm.
  8. Add the Member Of section. For information on how to do that, see AD object group membership in step 8 of the same tutorial.
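The following PowerShell script is an added illustration of two points made in this thread, not code from Adaxes or from any of the posters: the earlier reply's explanation that Member Of is a back link written by the directory itself, and the staging-attribute workaround it proposes (a multi-valued DN-syntax attribute such as See Also filled in at creation time, then drained into group membership by a rule). It uses plain ADSI rather than the Adaxes module so it can be read and tested without any Adaxes objects; the user DN, the group DN, and the choice of seeAlso as the staging attribute are constructed placeholders.

```powershell
# Added example (not Adaxes' code): move a new user into every group whose DN is
# stored in a multi-valued DN-syntax attribute on the user, modifying the groups'
# forward link (member) rather than the user's back link (memberOf).
param(
    # Constructed placeholder; replace with the DN of the user to process.
    [string]$UserDN = "CN=Jane Doe,OU=Staff,DC=example,DC=com",
    # Assumed staging attribute: must be DN-syntax and multi-valued (seeAlso, secretary).
    [string]$StagingAttribute = "seeAlso"
)

$user = [ADSI]"LDAP://$UserDN"

# 1. Why editing the Member Of *field* fails: memberOf is a back link the server
#    maintains from each group's member attribute. The write is accepted into the
#    local cache but rejected by the directory on SetInfo(), which is the SAM error
#    quoted in the question. Adaxes is only passing that error through.
try {
    $user.Put("memberOf", "CN=Placeholder Group,OU=Groups,DC=example,DC=com")
    $user.SetInfo()
} catch {
    Write-Warning "Direct write to memberOf rejected, as expected: $($_.Exception.Message)"
    $user.RefreshCache()   # discard the rejected cached change
}

# 2. The supported path (what the Member Of *section* and "Add to Group" do):
#    append the user's DN to the member attribute of each target group.
$groupDNs = @($user.Properties[$StagingAttribute])   # empty array if nothing was picked
foreach ($groupDN in $groupDNs) {
    $group = [ADSI]"LDAP://$groupDN"
    # Idempotent: adding an existing member would otherwise raise a constraint error.
    if ($group.Properties["member"] -contains $UserDN) {
        Write-Host "Already a member of $groupDN, skipping"
        continue
    }
    $group.Properties["member"].Add($UserDN) | Out-Null
    $group.SetInfo()
    Write-Host "Added $UserDN to $groupDN"
}

# 3. Clear the staging attribute so it does not keep stale group DNs on the user.
$user.PutEx(1, $StagingAttribute, $null)   # 1 = ADS_PROPERTY_CLEAR
$user.SetInfo()
```

The account running the script needs write access to the member attribute of the target groups and to the staging attribute of the user; no rights on the user's memberOf attribute help, because that attribute cannot be written by anyone, which is why granting the help desk role full access to group objects did not change the outcome of editing the user-side field.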
That did the trick!

Thanks!
