Users losing rights (file or object) inherited from associated groups

  • 7002509
  • 30-Jan-2009
  • 26-Apr-2012

Environment

Novell ConsoleOne 1.3.6f
Novell ConsoleOne 1.3.6h
Novell ConsoleOne NDS Administration Snapin 1.2D

Situation

Users are randomly losing rights to the file directory structure (or eDirectory rights) that they inherit from group memberships. If you remove the group and add the group back in ConsoleOne, they get the rights back.

If you open ConsoleOne, remove a group membership from a user, and then add a membership in another group to that user (without clicking Apply between the remove and the add), the original group still appears in the Group Memberships of the user. If you then delete the original group and click OK or Apply, ConsoleOne removes the original group from the user, but it also deletes the new group from the user's Security Equals attribute. If you look at the new group, it shows the user as a member and in the Security Equals to me list. On the User object in ConsoleOne, the user is shown as a member of the group (on the Group Membership section of the Memberships tab), but the user no longer has the rights inherited from the group (on the Security Equal To section of the Memberships tab).

Resolution

1. Use iManager to administer your network. This issue could not be duplicated in iManager.
2. If you use ConsoleOne to administer group membership changes, click the Apply button after each group you remove from the user's Group Membership list before adding the new groups to the list.

NOTE: The group fix utility (grpfix.exe, linked to KB 2952770) will not fix users affected by this issue. You must remove the users from the group, save the change, and then add the users back to the group to correct the issue. grpfix.exe is an unsupported utility.

Additional Information

When you add a User to a group, the following attributes are placed on the User (testUser) and the Group (testGroup).

User: testUser
   Group Membership: testGroup
   Security Equals: testGroup
Group: testGroup
   Members: testUser
   Equals to Me: testUser

The user receives the rights inherited from the group through the Security Equals attribute placed on the user. If that attribute is missing, the user does not get the rights from the group.
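
The following is an added example, not Novell code: a small audit that reads an LDIF-style export and lists users who have a Group Membership value with no matching Security Equals value, which is the state this document describes. The LDAP attribute names (`groupMembership`, `securityEquals`, `member`, `equivalentToMe`) are assumed mappings of the four attributes above, the sample data is constructed, and the parser assumes unfolded, non-base64 lines.

```python
from collections import defaultdict

# Constructed sample export. jdoe shows the symptom: listed in the group and in
# Group Membership, but the group is missing from the user's Security Equals.
SAMPLE_LDIF = """\
dn: cn=testUser,o=acme
groupMembership: cn=testGroup,o=acme
securityEquals: cn=testGroup,o=acme

dn: cn=jdoe,o=acme
groupMembership: cn=testGroup,o=acme

dn: cn=testGroup,o=acme
member: cn=testUser,o=acme
member: cn=jdoe,o=acme
equivalentToMe: cn=testUser,o=acme
equivalentToMe: cn=jdoe,o=acme
"""

def parse_ldif(text):
    """Return {dn: {attr: set(values)}} with names and DNs lower-cased."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():          # blank line ends the current entry
            current = None
            continue
        if line.startswith("#"):      # LDIF comment
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip().lower()
        if attr == "dn":
            current = entries.setdefault(value, defaultdict(set))
        elif current is not None:
            current[attr].add(value)
    return entries

def find_missing_security_equals(entries):
    """Return sorted (user, group, group_side_intact) for each broken link."""
    findings = []
    for dn, attrs in entries.items():
        missing = attrs.get("groupmembership", set()) - attrs.get("securityequals", set())
        for group in missing:
            g = entries.get(group, {})
            intact = dn in g.get("member", set()) and dn in g.get("equivalenttome", set())
            findings.append((dn, group, intact))
    return sorted(findings)

if __name__ == "__main__":
    for user, group, intact in find_missing_security_equals(parse_ldif(SAMPLE_LDIF)):
        print(f"{user}: no Security Equals for {group} (group side intact: {intact})")
```

Each reported user is a candidate for the remove, save, and re-add procedure in the NOTE above.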