Directory and Resource Administrator 6.50
Assistant Admins are able to change the group membership of a target account during a clone operation even though they are not assigned the power to do so.
If an Assistant Admin is delegated a custom role that includes the All Properties - Clone a User Account power and the ActiveView contains an object rule to include any groups in the domain, the Assistant Admin is incorrectly granted the power to change group membership of the target account during the clone operation.
This issue occurs because DRA version 6.50 incorrectly translates the All Properties - Clone a User Account power when it is included in a custom role.
Hotfix 11200 improves group membership security by ensuring that the All Properties - Clone a User Account power by itself does not allow an Assistant Admin to change the group membership of a target account.
To install this hotfix, run the DRA65000_Hotfix11200.exe file on the Administration server computer. This hotfix modifies the EaSec.dll file on the Administration server computer. By default, this file is located in the Program Files\NetIQ\DRA folder.