The 'Member of' attribute is not cloned when cloning a Group. (NETIQKB36665)

  • 7736665
  • 02-Feb-2007
  • 19-Jun-2007

Resolution

fact
Directory and Resource Administrator 6.60

fact
Directory and Resource Administrator 7.x

symptom
The 'Member of' attribute is not cloned when cloning a Group.

symptom
Error: 'Unable to add the member to the Group. Access is denied. The selected object does not have the appropriate Active Directory security settings to support the task. Verify the service account permissions on this object and parent containers in the managed sub tree.'

symptom
Error: 'Unable to add the Member to the Group. The specified group type is invalid'.

cause
When a group is cloned, there is no way to modify the group membership list of the cloned group. The authorization node in GroupCopy checks the group membership list to see if it contains any groups that do not belong to the ActiveViews assigned to the Assistant Admin. If there is a group that does not belong to any of the Assistant Admin's ActiveViews, the authorization fails.

When a user is cloned, unless the Assistant Admin has modified the group list, the UserCopy operation figures out the list of groups to which the clone should be added. The authorization node in UserCopy automatically selects only those groups that belong to the ActiveViews assigned to the Assistant Admin. Thus the memberships in the "trusted" groups are not cloned.
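The contrast between the two authorization behaviors described above, as an added example in Python (a simplified model, not DRA code or its API). It assumes an ActiveView can be reduced to a list of container DNs; the function names, domains and group names are constructed for illustration.

```python
# Added illustration: a simplified model, not DRA code.
# Assumption: an ActiveView is reduced to a list of container DNs, and a group
# belongs to the view when its DN sits at or under one of those containers.

def in_active_views(group_dn, view_containers):
    dn = group_dn.lower()  # DN comparison is case-insensitive
    return any(dn == c.lower() or dn.endswith("," + c.lower())
               for c in view_containers)

def authorize_group_copy(source_member_of, view_containers):
    """All-or-nothing check, as described for GroupCopy.
    Returns (authorized, groups_outside_views)."""
    outside = [g for g in source_member_of
               if not in_active_views(g, view_containers)]
    return (len(outside) == 0, outside)

def select_user_copy_groups(source_member_of, view_containers):
    """Filtering behavior, as described for UserCopy.
    Returns (groups_applied_to_clone, groups_not_cloned)."""
    kept = [g for g in source_member_of if in_active_views(g, view_containers)]
    not_cloned = [g for g in source_member_of if g not in kept]
    return kept, not_cloned

# Constructed sample data (hypothetical domains and groups).
ASSISTANT_ADMIN_VIEWS = ["OU=Sales,DC=corp,DC=example"]
SOURCE_MEMBER_OF = [
    "CN=Sales-Users,OU=Sales,DC=corp,DC=example",
    "CN=Sales-Printers,OU=Resources,OU=Sales,DC=corp,DC=example",
    "CN=Finance-Readers,OU=Groups,DC=trusted,DC=example",
]

if __name__ == "__main__":
    ok, outside = authorize_group_copy(SOURCE_MEMBER_OF, ASSISTANT_ADMIN_VIEWS)
    print("GroupCopy authorized:", ok)
    for g in outside:
        print("  outside ActiveViews:", g)
    kept, not_cloned = select_user_copy_groups(SOURCE_MEMBER_OF,
                                               ASSISTANT_ADMIN_VIEWS)
    print("UserCopy adds clone to:", kept)
    print("UserCopy does not clone:", not_cloned)
```

With one membership outside the Assistant Admin's views, the group-style check rejects the whole request, while the user-style selection proceeds with the in-view groups only.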



fix

This is the correct behavior. In Directory and Resource Administrator (DRA) 6.5 and prior, when you cloned a group, the 'Member of' attribute was cloned as well. The cloning of the 'Member of' attribute during a GroupClone has been intentionally removed in DRA 6.6 and above due to NT limitations dealing with trusted domain authorization.

This issue is resolved in Directory and Resource Administrator (DRA) 6.6 and later. Upgrade to the latest version of DRA to resolve this problem.



Additional Information

Formerly known as NETIQKB36665