Error: 'You are not authorized to add the object to the specified group(s).' when an Assistant Admin (NETIQKB38272)

  • 7738272
  • 02-Feb-2007
  • 19-Jun-2007

Resolution

fact
Directory and Resource Administrator 7.0

fact
Directory and Resource Administrator 7.0 SP1

symptom
Error: 'You are not authorized to add the object to the specified group(s).' when an Assistant Admin attempts to remove a user from a group when cloning a user account.

symptom

When cloning a user account an Assistant Admin may receive the following error message if they attempt to modify the group membership of the account being cloned during the cloning process:

You are not authorized to add the object to the specified group(s)



symptom

All Assistant Admins, including DRA Admins, receive the following error message if they attempt to modify the group membership of a user account during the cloning process:

You are not authorized to add the object to the specified group(s)

However, once the user account has been cloned successfully, the Assistant Admin is able to modify the cloned account's group membership successfully.



cause

This error message is generated if you have configured Directory and Resource Administrator to manage only a subset of a domain rather than the entire domain. The template account being cloned is a member of groups that are not in the managed OUs and may reside in OUs that are not managed. When the group membership of the user account is modified during the cloning process, the server is sent the entire list of groups that the cloned user needs to be added to, and because at least one of those groups is in an OU that is not managed, the error is returned.



fix

The above error message may be misleading because it states that the Assistant Admin is not authorized to ADD the user to a group, while the Assistant Admin is actually attempting to REMOVE the user from a group during the cloning process.

In order to resolve this problem the following workaround is available:

  • Do not modify a user account's group membership during the cloning process.  Modify the group membership after the user account has been successfully cloned.
  • Ensure that all the groups that the template account is a member of reside in the managed OUs.
  • Create an Exclude rule to exclude the group which resides in the unmanaged OU from the ActiveViews in which the Assistant Admin has clone powers.

For Example:

An Assistant Admin has the powers to clone the TemplateA user account.  The TemplateA user account is a member of GroupA, GroupB, GroupC and the Domain Users group.  The Domain Users group is in an OU that is not managed by DRA.  Create an Exclude Rule to exclude the Domain Users group from the ActiveView.  By doing this, the Assistant Admin will be unable to see that the user account being cloned is a member of the Domain Users group and will be able to modify the group membership of the cloned account during the cloning process.  However, the resultant cloned account will still be a member of the Domain Users group, as it is the primary group for the user account.
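The following is an added pre-clone check, not DRA code and not part of the original article. It models the rule the cause and workaround sections describe: a group is manageable only if it sits below one of the managed OUs, the clone-time membership edit sends the whole group list, so a single unmanaged group fails the request, an ActiveView Exclude rule hides a group from that list, and the primary group stays on the cloned account regardless. The OU names, group DNs and the `ignore_primary_group` switch (standing in for the DRA 7.5 behaviour described below) are constructed assumptions.

```python
"""Pre-clone group-membership check (constructed example, not DRA's own code).

Given a template account's group DNs and the OUs DRA manages, report which
groups would make a clone-time membership edit fail with
'You are not authorized to add the object to the specified group(s)'.
"""
from typing import Iterable


def dn_components(dn: str) -> list[str]:
    """Split an LDAP DN into its RDNs, honouring backslash-escaped commas."""
    parts, buf, escaped = [], "", False
    for ch in dn:
        if escaped:
            buf += ch
            escaped = False
        elif ch == "\\":
            buf += ch
            escaped = True
        elif ch == ",":
            parts.append(buf.strip())
            buf = ""
        else:
            buf += ch
    parts.append(buf.strip())
    return parts


def is_under(dn: str, container_dn: str) -> bool:
    """True if dn sits strictly below container_dn (case-insensitive RDN match)."""
    d = [p.lower() for p in dn_components(dn)]
    c = [p.lower() for p in dn_components(container_dn)]
    return len(d) > len(c) and d[-len(c):] == c


def unmanaged_groups(template_groups: Iterable[str], managed_ous: Iterable[str],
                     excluded: Iterable[str] = ()) -> list[str]:
    """Groups outside every managed OU, after dropping those hidden by an Exclude rule."""
    hidden = {g.lower() for g in excluded}
    ous = list(managed_ous)
    return [g for g in template_groups
            if g.lower() not in hidden and not any(is_under(g, ou) for ou in ous)]


def clone_membership_check(template_groups: list[str], managed_ous: list[str],
                           primary_group: str, excluded: Iterable[str] = (),
                           ignore_primary_group: bool = False) -> dict:
    """Simulate editing group membership during a clone.

    The server receives the entire group list, so any unmanaged group fails the
    whole request (the article's cause).  ignore_primary_group is an assumed
    switch modelling the DRA 7.5 behaviour of skipping the domain primary group.
    The primary group is always part of the resulting membership.
    """
    offending = [g for g in unmanaged_groups(template_groups, managed_ous, excluded)
                 if not (ignore_primary_group and g.lower() == primary_group.lower())]
    membership = list(dict.fromkeys(template_groups))
    if primary_group.lower() not in (g.lower() for g in membership):
        membership.append(primary_group)
    if offending:
        return {"ok": False, "offending": offending, "membership": membership,
                "error": "You are not authorized to add the object to the specified group(s)"}
    return {"ok": True, "offending": [], "membership": membership}


# Constructed sample data mirroring the TemplateA example in the article.
MANAGED_OUS = ["OU=Sales,DC=example,DC=com"]
PRIMARY_GROUP = "CN=Domain Users,CN=Users,DC=example,DC=com"
TEMPLATE_GROUPS = [
    "CN=GroupA,OU=Sales,DC=example,DC=com",
    "CN=GroupB,OU=Sales,DC=example,DC=com",
    "CN=GroupC,OU=Sales,DC=example,DC=com",
    PRIMARY_GROUP,
]

if __name__ == "__main__":
    # Membership edit during clone with Domain Users visible: fails.
    print(clone_membership_check(TEMPLATE_GROUPS, MANAGED_OUS, PRIMARY_GROUP))
    # Same edit after an Exclude rule hides Domain Users: succeeds, primary group kept.
    print(clone_membership_check(TEMPLATE_GROUPS, MANAGED_OUS, PRIMARY_GROUP,
                                 excluded=[PRIMARY_GROUP]))
```

Running the check before handing an Assistant Admin clone powers over a template shows, per group, whether the membership edit will be rejected and which groups an Exclude rule or an extended managed-OU scope would have to cover.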

Beginning with DRA version 7.5, DRA ignores the default domain primary group when checking authorized groups. It also displays a warning message whenever the Assistant Admin performing the clone does not have enough permissions to add the new (cloned) user to all of the requested groups.

This issue is resolved in Directory and Resource Administrator (DRA) 7.5 and later. Upgrade to the latest version of DRA to resolve this problem.



Additional Information

Formerly known as NETIQKB38272