Resolution
Directory and Resource Administrator 7.0 SP1
symptom
An Assistant Administrator is unable to mail-enable a group when delegated the power 'Create Group and Modify Limited Properties'.
symptom
Error: 'You do not have the power to create the Group [groupname] in the container [Users]'.
symptom
The Assistant Administrator (AA) is not able to mail-enable a group.
symptom
This scenario can be reproduced by creating an ActiveView with the following rules:
Group Rule: Include any group, in any OU, from any domain
Target OU Rule for create operations: Include OU [Users] [TESTDRA.com/Users], but no objects in the OU. Do not allow these objects to be cloned, moved or added to groups.
Power: Create Group and Modify Limited Properties
When the Assistant Administrator (AA) delegated to this AV attempts to create a group, the operation will fail with the error: 'You do not have the power to create the Group [groupname] in the container [Users]'.
If the power is changed to Create Group and Modify All Properties, the process works and the AA is able to create the group.
cause
The Directory and Resource Administrator (DRA) GUI is not processing the power correctly.
fix
This is corrected in DRA 7.5. To resolve this issue, upgrade to the latest version of DRA.
To work around this issue:
You can delegate the Create Group and Modify All Properties power to the Assistant Administrator (AA), then use a script to deny the ability to enable a group. The script to perform this action is available on the NetIQ Knowledge Depot.