ActiveRoles Server 6.9 Patch 4 (206303)

This is a supported patch for Quest One ActiveRoles 6.9.0. The patch addresses the issues listed in the Resolved Issues section later in this document, and also resolves the issues listed in the Knowledge Base Article SOL133478 athttps://support.quest.com/kb/SOL133478, Knowledge Article 122282 at  https://support.quest.com/kb/SOL122282, and Knowledge Article SOL116649 at https://support.quest.com/kb/SOL116649.

We recommend you to install this patch as it resolves a number of important issues that were not addressed by earlier patches or hotfixes for Quest One ActiveRoles 6.9.0.

This patch is cumulative and includes all fixes found in previous patches 1, 2, and 3. 

The patch includes the following updates:

• ARS-6.9.0-Patch4.exe - Update for the Administration Service component; should be installed on the computers running Administration Service 6.9.0.
• ARSMMC-6.9.0-Patch4.exe - Update for the MMC Interface component; should be installed on the computers running MMC Interface 6.9.0.
• ARSWI-6.9.0-Patch4.exe - Update for the Web Interface component; should be installed on the computers running Web Interface 6.9.0.
• ARSCollector-6.9.0-Patch4.exe - Update for the Collector component; should be installed on the computers running ActiveRoles Collector 6.9.0.

Click here to download the patch.

Installing This Patch

To install this patch:

1. Unzip the patch package and rename the files included in the package, to remove the .rename file name extension.
2. On the computers on which the Administration Service is installed, run ARS-6.9.0-Patch4.exe and follow the on-screen instructions.
3. On the computers on which the MMC Interface is installed, run ARSMMC-6.9.0-Patch4.exe and follow the on-screen instructions.
4. On the computers on which the Web Interface is installed, run ARSWI-6.9.0-Patch4.exe and follow the on-screen instructions.
5. On the computers on which the ActiveRoles Collector Patch 2 or below is installed, run ARSCollector-6.9.0-Patch4.exe and follow the on-screen instructions.

   Note: If ARSCollector-6.9.0-Patch3.exe is installed already, ARSCollector-6.9.0-Patch4 is not applicable, since there are no changes in the Patch 3 and Patch 4 Collector module.

Determining if This Patch Is Installed

To determine if this patch is installed:

1. Open Programs and Features in Control Panel and click View installed updates in the Tasks area.
2. Look for the following items in the list of installed updates:
   • Quest One ActiveRoles - Administration Service Patch 4 under Quest One ActiveRoles 6.9.0 - Administration Service x64 indicates that the update for the Administration Service is installed.
   • Quest One ActiveRoles - MMC Interface Patch 4 under Quest One ActiveRoles 6.9.0 - MMC Interface x86 indicates that the update for the 32-bit MMC Interface is installed.
   • Quest One ActiveRoles - MMC Interface Patch 4 under Quest One ActiveRoles 6.9.0 - MMC Interface x64 indicates that the update for the 64-bit MMC Interface is installed.
   • Quest One ActiveRoles - Web Interface Patch 4 under Quest One ActiveRoles 6.9.0 - Web Interface x64 indicates that the update for the Web Interface is installed.
   • Quest One ActiveRoles - Collector Patch 4 under Quest One ActiveRoles 6.9.0 - Collector indicates that the update for the ActiveRoles Collector is installed.

Removing This Patch

To remove this patch:

• On the computer on which the update for the Administration Service is installed, run the following command at a command prompt:
  
  msiexec /I {07AC9485-87BE-4D96-B6DE-2A1D2446BBFB} MSIPATCHREMOVE={1B443228-5CC8-47F3-B6E7-F8E1073EC123} /qb
  
  Alternatively, open Programs and Features in Control Panel, click View installed updates in the Tasks area, and then use the Uninstall command on the Quest One ActiveRoles - Administration Service Patch 4 item under Quest One ActiveRoles 6.9.0 - Administration Service x64.

• On the computer on which the update for the 32-bit MMC Interface is installed, run the following command at a command prompt:
  
  msiexec /I {01AAD965-7200-4E25-B211-BA8B53154A38} MSIPATCHREMOVE={EA42BFAE-3D6B-4F32-98BB-50236CEAD84E} /qb 
  
  Alternatively, open Programs and Features in Control Panel, click View installed updates in the Tasks area, and then use the Uninstall command on the Quest One ActiveRoles - MMC Interface Patch 4 item under Quest One ActiveRoles 6.9.0 - MMC Interface x86.

• On the computer on which the update for the 64-bit MMC Interface is installed, run the following command at a command prompt:
  
  msiexec /I {26282F29-5E90-4379-A8AA-C9F2239E10E2} MSIPATCHREMOVE={EA42BFAE-3D6B-4F32-98BB-50236CEAD84E} /qb 
  
  Alternatively, open Programs and Features in Control Panel, click View installed updates in the Tasks area, and then use the Uninstall command on the Quest One ActiveRoles - MMC Interface Patch 4 item under Quest One ActiveRoles 6.9.0 - MMC Interface x64.

• On the computer on which the update for the Web Interface is installed, run the following command at a command prompt:
  
  msiexec /I {7894FB31-58A7-4620-AB63-2E686861A1ED} MSIPATCHREMOVE={A5D00A4B-36B8-4072-A93C-10446D5F0735} /qb
  
  Alternatively, open Programs and Features in Control Panel, click View installed updates in the Tasks area, and then use the Uninstall command on the Quest One ActiveRoles - Web Interface Patch 4 item under Quest One ActiveRoles 6.9.0 - Web Interface x64.

• On the computer on which the update for the ActiveRoles Collector is installed, run the following command at a command prompt:
  
  msiexec /I {CF41B89F-C184-408A-8868-5BD51B9D8E40} MSIPATCHREMOVE={01DE6053-806F-48A1-8AEB-7C4BB9D52D1F} /qb
  
  Alternatively, open Programs and Features in Control Panel, click View installed updates in the Tasks area, and then use the Uninstall command on the Quest One ActiveRoles - Collector Patch 4 item under Quest One ActiveRoles 6.9.0 - Collector.

Resolved Issues

The following is a list of issues resolved in this patch.

Console (MMC Interface)

457856
Fixed: ActiveRoles workflow may not send a notification e-mail message as expected if the "title" tag is missing from the notification message template. A symptom of the issue is the following error: "Length cannot be less than zero. Parameter name: length."

473039

Fixed: When creating a mail-enabled (distribution) group controlled by Group Family, ActiveRoles may not apply the following Exchange-related settings as expected:

• Hide group from Exchange address lists
• Send out-of-office messages to originator
• Send delivery reports to group owner
• Send delivery report to message originator
• Do not send delivery reports

489492
Fixed: Notification or approval emails sent from ActiveRoles Server has empty square braces '[]' in the mail HTML header. This prevents some email processing software from reading the mail document body correctly. 

495215
Fixed: In ActiveRoles web interface, in the User->General Properties tab, applying the script-based policy to disable the Display Name field, disables the field for editing, but does not grey it out. 

507265
Fixed: There is a difference in the synchronization of the values for Program file name and Start in user properties attributes on the Environment tab, between ActiveRoles and Active Directory Users and Computers (ADUC). 

587275
Fixed: In ActiveRoles Server, there is no mutual inclusion between the two Group Type Property pages specified in the Group Membership Removal Deprovisioning Policy. 

589761
Fixed: While managing Exchange 2013 groups in a mixed environment of Exchange 2007, 2010, and 2013, the Active Roles MMC reports an error that Exchange 2010 tools are not installed. 

605920
Fixed: in ActiveRoles MMC interface, in the Mail Flow Settings window, for any Mailbox enabled user, Query based distribution group, or any Contact, while setting the Message Size Restriction value to “0”, an error is displayed. 

606925
Fixed: In ActiveRoles Web interface and MMC console, when user tries to hide a mail user from the Address list an error is displayed that the user is not found.

621526
Fixed: In ActiveRoles Web Interface and MMC console, under Mail Flow Settings tab of Exchange Properties, the Message Delivery Restrictions property cannot be set successfully for some users, and an error message This user was not found is displayed. 

629265
Fixed: In ActiveRoles Web Interface and MMC console, under user Exchange Properties, checkbox for the "Automatically update e-mail addresses based on e-mail address policy" property cannot be set/reset successfully for some users. 

630370
Fixed: The ActiveRoles Administration Service may take much longer than expected to perform a Base search with an LDAP filter that evaluates virtual attributes defined in ActiveRoles. This issue may cause a long delay before AD objects are added or removed from dynamic groups based on changes to virtual attributes. 

630371
Fixed: ActiveRoles may not promptly respond to changes to an AD object that cause the object to match (or no longer match) the membership rules of a dynamic group. As a result, the object is not added to (or removed from) the dynamic group in a timely fashion. 

630381
Fixed: Change History report records that refer to adding or removing users from groups may identify the user by SID rather than by name when the user and group reside in different Active Directory domains. 

630386
Fixed: When turning off the option Hide from Exchange address lists for an Exchange mailbox, ActiveRoles adds the mailbox to all address lists, disregarding any recipient filters. In this case, ActiveRoles is expected to add a mailbox to a given address list only if the mailbox matches the recipient filter of that address list.

630387
Fixed: The user deprovisioning policy may return the following error: "Failed to reset the user password. Administrative Policy returned an error. The password does not meet the password policy requirements. Check the minimum password length, password complexity and password history requirements. (Exception from HRESULT: 0x800708C5)" The issue is most likely to occur if the user object you are deprovisioning is in the scope of a Property Generation and Validation policy that restricts the value of the attribute User Password (edsaPassword). The root cause of the issue is that the deprovisioning policy attempts to reset the user password to a value obtained from that policy rather than the legitimate password generation policy. 

630923
Fixed: For a dynamic group, membership rules that evaluate a Boolean attribute may have no effect. The issue occurs if the following conditions are true:

• Policy Object "Built-in Policy - Dynamic Groups" has the "Enable cross-domain membership" option selected
• The membership rule evaluates a Boolean attribute defined in Active Directory, such as msTSAllowLogon=TRUE

The root cause of the issue is that ActiveRoles may accidentally modify the membership rule, replacing the TRUE literal (uppercase, required for the LDAP filter to function as expected) with true (lowercase).

630928
Fixed: The ActiveRoles console may not display the Size value on the Exchange General tab in the Properties dialog box for a mailbox user. 

630930
Fixed: When creating Exchange mailboxes, the Web Interface may not properly handle a script-based policy for selecting the mailbox database depending upon the value of a certain attribute of the mailbox user account being created. If you change the value of that attribute in the mailbox creation wizard, the Web Interface may not change the mailbox database as expected. 

630931
Fixed: When you remove a user from the list of secondary owners for a distribution group in ActiveRoles, the msExchCoManagedByLink attribute of the distribution group is not updated. As a result, the user remains an owner of that group from an Exchange perspective. Since ActiveRoles automatically adds secondary owners to the msExchCoManagedByLink attribute, it is also expected to remove users from that Exchange attribute upon removal them from secondary owners in ActiveRoles.

631138
Fixed: Active Roles may not synchronize permission settings to Active Directory as expected for Access Template links that do not use the inheritance option (in the Access Template link properties dialog box, on the General tab, the Child objects of this directory objectcheck box under Apply permissions onto is cleared, and the check box on the Synchronization tab is selected). A symptom of the issue is that the resulting permissions are missing from the list on the Native Security tab in the Advanced Details pane in the Active Roles console. 

630934
Fixed: In ActiveRoles Server, on adding a group to the secondary owners list, exchange property msExchCoManagedByLink is not set with the group added to the secondary owners list. 

640135
Fixed: In ActiveRoles Server MMC Interface, adding or modifying the SMTP email address to include empty space is not allowed and must display a warning. 

475232
Fixed: Currently, ActiveRoles, does not support retrieving properties in a workflow based on Added Member and Removed Member functionalities for a Group Membership. 

Web Interface

475232
Fixed: Currently, ActiveRoles, does not support retrieving properties in a workflow based on Added Member and Removed Member functionalities for a Group Membership. 

479165
Fixed: In ActiveRoles Server Web interface, in the User->General Properties->Address tab, the field for country does not get populated with the corresponding country code when three letter abbreviation is used as the attribute. 

489934
Fixed: In ActiveRoles Server, the values in the drop-down lists are not completely visible while using the browsers Internet Explorer 10 and 11. 

589463
Fixed: In ActiveRoles, when the attribute MSRTCSIP-PrimaryHomeServer is added to a form in the web interface, combined with a policy that generates the value of the MSRTCSIP-PrimaryHomeServer attribute, other policies that generate drop-down options stop working and the drop-downs are not displayed on the web interface. 

590352
Fixed: In ActiveRoles Web interface, when you try to add a user to a group using Temporal Membership, the Temporal Membership Settings does not provide the option to specify a date beyond the year 2020. 

590354
Fixed: In ActiveRoles Server, currently enabling or disabling the Outlook Web App (OWA) property through MMC interface or Web interface, updates the OWA component only and not the HTTP component in the protocol settings. 

598152
Fixed: In ActiveRoles Server MMC Interface, adding or modifying the SMTP email address to include empty space is not allowed and must display a warning . 

607774
Fixed: Currently when ActiveRoles Web Interface is accessed through Internet Explorer, when we attempt to edit the proxyAddresses attribute on the web page, an extra space gets added to the proxyaddress value. 

621526
Fixed: In ActiveRoles Web Interface and MMC console, under Mail Flow Settings tab of Exchange Properties, the Message Delivery Restrictions property cannot be set successfully for some users, and an error message This user was not found is displayed. 

624661
Fixed: In Web interface, modified the text in Message moderation properties popup window from "massages“ to "message". 

629266
Fixed: In ActiveRoles Web Interface -> Create User tab , after applying Customer's policy of cn generation if initials are not added, policy will add blank space after name. 

630380
Fixed: With an ActiveRoles approval rule configured to require approval for the operation of adding or removing users from an Active Directory group, the Web Interface may identify a user by SID rather than display name in the list of approval tasks. The issue occurs if the approval task applies to the operation of adding or removing a user from a group in a situation where the user and group reside in different Active Directory forests. 

630382
Fixed: In the Web Interface, when you select an OU containing a large number of objects, you may experience a long delay (5 seconds or more) before the list of objects is displayed. The issue is most likely to occur with the following Web Interface settings:

• Number of objects to display per page: 200 or more
• Number of page links to display for object list: 5 or more

630384
Fixed: The Web Interface may incorrectly display custom UI elements added by Active Roles add-on for Office 365. In the User forms for Office 365 licenses, raw HTML code is displayed instead of labels. 

630385
Fixed: When displayed in a frame, Web Interface pages lose the functions that require the Web Interface to create its own frames. For example, any dialog box cannot open, as the Web Interface is unable to create a frame in which to display the dialog box.

630924
Fixed: ActiveRoles may not be able to remove the mailbox rights entries that apply to deleted objects. A symptom of the issue is the following error message that appears when you attempt to delete an item from the "Mailbox Rights" list in the Web Interface: Administrative Policy returned an error. Failed to make changes to attribute of object. Attribute: edsaMailboxSecurityDescriptor; Object:

630925
Fixed: You may encounter the following error when opening a properties page for a user object in the Web Interface: Error during serialization or deserialization using the JSON JavaScriptSerializer. The length of the string exceeds the value set on the maxJsonLength property. 

630927
Fixed: In the Storage Quotas dialog box in the Web Interface, you may encounter the following error after you submit your changes for approval: IFormContext with key "FormContext_3" not found in SessionCache. This error also causes the "500 - Internal server error" condition.

630932
Fixed: When displayed in a frame, Web Interface pages lose the functions that require the Web Interface to create its own frames. For example, any dialog box cannot open, as the Web Interface is unable to create a frame in which to display the dialog box.

630936
Fixed: The ActiveRoles Web Interface may not save customized changes to the Home page, while using Internet Explorer 11. Trying to save customized changes to the Home page causes the Web Interface to hang, displaying the "Please wait" message. 

631160
Fixed: In ActiveRoles Server Web Interface, adding or modifying the SMTP email address to include empty space is not allowed and must display a warning. 

639023
Fixed: In ActiveRoles Server Web Interface , while customizing User-properties Page, adding Organizational Unit field in the view makes it a mandatory field. 

641849
Fixed: In ActiveRoles Server Web Interface, the field accountExpires displays the value as "Expired" for some valid users. 

Administration Service

630379
Fixed: Suppose you have an ActiveRoles approval rule configured so that addition or removal of users from an Active Directory group is subject to approval. In this scenario, the e-mail message notifying of the approval task may identify a user by SID rather than display name. The issue occurs if the user and group reside in different Active Directory forests. 

630383
Fixed: Suppose you have an ActiveRoles workflow configured to send a notification when users are added or removed from a group in Active Directory. In this scenario, the notification message may identify a user by SID rather than display name. The issue occurs if the user and group reside in different Active Directory forests. 

630388
Fixed: Active Roles may not be able to perform Exchange tasks, returning the following error: An Active Directory error 0x51 occurred when trying to check the suitability of server ''. Error: 'Active directory response: The LDAP server is unavailable or A parameter cannot be found that matches parameter name 'DomainController'. The issue occurs in a scenario where the target object of the Exchange task and the Exchange server that performs the task are located in different Active Directory domains. 

630929
Fixed: The Dynamic Groups policy may cause the ActiveRoles Administration Service to generate diagnostic memory dumps. This issue does not normally interrupts the operation of the Administration Service.