Native security does not work as expected in the following scenario:
1.- A new ARS Managed Unit (MU) has been created. Its membership rules apply to the members (users) of a specific group.
2.- A new ACL has been created that allows an admin group to reset the password for these accounts. Because the application in use issues hard-coded LDAP commands, this right has to be stamped in AD itself.
Two issues are experienced:
1.- As soon as a member is added to the group, the native security changes are not applied. In the ARS console, the "Native Security" tab of the account shows "Status:Absent".
2.- As soon as a member is removed from the group, the removed member disappears from the MU, but the native permissions are never removed from the removed group member.
This is known issue #24486. The workarounds are:
- Workaround when adding a group member:
Right-click the new permission that appears with status "Absent" in the "Native Security" tab and select "Resync from Active Roles Security".
- Workaround when removing a group member:
For the removed group member, set the value of the attribute “edsvaResyncNativeSecurity” to 1.
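
To find accounts affected by the second issue, the following added example (not part of the original article and not One Identity code) filters AD access control entries for a non-inherited Reset Password right still granted to the admin group on users who are no longer group members. The trustee `CONTOSO\PwdResetAdmins`, the group `PwdResetScope`, the DNs and the sample ACEs are constructed placeholders, and the filter assumes Active Roles stamps the right as an explicit (non-inherited) ACE on each user object.

```powershell
# Added example. Names, DNs and sample ACEs below are constructed placeholders.
# Schema GUID of the "Reset Password" (User-Force-Change-Password) extended right.
$ResetPasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'

function Find-StaleResetPasswordAce {
    param(
        [Parameter(Mandatory)] [object[]] $Ace,             # ACEs, each tagged with a UserDN property
        [Parameter(Mandatory)] [string]   $AdminGroup,      # trustee the ACL was created for
        [Parameter(Mandatory)] [string[]] $CurrentMemberDN  # users still in the MU's source group
    )
    # Assumption: the right is stamped as an explicit ACE, so inherited ACEs are ignored.
    $Ace | Where-Object {
        "$($_.IdentityReference)" -eq $AdminGroup -and
        "$($_.AccessControlType)" -eq 'Allow' -and
        -not $_.IsInherited -and
        "$($_.ActiveDirectoryRights)" -match 'ExtendedRight' -and
        [guid]$_.ObjectType -eq $ResetPasswordGuid -and
        $_.UserDN -notin $CurrentMemberDN
    }
}

# Live collection: needs the RSAT ActiveDirectory module and its AD: drive.
function Get-UserAce {
    param([Parameter(Mandatory)] [string] $SearchBase)
    Import-Module ActiveDirectory
    Get-ADUser -Filter * -SearchBase $SearchBase | ForEach-Object {
        $dn = $_.DistinguishedName
        (Get-Acl -Path "AD:\$dn").Access | Select-Object *, @{ n = 'UserDN'; e = { $dn } }
    }
}
# Live use (placeholders):
#   $members = (Get-ADGroupMember 'PwdResetScope').DistinguishedName
#   Find-StaleResetPasswordAce -Ace (Get-UserAce 'OU=Staff,DC=contoso,DC=example') `
#       -AdminGroup 'CONTOSO\PwdResetAdmins' -CurrentMemberDN $members

# Constructed sample: Alice is still a member, Bob was removed, Carol's ACE is inherited.
$rp = '00299570-246d-11d0-a768-00aa006e0529'
$sample = 'Alice', 'Bob', 'Carol' | ForEach-Object {
    [pscustomobject]@{
        UserDN = "CN=$_,OU=Staff,DC=contoso,DC=example"; IdentityReference = 'CONTOSO\PwdResetAdmins'
        AccessControlType = 'Allow'; IsInherited = ($_ -eq 'Carol')
        ActiveDirectoryRights = 'ExtendedRight'; ObjectType = $rp
    }
}
Find-StaleResetPasswordAce -Ace $sample -AdminGroup 'CONTOSO\PwdResetAdmins' `
    -CurrentMemberDN 'CN=Alice,OU=Staff,DC=contoso,DC=example' |
    Select-Object UserDN, IdentityReference
```

Accounts returned by the filter are the ones that need the removal workaround above.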