-
Title
"Manager can update membership list" checkbox is out of sync with the native permissions -
Description
The Manager can update membership list checkbox selection in Active Roles Server MMC Console is out of sync with the native permissions.
If the checkbox selection is modified in Active Directory Users and Computers snap-in, ActiveRoles MMC Console will not reflect the change.
-
Cause
This behaviour is by design. The root cause is the Active Roles server proxy delegation model.
When the Manager can update Membership list checkbox selection is modified in Active Roles, a special Access Template is linked internally by Active Roles, and the corresponding permissions are propagated to Active Directory.
However, when the selection is changed with the native tools, such as Active Directory Users and Computers, Active Roles is unable to detect the change and update the checkbox in Active Roles properly.
The permission sync works in one direction - from Active Roles to Active Directory only.
-
Resolution
WORKAROUND
Modify the Manager can update membership list checkbox in Active Roles Server only.
Do not use native tools to modify the Manager can update membership list checkbox selection.
-
Additional Information
Proxy delegation model explained: ActiveRoles server ignores the permissions granted to a user in Active Directory. Instead, the effective permissions are calculated from the Access Templates granted to the user in ActiveRoles Server. When the Manager can update membership list selection is modified, a corresponding Access Template is linked or unlinked in ActiveRoles server behind the scenes. The Access Template permissions are automatically synced to Active Directory then. However, if the selection is modified with Active Directory native tools (ADUC), AR is unable to detect and back-sync the new selection.