Return
-
Title
Employee's ADSAccount Does Not Inherit Group Memberships -
Description
An Employee with ADSAccount is added to a Business Role with some AD groups assigned, but the Employee's ADSAccount doesn't inherit memberships from the role.
This may also occur for other instances where group inheritance is required, i.e. Department, Cost center, Location. -
Cause
"Groups can be inherited" is not selected for the applicable ADSAccount. -
Resolution
Create an account definition and update the IT operating data mapping so that the "Groups can be inherited" option is selected for all ADSAccounts requiring group inheritance.
Please refer to the Administration Guide for Connecting to Active Directory for complete steps on Account definitions for Active Directory user accounts.
1. For the created Account Definition, select "Edit IT operating data" under "Tasks".
2. Click "Add" to add a new column mapping.
3. In the "Column" drop-down select "ADSAccount.IsGroupAccount".
4. If the group membership will be based on a business role, select "Primary business role" as the "Source". Alternately, select "Always use default value" so that the option is selected for any associated ADSAccount.
E.g.: