This is a supported patch for ActiveRoles 6.9.0. The patch addresses the issues listed in the Resolved Issues section in the attached Read Me, and also resolves the issues listed in the Knowledge Article 122282 at https://support.quest.com/kb/SOL122282 and Knowledge Article SOL116649 at https://support.quest.com/kb/SOL116649.
We recommend that you install this patch, as it resolves a number of important issues that were not addressed by earlier patches or hotfixes for ActiveRoles 6.9.0.
This patch is cumulative and includes all fixes found in Patches 1 and 2.
For information on the issues fixed in Patches 1 and 2, please see the links below:
The patch includes the following updates:
Installing This Patch
The following is a list of issues resolved by this patch.
Fixed: You may experience a significant delay when the ActiveRoles console opens the Change History results page by using Internet Explorer 8.0.
Fixed: ActiveRoles may fail to remove mailbox rights for a given user account (say, User A) if the security identifier (SID) of that user account is present in the SID history of a user account (say, User B) from a different domain, which is normally the case if User B is created by copying User A during domain migration. The issue occurs if the mailbox account resides in the domain of User B, and arises because ActiveRoles uses the SID rather than the domain\user ID to identify the user account whose mailbox rights are subject to removal.
Fixed: ActiveRoles may encounter an error condition when processing a "Report Distribution" deprovisioning policy. As a result, ActiveRoles fails to deliver the deprovisioning results report to the recipients specified by that policy. The issue occurs if integration between ActiveRoles and Change Auditor is enabled.
Fixed: When run, the "Dynamic Group Updater" scheduled task may cause dynamic groups to lose their membership. The issue occurs with large dynamic groups (several thousand members) upon the membership update performed by that task, and is due to a defect in the implementation of the membership update request for large dynamic groups.
Fixed: When executing a Search request for AD LDS objects, ActiveRoles does not return virtual attributes of the objects found by the search. For example, suppose you have created a virtual attribute for AD LDS users in Active Roles, with the option to store the attribute value in the database. If you assign a value to that virtual attribute for a specific AD LDS user, and then perform a search in Active Roles to find that user, the object returned by the search does not contain the value you assigned to the virtual attribute.
Fixed: ActiveRoles does not add computer objects to, or remove them from, dynamic groups when object attributes change until a rebuild of the dynamic groups is performed manually or by the "Dynamic Group Updater" scheduled task. For example, when you change attributes of a computer object to match the membership rules of a particular dynamic group, ActiveRoles does not immediately add that object to that group as expected.
Fixed: ActiveRoles may not be able to display the mailbox rights entries that apply to well-known security principals, such as "Self." The issue occurs if the ActiveRoles Administration Service is installed on a non-English language operating system. A symptom of the issue is that the "Self" account is missing from the list in the "Mailbox Rights" dialog box in the Web Interface. For a newly created mailbox, the "Mailbox Rights" list appears empty. The issue occurs because the name of the well-known security principal on the computer running the Administration Service does not match the name returned by Exchange Server.
Fixed: When creating the list of permission entries on the "Native Security" tab in the advanced details pane in the ActiveRoles console, the Administration Service may incorrectly identify the domain of a built-in account, such as "Administrators" or "Account Operators." As a result, in the list on the "Native Security" tab, the Name field may display an incorrect domain name for a built-in account (for example, it may display "PRODAM\Account Operators" instead of "PRODEU\Account Operators"). The issue occurs in multi-forest environments, with domains from different forests registered with ActiveRoles as managed domains.
Fixed: You may encounter the following issue after you have added the ActiveRoles database to an availability group on SQL Server and configured multiple instances of the Administration Service to connect to the database by using the listener of that availability group. If a failover occurs in the availability group, one or more of the Administration Service instances may not be able to start due to the following error: "Information about this Administration Service cannot be found in the Quest One ActiveRoles configuration database. Verify that no changes have been made to the name of the computer running the Administration Service. Check the health of Quest One ActiveRoles replication."
Fixed: If Active Directory Recycle Bin is enabled, the ActiveRoles scheduled task "Directory Objects Cleanup" may delete Access Template links and Policy Object links that apply not only to recycled objects but also to existing, non-deleted objects in Active Directory.
Fixed: The scheduled task that counts managed objects may interfere with other tasks performed by the Administration Service, causing performance degradation.
Console (MMC Interface)
Fixed: In the ActiveRoles console, the message restriction options are missing from the "Properties" dialog box for query-based distribution groups. To address the issue, the "Mail Flow Settings" tab has been added to that dialog box. From the "Mail Flow Settings" tab, you can view or change the message size restrictions and message delivery restrictions for a query-based distribution group.
Fixed: Spelling and grammar mistakes on the "Message Moderation" page for management of mail-enabled groups in the ActiveRoles console.
Fixed: In the ActiveRoles console, on the "Parameters" tab in the "Script Execution Policy Properties" dialog box, the "Function to declare parameters" drop-down list may not include all functions that exist in the policy script module if the entire list of functions does not fit in the drop-down list area. To address the issue, the drop-down list area has been enhanced with a vertical scroll bar that appears in case of a long list of functions.
Fixed: In the list of pending approval tasks, the Web Interface may not enable the "Approve selected" or "Reject selected" button as expected when you select the desired tasks. The "Approve selected" and "Reject selected" buttons remain unavailable (grayed-out). The issue occurs if the approver rights result from your membership in a group, that is, the approval rule designates a certain group as the approver and you are a member of that group.
Fixed: The Web Interface may disregard the "Allow manual edits of pre-Windows 2000 logon name" option of the "User Logon Name Generation" policy: On the pages for creating a user account, the "User logon name (pre-Windows 2000)" field is read-only even though the policy has the "Allow manual edits of pre-Windows 2000 logon name" option selected and set to "Always."