Return
-
Title
Unable to remove the "Add" button from the MemberOf tab of a User or Group -
Description
Even with a Deny-write permission applied to the MemberOf attribute of a User or Group object, an initiator can still click on the Add button on the MemberOf tab and browse for a Group (with the appropriate view permissions). Instead, an error is encountered when attempting to add the Group. -
Cause
It is not possible to remove or grey-out the Add button on the MemberOf tab due to Active Directory design.
-
Resolution
The Members attribute is a true attribute, containing DN's of Users or Groups. MemberOf is a computed attribute, back-synced from Members. This means that in order to remove the Add button from MemberOf, Active Roles would have to query write permissions on the Members attribute for every Group in the Domain, every time the MemberOf tab is displayed. This operation would be too slow and too expensive to implement.