In environments with multiple domains managed by Active Roles, when attempting to delegate an Access Template to a Well-Known SID such as Account Operators, the Access Template may not apply to the correct object as expected.
For example:
There are two domains managed in Active Roles, Domain1 and Domain2.
An Access Template is delegated to Domain2\Account Operators; however, the delegation is erroneously set to Domain1\Account Operators.
Built-in accounts and other Well-Known SIDs have the same Object SIDs across all domains. Active Roles utilizes these Object SIDs when mapping Access Template links (AT Links) to a Trustee.
This issue has been identified as a product defect and assigned the Defect ID 91777.
WORKAROUND
Create an alternate group that is not a Well-Known SID to use when delegating Access Templates.
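The SID collision behind this defect, and why the workaround avoids it, shown as an added Python example (not Active Roles code; a simplified model of a SID-keyed trustee lookup). The S-1-5-21 domain identifiers and the group name `AR-Account-Admins` are constructed for illustration; `S-1-5-32-548` is the Account Operators SID.

```python
"""Added example: why a SID-keyed trustee lookup is ambiguous for BUILTIN groups."""
from collections import defaultdict

# Constructed sample data. Domain names follow the article; the S-1-5-21 domain
# identifiers and the alternate group name are made up for illustration.
TRUSTEES = [
    ("Domain1", "Account Operators", "S-1-5-32-548"),
    ("Domain2", "Account Operators", "S-1-5-32-548"),
    ("Domain1", "AR-Account-Admins", "S-1-5-21-1111111111-2222222222-3333333333-1105"),
    ("Domain2", "AR-Account-Admins", "S-1-5-21-4444444444-5555555555-6666666666-1105"),
]

def is_domain_unique(sid):
    """True when the SID embeds a domain identifier: S-1-5-21-<a>-<b>-<c>-<RID>."""
    parts = sid.split("-")
    return parts[:4] == ["S", "1", "5", "21"] and len(parts) == 8

def index_by_sid(trustees):
    """Model of a lookup keyed only by object SID: SID -> every matching trustee."""
    index = defaultdict(list)
    for domain, name, sid in trustees:
        index[sid].append(f"{domain}\\{name}")
    return dict(index)

def ambiguous_trustees(trustees):
    """SIDs that resolve to more than one domain\\group across managed domains."""
    return {sid: owners for sid, owners in index_by_sid(trustees).items()
            if len(owners) > 1}

def safe_to_delegate(domain, name, trustees):
    """A trustee is unambiguous when its SID is domain-unique and not shared."""
    shared = ambiguous_trustees(trustees)
    for d, n, sid in trustees:
        if (d, n) == (domain, name):
            return is_domain_unique(sid) and sid not in shared
    raise KeyError(f"{domain}\\{name} not in trustee list")

if __name__ == "__main__":
    for sid, owners in ambiguous_trustees(TRUSTEES).items():
        print(f"{sid} is shared by: {', '.join(owners)}")
```
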
STATUS
Waiting for fix in a future release of Active Roles.