-
Title
Users are not removed from Universal groups by Identity Manager -
Description
An AD forest contains two domains, a parent domain and a child domain. It is possible to add and remove accounts, groups and contact objects from the parent domain to groups of the child domain of type "Universal" and "Domain local". This is also possible via LDAP - ModifyRequest.
Removing these memberships from groups of type "Universal" suddenly no longer works, even though Identity Manager shows them removed successfully. -
Cause
This is due to Microsoft (MS) update patches applied to the Domain Controller:
Windows Server 2016: KB4462928
Windows Server 2012 R2: KB4462926, KB4462921
Windows Server 2008 R2: KB4462926 -
Resolution
WORKAROUND
Since the error is distributed to all server versions with the MS Security Update of October 2018, there is a version of the ADS Connector which fires the Remove function blindly again with the DistinguishedName of the member when removing members from groups of type "Universal", after calling with the SID of the member. This affects performance, but the result is expected, until Microsoft has fixed the defect.
Please find the links for the hotfix containing the workaround below:One Identity Manager 7.1.4 Hotfix 30575
One Identity Manager 8.0.1 Hotfix 30575
One Identity Manager 8.0.2 Hotfix 30575
STATUS
One Identity is working with Microsoft to resolve the issue. -
Change Request
30575 -
Additional Information
Scenario before applying the patches:
1. A user of the parent domain is to be removed from a "Universal" group of the child domain via LDAP - ModifyRequest.
a. To do this, an attempt is first made to remove the membership by specifying the SID of the member. This fails and the server responds with a ModifyResponse "unwilling to perform".
b. This is correct and a second ModifyRequest is then sent, which should remove the member by specifying the DistinguishedName.
c. The ModifyResponse here is "success", the member has been removed from the group.
Situation after the patches have been applied:
1. Once the above-mentioned patches have been applied, A user of the parent domain is to be removed from a "Universal" group of the child domain via LDAP - ModifyRequest.
a. The first ModifyRequest containing the member's SID is answered by the server with the ModifyResponse "success" in the scenario, but the member has not been removed from the group.
b. Because no error in Step One, no attempt is made with DistinguishedName
If the operation is performed with a group of type "Domain local", the process works correctly, regardless of whether the above mentioned patches are installed or not.