The Manager can update membership list checkbox selection in Active Roles Server MMC Console is out of sync with the native permissions.
If the checkbox selection is modified in Active Directory Users and Computers snap-in, ActiveRoles MMC Console will not reflect the change.
This behaviour is by design. The root cause is the Active Roles server proxy delegation model.
When the Manager can update Membership list checkbox selection is modified in AR, a special Access Template is linked internally by AR, and the corresponding permissions are propagated to Active Directory.
However, when the selection is changed with the native tools, such as ADUC - AR is unable to detect the change and update the UI properly.
The permission sync works in one direction - from AR to AD only.
An enhancement request (VSTS90973) detailing the feature was created: "Back-synching of the group's 'Manager can update Membership list' checkbox selection from AD to AR."
WORKAROUND
Modify the Manager can update membership list checkbox in Active Roles Server only.
Do not use native tools to modify the Manager can update membership list checkbox selection.
STATUS
The product team will evaluate the request and this feature may become available on a future release of the product.
Please refer to this article for updates or contact support referencing the Enhancement Request ID: VSTS90973.
© 2024 One Identity LLC. ALL RIGHTS RESERVED. Feedback Terms of Use Privacy Cookie Preference Center