The following is a list of issues, known to exist at the time of release.
Known issue |
Issue ID |
When you specify the SQL Server instance to host the database of the Administration Service, you may encounter the following error on the Connection to Database page in Configuration Center: “Invalid SQL Server computer name. Use the short computer name to specify the SQL Server instance, such as "computername" or "computername\instancename".”
Examine the results returned by these queries:
WORKAROUND Use the following instructions, depending on the case you have encountered, and then re-run Configuration Center to configure the Administration Service.
|
446759 |
Configuration Center is unable to configure the Administration Service if the name supplied for the Active Roles database on the Connection to Database page contains a single apostrophe ('). A symptom of the issue is the following error: “Incorrect syntax near '-'.” WORKAROUND Change the database name so that it does not contain a single apostrophe ('). |
446843 |
When you configure the Administration Service on a domain controller, you may encounter the following error: “Service 'Active Roles Administration Service' (aradminsvc) failed to start. Verify that you have sufficient privileges to start system services.” WORKAROUND Use the Services tool to manage the service named Active Roles Administration Service: Specify the logon name and password of the account that you want the service to log on as, and then start the service. |
37391 |
In a scenario where Configuration and Management History data are stored in separate databases in ActiveRoles 6.9, if the databases are imported to a single ARS 7.1 Configuration and Management History database before splitting to two databases after installation of ARS 7.1, then Change History for the objects is not available in ActiveRoles 7.1. WORKAROUND Do not combine the Configuration and Management History databases if they are already stored in different databases. Import them to individual new databases. |
682593 |
In Active Roles 7.2, for the edsvaAzureOffice365Enabled attribute inheritance feature, when only the edsvaAzureOffice365EnabledIncludeAllChildOus attribute is modified by selecting the check box in the Edit Attribute properties dialog, the attribute settings do not get updated. WORKAROUND: In the Edit Attributes properties dialog box, clear the value for the edsvaAzureOffice365Enabled attribute and click OK and then Save. Edit the values for edsvaAzureOffice365Enabled again and select the check box for the edsvaAzureOffice365EnabledIncludeAllChildOus attribute and click OK and then Save. The edsvaAzureOffice365EnabledIncludeAllChildOus attribute settings get updated successfully. |
729329 |
Known issue |
Issue ID |
The Administration Service does not support querying for more than 200 different Custom Stored Virtual Attributes (CSVAs) within a single search request. When you query for more than 200 different CSVAs within a single search request so that the request is configured to retrieve the values of those attributes, you may experience performance degradation in the Administration Service and your query may return incorrect results. WORKAROUND If you need to query for a large number of CSVAs (so as to have your search request retrieve the values of those attributes), perform multiple search requests with a smaller number of attributes involved in each request. For best performance, a single search request should not query for more than 32 different CSVAs. |
11990 |
The Administration Service incorrectly evaluates the delegated rights of the user account in the following scenario:
In this scenario, Active Roles does not permit the user account to modify objects in the OU. The expected behavior is as follows: since the user account is set as the manager of the OU, and full control of the OU is delegated to the "Primary Owner (Managed By)" account, the user account has full control of the OU and all objects held in the OU. The same issue occurs in the situation where a group is set as the manager. WORKAROUND Configure the Active Roles security settings on the OU so that the appropriate rights (for example, full control) are delegated to the user account (or group) itself rather than to the "Primary Owner (Managed By)" account. |
18378 |
The default Exchange mailbox database in which the Administration Service creates user mailboxes may differ from the mailbox database that Microsoft's native tools select for the mailbox creation operation by default. WORKAROUND When you use Active Roles to create a new mailbox-enabled user or create a mailbox for an existing user, verify the mailbox database selection, and choose the appropriate database if necessary. Another option is to configure and apply an Exchange Mailbox AutoProvisioning policy that would automatically choose the appropriate mailbox database. |
18419 |
When you use the "Handle changes from DirSync control" option in a script-based policy, you may encounter the following issue: The policy does not execute the onPostDelete handler. This issue occurs if the Policy Object containing the policy in question is applied (linked) to an Organizational Unit. WORKAROUND Apply the Policy Object to a domain rather than to an Organizational Unit. |
22786 |
Creation, modification, or deletion of a custom display specifier has no effect on a given Administration Service until that Service is restarted. A symptom is that the directory management section of the Active Roles console does not reflect the changes to custom display specifiers until you restart the Administration Service the console is connected to. WORKAROUND Restart each Administration Service after you have made changes to custom display specifiers. |
23848 |
When you export policy check results or change history results to a file in HTML format, and then send the file as an e-mail attachment, you may encounter the following issue: Opening the attachment in Outlook displays a corrupted HTML page, with extra spaces inserted between page sections. WORKAROUND Archive the file to which you have exported the results and then send the archive file as an attachment instead of sending the original file. |
24227 |
When configuring a Managed Unit to use a query-based membership rule, you may encounter the following issue: A membership rule based on a custom LDAP query may not work as expected if the query includes a right bracket (]). For example, the following query causes an error: (&(objectcategory=group)(accountNameHistory=*[DG]*)). WORKAROUND If possible, modify your query to eliminate the right brackets. In the above example, the query can be modified as follows, without loss of functionality: (&(objectcategory=group)(accountNameHistory=*[DG*)) |
24229 |
When you apply an Access Template to the "Active Directory" container in the Active Roles console, with the option to enable synchronization of the resulting permission entries to Active Directory, you encounter the following issue: The resulting permission entries are propagated from the "Active Directory" container to the managed domains held in that container, but not synchronized to Active Directory. WORKAROUND Avoid using the synchronization option when applying Access Templates to the "Active Directory" container. If you need to synchronize permission entries from Active Roles security to native Active Directory security, apply Access Templates to managed domains or objects and containers within managed domains. |
24439 |
The Administration Service may not provide its client applications with information about an Active Roles replication failure as expected. As a result, the Active Roles console or Management Pack for SCOM may not display an appropriate alert or status message on the Active Roles database servers that are experiencing replication problems. WORKAROUND Use the instructions given in the document "Active Roles Replication: Best Practices and Troubleshooting" to check the health of, and troubleshoot problems (if any) with, Active Roles replication. |
24487 |
The policy compliance check in the Administration Service may inappropriately handle a policy configuration where values of certain object properties in the directory are dependent on other property values that are to be generated by a policy. Thus, when a "Property Generation and Validation" policy is configured to assign a certain property value based on a user logon name generated by a "User Logon Name Generation" policy, you encounter a policy violation error when creating a user account using the Active Roles console unless you have clicked the Generate button to have the Administration Service generate a user logon name. WORKAROUND If you have encountered a policy violation error when using a page that includes the Generate button, click that button to have the Administration Service generate a property value. |
25236 |
When you apply an Access Template to a Managed Unit, with the option to enable synchronization of the resulting permission entries to Active Directory, you encounter the following issue: The resulting permission entries are inherited by the directory objects held in the Managed Unit, but not synchronized to Active Directory. The same problem occurs when you apply an Access Template to a Managed Unit container. WORKAROUND By default, for performance reasons, Active Roles does not sync permission settings to native Active Directory security that are configured by applying Access Templates to Managed Units or Managed Unit containers. If you need to sync permission settings from Active Roles security to native Active Directory security, we recommend that you apply Access Templates to Organizational Units. However, Active Roles provides the option to sync permission settings from the Managed Unit level. This option is enabled if the object "CN=Enable Sync to Native Security from Managed Unit,CN=ActiveRoles Server,CN=Services,CN=Application Configuration,CN=Configuration" exists and has the "edsaExtensionAttribute1" attribute set to TRUE. Otherwise, this option is not enabled. To enable this option, use the Active Roles console in Raw view mode as follows: |
24486 |
There is no option to configure an Active Roles policy for generating a user principal name (UPN) so that the UPN Suffix part of the name automatically changes if the generated name is in use by another user account. Normally, the UPN Prefix part of the name (the value of the edsaUPNPrefix attribute) is the same as the pre-Windows 2000 user logon name (the value of the sAMAccountName attribute). This ensures the uniqueness of the user principal name regardless of the UPN Suffix setting. WORKAROUND After the user account has been created with a valid (unique) user principal name, change the UPN Suffix and UPN Prefix parts of the name as needed using the Active Roles console or Web Interface. |
25620 |
In some limited scenarios, you may encounter corruption of attribute names (wrong characters) on the page that displays a report produced by the "Change History" command. For example, this problem may occur with the Change History report on a user account that was deprovisioned via the Active Roles Web Interface using the Web browser with a non-English locale. |
25728 |
Incorrect behavior of a User Logon Name Generation policy that is configured to disallow certain (non-acceptable) characters in the user logon name: In the situation where the policy allows the generated name to be modified manually (for example, if the policy fails to generate a unique name), adding non-acceptable characters to the name in the New Object - User wizard causes a policy violation and then the field for entering the name becomes unavailable so you cannot correct your input. WORKAROUND In the wizard, re-enter the value of any property based on which the user logon name is generated. This will enable the field for entering the user logon name so that you can remove the unacceptable characters from the name. |
25700 |
With an Active Roles policy configured so that the value of a certain (dependent) property is based on another (master) property, the Administration Service may not force the Web Interface to change the dependent property in accordance with the changes that are made to the master property. For example, with a policy that makes the user alias the same as the user logon name, changes to the user logon name may not cause the user alias to change accordingly. The issue may occur if the entries for the master property and the dependent property are located on different pages in the Web Interface. WORKAROUND To prevent this issue, modify properties of user accounts in the Active Roles console. |
25902 |
Incorrect behavior of the console tree root page in the Active Roles console: Clicking Refresh at the top of the page may cause the following error: "Validation failed on XML." The issue may occur when you are repeatedly clicking Refresh while the Administration Service is busy loading information from a newly registered managed domain or AD LDS instance. WORKAROUND Click OK in the error message box and wait until the Administration Service has finished loading information from the managed domains and AD LDS instances. Then, click Refresh. |
26017 |
While the Administration Service is busy loading information from the managed domains and AD LDS instances (for example, upon the startup of the Administration Service), the Active Roles console may fail to connect to the Administration Service, returning the following error messages: WORKAROUND Click Close in the error message box and wait until the Administration Service has finished loading information from the managed domains and AD LDS instances. Then, attempt to connect to the Administration Service. |
26043 |
The Administration Service may not send to the console the information that is required to populate the list of Administration Service instances in the "Management History Databases and Replication" section on the console tree root page in the details pane. As a result, the page does not display a list of the Administration Service instances that use a given Management History database. WORKAROUND To view a list of the Administration Service instances that use a certain Management History database, go to the "Configuration/Server Configuration/Management History Databases" container in the console tree, open the Properties dialog box for the database you want to examine, and view the list on the "Administration Services" tab. |
26218 |
When processing a query with an LDAP filter that specifies wildcard-based conditions on an Active Roles Custom Stored Virtual Attribute (CSVA) of the Integer type, the Administration Service may report the following error: "An unsupported conversion was attempted." This error may occur if the filter conditions include an asterisk wildcard character coupled with other characters, such as (edsvadeptcode=4*). WORKAROUND Do not use filter conditions that include a combination of an asterisk with other characters. For example, you could use (edsvadeptcode>=4000) rather than (edsvadeptcode=4*). |
35396 |
When performing the Deprovision operation on a user object, the Administration Service may return the following error: "Failed to retrieve attributes of the object '<objectDN>'. XML document must have a top level element." The error occurs if the Administration Service performs the Deprovision operations concurrently with the "Change Tracking Cleanup" scheduled task. WORKAROUND Click OK in the error message boxes that appear on the screen until you receive a message stating that the deprovision operation is completed. Then, open the report on the operation results by using the Deprovisioning Results command in the Active Roles console. |
37103 |
The Administration Service may incorrectly process a Property Generation and Validation policy rule that includes a text string following the value of an attribute, such as "%<description> This user account was deprovisioned {@date(M/d/yyyy)}". If the attribute is empty (has no value set), the text string may be missing from the generated output. In this example, the output would not contain the text "This user account was deprovisioned". WORKAROUND Create a custom stored virtual attribute that holds the text string you want and modify the rule, replacing the text with that attribute. Thus, in the preceding example, you could create an attribute named edsvaDeprovisionTextConst on the domain object, set the attribute to the text string in question, and then apply the following rule: "%<description>%<domain.edsvaDeprovisionTextConst> {@date(M/d/yyyy)}" |
37289 |
Active Roles may fail to re-evaluate the membership of a Dynamic Group in a timely fashion after the membership rules of the Dynamic Group are modified. This issue can be caused by unavailability of the Administration Service that was designated to evaluate and apply the membership rule changes on the Dynamic Group. WORKAROUND On the Membership Rules tab in the Properties dialog box for the Dynamic Group in the Active Roles console, select the appropriate Administration Service from the "Service to evaluate and apply rule changes" list and click Apply. |
37310 |
The Administration Service may fail to execute a policy based on a script that calls the EventLog.ReportEvent method, returning the "Object doesn't support the action" error. WORKAROUND In Active Roles policy scripts, use the Request.ReportEvent method rather than EventLog.ReportEvent to record events to the event log, if necessary. |
37379 |
When managing user accounts in the Windows Server 2008 Active Directory Domain Services, the Administration Service fails to properly consider the password policy settings that are configured by using Password Settings objects (PSOs). As a result, Active Roles may generate user passwords that do not meet the password policy requirements that are in effect (for example, it may generate a password of an inappropriate length). Only the password policy settings that originate from Group Policy objects are considered by the password generation algorithm. WORKAROUND Ensure that the password policy requirements imposed via Group Policy are the same as those specified by using Password Settings objects. |
38483 |
The Management History records that were received through Active Roles replication or imported using the Management History Migration Wizard may be unavailable to the Administration Service for a significant time period.
Depending on these factors, the average time to update a single Management History record may range from 0.1 seconds to 1 second. WORKAROUND Reduce the number of records in the Management History database in order to reduce the time it takes to complete the process of updating the non-replicated Management History data. For example, when importing Management History data by using the Management History Migration Wizard, you may choose not to transfer the records that are older than a certain date. |
38121 |
Incorrect behavior of the Approval Workflow function in the following scenario: While the operations are waiting for approval, the Active Roles environment is re-configured so that some instances of the Administration Service use a separate database to store the management history data, possibly synchronizing that data within a separate replication group of management history databases. WORKAROUND Before re-configuring the Active Roles environment, ensure that no operations are waiting for approval. If any operations were requested but not completed before you re-configured the environment, have those operations re-initiated in the new environment. For example, if creation of a user account was started and was not approved or rejected in the initial environment, start creation of that user account again in the new environment.
|
38246 |
In an Active Roles replication environment where multiple Administration Service instances use the same database, execution of the 'Change Tracking Cleanup' task may fail with the following last run message: "Transaction (Process ID <number>) was deadlocked on lock resources with another process and has been chosen as deadlock victim. Rerun the transaction." WORKAROUND Run the task again: In the Active Roles console tree, expand Configuration | Server Configuration | Scheduled Tasks | Builtin; then, in the details pane, right-click Change Tracking Cleanup and select All Tasks | Execute. When running the task, ensure that no data migration is being performed by the Management History Migration Wizard. |
39140 |
In certain rare conditions, the Administration Service may fail to properly configure a Subscriber database server: The New Replication Partner wizard in the Active Roles console reports that the operation is completed successfully, but the Subscriber database server configured by the wizard remains in standalone state and the Publisher database server does not recognize the newly configured Subscriber (the Subscriber's status on the Publisher is indicated as "unknown"). The Active Roles Admin Service event log contains a "ReplPartnerPolicy failed" error event in this case. Data synchronization between the Publisher and the newly configured Subscriber does not occur. WORKAROUND Use the instructions that follow to delete the failed Subscriber record from the Publisher's database, and then use the New Replication Partner wizard in the Active Roles console to add the Subscriber again. |
38646 |
Consider the following scenario. In your Active Roles environment, a Group Membership Removal policy is in effect that removes deprovisioned user accounts from groups. You use the Temporal Group Memberships feature of Active Roles to schedule addition of user accounts to groups. In this scenario, when you deprovision a user account that is scheduled to be added to a certain group, the Administration Service may not cancel that scheduled operation as expected. As a result, the deprovisioned account eventually becomes a member of that group, which violates the Group Membership Removal policy. WORKAROUND If you are affected by this issue, please contact Quest Support to obtain a fix for this version of the Administration Service. |
51063 |
Consider the following scenario. You have the Undo Deprovisioning policy configured so that it allows password reset on restored user accounts (this is the default policy setting). You delegate the right to restore deprovisioned accounts by applying the following Access Templates: Users - Perform Undo Deprovision Tasks In this scenario, the delegated administrator receives the following error message when using the Undo Deprovisioning command: "Administrative Policy returned an error. Attempted to perform an unauthorized operation." WORKAROUND Create a new Access Template that contains the "Write properties" permission for these attributes on the User object class:
Apply that Access Template in addition to those listed above, so as to give the delegated administrator the rights to reset password and manage password options. |
53491 |
An Active Roles workflow that uses conditional branching based on the If-Else activity may cause duplicate occurrences of the EVENT_ACTIVITY_ALERT (ID=2711) event in the Active Roles Admin Service event log: "This activity is skipped because branch condition is not satisfied on any of its branches." WORKAROUND Disregard the duplicate occurrences of Event 2711 in the Active Roles Admin Service event log. |
100584 |
Cyclic references within custom library scripts may cause the Administration Service to stop unexpectedly. Cyclic references occur when two different library scripts reference each other by calling the ScriptLib.Load() function. A typical example of a cyclic reference is as follows. Consider a library script module named LIB1 containing a script that loads a script module named LIB2 (Set LIB2 = ScriptLib.Load("LIB2")) whereas the script that is held in the module LIB2 loads the module LIB1 (Set LIB1 = ScriptLib.Load("LIB1")). In this case, saving changes to the module LIB1 or LIB2 may cause the Administration Service to stop unexpectedly. WORKAROUND Avoid cyclic references in Active Roles script modules. In a situation where cyclic references may occur, consider copying the necessary functions from one script module to another instead of loading the module that contains those functions. |
102049 |
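One way to check script modules for the cyclic references described in issue 102049 before saving them; this is an added example, not code from Active Roles or its documentation. It assumes the module sources are available as text keyed by module name, that module names compare case-insensitively, and that loads are written as ScriptLib.Load("NAME") with a literal name; all function names and the sample modules are hypothetical.

```python
import re
from typing import Dict, List, Set

# A load call with a literal module name, as written in the issue text.
LOAD_CALL = re.compile(r'ScriptLib\.Load\(\s*"([^"]+)"\s*\)', re.IGNORECASE)


def strip_vbs_comment(line: str) -> str:
    """Remove a VBScript comment: a Rem line, or an apostrophe outside a string."""
    if line.lstrip().lower().startswith("rem "):
        return ""
    in_string = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_string = not in_string
        elif ch == "'" and not in_string:
            return line[:i]
    return line


def load_graph(modules: Dict[str, str]) -> Dict[str, Set[str]]:
    """Map each module name to the set of modules it loads (comments ignored)."""
    graph: Dict[str, Set[str]] = {}
    for name, source in modules.items():
        code = "\n".join(strip_vbs_comment(l) for l in source.splitlines())
        # Assumption: names are case-insensitive, so normalise to upper case.
        graph[name.upper()] = {m.upper() for m in LOAD_CALL.findall(code)}
    return graph


def find_cycles(graph: Dict[str, Set[str]]) -> List[List[str]]:
    """Depth-first search; returns one load chain per cycle found.

    An empty result means the load graph is acyclic.
    """
    cycles: List[List[str]] = []
    reported: Set[frozenset] = set()
    state: Dict[str, int] = {}   # 1 = on the current path, 2 = fully explored
    path: List[str] = []

    def visit(node: str) -> None:
        state[node] = 1
        path.append(node)
        for dep in sorted(graph.get(node, ())):
            if dep not in graph:
                continue  # loads a module that was not supplied; cannot follow it
            if state.get(dep) == 1:
                cycle = path[path.index(dep):]
                key = frozenset(cycle)
                if key not in reported:
                    reported.add(key)
                    cycles.append(cycle + [dep])
            elif dep not in state:
                visit(dep)
        path.pop()
        state[node] = 2

    for node in sorted(graph):
        if node not in state:
            visit(node)
    return cycles


# Constructed sample modules: LIB1 and LIB2 reproduce the pair from the issue
# text; Helpers has a commented-out load that must not count as a reference.
SAMPLE_MODULES = {
    "LIB1": '''
Set LIB2 = ScriptLib.Load("LIB2")
Function FormatName(s)
    FormatName = UCase(s)
End Function
''',
    "LIB2": '''
Set LIB1 = ScriptLib.Load("LIB1")   ' uses FormatName from LIB1
''',
    "Helpers": '''
' Set LIB1 = ScriptLib.Load("LIB1")   disabled, so not a reference
Set L2 = scriptlib.load("lib2")
''',
}

if __name__ == "__main__":
    for chain in find_cycles(load_graph(SAMPLE_MODULES)):
        print("cyclic reference: " + " -> ".join(chain))
```

Loads whose module name is built at run time are not seen by this check and still need manual review.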
When you deprovision and then un-deprovision a group, the temporary or pending members of that group may not be restored as expected. This issue may occur, for example, when you schedule a member to be added to a particular group at a certain time in the future, deprovision and then un-deprovision that group. As a result, the Administration Service loses the schedule setting for that member, so the member will not be added to the group as expected. WORKAROUND After you have un-deprovisioned a group, review the "Members" list of that group and, if necessary, add and configure the temporary or pending members by hand. |
104474 |
When performing the Demote operation on the Publisher role holder, the Administration Service may cause a deadlock condition on SQL Server. In this case, the Administration Service returns an error message similar to the following: "Your transaction (process ID {#number}) was deadlocked on {lock | communication buffer | thread} resources with another process and has been chosen as the deadlock victim. Rerun your transaction." This issue is most likely to occur when the database server to demote is busy with other requests from the Administration Service, such as retrieving Active Roles configuration data requested through a custom script. WORKAROUND Ensure that the Administration Service is not performing any resource-intensive operations against the database, such as running scheduled tasks or custom scripts, and then try the Demote operation again. |
105507 |
When performing a request to un-deprovision a user account, the Administration Service may not restore the membership of the user account in a group that resides in a domain other than the domain of the user account. A symptom of the issue is the following error message: "The specified group type is invalid." The issue occurs if the domain of the group has the functional level of Windows Server 2003 and a Global Catalog server is unavailable in that domain. WORKAROUND Ensure that a Global Catalog server is up and running in the domain that holds the group. |
113794 |
In a function within a PowerShell based policy script, the use of the "return" operator applied to a data array may cause the policy script not to perform as expected or may result in an error condition at run time. The root cause of the issue is that the service objects such as $Request or $DirObj may incorrectly handle the input data conveyed by the "return" command. For example, the following policy script does not update the edsvaKeywords attribute as expected: function onPostGet($Request) WORKAROUND Avoid the use of the "return" operator in functions within Windows PowerShell based policy scripts when passing data to service objects. Thus, in the preceding example, you should remove the "return" operator from the function ff: function ff |
113873 |
Active Roles may incorrectly process a scheduled task with the option "Execute on: All servers." The issue occurs in an environment where Active Roles replication is used to synchronize configuration of multiple Administration Service instances. Although the task option suggests that the task is to be run on each instance of the Administration Service, the task actually runs on only one instance. WORKAROUND Use the Active Roles console to connect to each Administration Service instance and run the task on the connected instance by hand: Right-click the task and then select "All Tasks | Execute." |
120824 |
You may encounter the following issue in an environment where Active Roles replication is used to synchronize configuration of multiple Administration Service instances: If SQL Server Agent is not running on the Publisher SQL Server (which is a prerequisite for Active Roles replication to function), no diagnostic information is provided by Active Roles as to the replication problem caused by that condition. The only indication of the problem is the replication status of "Unknown" on the database objects in the "Configuration/Server Configuration/Configuration Databases" container in the Active Roles console. WORKAROUND If you encounter the replication status of "Unknown" on the database objects in the "Configuration/Server Configuration/Configuration Databases" container in the Active Roles console, verify that the SQL Server Agent service is up and running on the SQL Server that hosts the Active Roles Publisher database. |
120833 |
The Administration Service may not stop a running scheduled task as expected: The Terminate command on the task in the Active Roles console either does not stop the task despite an information message stating that the operation was completed successfully, or fails with an error message stating that the specified method is not supported. The issue occurs with any scheduled task that uses a Windows PowerShell based script. WORKAROUND To terminate the task, restart the Administration Service. Alternatively, wait for the task to finish running. Check the Active Roles Admin Service event log for an event indicating that the task has been completed. |
122331 |
The operation of adding an object to a group may cause a duplicate record in the Change History report for the group. The issue occurs when a given object is added to the group and then the same object is added to that group again (this could be accomplished, for example, by using two instances of the Active Roles console). In this scenario, the addition of the object to the group is recorded twice in the Change History report. A similar issue occurs with the operation of removing a member from a group. WORKAROUND Disregard the duplicate Change History record regarding the addition or removal of an object from the group. |
122552 |
E-mail based approval cannot be used on Symbian OS based devices. With a Symbian OS e-mail client, the Approve/Reject links in Active Roles notification messages may not function as designed. WORKAROUND Perform approval tasks using the Web Interface, or use a different e-mail client to work with Active Roles notification messages. |
130043 |
When populating the list of permissions on the "Native Security" tab in the advanced details pane in the Active Roles console, the Administration Service may incorrectly identify the domain of a built-in account, such as "Print Operators" or "Account Operators." As a result, in the list on the "Native Security" tab, the Name field may display an incorrect domain name for a built-in account (for example, it may display "PRODAM\Account Operators" instead of "PRODEU\Account Operators"). WORKAROUND To view the correct names, use the Permissions dialog box which you can access from the "Native Security" tab: Right-click a list entry on the "Native Security" tab and then click "Edit Native Security." In the Permissions dialog box that appears, the names are listed under "Group or user names." |
137451 |
Active Roles approval workflow may not function as expected in a scenario that needs conditional approval for adding members to a group and the condition of the approval is based on certain properties of objects being added to the group. The issue occurs with a workflow that starts upon a request to add objects to a group and analyzes certain object properties to determine if single-level approval (by a single person) or multi-level approval (by several persons in sequence) is required for the request to be performed. WORKAROUND To work around this issue, you should enable a policy that forces Active Roles to split requests for adding or removing objects from groups as needed in the case of approval workflow. For each object whose addition or removal from a given group requires approval, the policy creates a separate operation request, thereby ensuring the object is properly handled by approval workflow. If this policy is not enabled, a request to add multiple objects to a particular group (or remove them from that group) is performed as a single operation, which causes the operation to be completed for all objects once the request is approved, although additional approvals may be required for some of the objects involved in the operation. |
154997 |
When you uninstall an instance of the Administration Service, Active Roles may not remove the object representing that instance from the "Administration Services" container in the Active Roles console. The record of the uninstalled Administration Service is also present on the "Administration Services" tab in the "Properties" dialog box for the database object in the "Configuration Databases" and "Management History Databases" containers, with the "State" field indicating "Status unknown." The issue occurs if the uninstalled Administration Service was configured to use the database that is currently used by the Administration Service to which the console is connected. WORKAROUND You may safely disregard the objects representing uninstalled Administration Service instances in the console. If you are sure that the given object in the "Administration Services" container applies to an uninstalled Administration Service, you might delete that object (right-click the object and click "Delete"). |
197804 |
When you configure the Administration Service, you encounter the following error: “Insufficient rights to access the Active Roles database. Ensure that your login has the default schema of "dbo" in the Active Roles database.” WORKAROUND If you use Windows (integrated) authentication to connect to SQL Server when installing the Administration Service, ensure that the Windows user account under which you run Configuration Center has a login on SQL Server mapped to a database user with sufficient permissions to perform Administration Service installation tasks. For a list of permissions, see “SQL Server permission/Configuration permissions” in the Active Roles Quick Start Guide. |
197815 |
When you start the Administration Service, you encounter the “Account must have the default schema of dbo in the database” error if all of the following conditions are true: WORKAROUND If you have the Administration Service configured to use Windows (integrated) authentication when connecting to SQL Server, ensure that the Windows user account under which the Administration Service is running has a login on SQL Server mapped to a database user with sufficient permissions in the Active Roles database. For a list of permissions, see “SQL Server permissions/Operation permissions" in the Active Roles Quick Start Guide. |
197831 |
Consider the following scenario. You create a mail-enabled Group Family in Active Roles, and select the "Hide group from the Exchange address lists" option on the "Exchange-related Settings" page in the Group Family configuration wizard. Then, you run the Group Family. In this scenario, the groups created by the Group Family do not have the "Hide group from the Exchange address lists" option selected by default. WORKAROUND To ensure that the groups created by the Group Family have the "Hide group from the Exchange address lists" option selected, create a Policy Object containing a Script Execution policy based on the script that follows, and apply that Policy Object to the containers in which the Group Family is expected to create groups. Note that you should apply this policy before running the Group Family. The groups created before this policy is applied won't have the "Hide group from the Exchange address lists" option selected by default. function onPostCreate($Request) |
203199 |
If multiple Administration Service instances share a single database, then updating the Active Roles schema on one of those Administration Service instances (for example, via installation of a patch) may have no effect on the other instances of the Administration Service. As a result, the consolidated Active Roles schema may not be updated as expected. Thus, it may occur that the attributes added to the Active Roles schema during update are missing from the consolidated schema, and are therefore not recognized by Active Roles clients. WORKAROUND When applying a patch that updates the Active Roles schema, install the patch on all the instances of the Administration Service that use the same database. Then, restart one of the Administration Services you have updated. For instructions, see “Start, stop or restart the Administration Service” in the Active Roles Administrator Guide. |
204816 |
Consider the following scenario. You choose the option that causes the Administration Service to access a particular domain using an override account. This is the "Access the domain using | The Windows account information specified below" option in the Properties dialog box for the domain object in the "Managed Domains" container in the Active Roles console. Then, you change the configuration by selecting the option for the Administration Service to access that domain using the service account. This is the "Access the domain using | The service account information the Administration Service uses to log on" option in the Properties dialog box for the domain object in the "Managed Domains" container. In this scenario, your change to the configuration may have no effect until you restart the Administration Service. WORKAROUND After you have changed the Active Roles configuration so that the Administration Service must no longer use the override account to access the domain, restart the Administration Service for your changes to take effect. For instructions, see “Start, stop or restart the Administration Service” in the Active Roles Administrator Guide. |
218147 |
When you use a multi-value workflow parameter to pass multiple values to a workflow activity, you encounter the following issue: The workflow activity receives one of the parameter values; the remaining values are disregarded. The issue occurs with parameters of DN, GUID or SID syntax when you use the "Object identified by workflow parameter" option to pass parameter values to a workflow activity. WORKAROUND Use a script function to retrieve the parameter values and pass the array of values to the workflow activity (in this script function, dnParameter stands for the name of the workflow parameter): function GetParameterValues() For example, you can use this script function to assign the array of parameter values to a multi-value attribute, such as Secondary Owners (edsvaSecondaryOwners), within an "Update" activity: |
226503 |
The "Pick a store containing the least number of mailboxes" option of an Exchange Mailbox AutoProvisioning policy may have no effect when you create Exchange mailbox-enabled users in a newly added managed domain with Exchange server. WORKAROUND After you have added a new managed domain with Exchange server to Active Roles, wait for Active Roles to run the Scheduled Task "Mailbox Location Checker." Normally, that Task is scheduled to run on a daily basis at 2:00 AM. Alternatively, you could run that Task by hand: In the Active Roles console, go to the "Configuration/Server Configuration/Scheduled Tasks/Builtin" container, right-click the "Mailbox Location Checker" object in that container, point to "All Tasks" and then click "Execute." |
227364 |
After you click the Rebuild button on the Members tab in the Properties dialog box for a Dynamic Group in the Active Roles console, Active Roles may not update the members list of the Dynamic Group as expected. The issue occurs if Active Roles has not completed the previous request to build the members list. For example, when you add a new membership rule, Active Roles receives, and starts processing, a request to build the members list in accordance with the new rule. If you change the rule and force the rebuilding of the members list before Active Roles has finished the ongoing build request, then you encounter the issue in question. WORKAROUND Wait for Active Roles to finish building the members list of the Dynamic Group. Active Roles does not allow you to force the rebuilding of the members list while another request to build the members list is in progress. |
234922 |
When you block the "Dynamic Groups" policy on a particular container (organizational unit or domain), it may take 15 minutes or more for the block policy setting to take effect. The issue occurs if you've selected the "Blocked" check box next to "Built-in Policy - Dynamic Groups" in the dialog box displayed by the "Enforce Policy" command for a container in the Active Roles console. WORKAROUND To ensure that the block policy setting is in effect, restart the Active Roles Administration Service. For instructions, see “Start, stop or restart the Administration Service” in the Active Roles Administrator Guide. |
249248 |
The "Restricted characters" option of the User Logon Name Generation policy has no effect if the list of restricted characters contains a space character only. In this case, Active Roles may not remove space characters from the policy-generated logon name as expected. WORKAROUND To ensure that space characters are removed from policy-generated logon names, configure the list of restricted characters to include any character in addition to a space character. For example, add an asterisk (*) to the list (note that asterisk characters are removed from policy-generated logon names anyway, regardless of whether or not the list of restricted characters includes an asterisk). |
284037 |
In an Active Roles Replication environment, management of Azure objects from the Subscriber service does not work after Azure configuration. WORKAROUND In an Active Roles Replication environment, restart the Subscriber Active Roles Service after Azure configuration to enable management of Azure objects from the Subscriber service. |
673381 |
Active Roles provides limited workflow support for Azure AD Management. |
682621 |
Currently, after an in-place upgrade of Active Roles, the Active Roles Service cannot be upgraded remotely. WORKAROUND Log in to the system where the Active Roles Service was upgraded, open Configuration Center, and perform the "Upgrade Configuration Service" operation to upgrade the Service. |
690207 |
Currently during an in-place upgrade of Active Roles, the earlier version of Active Roles is removed if the Upgrade process is canceled before completion. WORKAROUND On the Add or Remove Programs window, select the Active Roles component, and click the Modify component. This reverts Active Roles to the earlier version that was available on the system before starting the in-place upgrade. |
690557 |
Known Issue | Issue ID | ||
---|---|---|---|
When you add a number of Organizational Units to an Active Roles Managed Unit, and then open that Managed Unit in the Web Interface, you may encounter the following issue: The Organizational Units are not sorted by name in the Tree View pane. WORKAROUND When adding Organizational Units to the Managed Unit, add them in the order in which you want them to appear in the Tree View pane. For example, if you first add the "Groups" OU, then add the "Special Accounts" OU, and then add the "Users" OU, these three organizational units appear sorted by name in the Tree View pane. |
18427 | ||
When adding values to a multi-value attribute, the Active Roles ADSI Provider may add only the last value in a sequence of values. The problem occurs when you add values one by one, as in the following example:
obj.PutEx 3,"otherHomePhone",Array("123")
obj.PutEx 3,"otherHomePhone",Array("456")
obj.SetInfo()
When executing the code given in this example, the ADSI Provider will only add the "456" value and disregard the "123" value. WORKAROUND Use a single array containing all values to add, as in the following example:
obj.PutEx 3,"otherHomePhone",Array("123", "456")
obj.SetInfo() |
22820 | ||
When using the "Choose Columns" dialog box in the Web Interface, you may encounter the following issue with the "Hidden columns" list: Different list items have the same name. For example, for the object type User, the list includes two items with the same label - Name. WORKAROUND Click Add to move a list item to the "Displayed columns" list. This will allow you to view the LDAP display name which uniquely identifies the item. If you do not want to display the column represented by the item, use the Remove button to delete the item from the "Displayed columns" list. |
24192 | ||
When you use the Web Interface to create a network share, you may encounter the following issue on the "New Share" page: If you specify the path to the folder in the form "DiskLetter:/FolderName", and select the "Create folder if it doesn't exist" check box, the folder is created but a network share on that folder is not.
WORKAROUND In the Path field on the "New Share" page, specify the path in the form "DiskLetter:\FolderName" (use a backslash character (\) rather than a slash mark (/) as a separator in the path). |
24421 | ||
After submitting changes to a certain object for approval, the Web Interface may fail to display the appropriate page, returning the "Object reference is not set to an instance of an object" error. The problem occurs if the Web Interface user does not have the Read permission on the Active Directory container that holds the object. This scenario implies that the object is located by selecting a Managed Unit rather than an Active Directory container, so the Read permission on the container is not required to locate the object. WORKAROUND If modification of a certain object requires approval, ensure that the Web Interface user has the All Objects - Read All Properties permission on the Active Directory container that holds the object. |
24713 | ||
When you use the Web Interface to view the members list of a group that is under the control of an Active Roles Group Family (controlled group), you may encounter the following error: "Exception has been thrown by the target of an invocation." The Web Interface returns this error when you select a controlled group and then click Members, if your logon account does not have the Read permission on the objectClass property of objects that belong to that group. WORKAROUND Apply the "All Objects - Read All Properties" Access Template on a directory container that holds the members of the controlled groups so that the Web Interface users have the Read permission on all properties, including the objectClass property. |
24740 | ||
When you use the Web Interface to configure permission settings on a network file share, you may encounter the following issue: The Web Interface fails to assign permissions to a local user account returning an error message that states "Value does not fall within the expected range." WORKAROUND Use native Windows tools to perform that task. |
25606 | ||
When you use the Advanced Search option in the Approval section of the Web Interface to find an operation by completion date, you may encounter the following issue: The search results include some operations that are waiting for approval and therefore are not completed. This issue occurs with operations that have to be reviewed by multiple approvers. If such an operation is approved by some but not all of the approvers, the operation may appear in the search results list as if it were completed by the specified date. WORKAROUND When configuring a search for operations by completion date, specify an additional rule to ensure that the search returns only the completed operations: select the "Status" field, "Is (exactly)" condition, and "COMPLETED" value; then, select the AND option and click Add to include the new rule in the search filter. |
25913 | ||
Selecting the "Microsoft Exchange System Objects" container in the Web Interface displays a page for managing properties of the container instead of displaying a list of objects held in that container. WORKAROUND Select the "Microsoft Exchange System Objects" container and then click "View Contents" to display a list of objects held in that container. |
26027 | ||
You may encounter incorrect behavior of a DN-syntax, single-value attribute entry after upgrading the Administration Service and Web Interface: If the Web Interface was customized so that such an entry was added to a custom form, then after the upgrade the entry behaves as if the attribute were multi-value. WORKAROUND After the upgrade, use the Active Roles console to correct the configuration of the Web Interface:
|
26046 | ||
When two or more administrators simultaneously use the Customization section of the Web Interface to customize the same Web Interface site, the changes that were made by one of the administrators can be lost. WORKAROUND Ensure that no more than one administrator uses the Customization section of the Web Interface at a time so that no more than one customization session is in progress at a time for each Web Interface site. The session begins when an administrator opens the Customization section of the Web Interface in the Web browser and ends when the administrator issues the Reload command and closes the Web browser window. |
26135 | ||
When you configure custom Web Interface pages for creating objects of a certain type (for example, Contact objects), you may encounter the following issue: If you have added the entry for the Name (name) property by creating a new entry (rather than selecting the existing entry), the pages do not work as expected. The object creation operation fails, returning an error. The error message reads "The 'Name' field cannot be empty." WORKAROUND When configuring the object creation pages, select the existing entry for the naming property Name (name) instead of creating a new entry (on the Select Existing Entries page, select the check box that has the label 'Name' followed by 'name'). |
36775 | ||
When modifying a user account, the Web Interface may fail to set the e-mail alias on the user account in accordance with the E-mail Alias Generation policy that is in effect. For instance, with a policy configured to set the e-mail alias to the user logon name (pre-Windows 2000), the Web Interface may not set the new alias when the pre-Windows 2000 logon name is changed. WORKAROUND Customize the Web Interface to have the e-mail alias (mailNickname) entry and the pre-Windows 2000 logon name (sAMAccountName) entry located on the same Web Interface page (tab) for managing user account properties. |
36788 | ||
There is a limitation on the processing of Property Generation and Validation policy rules in the Web Interface. For a rule to generate a property value on a particular Web Interface form, the form must contain the entries for the properties based on which the value is to be generated. For example, since the form for creating AD LDS user objects does not contain entries for the First Name (givenName) and Last Name (sn) attributes, the Web Interface is unable to process a rule that generates the logon name based on those attributes when creating an AD LDS user object. WORKAROUND Customize the form so that it contains the entries for all the object attributes required by the policy rules that are in effect. In the preceding example, you should add the entries for the First Name (givenName) and Last Name (sn) attributes. |
37870 | ||
If no Global Catalog servers are available in an Active Directory domain, then the Active Directory domain services fail to authenticate a domain user other than the built-in administrator account. In this situation, the Web Interface user may encounter one of the following errors:
WORKAROUND Ensure that at least one Global Catalog server is available in every Active Directory domain. |
39209 | ||
When you select a built-in domain local group (for example, Administrators or Account Operators) in the Web Interface, and then navigate to the "Member Of" page for that group, you encounter the following issue: The "Add" button is available on the "Member Of" page. Clicking "Add" and selecting a group to add the built-in group to causes an error such as "A new member could not be added to a local group because the member has the wrong account type." WORKAROUND Do not use the "Add" button on the "Member Of" page for a built-in group: In Active Directory, built-in groups cannot be added to other groups. |
39531 | ||
When the Active Roles Administration Service cannot access the configuration database, you may receive an inappropriate error message in the Web Interface: "Client cannot use the selected Administration Service due to version incompatibility." WORKAROUND If you receive that error message in the Web Interface, verify that the Administration Service is up and running. It is advisable to check for Event ID 2512 in the Active Roles Admin Service event log. |
39767 | ||
On the "General Properties/Managed By" page for a group in the Web Interface, the object name may not fit in the "Manager" field, so you cannot view the entire name. WORKAROUND You can view the name by copying it to a text editor, such as Notepad: Click in the Manager field, press Ctrl+A, press Ctrl+C, switch to your text editor, and then press Ctrl+V. |
46387 | ||
The following Property Generation and Validation policy rule for computer objects may cause a policy violation when you create a computer account in the Web Interface: 'Computer name (pre-Windows 2000)' must be '%<cn>$' (default value) Upon object creation, this policy generates default value: Yes WORKAROUND Modify the rule by selecting the 'Computer name (pre-Windows 2000) is case-insensitive' option. As a result, the rule changes to: 'Computer name (pre-Windows 2000)' is case-insensitive and must be '%<cn>$' (default value) Upon object creation, this policy generates default value: Yes |
47238 | ||
On the "Member Of" page in the Web Interface, the "Set Primary Group" button is available when you select a group that does not meet the standard requirement for the primary group setting: "A user's primary group must be in the same domain as the user's account and the primary group must be either a global or universal security group." WORKAROUND: If clicking "Set Primary Group" has no effect, verify whether the group you selected meets the above-stated requirement. If not, change your selection. |
54638 | ||
Consider the following scenario. The DN of an AD LDS partition managed by Active Roles contains the DN of an Active Directory domain that is also managed by Active Roles. In this scenario, the Active Roles ADSI Provider may fail to locate the Administration Service when binding to a directory object. WORKAROUND In a binding string, explicitly specify the name of the computer running the Administration Service (for example, "EDMS://server.company.com/CN=John Smith,OU=Research,DC=Gamp,DC=com"). |
55184 | ||
When you assign a secondary owner to a group by using the Web Interface, the "Select Object" dialog box allows you to choose an AD LDS user or group from a Managed Unit. The expected behavior is that only AD DS users or groups can be selected for the role of secondary owner. WORKAROUND When using the "Select Object" dialog box in the Web Interface to select a user or group for the secondary owner role, verify that you do not select an AD LDS user or group. |
103650 103677 | ||
The Web Interface does not support Property Generation and Validation policy rules that control the "name (name)" property value. Thus, a policy rule such as "name=%1<givenName>%<sn>" has no effect on the name of an object when you administer that object in the Web Interface. WORKAROUND: When configuring a policy rule for a certain object class, choose the naming property of that object class rather than the "name (name)" property. The naming property for most object classes is "Name (cn)". The naming property for the Organizational Unit object class is "Name (ou)". So, to work around the issue with the "name=%1<givenName>%<sn>" policy rule on the User object class, you could replace that policy rule with the following one: "cn=%1<givenName>%<sn>" |
104964 | ||
With the E-mail Alias Generation policy configured to set the e-mail alias to the "Name (cn)" property of the user account, the Web Interface fails to create a mailbox-enabled user account, returning an error such as "E-mail alias does not comply with the E-mail Alias Generation policy. A different e-mail alias must be assigned to this user account." WORKAROUND Select the "name (name)" property rather than "Name (cn)" when configuring the E-mail Alias Generation policy with the option "Set e-mail alias to other combination of user properties." |
105471 | ||
When you use the Web Interface to create a new room or equipment mailbox by copying an existing room or equipment mailbox, you encounter the following issue: The settings on the "Resource Information" page are not copied from the original mailbox. WORKAROUND After you have copied a room or equipment mailbox, configure resource information settings for the new mailbox by hand as required. |
106596 | ||
When you use the "Approval/Advanced Search" page in the Web Interface, you may encounter incorrect search results in case of a search rule with the following parameters:
WORKAROUND: Add a search rule with the following parameters:
Use the logical OR operator to combine the newly added rule with the existing rule. |
107621 | ||
The Web Interface does not apply the Property Generation and Validation policy rules or Effective Policy Info settings to the property entries that are configured with the IsStatic attribute set to TRUE (IsStatic="true"). WORKAROUND When configuring a property entry that is subject to the Property Generation and Validation policy rules or Effective Policy Info settings, avoid the use of the IsStatic attribute. Set the ReadOnly attribute to TRUE instead (ReadOnly="true"). For information regarding the entry configuration attributes, see topic "The Entries Settings" in the Active Roles SDK. |
130826 | ||
Consider the following scenario. You select a domain or an Organizational Unit (OU) in the TREE pane in the Web Interface, choose the "New Organizational Unit" command, and create an OU. In this scenario, the newly created OU may not appear in the tree view, even after you click the "Refresh" button in the top-right corner of the TREE pane. WORKAROUND In the tree view, click the domain or the Organizational Unit to which you applied the "New Organizational Unit" command (this is the parent container of the newly created OU), and then click the "Refresh" button in the TREE pane. This will cause the tree view to display the newly created OU. |
209882 | ||
Consider the following scenario. You open the "Approval" page in the Web Interface, click "Advanced Search" and configure a search condition to search for a certain property value, approver action, or approval task title. If you specify the value in quotation marks, then your search causes an error in the Web Interface. For example, the following search condition causes an error:
WORKAROUND Do not use quotation marks in the Value field. Thus, in the above example, you should type Approve instead of "Approve" in the Value field. |
211135 | ||
Consider the following scenario. You use a Web browser other than Windows Internet Explorer to customize the Web Interface. You open the "Customization | Directory Objects" page in the Web Interface, select any menu for AD LDS objects (for instance, "container - AD LDS Object"), select any form-based command (for instance, "Properties"), click "Edit Form" to start the Form Editor, and then choose "Add Entry | Create" or "Add Entry | Select" in the Form Editor to add an entry to the form. In this scenario, you encounter one of the following errors:
WORKAROUND In the above scenario, use Windows Internet Explorer to customize the Web Interface. |
219941 | ||
When you use the Web Interface to start an automation workflow with a parameter name containing a quotation mark ("), you may encounter a script error stating "Unable to set property 'control' of undefined or null reference." WORKAROUND When configuring workflow parameters, ensure that the name of the parameter contains only alphanumeric characters (letters or digits). You may safely use non-alphanumeric characters, such as quotation marks, in the display name of the parameter. |
312242 | ||
When you use the ActiveRoles Web Interface to start an automation workflow with a parameter name containing a colon (:), comma (,) or dollar sign ($), you may encounter an error condition. The error message is one of the following: WORKAROUND When configuring workflow parameters, ensure that the name of the parameter contains only alphanumeric characters (letters or digits). You may safely use non-alphanumeric characters, such as a colon (:), comma (,) or dollar sign ($), in the display name of the parameter. |
312243 | ||
If you have any customizations of the Web Interface from an earlier Active Roles version that use custom code or images stored in the CustomCode or CustomImages folder in the Web Interface installation directory, then you lose those customizations after upgrade to Active Roles 7.1, as the contents of the CustomCode and CustomImages folders are not copied to the new Web Interface version during upgrade. WORKAROUND After upgrade, copy the files held in the CustomCode and CustomImages folders to the corresponding folders in the Active Roles 7.1 Web Interface installation directory, and then restart the Web server running the Active Roles 7.1 Web Interface. |
447158 | ||
After enabling Request Validation (<add key="EnableRequestValidation" value="true"/>), the following error may be displayed even when an expected operation is performed: "A potentially dangerous Request.Form value was detected from the client." WORKAROUND To solve this issue, update the IgnoreForValidation key in the <AppSettings> section.
To modify the key:
|
652470 | ||
After enabling EnableAntiForgery (<add key="EnableAntiForgery" value="true"/>), the following error may be displayed in a new tab: " {"State":1,"ErrorMessages":["Session timeout due to inactivity, Please reload the page to continue."],"Arguments":null} " WORKAROUND To solve this issue, update the IgnoreValidation key in the <AppSettings> section.
To modify the key: Open IIS Manager, expand the default website, and click the Active Roles application (the default is ARWebAdmin).
|
653530 | ||
Active Roles Web interface supports exporting linear nested access templates only. Exporting circular nested access templates may cause errors. |
675024 | ||
The Azure Password complexity does not match with Azure policy. WORKAROUND The Azure password complexity requirement expects password length to be 8. Hence, you must set the minPwdLength attribute on the domain to 8. |
672022 | ||
Active Roles uses Graph API to communicate with Azure AD. However, Graph API is not supported in a federated environment for updating Azure object attributes. Hence, after any create or update operation through the Active Roles Web Interface (for example, Update attribute, Deprovision, Undo-deprovision, and so on), the changes are not visible in Azure AD immediately. WORKAROUND You must wait for the delta sync (using AADConnect) to complete from local AD to Azure AD in order to see the updated information. |
675092 | ||
Azure configuration and Azure object creation are not possible through the HelpDesk and Self-Service portals. WORKAROUND To enable a help desk user to perform Azure-related operations, provide the user with delegated rights; the user must then use the Administrators site to perform the required operation. |
682586 | ||
After an in-place upgrade of Active Roles, the "Configuration to import" drop-down list does not display existing website configurations when you try to create a new website before completing the service upgrade. WORKAROUND
|
690566 | ||
Currently, Active Roles Web interface does not support setting the Exchange online Property of ProhibitSendQuota value in Storage Quotas. |
728521 | ||
Currently, Active Roles Web interface does not support enabling or disabling IMAP properties for Exchange online Azure user. |
729370 |
Known issue |
Issue ID |
Consider the following scenario. You are using the Active Roles console to register an AD LDS instance with Active Roles. On the Active Roles Credentials page in the Add Managed AD LDS Instance wizard, you specify an incorrect account (for example, an account that does not have sufficient rights to access the desired AD LDS instance). Then, you return back to the previous page of the wizard and click Next on that page. In this scenario, you may receive an error message stating “There is no such object on the server.” WORKAROUND Close the wizard by clicking Cancel, and start registering the AD LDS instance again. Another option is to click Next again, without closing the dialog box that displays the error message, and then close that dialog box. |
26019 |
Consider the following scenario. You are using the Active Roles console to manage a mailbox-enabled user account that resides in a forest other than the forest in which the console is installed. In addition, the domain of your user account is not trusted by the domain of the account being managed. You open the Exchange Advanced tab in the Properties dialog box for that mailbox-enabled user and click Mailbox Rights. Then, you click Add in the Permissions dialog box to select users or groups for which you want to assign permissions. WORKAROUND In this scenario, you can use the Active Roles Web Interface to configure mailbox rights. The Web Interface would allow you to select users or groups from the location you want. |
26398 |
The Active Roles console incorrectly processes Property Generation and Validation policy rules that include any values containing a backslash character (\). WORKAROUND To specify one backslash character (\) in a Property Generation and Validation policy rule, use a combination of two backslash characters (\\). For example, to specify a policy rule such as “Network path must begin with \\server\”, enter \\\\server\\ in place of \\server\. |
37815 |
For a Dynamic Group or Managed Unit with a membership rule based on a custom LDAP query, the Active Roles console may incorrectly display the query in the dialog box for editing the rule: A closing parenthesis character may get removed. WORKAROUND When editing such a query, verify the query to ensure that the syntax is correct. If necessary, add the closing parenthesis character at the end of the string. Another option is to modify the query so as to change the order of sub-filter strings. |
39592 |
Consider the following scenario. You have a Dynamic Group configured in Active Roles with complex membership rules (for example, using a complex query that returns a large number of objects). You open the Properties dialog box for that group, go to the Members tab, and click Rebuild. The console informs you of the fact that you are going to start a lengthy operation, without giving you the option to cancel the operation. When you click OK in the warning message box, the console may stop responding for a certain time period. WORKAROUND: Wait while Active Roles completes the rebuild operation. |
55373 |
In the Active Roles console, when you right-click a selection containing a large number of objects (100+), you may experience a long delay before the shortcut menu is displayed. WORKAROUND: Wait while the console processes your selection. Consider using a selection of fewer objects. |
55600 |
You may encounter a noticeable delay in the Active Roles console when you click the plus sign (+) to expand an Organizational Unit (OU) in the “Browse for Container” dialog box. This issue is most likely to occur if the OU holds a large number of other OUs. WORKAROUND: If you need to select the OU itself, avoid expanding the OU; only click the name of the OU in the “Browse for Container” dialog box. To select an OU that is held within another (parent) OU, you have to wait while the console expands the parent OU. |
55919 |
You may encounter a noticeable delay in the Active Roles console when saving your changes to a Group Family configuration that were made from the Groupings tab in the Properties dialog box for the Group Family configuration storage group. Clicking OK or Apply on that tab may cause the console to “hang” for up to a minute. This issue is most likely to occur if the Group Family is configured to search within a large number of objects (50,000+), and has two or more group-by properties specified. WORKAROUND: When you specify the location of managed objects for Group Family, avoid choosing containers that hold a large number of objects. |
55998 |
When you configure the “<attribute> must be <value>” policy rule for a Property Generation and Validation policy, you may encounter an issue in the following scenario. Suppose you have specified a list of acceptable values for a certain attribute and selected one of them to be the default value. Then, you choose the “Sort Items Ascending” or “Sort Items Descending” command from the shortcut menu to reorder the values. As a result, the default value setting may change: the value that now occupies the first position in the list is set as the default value. WORKAROUND: After the values have been reordered, right-click the value that you want to be default, and then click “Set as Default Value”. |
64436 |
You may encounter an issue in the following scenario of configuring a workflow that includes an approval or notification activity. Suppose the workflow applies to the User object type (“User” is selected as the target object type in the workflow start conditions). You specify notification settings for a particular event so that the “Manager of operation target object” option is selected in the “Notification recipients” area. Then, you change the target object type in the workflow start conditions by selecting “Group” instead of “User”. In this scenario, the “Manager of operation target object” option gets cleared (so notification e-mails will not be sent to the manager), but the event with that recipient remains in the “Events, Recipients and Messages” list. Re-selecting the “Manager of operation target object” option causes the manager to be specified two times in the “Notification Recipient” field of the corresponding list entry under “Events, Recipients and Messages”. WORKAROUND: Prior to changing the target object type from User to Group, or vice versa, verify the notification settings for all events to ensure that the “Manager of operation target object” option is not selected. |
93007 |
The Active Roles console may return an error message stating that the console cannot use the Administration Service on a particular computer due to version incompatibility, although both the console and the Administration Service are of the same version. This issue occurs if the user account under which the console is running does not have sufficient rights to access the Administration Service. Under that condition the console attempts to contact the Administration Service with the credentials of the Guest user account, and fails to identify the version of the Administration Service. As a result, it displays an error message that informs of a version mismatch. WORKAROUND: Disable the Guest user account. |
104085 |
When you use the “Select Objects” dialog box in the Active Roles console, you may encounter the following issue: If you type in a name and then click “Check Names”, Active Roles fails to find any object if the name you supplied contains a backslash character (\). WORKAROUND: Select the desired object from the list in the “Select Objects” dialog box. |
118209 |
When you use the Active Roles console to edit a PowerShell based script, you encounter the following issue: The “Include Library Script” command does not function as expected in the Script Editor. WORKAROUND: To include a library script into a PowerShell based script, add the following code to the onInit function in that script: function onInit($context) |
134558 |
When you configure a Scheduled Task in the Active Roles console, you may encounter the following issue: The “All servers” item is missing from the “Execute on” list on the General tab in the Properties dialog box for the Scheduled Task object, so you cannot configure the Scheduled Task to be executed by all instances of the Administration Service in your Active Roles environment. WORKAROUND: Use the following steps to enable the “Execute on all servers” option for a Scheduled Task:
|
186054 |
When you rename a Policy Type object by using the Rename command in the Active Roles console, you encounter the following issue: The Rename command only changes the name of the object, leaving the object's display name intact. WORKAROUND: You can change the display name of a Policy Type object on the General tab in the Properties dialog box for that object. |
218881 |
After you have created a Policy Type object implementing a custom workflow activity (the Policy Type category is set to “Workflow activity”), the Workflow Designer may not display the new activity item in the toolbox. WORKAROUND: To ensure that the Workflow Designer displays all activity items, including those based on the newly created Policy Type objects, click the “Refresh Toolbox” button next to the search box at the top of the left pane in the Workflow Designer. |
227628 |
When you configure a CRUD or Search activity, you encounter the following issue: The point-and-click interface in the Workflow Designer does not allow you to select an object or container from the Active Roles Configuration namespace. For example, when you configure a “Create” activity, you cannot select a sub-container of the Active Roles Configuration container so as to have the activity create objects in that sub-container. WORKAROUND: You can use the “Object identified by DN-value rule expression” option to specify the Distinguished Name of the desired object or container, including the Distinguished Name of an object or container held in the Active Roles Configuration container. The following steps demonstrate how to specify the “Configuration/AT Links” container for a “Create” workflow activity:
|
228096 |
The Script Editor provided by the Active Roles console may change the letter case of certain words in comment strings within a PowerShell script. For instance, after you save a PowerShell script in the Script Editor, “FOR” changes to “for” (all lowercase) and “xml” changes to “XML” (all uppercase). The issue occurs with multi-line comments, that is, multiple lines enclosed in the “<#” and “#>” tags. WORKAROUND: Use single-line comments where each comment line begins with a number sign (#). |
302897 |
For Active Roles Server, indexes are added to the database tables only when a new database is chosen during installation. Indexes are not added when an existing database installation is upgraded. To resolve this issue, run the following script through SQL:
use [<DataBaseName>]
go
CREATE CLUSTERED INDEX [_dta_index_CVSAValues_c_20_534292963__K1] ON [dbo].[CVSAValues] ( [objectGUID] ASC ) WITH (SORT_IN_TEMPDB = OFF, IGNORE_DUP_KEY = OFF, DROP_EXISTING = OFF, ONLINE = OFF) ON [PRIMARY]
go
CREATE STATISTICS [_dta_stat_534292963_1_3] ON [dbo].[CVSAValues]([objectGUID], [attributeSchemaIDGUID])
go
CREATE NONCLUSTERED INDEX [_dta_index_CVSAIndexedValues_20_550293020__K2_5] ON [dbo].[CVSAIndexedValues] ( [attributeValueGUID] ASC ) INCLUDE ( [isLongValue]) WITH (SORT_IN_TEMPDB = OFF, IGNORE_DUP_KEY = OFF, DROP_EXISTING = OFF, ONLINE = OFF) ON [PRIMARY]
go
|
651518 |
Currently, on Active Roles, Properties page, after a sub property window is closed using |
715563 |
Currently, in Active Roles, designating Approvers while escalating an approval request using a script function throws an exception when a persistent variable is used. |
705698 |
Currently in Active Roles, for CA integration Policy, deprovision reports are not being sent and the following error is displayed: Root element is missing and Specified method is not supported. |
706844 |
In a scenario where multiple SKUs are available, and Azure Management Provisioning Policy is configured for a specific license of an SKU, the specific license, if available for other SKUs, appears to be enabled (check box is selected) in the policy. |
729393 |
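For issue 651518 above (indexes not created when an existing database is upgraded), the following read-only check is an added example, not part of the original release notes. It reports which of the three objects from the script in that issue already exist and whether dbo.CVSAValues already has a clustered index, since a table can hold only one. The database name is the same placeholder the script uses, and the result column names are assumptions of this example.

```sql
-- Added example: pre-check before running the index script from issue 651518.
-- [<DataBaseName>] is the placeholder used on the page; substitute your database.
use [<DataBaseName>]
go

-- 1. Which of the two indexes named in the script are already present?
SELECT expected.table_name,
       expected.index_name,
       CASE WHEN i.name IS NULL THEN 'MISSING' ELSE i.type_desc END AS index_status
FROM (VALUES
        (N'CVSAValues',        N'_dta_index_CVSAValues_c_20_534292963__K1'),
        (N'CVSAIndexedValues', N'_dta_index_CVSAIndexedValues_20_550293020__K2_5')
     ) AS expected(table_name, index_name)
LEFT JOIN sys.indexes AS i
       ON i.object_id = OBJECT_ID(N'dbo.' + expected.table_name)
      AND i.name      = expected.index_name;
go

-- 2. Does dbo.CVSAValues already have a clustered index under another name?
--    If a row is returned, CREATE CLUSTERED INDEX from the script will fail
--    until that situation is reviewed.
SELECT i.name           AS existing_clustered_index,
       i.is_primary_key AS backs_primary_key
FROM sys.indexes AS i
WHERE i.object_id = OBJECT_ID(N'dbo.CVSAValues')
  AND i.type = 1;  -- 1 = clustered rowstore index
go

-- 3. Is the statistics object from the script already present?
SELECT CASE WHEN EXISTS (
           SELECT 1
           FROM sys.stats AS s
           WHERE s.object_id = OBJECT_ID(N'dbo.CVSAValues')
             AND s.name      = N'_dta_stat_534292963_1_3')
       THEN 'PRESENT' ELSE 'MISSING' END AS statistics_status;
go
```

Run only the statements from the script whose objects are reported as MISSING; the script sets DROP_EXISTING = OFF, so re-creating an index that already exists raises an error.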
Known issue |
Issue ID |
Containers other than Organizational Units do not show up on the OU-related reports. For example, such reports do not include information about the Users or Builtin container. WORKAROUND Create a Managed Unit that holds the container and then use Managed Unit-related reports to display data from that container. To create a Managed Unit that holds a given container, use the Active Roles console. When creating the Managed Unit, specify the membership rule with the following settings:
|
23641 |
On domains with a large number of directory objects (typically 100,000 or more user accounts), you may encounter significant performance degradation of the Data Collector component. Thus, a data collection job may take more than 30 hours to finish running for a domain containing 100,000+ user accounts. |
24297 |
When using SSRS Report Manager to export an Active Roles report in Excel format, you may experience the following problem: The report data in the resulting Excel book is incomplete. WORKAROUND Choose a different export format. |
49955 |
In the Active Roles reports, the filter options that use the "like" operator (such as "Object name like") do not support the asterisk (*) wildcard character, which is expected to represent a string of zero or more characters. WORKAROUND Use the percent character (%) to represent any string of zero or more characters, or use the underscore character (_) to represent any single character. |
50295 |
In the Active Roles reports, a filter option that uses the "like" operator (such as "Object name like") may cause an error if the option value contains an apostrophe or single quotation mark character ('). WORKAROUND In the "like" option value, enclose each of the apostrophe or quotation mark characters in brackets, such as [']. |
107520 |
After you install Active Roles 7.2 (or upgrade to Active Roles 7.2), no special steps are required to activate your purchased commercial license for Active Roles.
You can use product usage statistics to verify your Active Roles licensing compliance. For further details, see “Evaluating product usage” in the Active Roles Administrator Guide.
In Active Roles 7.2, enhancements are made for in-place upgrade processes. For instructions on how to upgrade from an earlier Active Roles version, see the Active Roles 7.2 Quick Start Guide. The Quick Start Guide also contains instructions on how to perform installation and initial configuration of Active Roles 7.2.
For instructions on how to install and configure the Synchronization Service, see the Active Roles 7.2 Synchronization Service Administrator Guide.
For instructions on how to upgrade Active Roles, refer to the Active Roles Quick Start Guide.
When performing the upgrade, keep in mind that the components of the earlier version may not work in conjunction with the components you have upgraded. To ensure smooth upgrade to the new version, you should first upgrade the Administration Service and then upgrade the client components (Console and Web Interface).
Custom solutions (scripts or other modifications) that rely on the functions of Active Roles may fail to work after an upgrade due to compatibility issues. Prior to attempting an upgrade, you should test your existing solutions with the new version of the product in a lab environment to verify that the solutions continue to work.
© 2021 One Identity LLC. ALL RIGHTS RESERVED.