ADMA Outbound - GroupMembership ADD now fails with "permission-issue" after adding "false=>MembershipLocked" to sync rule

  • Question

  • I have implemented declarative rules for managing a specific group from a source forest to target forest. I have successfully added users to the group by modifying the source group and having them sync to the target group membership.

    Even with it working I was seeing errors that a required attribute was missing, "membershipLocked", and after reviewing documentation and blogs I added it to the inbound attribute flow on the source & target connectors. It is set to "false".

    Now I am getting permission errors on the Add to membership on the target.  Any suggestions?

    Thanks, Stu

    Monday, September 14, 2015 2:22 PM

All replies

  • Troubleshooting this issue indicated that the error is caused by my target group being a PROTECTED group, as it is a member of the Domain Admins group.

    What is the best way to handle managing a group by FIM when it is protected and AD automatically disables inheritance and marks AdminCount = 1?

    Should I assign the required MA account permissions directly on the target group?

    -Stu

    Monday, September 14, 2015 4:00 PM
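The follow-up question asks whether the management agent account's permissions should be placed directly on the protected target group. The practical caveat is that the SDProp process periodically re-stamps every adminCount=1 object with the ACL of CN=AdminSDHolder,CN=System,<domain>, so an ACE added directly to the group is removed again. The script below is an added example and is not from the original thread or from FIM/MIM itself; it checks whether the group is protected and then grants the MA account Write Property on the member attribute through AdminSDHolder. The group name, the service account name and the domain are assumed placeholders.

```powershell
# Added example (not from the original thread): inspect a protected group and grant
# the FIM/MIM management agent account write access to its "member" attribute via
# AdminSDHolder, so SDProp propagates (rather than strips) the permission.
# Assumed names: group 'Tier0-Ops', MA service account 'CONTOSO\svc-fimma'.
Import-Module ActiveDirectory

$GroupName = 'Tier0-Ops'            # assumed target group managed by the sync rule
$MaAccount = 'CONTOSO\svc-fimma'    # assumed ADMA service account

# 1. Is the group protected? adminCount=1 and inheritance disabled are the marks SDProp leaves.
$group = Get-ADGroup -Identity $GroupName -Properties adminCount
$acl   = Get-Acl -Path ("AD:\" + $group.DistinguishedName)
[pscustomobject]@{
    Group               = $group.DistinguishedName
    AdminCount          = $group.adminCount
    InheritanceDisabled = $acl.AreAccessRulesProtected
} | Format-List

# 2. Grant Write Property on the "member" attribute to the MA account on AdminSDHolder.
#    SDProp copies this ACL to every adminCount=1 object (by default every 60 minutes).
$memberAttrGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of the member attribute
$domain    = Get-ADDomain
$holderDn  = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
$holderAcl = Get-Acl -Path ("AD:\" + $holderDn)

$identity = New-Object System.Security.Principal.NTAccount($MaAccount)
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $identity,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $memberAttrGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
)
$holderAcl.AddAccessRule($rule)
Set-Acl -Path ("AD:\" + $holderDn) -AclObject $holderAcl

# 3. Ask the PDC emulator to run SDProp now instead of waiting for the next cycle,
#    then re-read the group's ACL to confirm the new ACE arrived.
$rootDse = [adsi]"LDAP://$($domain.PDCEmulator)/RootDSE"
$rootDse.Put('runProtectAdminGroupsTask', '1')
$rootDse.SetInfo()
Start-Sleep -Seconds 30
(Get-Acl -Path ("AD:\" + $group.DistinguishedName)).Access |
    Where-Object { $_.IdentityReference -eq $MaAccount } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType
```

Run it as a Domain Admin on a domain-joined host with RSAT. Note what this grant means: any ACE on AdminSDHolder applies to every protected principal in the domain, including Domain Admins and Enterprise Admins, so the MA account becomes a Tier 0 credential and must be protected accordingly (restricted logon, no interactive use, monitored changes to the member attribute). If only this one group needs to be FIM-managed, removing it from Domain Admins so it stops being protected is the smaller-blast-radius alternative.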