Unable to add AD user as a manager, told the object cannot be found

  • Question

  • Hi!

    I've got a user in my AD that seems to be invisible to Active Directory. I'm trying to add her as the Manager of another user, but when I search for her, whether I use the sAMAccountName or Display Name, I get told "An object (User) with the following account name cannot be found." The user definitely exists, however! She can sign into the domain, I can see her in ADUC, her email functions, and I can add her to groups and so forth by opening her user object and adding the group. However, if I go to a group and try adding her there, I get the same result: I'm told that the object cannot be found.

    We've got two domain controllers, and I've verified that I can see her when I'm connected to both via ADUC and ADSIEdit. Replication between the DCs seems to be fine. She's in the same OU as every other user we have.

    Any ideas what's going on here?

    Friday, December 12, 2014 7:22 PM

Answers

  • First, make sure your correct domain is selected. Your error message already indicates you have selected objects of class user. Then try the "Advanced" tab, where you find users where the name (RDN) starts with a specified string. And make sure you search on the RDN, not the displayName. Otherwise, I'm at a loss.

    Richard Mueller - MVP Directory Services

    • Marked as answer by Graham Starfelt Wednesday, December 17, 2014 11:37 PM
    Wednesday, December 17, 2014 10:00 PM

All replies

  • Hello Graham,

    I advise you to force replication on both domain controllers and try again.

    Btw, are you having the same problem on both DCs?

    You can verify that the user can be found on both DCs with the command:

    Get-ADUser -Filter {GivenName -eq 'Name'}

    In my opinion, it's an inconsistent database due to replication failure.

    Best Regards,


    Sergio Figueiredo
    Microsoft Certified Solutions Associate

    Saturday, December 13, 2014 3:56 PM
  • Assuming both DCs are Windows 2008 R2 or above, I would suggest trying:

    Get-ADUser -LDAPFilter "(sAMAccountName=jsmith)" -Server mydc1

    substituting the correct value for sAMAccountName. Target both DC's to make sure you get the same result.

    It is possible to "hide" user objects so not everyone can see them, but then the same user would also fail to see the user in ADUC.

    If one DC is Windows 2003 and doesn't support the AD modules, then use dsquery:

    dsquery * -Filter "(sAMAccountName=jsmith)" -S mydc1


    Richard Mueller - MVP Directory Services

    Saturday, December 13, 2014 4:46 PM
  • Hi,

    I just want to confirm what is the current situation.

    Please feel free to let us know if you need further assistance.

    Regards.


    Wednesday, December 17, 2014 8:03 AM
    Moderator
  • Hi guys,

    Get-ADUser successfully returns the correct information for the user in question on both domain controllers. I forced replication successfully, as well. However, my original problem persists. Any other suggestions?

    Wednesday, December 17, 2014 9:00 PM
  • Can you add the user to groups using AD PowerShell with Add-ADGroupMember?
    Wednesday, December 17, 2014 9:25 PM
  • Can you add the user to groups using AD PowerShell with Add-ADGroupMember?
    Yup, that worked just fine.
    Wednesday, December 17, 2014 9:49 PM
  • First, make sure your correct domain is selected. 

    Richard Mueller - MVP Directory Services

    And this is what led to me finding the solution. For whatever reason, with this particular user, I need to have "Entire Directory" selected as the Location, instead of Domainname.com. Nobody else in the organization is like that. If you have any ideas why that might be, I'd love to hear them.
    Wednesday, December 17, 2014 11:37 PM
  • My test domain has many users (and groups) with unusual names, strange characters, foreign characters, etc. plus unusual OU and container names and nesting. Every name I tried worked. I did not need to select "Entire Directory" for any of the users or groups. I cannot duplicate your problem.


    Richard Mueller - MVP Directory Services

    Thursday, December 18, 2014 6:59 PM
  • I forgot to try users with RDN that has a leading space. I did fail to find these users when assigning manager. The dialog seems to automatically remove leading spaces when you click "Check Name". However, it did not help when I selected "Entire Directory", and the user was found by sAMAccountName no problem (leading spaces are not allowed in sAMAccountNames). Also, the user was found on the "Advanced" tab, where users are searched by names starting with a string. Actually, users are found regardless of the leading space, so searching for " fred" found users starting with " fred" or "fred". So the leading space is ignored. None of this explains your experience.

    Richard Mueller - MVP Directory Services

    Thursday, December 18, 2014 7:43 PM
  • Correction. ADUC does not allow you to assign a sAMAccountName with a leading space, but you can do it in a script. A user with sAMAccountName that starts with a space cannot be found in the assign manager dialog (searching by sAMAccountName), but selecting "Entire Directory" does not help, so that cannot be your problem. ADUC seems to automatically strip out any leading spaces. A user with leading space in both RDN and sAMAccountName could not be found in a search at all in ADUC, except using the "Advanced" tab where it can only be found by RDN.

    Richard Mueller - MVP Directory Services

    Thursday, December 18, 2014 7:57 PM
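
The checks discussed in this thread, gathered into one script as an added example (not code from any poster): it asks every DC for the account, brackets the names so stray leading or trailing spaces are visible, shows the canonical name (and so the domain holding the object), and then sets the manager without going through the object picker dialog. The function names and the 'report1' account are hypothetical, 'jsmith' is the placeholder used above, and it is an assumption that Set-ADUser succeeds here the way Add-ADGroupMember did for the original poster.

```powershell
# Added example; needs the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # Escape the RFC 4515 special characters so the value is matched literally.
    param([Parameter(Mandatory)][string]$Value)
    $sb = New-Object System.Text.StringBuilder
    foreach ($c in $Value.ToCharArray()) {
        if ('\*()'.IndexOf($c) -ge 0 -or [int]$c -eq 0) {
            [void]$sb.AppendFormat('\{0:x2}', [int]$c)
        } else {
            [void]$sb.Append($c)
        }
    }
    $sb.ToString()
}

function Get-UserViewPerDC {
    # Ask every DC for the account and report how each one sees it.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $filter = "(sAMAccountName=$(ConvertTo-LdapFilterValue $SamAccountName))"
    foreach ($dc in Get-ADDomainController -Filter *) {
        $u = Get-ADUser -LDAPFilter $filter -Server $dc.HostName -Properties CanonicalName, whenChanged
        $padded = $false
        if ($u) {
            # True when the RDN or the sAMAccountName carries leading/trailing whitespace.
            $padded = ($u.Name -ne $u.Name.Trim()) -or
                      ($u.SamAccountName -ne $u.SamAccountName.Trim())
        }
        [pscustomobject]@{
            DC            = $dc.HostName
            Found         = [bool]$u
            Name          = if ($u) { "[$($u.Name)]" }            # brackets expose stray spaces
            SamAccount    = if ($u) { "[$($u.SamAccountName)]" }
            CanonicalName = if ($u) { $u.CanonicalName }          # domain/OU path of the object
            WhenChanged   = if ($u) { $u.whenChanged }
            PaddedName    = $padded
        }
    }
}

Get-UserViewPerDC -SamAccountName 'jsmith' | Format-Table -AutoSize

# Set the manager directly by distinguished name, bypassing the "Select User" dialog.
# -WhatIf only previews the change; remove it to apply.
$mgr = Get-ADUser -LDAPFilter "(sAMAccountName=$(ConvertTo-LdapFilterValue 'jsmith'))"
if ($mgr) { Set-ADUser -Identity 'report1' -Manager $mgr.DistinguishedName -WhatIf }
```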