AD Import Rule for Role and Account is failing with: No security groups defined and 'ImportAllGroups' is not set.
search cancel

AD Import Rule for Role and Account is failing with: No security groups defined and 'ImportAllGroups' is not set.

book

Article ID: 173150

calendar_today

Updated On:

Products

IT Management Suite

Issue/Introduction

You are trying to bring Roles and Accounts to your SMP Server. You created an "Import Role and Account resources" Rule that points to one of this OUs in AD. However, when you run the rule, you get this error:

No security groups defined and 'ImportAllGroups' is not set.

 

Directory import failed.

No security groups defined and 'ImportAllGroups' is not set.
   [Altiris.DirectoryServices.RuleImportException @ Altiris.DirectoryServices]
   at Altiris.DirectoryServices.NSDirectoryItems.DirectoryImportTask.DoDirectoryImportTask(String taskid, String importXml, Boolean bUpdateImport)

Exception logged from:
   at Altiris.DirectoryServices.NSDirectoryItems.DirectoryImportTask.SetException(Int32, Int32, Altiris.NS.StatusMessage.LocalizableInterpocessMessage, Exception)
   at Altiris.DirectoryServices.NSDirectoryItems.DirectoryImportTask.DoDirectoryImportTask(String, String, Boolean)
   at RuntimeMethodHandle.InvokeMethod(Object, Object[], Signature, Boolean)
   at System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(Object, Object[], Object[])
   at System.Reflection.RuntimeMethodInfo.Invoke(Object, System.Reflection.BindingFlags, System.Reflection.Binder, Object[], System.Globalization.CultureInfo)
   at Altiris.NS.TaskManagement.TaskThread.Execute(Altiris.NS.TaskManagement.TaskManagerServiceArgs, Altiris.NS.ContextManagement.ProgressContext)
   at Altiris.NS.TaskManagement.CoreTaskServiceThreadBase<T,TStartArgs>.ExecuteThreadProc(Object)
   at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, Object, Boolean)
   at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, Object, Boolean)
   at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, Object)
   at System.Threading.ThreadHelper.ThreadStart(Object)

-----------------------------------------------------------------------------------------------------
Tick Count: 1612182625 (18.15:49:42.6250000), Size: 1.97 KB
Process: AeXSvc (1352), Thread ID: 406, Module: Altiris.DirectoryServices.dll
Priority: 1, Source: Altiris.DirectoryServices.NSDirectoryItems.DirectoryImportTask.SetException

Environment

ITMS 7.x, 8.x

Cause

The message refers that for the "Import Role and Account resources" AD Rule, it requires that a security Group is selected.

In this example, we have setup a new OU (organizational unit) called "Contractors". As well a sub-OU called "Sales". In the sub-OU "Sales" a new user was created called "Lab Tester" in this fictional EPM.local domain.

When we selected the OU for this Import Role and Account resources AD Rule, we selected the "Sales" sub-OU.

However, this OU doesn't contain a security group that has this user as a member. The Import Rule requires a Security Group as part of the OU that is been imported to work properly.

Resolution

  1. Create a Security Group in the desired OU and make sure these users are part of it.





     
  2. OR use the "Users" OU for this import Role and Account resources AD Import Rule, which should bring any user for all the security groups already present (in this example this user called " Lab Tester" also belongs to the "Domain Users" security group as shown in the previous screenshot)