Unable to manage users and groups in a cross domain configuration

Article ID: 220471

Products

CA Identity Manager, CA Identity Suite

Issue/Introduction

Unable to remove groups in Modify Active Directory Account if the group is from another domain in the same Active Directory forest.

Example 1:

We have three active directory domains (example A, B and C) in one Active Directory forest.

User xyz from domain B can be a member of groups from the A/B/C domains.

When we access the B.xyz account from Modify User's Endpoint Accounts > Modify Active Directory Accounts, we can see groups from the A/B/C domains in the Groups tab.

When we try to remove groups from domain A or C, the task completes but the groups are not removed.

Example 2:

Unable to view or remove group members from another domain in the same forest.

When we access any group under Endpoint > Manage Endpoint Groups > Modify Endpoint Group, we can add members from another domain in the same forest, but existing members from other domains are not shown, so we cannot remove members from other domains in the same forest.

Cause

There are two causes of this issue.

The first cause is that the Active Directory Endpoint is not configured with SSL.

The second cause is a defect.

Environment

Release: 14.4, 14.3CP2

Component: IdentityMinder (Identity Manager)

Resolution

There are two steps to resolving this issue.

The first step is to ensure that the Active Directory Endpoint is configured to use SSL:

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-management-and-governance-connectors/1-0/connectors/microsoft-connectors/microsoft-active-directory-exchange-and-skpye-for-business(lync)/known-issues-with-active-directory,-exchange,-skype-for-business.html

The second step is to open a support case and request the hotfix: DE503852