000020991 - 'Domain Users' group is not a valid RSA ClearTrust group

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number: 000020991
Applies To: RSA ClearTrust 5.0.1 Authorization Server (AServer)
Microsoft Windows 2000 Advanced Server SP4
Microsoft Active Directory
Issue: "Domain Users" group is not a valid RSA ClearTrust group.
Unable to list users in the "Domain Users" group from RSA ClearTrust Entitlements Manager (or only some users show).
Cause
The "Domain Users" group is not exposed through the Active Directory LDAP interface in the usual way. User-defined groups carry a member attribute that lists each user of that group. The Domain Users group has no member values; its membership is computed from a proprietary index that is not exposed via LDAP. "Domain Users" is the primary group (primaryGroupID) of each user object, so users are automatically members of this group and cannot be explicitly added to or removed from it.

See the following article for more information: http://support.microsoft.com/default.aspx?scid=kb;en-us;322692. "The Domain Users group uses a "computed" mechanism based on the "primary group ID" of the user to determine membership and does not typically store members as multi-valued linked attributes".

See the following article for more information: http://support.microsoft.com/default.aspx?scid=kb;en-us;275523. "When you view Active Directory with a Lightweight Directory Access Protocol (LDAP) utility such as Ldp.exe, the Members attribute is not populated with the Primary group".
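The computed membership mechanism described above, as an added example (not part of the RSA article or the ClearTrust product): a small Python resolver over a constructed, in-memory directory that combines a group's explicit member attribute with users whose primaryGroupID equals the group's RID, and builds the equivalent LDAP filter. The DNs, SIDs and function names are assumptions.

```python
"""Resolve effective AD group membership: explicit `member` values plus users
whose primaryGroupID equals the group's RID. This is why "Domain Users" looks
empty when only the member attribute is read over LDAP."""

from typing import Dict, List

# Constructed sample directory (not real data): one dict per LDAP entry.
SAMPLE_ENTRIES: List[Dict] = [
    {"dn": "CN=Domain Users,CN=Users,DC=example,DC=com", "objectClass": "group",
     "objectSid": "S-1-5-21-1111-2222-3333-513",  # RID 513 is Domain Users
     "member": []},                                # no member values over LDAP
    {"dn": "CN=Portal Users,OU=Groups,DC=example,DC=com", "objectClass": "group",
     "objectSid": "S-1-5-21-1111-2222-3333-1105",
     "member": ["CN=alice,CN=Users,DC=example,DC=com",
                "CN=bob,CN=Users,DC=example,DC=com"]},
    {"dn": "CN=alice,CN=Users,DC=example,DC=com", "objectClass": "user",
     "primaryGroupID": 513},
    {"dn": "CN=bob,CN=Users,DC=example,DC=com", "objectClass": "user",
     "primaryGroupID": 513},
    {"dn": "CN=carol,CN=Users,DC=example,DC=com", "objectClass": "user",
     "primaryGroupID": 1105},  # primary group changed to Portal Users
]


def rid_of(sid: str) -> int:
    """Return the relative identifier (last sub-authority) of a SID string."""
    return int(sid.rsplit("-", 1)[1])


def explicit_members(group_dn: str, entries: List[Dict]) -> List[str]:
    """What a naive 'read the member attribute' listing would return."""
    group = next(e for e in entries if e["dn"] == group_dn)
    return sorted(group.get("member", []))


def effective_members(group_dn: str, entries: List[Dict]) -> List[str]:
    """Explicit members plus users whose primaryGroupID matches the group RID."""
    group = next(e for e in entries if e["dn"] == group_dn)
    members = set(group.get("member", []))
    rid = rid_of(group["objectSid"])
    for e in entries:
        if e["objectClass"] == "user" and e.get("primaryGroupID") == rid:
            members.add(e["dn"])
    return sorted(members)


def membership_filter(group_dn: str, group_sid: str) -> str:
    """LDAP search filter (RFC 4515 escaped) that finds both kinds of members."""
    esc = group_dn.translate(str.maketrans({"\\": r"\5c", "*": r"\2a",
                                            "(": r"\28", ")": r"\29"}))
    return f"(|(memberOf={esc})(primaryGroupID={rid_of(group_sid)}))"
```

Tools that list only the member attribute, as the Entitlements Manager does here, will show the first result (empty); a resolver has to add the primaryGroupID match to get the second.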
Resolution
The default primary group "Domain Users" in Active Directory is not supported by ClearTrust. Create a new group and add all users to it.

To stop the "Domain Users" group from appearing in the Entitlements Manager, make sure the group is located in a container outside the scope of the group.basedn setting.

NOTE: Microsoft's Active Directory guidance recommends not placing more than 5000 users in a single group.
Workaround
The ClearTrust ldap.conf file's "group.basedn" parameter includes the container that holds the Active Directory "Domain Users" group.
Legacy Article ID: a19945
