000024979 - How to add users to groups in Microsoft Active Directory datastore

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number: 000024979

Applies To:
RSA ClearTrust 5.5.3 Authorization Server (AServer)
RSA ClearTrust Administrative API
Microsoft Active Directory Service

Issue:
How to add users to groups in Microsoft Active Directory datastore.
TransportException error "A Windows 2000 constraint on Groups was encountered while saving this group. You may have added a group member of unacceptable scope." when using the RSA ClearTrust Administrative API to add a user to a group.
Cause:
This exception is thrown within the RSA ClearTrust Entitlements Server in response to an "Unwilling to perform" response from Microsoft Active Directory when executing the update, not because of any internal error in the Entitlements Server. Active Directory does not explain why it is unwilling to perform the update, but generally this indicates a problem with either the configuration of your LDAP datastore (for example, you are trying to update something through a pool of AD connections that point to the Global Catalog, which is read-only) or a permissions issue.
Resolution:
One test that can help determine where the problem lies is to use the same account that is configured for the Microsoft Active Directory datastore in the ldap.conf file, then execute the update manually using the normal Active Directory tools available with Windows. If the update is successful, this suggests that the pool of connections configured in ldap.conf points to some interface of Active Directory that is read-only or otherwise constrained. If the update is unsuccessful, then the issue probably has to do with the permissions under which the update is being executed.
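The manual test described above, written as a PowerShell script that repeats the failed group update with the ldap.conf account against a writable domain controller and reports which of the two causes is more likely. This is an added example, not RSA's own tooling; the account, group, user and host:port values are placeholders you replace with the ones from your ldap.conf, and it assumes the ActiveDirectory module (RSAT) is installed.

```powershell
# Added diagnostic example (not part of the RSA article). All names below are
# placeholders: take the real account and host:port from ldap.conf.
Import-Module ActiveDirectory

$ServiceAccount = 'EXAMPLE\svc_cleartrust'   # same account as configured in ldap.conf
$GroupName      = 'CT-App-Users'             # group the Admin API failed to update
$TestUser       = 'testuser01'               # user the Admin API tried to add
$LdapConfHost   = 'dc01.example.com:3268'    # host:port of the connection pool in ldap.conf

# 1. A Global Catalog connection (port 3268 or 3269) is read-only; if ldap.conf
#    points there, the "Unwilling to perform" response is explained by the configuration.
if ($LdapConfHost -match ':(3268|3269)$') {
    Write-Warning "ldap.conf points at a Global Catalog port; AD will refuse writes on it."
}

# 2. Repeat the update by hand, as the same account, on a writable domain controller.
$Cred = Get-Credential -UserName $ServiceAccount -Message 'Password of the ldap.conf account'
$Dc   = (Get-ADDomainController -Discover -Writable).HostName | Select-Object -First 1

$Group = Get-ADGroup -Identity $GroupName -Server $Dc -Properties GroupScope
$User  = Get-ADUser  -Identity $TestUser  -Server $Dc
# Group scope matters for the "unacceptable scope" wording: a global group, for
# example, cannot hold members from another domain.
Write-Host "Group scope: $($Group.GroupScope); member DN: $($User.DistinguishedName)"

try {
    Add-ADGroupMember -Identity $Group -Members $User -Server $Dc -Credential $Cred -ErrorAction Stop
    Write-Host 'Manual update succeeded: suspect a read-only or constrained connection pool in ldap.conf.'
    # Undo the test change so the diagnostic leaves the directory as it was.
    Remove-ADGroupMember -Identity $Group -Members $User -Server $Dc -Credential $Cred -Confirm:$false
}
catch {
    Write-Host "Manual update failed: $($_.Exception.Message)"
    Write-Host "Suspect the permissions of $ServiceAccount on the group, or a group-scope constraint."
}
```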
Legacy Article ID: a26178