I cannot modify UNIX attributes on a group

This was an interesting issue where we were not able to modify the POSIX information in a group object in AD using the IdMU UNIX Attributes tab. Any attempts to perform this task would return the following error -

Check your credentials.

There could be a network problem.

Active Directory could be down.

Contact your system administrator.

The above error is very generic and is returned in almost every case where the UNIX Attributes tab encounters an error while modifying any part of the AD schema.

This problem can occur with user objects as well, and it can be isolated by closely examining the corresponding objects using ADSIEdit. In this case, looking at group objects revealed that they didn't have any of the RFC2307 attributes associated with them. As a result, the tab was not able to populate the information and we received the above-mentioned error.

This seems weird since we were on the Windows Server 2003 R2 schema, which already contains the RFC2307 extension. A little investigation pointed out that there were some issues upgrading to the R2 schema, and the schema had been modified to dissociate the posixGroup auxiliary class from the group objects. This posixGroup auxiliary class adds the attributes to a group object in AD that store POSIX information about the group.

Fixing this problem requires that we associate the posixGroup auxiliary class to the group objects.

This can be accomplished using the MMC, by adding the Schema Management extension. This should be accomplished on the Schema Master for the Forest. Once loaded, perform the following:

• Ensure you are connected to the Active Directory Schema [Should state the FQDN of the Schema Master]
• Open the Classes folder
• Highlight the Group class
• Right click on it and select Properties
• Select the Relationship tab
• Select Add Class to the right of Auxiliary Classes
• Add the posixGroup auxiliary class
• Click OK all the way out
• On the Action menu, select Reload Schema.

You're done and should no longer get the above-mentioned error when modifying the POSIX information on group objects. The steps are identical for user objects, except that you would be working on the Users class above and the posixAccount auxiliary class.
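The same check and fix can be scripted, which is handy when you want to confirm the schema state before touching it in the MMC, or verify it afterwards. The following is an added example, not from the original post or from the IdMU product: it reads the classSchema object for the class in question from the schema naming context, reports whether the auxiliary class is linked, and (only with -Fix) makes the same change the Relationship tab makes and triggers a schema reload on the schema master. It assumes the ActiveDirectory PowerShell module is available, that the account used has schema-admin rights for -Fix, and that the group name `ExampleUnixGroup` is a constructed placeholder.

```powershell
# Added example (not part of the original post). Checks whether an AD structural class
# still carries the RFC 2307 auxiliary class the UNIX Attributes tab relies on, and
# optionally re-links it the way the Schema MMC Relationship tab does.
param(
    [string]$ObjectClass     = 'group',        # use 'user' together with -AuxiliaryClass posixAccount
    [string]$AuxiliaryClass  = 'posixGroup',
    [string]$SampleGroup     = 'ExampleUnixGroup',  # constructed placeholder; replace with a real group
    [switch]$Fix                                 # off by default: the script is read-only unless set
)

Import-Module ActiveDirectory

$rootDse      = Get-ADRootDSE
$schemaNC     = $rootDse.schemaNamingContext
$schemaMaster = (Get-ADForest).SchemaMaster   # schema changes must be made on the schema master

# The classSchema object for the class under test lives in the schema naming context.
$classObj = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
    -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$ObjectClass))" `
    -Properties auxiliaryClass, systemAuxiliaryClass

if (-not $classObj) {
    throw "Class '$ObjectClass' not found in $schemaNC"
}

# AD returns auxiliaryClass / systemAuxiliaryClass as lDAPDisplayName strings.
$linked = @($classObj.auxiliaryClass) + @($classObj.systemAuxiliaryClass)

if ($linked -contains $AuxiliaryClass) {
    Write-Host "OK: class '$ObjectClass' already has auxiliary class '$AuxiliaryClass'"
}
else {
    Write-Warning "Class '$ObjectClass' is NOT linked to '$AuxiliaryClass'; the UNIX Attributes tab will fail with the generic error"

    if ($Fix) {
        # Same change as Relationship tab -> Add Class -> posixGroup, done against the schema master.
        Set-ADObject -Server $schemaMaster -Identity $classObj -Add @{ auxiliaryClass = $AuxiliaryClass }

        # Equivalent of Action -> Reload Schema: ask the schema master to refresh its schema cache.
        $rootDseAdsi = [ADSI]"LDAP://$schemaMaster/RootDSE"
        $rootDseAdsi.Put('schemaUpdateNow', 1)
        $rootDseAdsi.SetInfo()
        Write-Host "Linked '$AuxiliaryClass' to '$ObjectClass' and requested a schema reload"
    }
}

# Second check, mirroring what ADSIEdit shows: does a group object expose the RFC 2307 attributes?
if ($ObjectClass -eq 'group') {
    try {
        $grp = Get-ADGroup -Identity $SampleGroup -Properties gidNumber, memberUid
        if ($null -eq $grp.gidNumber) {
            Write-Host "Group '$SampleGroup' has no gidNumber set (expected until the tab can write POSIX data)"
        }
        else {
            Write-Host "Group '$SampleGroup' gidNumber = $($grp.gidNumber); memberUid = $($grp.memberUid -join ',')"
        }
    }
    catch {
        Write-Warning "Could not read '$SampleGroup': $($_.Exception.Message)"
    }
}
```

Run it without -Fix first on a domain-joined machine; it only reads the schema and one group. Running with -Fix performs a forest-wide schema change, so it is worth doing it in a test forest first and confirming the auxiliary class shows up under the Relationship tab afterwards.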

A word of caution - since the above-mentioned error is generic and can be displayed for many other reasons (mostly related to permissions in AD) - you should not try reversing and redoing the above-mentioned action plan. Get in touch with us instead.