Permissions set in UCServer for a group (ActiveDirectory) are ignored

State of knowledge

March 2021

Observation

The permissions set in the UCServer administration for the members of an AD group (Active Directory) are not considered and do not take effect.

Possible cause

The users/members of the group are set in AD (Active Directory) to be the Primary Group.

Background

In Active Directory, the primary group is stored differently than normal group memberships.

Normal group assignment

Membership in the group is stored in the "member" field of the group.

Primary Group

Here, the primary group is determined directly in the user object via the "primaryGroupID" field. However, this field does not contain the group, but only its RID (Relative Identifier).

This means that the assignment of a primary group is not stored in the "member" field of the respective group. The group itself does not "know" that these members also belong to it!

Checking possible reasons

In the UCServer administration you can check in the group in the tab "Members" what type this membership is.
If there is a 'P' in the "Type" field, it is a primary group.

Example screenshot settings group – members – type P

Solution

In order for the permissions to be evaluated correctly, a primary group must not be used.