Problem
It is possible to configure a DLO Automated User Assignment to assign users to specific DLO Profiles using specific Active Directory criteria like group membership.
The standard DLO mechanism of "Assign using Domain and Group" does not work when the desired AD Group is of Group Scope "Domain Local" or "Universal".
When configuring "Assign using Active Directory", however, it doesn't properly honor the specified group and users are not added to DLO.
Error Message
Users are not added to DLO automatically.
Cause
The reason why "Assign using Domain and Group" does not display "Domain Local" or "Universal" groups is because of the API which is used to pull data from Active Directory.
The reason why "Assign using Active Directory" doesn't work is because the Full Distinguished Active Directory name of the Group object needs to be specified.
Solution
Use the Microsoft tool 'adsiedit' to figure out what the Full Distinguished name is of the Domain Local group object within Active Directory.
Then, from within the DLO Administration Console,
1. Navigate into Setup > Automated User Assignments > New User Assignment
2. Select Assign using Active Directory > Configure
3. Click Browse to find the "In (LDAP Directory)" Full Distinguished name
Note:
If your domain is jddlo.com, "In (LDAP Directory)" is LDAP://DC=jddlo,DC=com
4. Select "Only the objects in this directory that match the criteria below"
5. For Attributes, select memberOf
6. For Condition, select =
7. For Value, specify the Full Distinguished name of the desired group
Example: CN=DLO_USERS_Local,CN=Users,DC=jddlo,DC=com
Note:
You can find "MemberOf" value for a user by the following command on Powershell if the username is testuser.
Get-ADuser -identity testuser -property memberof
<Return values by Get-ADuser -identity testuser -property memberof>
DistinguishedName : CN=testuser,CN=DLO_USERS,CN=Users,DC=jddlo,DC=com
Enabled : True
GivenName :
MemberOf : {CN=DLO_USERS,CN=Users,DC=jddlo,DC=com}
Name : testuser
ObjectClass : user
ObjectGUID : 7538bcd4-2c87-4b76-8229-4f3ced22ab86
SamAccountName : testuser
SID : S-1-5-21-2109476077-1972574819-3722176548-1113
Surname : testuser
UserPrincipalName : testuser@jddlo.com
8. Click OK to save the changes
The Automated User Assignment should now work as desired.
Note: The Microsoft tool 'adsiedit' can be used after enabling Remote Server Administration Tools (RSAT) for windows:
How to enable Microsoft RSAT Tool and it's usage
Note: If you prefer a different tool to find the Full Distinguished name of the AD Group Object, you may use it.
Applies To
Desktop Laptop Option all versions
Related Knowledge Base Articles
Was this content helpful?
Translated Content
Please note that this document is a translation from English, and may have been machine-translated. It is possible that updates have been made to the original version after this document was translated and published. Veritas does not guarantee the accuracy regarding the completeness of the translation. You may also refer to the English Version of this knowledge base article for up-to-date information.