OIM cannot Add Users to AD Groups, though it can Create/Modify Users in AD (Doc ID 1469709.1)

Last updated on MARCH 08, 2017

Applies to:

Identity Manager Connector - Version 9.0.3.1.0 and later
Information in this document applies to any platform.
**Checked for Relevance on 02-Dec-2013**

Symptoms

The OIM-AD connector cannot add users to groups that it was able to add users to yesterday.
The OIM Admin user is not the problem: it can log on to a DC server in the domain that the group belongs to and service the account, and it was able to add a user to the group.

OIM is unable to add any user to any group.

The error message in the OIM logs is:
ERROR,20 Jun 2012 13:25:29,156,[XL_INTG.ACTIVEDIRECTORY],Problem modifying object: javax.naming.NoPermissionException: [LDAP: error code 50 - 00002098: SecErr: DSID-03150A48, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
^@]; remaining name ''

The OIM-AD connector is still able to create users, modify their CNs, etc.

OIM 9.0.3.1
AD_Base 9.0.0

Changes

None.

Cause
