Select the product you need help with

Group Changes for Users with LDAP-Restricted Characters May Not Work

Article ID: 276266 - View products that this article applies to.

This article was previously published under Q276266

SYMPTOMS

When you add a user to a group with the Active Directory Users and Computers snap-in may not work under the following conditions:

The user name includes a comma.
The domain controller that the snap-in is focused on is not a global catalog.
The user account is from a different domain than the domain controller.

The error message you receive is:

The specified user was not found. If the user exists on another domain controller in the enterprise, it may take 15 minutes or more for the user to be replicated to the global catalog.

Although the error message indicates that when you wait 15 minutes this issue will be corrected, it does not in this case.

Back to the top | Give Feedback

Before the user is added, the name is compared to the version that is stored in the global catalog cache. Because of the restricted character, the comparison does not succeed.

In this example the user name is First Last; the user name is Flast. The display name is Last, First.

The LDAP version of the entry (the one the snap-in uses) is:

CN=Last\, First,CN=Users,DC=DOMAIN,DC=com

The entry it is compared to from the cache is:

CN="Last, First",CN=Users,DC=DOMAIN,DC=com

LDAP protects the comma with a backslash; the cache protects it with quotation marks.

Back to the top | Give Feedback