Select the product you need help with
- Internet Explorer
- Windows Phone
- More products
Group Changes for Users with LDAP-Restricted Characters May Not Work
Article ID: 276266 - View products that this article applies to.
This article was previously published under Q276266
When you add a user to a group with the Active Directory Users and Computers snap-in may not work under the following conditions:
Although the error message indicates that when you wait 15 minutes this issue will be corrected, it does not in this case.
The specified user was not found. If the user exists on another domain controller in the enterprise, it may take 15 minutes or more for the user to be replicated to the global catalog.
Before the user is added, the name is compared to the version that is stored in the global catalog cache. Because of the restricted character, the comparison does not succeed.
In this example the user name is First Last; the user name is Flast. The display name is Last, First.
The LDAP version of the entry (the one the snap-in uses) is:
CN=Last\, First,CN=Users,DC=DOMAIN,DC=comThe entry it is compared to from the cache is:
CN="Last, First",CN=Users,DC=DOMAIN,DC=comLDAP protects the comma with a backslash; the cache protects it with quotation marks.
To work around this issue, set the focus of the Users and Computers snap-in to a domain controller that functions as a global catalog server.
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.