Error granting access to an App-V package: Invalid input was passed

Article ID: 2797968

Symptoms

Attempting to grant an Active Directory group access to a package through the Microsoft Application Virtualization (App-V) Management Server website fails with the following error:

Invalid input was passed: contoso\appvusers. Specify a group as domain\group.

- OR -

Attempting to grant an Active Directory group access to a package with the Application Virtualization Management Server PowerShell cmdlet Grant-AppvServerPackage fails with the following error:

PS C:\Users\appvadmin> Grant-AppvServerPackage -Name YourAppVPackageName -Groups contoso\appvusers

Grant-AppvServerPackage : An unexpected error occurred during processing.
At line:1 char:1
+ Grant-AppvServerPackage -Name YourAppVPackageName  -Groups contoso\appvusers
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
+ CategoryInfo          : NotSpecified: (:) [Grant-AppvServerPackage], Exception   
+ FullyQualifiedErrorId : System.Exception,Microsoft.AppV.Server.Cmdlets.GrantAppvServerPackageCommand

- OR -

Attempting to add a user or group on the Administrators tab of the Application Virtualization Management Server fails with the following error:

There was an error on the server. Please view event logs on the server for more information.

NOTE: A corresponding event is not registered in the event logs.

In each of the above scenarios, in a Fiddler trace you will see an HTTP 500 error. The error is listed as: 

The specified directory service attribute or value does not exist. ImproperADArgument.

Cause

These symptoms can occur if the permissions in Active Directory on one or more of the following Active Directory containers are restricted:

CN=Computers (the default Computers container)
CN=Users (the default users container)
DC=Contoso (the domain container)

By default, the Authenticated Users group has 'Read All Properties' on the above 3 containers. Using this permission, the Management Server account is able to query Active Directory.

Resolution

To resolve this issue, give the 'Authenticated Users' group 'Read All Properties' permissions on each of the above-mentioned Active Directory containers. Alternatively, you can add only the computer account of the Management Server(s) with 'Read All Properties' permissions on each of the above-mentioned containers.
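
Added example (not part of the original article): a PowerShell check that reports, for each of the three containers, whether 'Authenticated Users' or the Management Server computer account holds an explicit or inherited 'Read All Properties' entry. It assumes the RSAT ActiveDirectory module is installed; the computer name APPVMGMT01 is a placeholder.

```powershell
# Added example, not Microsoft's code. Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$MgmtServer = 'APPVMGMT01'   # placeholder: your App-V Management Server name
$domain     = Get-ADDomain

# The three containers named in the Cause section, resolved for this domain.
$containers = $domain.ComputersContainer, $domain.UsersContainer, $domain.DistinguishedName

# Compare by SID so the check does not depend on localized account names.
$principals = [ordered]@{
    'Authenticated Users' = [System.Security.Principal.SecurityIdentifier]'S-1-5-11'
    "$MgmtServer`$"       = (Get-ADComputer -Identity $MgmtServer).SID
}
$sidType  = [System.Security.Principal.SecurityIdentifier]
$readProp = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty

foreach ($dn in $containers) {
    # Explicit and inherited ACEs, with identities returned as SIDs.
    $rules = (Get-Acl -Path "AD:\$dn").GetAccessRules($true, $true, $sidType)
    foreach ($name in $principals.Keys) {
        $sid  = $principals[$name].Value
        $mine = $rules | Where-Object {
            $_.IdentityReference.Value -eq $sid -and
            ($_.ActiveDirectoryRights -band $readProp) -and
            $_.ObjectType -eq [guid]::Empty -and                 # all properties
            $_.InheritanceType -notin 'Children', 'Descendents'  # applies to the container itself
        }
        [pscustomobject]@{
            Container = $dn
            Principal = $name
            Allow     = [bool]($mine | Where-Object AccessControlType -eq 'Allow')
            Deny      = [bool]($mine | Where-Object AccessControlType -eq 'Deny')
        }
    }
}
```

The report covers only entries granted directly to these two principals; read access that the computer account receives through membership in another group does not appear in it.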

More information

The AppVManagement Application Pool, by default, runs under the NetworkService account. The NetworkService account in turn impersonates the computer account when accessing network resources. In this scenario, the network resource is Active Directory.
Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use for other considerations.

Properties

Article ID: 2797968 - Last Review: January 15, 2013 - Revision: 2.0
Applies to
  • Microsoft Application Virtualization 5.0 for Terminal Services
  • Microsoft Application Virtualization 5.0 for Windows Desktops
  • Microsoft Application Virtualization Hosting 5.0 for Windows Desktops
Keywords: KB2797968
