Article ID: 2797968 - View products that this article applies to.
Using the Microsoft Application Virtualization (App-V) Management Server website in an attempt to grant access to a package to an Active Directory group fails with the following error:
Invalid input was passed: contoso\appvusers. Specify a group as domain\group.
- OR -
Using the Application Virtualization Management Server PowerShell cmdlet Grant-AppvServerPackage in an attempt to grant access for a package to an Active Directory group fails with the following error:
PS C:\Users\appvadmin> Grant-AppvServerPackage -Name YourAppVPackageName -Groups contoso\appvusers
Grant-AppvServerPackage : An unexpected error occurred during processing.At line:1 char:1
+ Grant-AppvServerPackage -Name YourAppVPackageName -Groups contoso\appvusers
+ CategoryInfo : NotSpecified: (:) [Grant-AppvServerPackage], Exception
+ FullyQualifiedErrorId : System.Exception,Microsoft.AppV.Server.Cmdlets.GrantAppvServerPackageCommand
- OR -
Using the Application Virtualization Management Server in an attempt to add a user or group in the Administrators tab fails with the following error:
There was an error on the server. Please view event logs on the server for more information.
NOTE A corresponding event is not registered in the event logs
In each of the above scenarios, in a Fiddler trace you will see an HTTP 500 error. The error is listed as:
The specified directory service attribute or value does not exist. ImproperADArgument.
These symptoms can occur if the permissions in Active Directory on one or more of the following Active Directory containers are restricted:
CN=Computers (the default Computers container)
CN=Users (the default users container)
DC=Contoso (the domain container)
By default, the Authenticated Users group has 'Read All Properties' on the above 3 containers. Using this permission, the Management Server account is able to query Active Directory.
To resolve this issue, give the 'Authenticated Users' group 'Read All Properties' permissions on each of the above mentioned Active Directory containers. Alternatively, you can add only the computer account of the Management Server(s) with 'Read All Properties' permissions on each of the above mentioned containers.
The AppVManagement Application Pool, by default, runs under the NetworkService account. The NetworkService account in turn impersonates the computer account when accessing network resources. In this scenario, the network resource is Active Directory.
(http://go.microsoft.com/fwlink/?LinkId=151500)for other considerations.
Article ID: 2797968 - Last Review: January 15, 2013 - Revision: 2.0