Date: March 25, 2014
You have delegated to Windows global security groups from one or more Active Directory domains and:
- [Enterprise] Random Password Manager may fail to let users log in to the E/RPM web portal with a message of "User has no permissions" or similar.
- [Enterprise] Random Password Manager may fail to let users log in to the E/RPM web portal with a message of "Component Error: E_FAIL message; check database connectivity" or similar.
However, if you delegate to the users directly, rather than relying solely on the global security groups, the users can log in to the website without a problem.
Ruling out the obvious statement of "password validation", the following are the most likely causes for this problem:
- Case 1: The Windows COM identity that runs the website's COM object does not have the ability to enumerate group memberships.
- Case 2: The Authenticated Users group has been removed from the Pre-Windows 2000 Compatible Access group in the domain.
In either case, some groups may be properly enumerated which could permit some users to login while other users fail miserably.
Regarding Case 2, Pre-Windows 2000 Compatible Access has rights to read almost all properties of most objects and is how most non-admin security principals read object properties. Group membership is determined for a user by reading the memberOf attribute of the user object. Users who are in protected groups keep working while users who are not in protected groups break because the AdminSDHolder ACL grants more permissive rights to read the properties of protected objects than unprotected objects have.
- Resolution 1: In Active Directory Users and Computers, go to the View menu and select Advanced Features. Next, navigate to the group in question. Select Properties from the context menu, then open the Security tab. Ensure that the ERPM COM identity or a group that it belongs to is granted the List Contents permission for the group.
- Resolution 2: Open Active Directory Users and Computers and find the Pre-Windows 2000 Compatible Access group. Open the group properties and add the Authenticated Users group to the members list.
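The following PowerShell diagnostic is an added example, not part of the original article or the ERPM product. It assumes the RSAT ActiveDirectory module is installed, and checks both causes above: whether Authenticated Users is still a member of Pre-Windows 2000 Compatible Access, and whether a user's memberOf back-link is readable by the caller when that user is listed in a delegated group. Run it under the COM identity (for example via `runas /user:DOMAIN\svc_account powershell.exe`, where the account name is a placeholder) to see exactly what the website's COM object sees.

```powershell
Import-Module ActiveDirectory

function Test-PreWin2000Access {
    # S-1-5-32-554 is the well-known SID of Pre-Windows 2000 Compatible Access.
    # Authenticated Users (S-1-5-11) appears in its member list as a foreign
    # security principal whose CN is the SID itself.
    $group = Get-ADGroup -Identity 'S-1-5-32-554' -Properties member
    $hasAuthUsers = $group.member |
        Where-Object { $_ -like 'CN=S-1-5-11,CN=ForeignSecurityPrincipals,*' }
    return [bool]$hasAuthUsers
}

function Test-GroupMembershipVisible {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,   # a user who cannot log in
        [Parameter(Mandatory)][string]$GroupName         # the delegated global group
    )
    # The group's member attribute needs read/List Contents rights on the group
    # (Case 1); the user's memberOf back-link needs read rights on the user
    # object, which non-admins normally get through Pre-Windows 2000 Compatible
    # Access (Case 2). Attributes the caller cannot read come back empty.
    $user  = Get-ADUser  -Identity $SamAccountName -Properties memberOf
    $group = Get-ADGroup -Identity $GroupName      -Properties member

    $listedInGroup     = $group.member   -contains $user.DistinguishedName
    $visibleInMemberOf = $user.memberOf  -contains $group.DistinguishedName

    [pscustomobject]@{
        User               = $SamAccountName
        Group              = $GroupName
        RunningAs          = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        ListedInGroup      = $listedInGroup
        VisibleInMemberOf  = $visibleInMemberOf
        # Listed in the group but invisible through memberOf is the symptom
        # described in this article.
        MembershipHidden   = $listedInGroup -and -not $visibleInMemberOf
    }
}

# Example usage (placeholder names):
# Test-PreWin2000Access
# Test-GroupMembershipVisible -SamAccountName 'jdoe' -GroupName 'ERPM Portal Users'
```

A result of `MembershipHidden = True` while `Test-PreWin2000Access` returns `False` points at Resolution 2; `MembershipHidden = True` with `ListedInGroup = False` points at the COM identity's rights on the group (Resolution 1).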
- Enterprise Random Password Manager (ERPM)
- Random Password Manager (RPM)