I know we've all waited for quite some time on this, but it finally came out of Quality Control and here is the newest fix pack for ActiveRoles Server 6.7!
In addition to many, many, many fixes, the long-awaited multi-browser support is also delivered! Thanks to a great dev team for getting this done!
This patch introduces support for Web browsers other than Windows Internet Explorer. Once this patch has been installed, the following browsers can be used to access ActiveRoles Server's Web Interface:
- Firefox 5.0
- Firefox 6.0
- Google Chrome 13
- Safari 4
- Safari 5
- Windows Internet Explorer 7.0
- Windows Internet Explorer 8.0
- Windows Internet Explorer 9.0
A higher version of Firefox, Google Chrome, Safari or Internet Explorer can be made to work as a Web Interface client; however, the Web Interface pages that are provided by this patch have been tested only against the Web browser versions listed above.
This patch also enables access to the Web Interface from iPad (tested against Safari on iPad with iOS 4.2).
This is a supported patch for ActiveRoles Server 6.7.0 from Quest Software. The patch resolves a number of issues that were reported by our customers or discovered internally after the initial release of ActiveRoles Server version 6.7.0.
The patch addresses the issues listed in the "Resolved Issues" section later in this document, and also includes the updates that were provided with Patch 3597 and Patch 3623 for ActiveRoles Server 6.7.0 to address the issues resolved by those earlier patches. Hence, this patch resolves the issues listed in this Readme document, along with the issues listed in the Readme documents accompanying Patch 3597 and Patch 3623. For information about Patch 3597 and Patch 3623, see Quest Knowledgebase solution SOL68529 at https://support.quest.com/Search/SolutionDetail.aspx?id=SOL68529 and Quest Knowledgebase solution SOL71327 at https://support.quest.com/Search/SolutionDetail.aspx?id=SOL71327, respectively.
This patch may receive additional testing. If you are not severely affected by the issues that this patch addresses, we recommend that you wait for the next full release of Quest ActiveRoles Server, which will include all updates provided with this patch.
The patch consists of the following updates:
- ARS-6.7.0-3663.exe: This update is for ActiveRoles Server's Administration Service and SDK. Install it on each computer running ActiveRoles Server's Administration Service of version 6.7.0, as well as on each computer where ActiveRoles Server 6.7.0 SDK is installed.
- ARSMMC-6.7.0-3663.exe: This update is for ActiveRoles Server's Console (MMC Interface). Install it on each computer running ActiveRoles Server's Console of version 6.7.0.
- ARSWI-6.7.0-3663.exe: This update is for ActiveRoles Server's Web Interface. Install it on each computer (Web server) running ActiveRoles Server's Web Interface of version 6.7.0.
- ARSADDIN-6.7.0-149.exe: This update is for ActiveRoles Server's Add-in for Outlook. Install it on each computer where version 6.7.0 of ActiveRoles Server's Add-in for Outlook is installed.
- ARSRP-6.7.0-3536.exe: This update is for ActiveRoles Server's Report Pack. Install it on the computer that was used to install the Report Pack for ActiveRoles Server 6.7.0. If you have your Report Pack installation updated with Patch 3623 for ActiveRoles Server 6.7.0, then you do not need to install this update.
- ARSLP-6.7.0-2850.exe: This update is for ActiveRoles Server's Language Pack. Install it on each computer on which the Language Pack for ActiveRoles Server 6.7.0 is installed. If you have your Language Pack installation updated with Patch 3623 for ActiveRoles Server 6.7.0, then you do not need to install this update.
- ARSADSI-6.7.0-3663.exe: This update is for a standalone installation of ActiveRoles Server's ADSI Provider. Install it on computers where ActiveRoles Server's ADSI Provider of version 6.7.0 is installed as a standalone component. Do not install it on the computers running the Administration Service, MMC Interface or Web Interface since the ADSI Provider on those computers is updated during installation of the respective update for the Administration Service, MMC Interface or Web Interface. If you have your standalone ADSI Provider installation updated with Patch 3623 for ActiveRoles Server 6.7.0, then you do not need to install this update.
For details on how to install and configure this patch, see "Installing This Patch" later in this document.
Information about this patch is published in the Quest Knowledgebase solution SOL78214 at https://support.quest.com/Search/SolutionDetail.aspx?id=SOL78214.
The following is a list of issues resolved by this patch. Each item in the list includes an ID number, which identifies the item, and a brief description of the issue. The list is divided by component so that the items related to each individual component of the product are grouped together:
This patch also includes the updates that were provided with ActiveRoles Server 6.7.0 Patch 3597 and Patch 3623. Hence, it resolves the issues listed in this section, along with all the issues listed in the Readme documents accompanying Patch 3597 and Patch 3623. For information about Patch 3597 and Patch 3623, see Quest Knowledgebase solution SOL68529 at https://support.quest.com/Search/SolutionDetail.aspx?id=SOL68529 and Quest Knowledgebase solution SOL71327 at https://support.quest.com/Search/SolutionDetail.aspx?id=SOL71327, respectively.
TF00037644
Fixed: The ActiveRoles Server console displays incorrect data in the "Operation counters" area on the "Client Activity" tab in the "Properties" dialog box for a client session object. To access that tab, go to the "Configuration/Server Configuration/Client Sessions" container in the console tree, double-click a list entry in the details pane, and then click the "Client Activity" tab in the dialog box that appears. All operation counters on the "Client Activity" tab are zeroes even though certain operations were performed during the given session. The root cause of the issue is that ActiveRoles Server's Administration Service does not provide the console with operations counter data on client session objects. To address the issue, the Administration Service has been updated to include the operations counter data into each client session object. Note that the Administration Service does not provide separate data for the "Rename" operation counter since the operation of renaming objects is treated as an operation of the "Modify" category and therefore the number of the "Rename" operations is added to the "Modify" operation counter.
TF00156605
Fixed: The Administration Service may return incorrect status information for an unmanaged domain. A symptom of this issue is that the domain status displayed by the ActiveRoles Server console for an unmanaged domain changes from "Available as unmanaged domain" to "Available for management." The issue occurs if the domain was temporarily unavailable to the Administration Service (for instance, added as a fully managed domain, removed, and then re-added as an unmanaged domain). Sometime after the domain becomes available, the Administration Service provides the console with the domain status information as if this were a fully managed (rather than unmanaged) domain.
TF00156606
Fixed: The ActiveRoles Server Web Interface does not allow you to unlock a local user account that is locked out because of a number of failed logon attempts. Even though a local user account is locked out, the "Account is locked out" check box is unavailable (grayed out) on the Properties/General page for that account in the Computer Management section of the Web Interface, no matter what permissions are granted to the Web Interface user. The issue is due to an incorrect ActiveRoles Server schema definition provided by the Administration Service for the edsLocalUser object class which is used to represent local user accounts in ActiveRoles Server.
TF00159481
Fixed: ActiveRoles Server approval workflow may not function as expected in a scenario that needs conditional approval for adding members to a group and the condition of the approval is based on certain properties of objects being added to the group. The issue occurs with a workflow that starts upon a request to add objects to a group, and analyzes certain object properties to determine if single-level approval (by a single person) or multi-level approval (by several persons in sequence) is required for the request to be performed.
The issue manifests as follows. Suppose ActiveRoles Server has been requested to add a batch of objects to a particular group, with the properties of some objects in the batch configured so that single-level approval will suffice, whereas the properties of others dictate multi-level approval. When processing such a request, ActiveRoles Server adds the entire batch of the objects to the group once it receives the approval to add any object found in the batch. As a result of this behavior ActiveRoles Server may add an object to the group despite the fact that all the necessary approvals are not received. Thus, upon receipt of the approval for an object that only needs single-level approval, ActiveRoles Server will add all objects to the group, including those for which multi-level approval is required.
The root cause of the issue is that ActiveRoles Server treats a request to add a batch of objects to a group as a single operation of updating the "member" attribute of that group. To address the issue, the behavior of ActiveRoles Server's Administration Service has been changed to allow the request to be split into a number of child requests each of which applies to a single object and thereby assumes a separate approval process based on the properties of that particular object.
For this fix to have an effect, it is necessary to enable a policy that forces ActiveRoles Server to split requests for adding or removing objects from groups as needed in the case of approval workflow. For each object whose addition or removal from a given group requires approval, the policy creates a separate operation request, thereby ensuring the object is properly handled by approval workflow. If this policy is not enabled, a request to add multiple objects to a particular group (or remove them from that group) is performed as a single operation, which causes the operation to be completed for all objects once the request is approved, although additional approvals may be required for some of the objects involved in the operation.
The policy is enabled if the object "CN=Split Group Membership Change Requests,CN=ActiveRoles Server,CN=Services,CN=Application Configuration,CN=Configuration" exists and has the "edsaExtensionAttribute1" attribute set. Otherwise, this policy is not enabled. To enable the policy, use the ActiveRoles Server console in Raw view mode as follows:
1. In the "Configuration/Application Configuration/Services" container, create an object of the "EDS-Application-Settings-Container" object class with the object name of "ActiveRoles Server". You can do this by using the "All Tasks | Advanced Create" command.
2. In the "Configuration/Application Configuration/Services/ActiveRoles Server" container, create an object of the "EDS-Application-Setting" object class with the object name of "Split Group Membership Change Requests". You can do this by using the "All Tasks | Advanced Create" command.
3. On the "Split Group Membership Change Requests" object, set the "edsaExtensionAttribute1" attribute to any non-null value. You can view or change the "edsaExtensionAttribute1" attribute value by using the "All Tasks | Advanced Properties" command.
You can disable this policy, if needed, by clearing the "edsaExtensionAttribute1" attribute or by deleting the "Split Group Membership Change Requests" object altogether.
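The difference between the unsplit and the split handling of a batch request, as an added example that is not ActiveRoles Server code and is not part of the original readme. It is a simplified model: the class names, the two objects and their approval levels are constructed for illustration.

```python
"""Model of the batch-approval flaw and the split-request fix (constructed example)."""
from dataclasses import dataclass, field


@dataclass
class MemberRequest:
    """One object to be added to a group and the approvals its properties demand."""
    name: str
    required_approvals: int            # 1 = single-level, 2 or more = multi-level
    approvers: set = field(default_factory=set)

    def fully_approved(self):
        return len(self.approvers) >= self.required_approvals


class BatchRequest:
    """Unsplit behaviour: the whole batch is one update of the group's member attribute."""

    def __init__(self, group, members):
        self.group, self.members = group, members

    def approve(self, approver, member_name):
        for m in self.members:
            if m.name == member_name:
                m.approvers.add(approver)
        # Completion is decided for the operation as a whole, so one satisfied
        # object releases every object in the batch.
        if any(m.fully_approved() for m in self.members):
            self.group.update(m.name for m in self.members)


class SplitRequest:
    """Split behaviour: one child request per object, each with its own approval state."""

    def __init__(self, group, members):
        self.group = group
        self.children = {m.name: m for m in members}

    def approve(self, approver, member_name):
        child = self.children[member_name]
        child.approvers.add(approver)
        if child.fully_approved():
            self.group.add(child.name)


def simulate(split_enabled, approvals):
    """Replay (approver, object) approvals; return (group members, under-approved members)."""
    group = set()
    members = [MemberRequest("alice", 1), MemberRequest("bob", 2)]   # constructed batch
    request = (SplitRequest if split_enabled else BatchRequest)(group, members)
    for approver, name in approvals:
        request.approve(approver, name)
    under_approved = sorted(m.name for m in members
                            if m.name in group and not m.fully_approved())
    return sorted(group), under_approved


if __name__ == "__main__":
    one_approval = [("manager", "alice")]
    print("unsplit:", simulate(False, one_approval))
    print("split:  ", simulate(True, one_approval))
```

The second value returned by `simulate` is the audit view: members that are in the group without the approvals their own properties require.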
TF00161198
Fixed: After you restart ActiveRoles Server's Administration Service, you may experience a long delay before the Administration Service completes the process of building domain information. This slows down the service startup, making the Administration Service unavailable for up to several tens of minutes. The issue is due to a defect in how the Administration Service processes the existing Access Template or Policy Object links applied to Active Directory objects that are unavailable at the time of the service startup. When building domain information, the Administration Service looks up each of the link target objects in Active Directory. If there are many links whose target objects cannot be found in Active Directory (for example, objects that no longer exist or objects from a domain that is not available on the network), then the lookup process causes a long delay during the service startup.
TF00161319
Fixed: In a complex environment where a single Exchange mailbox-enabled user has two user accounts in different Active Directory forests (for instance, an environment with Quest Collaboration Services deployed), ActiveRoles Server encounters an error condition when attempting to look up the sender of a response to approval notification e-mail. The issue occurs when you use ActiveRoles Server's capability to approve or reject an operation request by responding to the e-mail message that notifies of the operation request. The response message is delivered to ActiveRoles Server's mailbox but the operation is neither approved nor rejected, remaining in the "waiting for approval" (pending) state. A symptom of the issue is the following event in the EDM Server event log:
Event ID: 1533
Task Category: ApprovalMailFlow
Level: Information
Description: Administration Service encountered a problem when processing approval response received via e-mail.
Details: Sender of approval response cannot be identified from the response message.
The root cause of the issue is that the Administration Service cannot verify the user account of the response sender since the sender's e-mail address is associated with more than one user account.
To address the issue, ActiveRoles Server now provides the ability to specify primary lookup domains - the domain or domains where to look up user accounts of response senders. Once the Administration Service has found the sender's user account in a primary domain, it does not search other domains; otherwise, the search is performed across all managed domains.
To specify primary lookup domains, you have to change the edsvaExchangeProperties attribute of the "Configuration/Server Configuration" object. You can do this by using the "All Tasks | Advanced Properties" command on that object in the ActiveRoles Server console. The edsvaExchangeProperties attribute contains an XML document similar to the following:
<?xml version="1.0"?><ExchangeProperties NeverUsePowerShellCmdlets = "false" UseMapiIfExchangeCmdletsNotInstalled = "false" />
Modify the edsvaExchangeProperties XML document by adding an XML element named PrimaryLookupDomains with one or more child elements named PrimaryLookupDomainDN each of which specifies the Distinguished Name (DN) of the domain DNS object representing one of your primary lookup domains. As a result, the edsvaExchangeProperties XML document will look similar to the following:
<?xml version="1.0"?>
<ExchangeProperties NeverUsePowerShellCmdlets = "false" UseMapiIfExchangeCmdletsNotInstalled = "false">
  <PrimaryLookupDomains>
    <PrimaryLookupDomainDN>
      DC=domain1,DC=company,DC=com
    </PrimaryLookupDomainDN>
    <PrimaryLookupDomainDN>
      DC=domain2,DC=company,DC=com
    </PrimaryLookupDomainDN>
  </PrimaryLookupDomains>
</ExchangeProperties>
Note that you must be logged on as an ActiveRoles Server administrator (AR Server Admin) and you must use a script to change the edsvaExchangeProperties attribute. Otherwise, ActiveRoles Server will not allow you to make the change. A sample script that modifies edsvaExchangeProperties is as follows:
Option Explicit
' New value for edsvaExchangeProperties (quotation marks are doubled inside a VBScript string)
Const NewExchangeProperties = "<?xml version=""1.0""?><ExchangeProperties NeverUsePowerShellCmdlets = ""false"" UseMapiIfExchangeCmdletsNotInstalled = ""false""><PrimaryLookupDomains><PrimaryLookupDomainDN> DC=domain1,DC=company,DC=com </PrimaryLookupDomainDN><PrimaryLookupDomainDN> DC=domain2,DC=company,DC=com </PrimaryLookupDomainDN></PrimaryLookupDomains></ExchangeProperties>"
Dim ServiceObject
' Bind to the "Configuration/Server Configuration" object
Set ServiceObject = GetObject("EDMS://CN=Server Configuration,CN=Configuration")
' Stage the new attribute value, then commit it
ServiceObject.Put "edsvaExchangeProperties", NewExchangeProperties
ServiceObject.SetInfo
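A way to produce and read back the edsvaExchangeProperties value without hand-editing the XML, together with a model of the lookup order described above, as an added example that is not ActiveRoles Server code and is not part of the original readme. The function names, the second forest and the accounts are constructed, and treating several matches within the searched domains as "cannot be identified" is an assumption.

```python
"""Primary lookup domains: write and read the setting, model the sender lookup (constructed)."""
import re
import xml.etree.ElementTree as ET

# The "before" document shown in the readme.
BASE_PROPERTIES = ('<?xml version="1.0"?><ExchangeProperties NeverUsePowerShellCmdlets = "false" '
                   'UseMapiIfExchangeCmdletsNotInstalled = "false" />')

DOMAIN_DN = re.compile(r"DC=[^,=]+(,DC=[^,=]+)*", re.IGNORECASE)


def add_primary_lookup_domains(properties_xml, domain_dns):
    """Return the document with a PrimaryLookupDomains element listing domain_dns."""
    root = ET.fromstring(properties_xml)
    for old in root.findall("PrimaryLookupDomains"):      # replace, do not duplicate
        root.remove(old)
    container = ET.SubElement(root, "PrimaryLookupDomains")
    for dn in domain_dns:
        dn = dn.strip()
        if not DOMAIN_DN.fullmatch(dn):
            raise ValueError("not a domain DN: %r" % dn)
        ET.SubElement(container, "PrimaryLookupDomainDN").text = dn
    return '<?xml version="1.0"?>' + ET.tostring(root, encoding="unicode")


def primary_lookup_domains(properties_xml):
    """Read the DNs back; the readme's sample pads each DN with whitespace, so strip it."""
    root = ET.fromstring(properties_xml)
    found = root.iterfind("PrimaryLookupDomains/PrimaryLookupDomainDN")
    return [el.text.strip() for el in found if el.text and el.text.strip()]


def vbscript_literal(text):
    """Quote text as a VBScript string constant (inner quotation marks are doubled)."""
    return '"' + text.replace('"', '""') + '"'


def resolve_sender(address, accounts, primary_dns, managed_dns):
    """Model of the lookup: primary domains first, all managed domains only if that finds nothing.

    accounts is a list of (mail, domain_dn, account_name) tuples. Returns the account
    name, or None when the sender is unknown or ambiguous (the event 1533 symptom).
    """
    def search(domain_dns):
        wanted = {dn.lower() for dn in domain_dns}
        return [name for mail, domain, name in accounts
                if mail.lower() == address.lower() and domain.lower() in wanted]

    hits = search(primary_dns) or search(managed_dns)
    return hits[0] if len(hits) == 1 else None


# Constructed directory: one mailbox user with accounts in two forests.
ACCOUNTS = [
    ("jdoe@company.com", "DC=domain1,DC=company,DC=com", "DOMAIN1\\jdoe"),
    ("jdoe@company.com", "DC=resource,DC=example,DC=com", "RESOURCE\\jdoe"),
]
MANAGED = ["DC=domain1,DC=company,DC=com", "DC=resource,DC=example,DC=com"]

if __name__ == "__main__":
    updated = add_primary_lookup_domains(BASE_PROPERTIES, ["DC=domain1,DC=company,DC=com"])
    print("Const NewExchangeProperties =", vbscript_literal(updated))
    print("no primary domains:", resolve_sender("jdoe@company.com", ACCOUNTS, [], MANAGED))
    print("with primary domain:", resolve_sender(
        "jdoe@company.com", ACCOUNTS, primary_lookup_domains(updated), MANAGED))
```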
TF00162379
Fixed: If a large number (100+) of Script Modules are defined in ActiveRoles Server, each containing an empty policy script or library script, then the Administration Service is unable to execute any policy script. The issue has been reported to occur with empty Script Modules intended to contain PowerShell scripts. A large number of empty Script Modules causes an error condition in the host being used by the Administration Service to execute PowerShell commands.
TF00163139
Fixed: Query-based Distribution Groups created by ActiveRoles Server in an Exchange 2007/2010 organization cannot receive e-mail. The root cause of this issue is that the Administration Service does not use Exchange Management Shell when creating a Query-based Distribution Group. The use of Exchange Management Shell is required to create a valid distribution group in an Exchange 2007/2010 organization. To address the issue, the Administration Service has been updated to ensure that it applies Exchange Management Shell as required when creating Query-based Distribution Groups.
TF00166888
Fixed: When creating an Exchange mailbox for an existing user account, the Administration Service attempts to clear the quotaNotificationSchedule and quotaNotificationStyle attributes on that user account. If the Administration Service does not have permission to change those attributes, an "insufficient rights" condition occurs. To address this issue, the Administration Service has been updated so that it no longer attempts to change the quotaNotificationSchedule or quotaNotificationStyle attribute when creating an Exchange mailbox.
TF00167307
Fixed: ActiveRoles Server does not provide the ability to convert a linked mailbox into a user mailbox by clearing the edsva-msExch-LinkedMasterAccountSID attribute. The root cause of the issue is that ActiveRoles Server's Administration Service is unable to perform a request to clear that attribute, returning an error message such as "An invalid value has been specified for ' edsva-msExch-LinkedMasterAccountSID' attribute." To address this issue, ActiveRoles Server has been updated to enable the edsva-msExch-LinkedMasterAccountSID attribute to be cleared on a linked mailbox, thereby converting the linked mailbox to a user mailbox. After this update is installed, you can perform the conversion by using ActiveRoles Server's Web Interface: In the Exchange (resource) forest, locate the user account associated with the linked mailbox (this is normally a disabled account), enable that user account, go to the "Exchange Properties/Master Account" page, and clear the master account field on that page. Then, go to the "Exchange Properties/Mailbox Rights" page, and remove the master account from the "Mailbox rights" list. After you have saved the changes, the linked mailbox is converted to a user mailbox.
TF00167954; TF00168075
Fixed: ActiveRoles Server may take longer than expected to configure a request for joining a group. A symptom of the issue is a long delay that occurs in ActiveRoles Self-Service Manager when you use the "Request Access" page. On that page, after you have selected a group to join, Self-Service Manager may stop responding, and may eventually encounter a timeout condition. As a result, the request to join the group is not properly configured for approval and you are not prompted for request reason. The root cause of the issue is a long-running search involved in the request configuration process.
TF00168566
Fixed: A policy script that sets the user account's attribute edsaDialinAccessPermissions upon creation of a user account may cause an error condition in ActiveRoles Server. A symptom of the issue is that creation of a user account fails with an error stating "There is no such object on the server." The issue occurs because the Administration Service may attempt to set the edsaDialinAccessPermissions attribute on a domain controller other than the domain controller on which the user account was created.
TF00168938
Fixed: After an upgrade to a later version, ActiveRoles Server ceases to process temporal group members that were configured before the upgrade. Thus, when you use an earlier version of ActiveRoles Server to add a member to a group with the option to have that member automatically removed from the group on a certain date, and then upgrade ActiveRoles Server, the member is not removed from the group as expected even though, after the upgrade, you have set the attribute edsva-TemporalGroupMemberships-Service to the DNS name of the computer running ActiveRoles Server's Administration Service. The root cause of the issue is that setting the attribute edsva-TemporalGroupMemberships-Service does not update the identifier of the Administration Service on the pending operations of updating temporal group memberships. As a result, the operations have an outdated identifier that was configured by the earlier version of ActiveRoles Server, and are therefore disregarded after the upgrade.
TF00171018
Fixed: A scheduled update of the members list for a dynamic group may cause an infinite loop in the Administration Service. The issue occurs in the following scenario. Suppose a certain user is explicitly added to a dynamic group by the group's membership rules (the user is a static member of the dynamic group). If you delete that user by using a tool other than ActiveRoles Server (for example, by using Active Directory Users and Computers) and then run ActiveRoles Server's scheduled task "Dynamic Group Checker", the Administration Service falls into a loop continuously rebuilding the members list of the dynamic group. This causes ceaseless updates of the group's attributes accountNameHistory and edsaDGStatus, which may eventually result in the overgrowth of ActiveRoles Server's Management History database. A symptom of the issue is a rapidly increasing number of error events in the EDM Server event log on the computer running the Administration Service. The root cause of the issue is that the deleted user object is not recognized as such by the Administration Service since the deletion was made outside of ActiveRoles Server.
TF00172528
Fixed: When adding or removing a member from a group in accord with a Group Membership AutoProvisioning policy, the Administration Service does not record the "Add to Group" or "Remove from Group" operation into the management history log. As a result, the operation is missing from the "Change History" report for that group.
TF00161500
Fixed: When adding a user to a domain local group, the ActiveRoles Server may encounter an error condition. A symptom of the issue is an error message stating "The specified account does not exist (Exception from HRESULT: 0x80070525)."
The issue occurs under the following conditions:
- The user and the group are from different Active Directory forests.
- The domain of the group and the domain of the user are registered with ActiveRoles Server, and trust each other.
- The group is a member of a certain Managed Unit.
The error occurs when you perform the following steps:
1. Select the user and run the "Add to a Group" command.
2. In the "Select Objects" dialog box that appears, click Browse and select the Managed Unit containing the group.
3. In the list of Managed Unit members displayed by the "Select Objects" dialog box, double-click the group and then click OK.
Note that the "Browse for Container" dialog box, which appears when you click Browse, does not allow you to select the domain of the group under the "Active Directory" node. Nonetheless, you can select a Managed Unit under the Managed Units node, and then select the group from the list of Managed Unit members.
TF00166422
Fixed: The ActiveRoles Server console does not correctly identify the filter setting of a query-based distribution group that was created by using ActiveRoles Server's Web Interface. Suppose, for example, you have created a query-based distribution group in the Web Interface, with the following filter options selected:
- Include in this query-based distribution group
- Users with Exchange mailbox
If you then open the Properties dialog box for that group in the ActiveRoles Server console, you may see that the "Customize filter" option is selected in the Filter area on the General tab, instead of the filter options you selected when creating the group in the Web Interface.
TF00166582
Fixed: Incorrect behavior of the "E-mail server settings" field on the "Attestation Review Configuration/Notification" page in the ActiveRoles Server console: When you choose a list item other than "Default Mail Settings" from the "Configuration of the outgoing mail server" list, the console may disregard your choice. If you close and then reopen the Attestation Review Configuration panel, the configuration reverts to "Default Mail Settings". The issue occurs if "Default Mail Settings" is at the top of the "Configuration of the outgoing mail server" list. The root cause of the issue is that the console displays the topmost list item even though the configuration was saved with a different list item selected.
TF00161275
Fixed: The "Home folder" and "Terminal services home directory" entries cannot coexist on a single page in the Web Interface. A symptom of the issue is that the home folder settings are removed when you save changes on a page containing both the "Home folder" and "Terminal services home directory" entries. The issue results from a conflict on the page which is due to the same internal identifier assigned to both entries. The issue is addressed by correcting the entries to ensure that each entry has a unique identifier.
TF00163191
Fixed: The "Browse for Objects" dialog box in the Web Interface indicates a collapsed node of the tree view as if the node were expanded and empty. Thus, when you expand the "Active Directory" node, the domain nodes under that node, which are collapsed by default, have a minus instead of plus expander button. Since a domain node is collapsed, its child nodes are not displayed. The minus expander button in this case causes confusion, suggesting that the node is actually expanded and has no child items. To address the issue, the "Browse for Objects" dialog box has been updated to display correct expander buttons indicating the state (expanded or collapsed) of each container node in the tree view.
TF00165893
Fixed: Security vulnerabilities in the Web Interface:
- A Unicode conversion Cross-Site Scripting (XSS) vulnerability caused by an input validation error in the filtration of special HTML characters supplied as Unicode characters. By exploiting this vulnerability, an attacker could craft a malicious link containing arbitrary HTML or script code to be executed in a user's browser.
- A Cross-Site Scripting (XSS) vulnerability of the LeftRightPanelSize parameter allows an attacker to embed a malicious script in a dynamically-generated Web Interface page and then execute the script on the computer of any user who views that page. In this instance, the Web Interface was vulnerable to an automatic payload, meaning the user simply has to visit a page to make the malicious script execute.
- The Web Interface does not meet the following security requirement: All areas of a Web application that contain sensitive information or access to privileged functionality must send cookies via a Secure Sockets Layer (SSL) connection.
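The three fixes above expressed as defensive checks, in an added example that is not ActiveRoles Server code and is not part of the original readme. The readme does not say which Unicode conversion was involved or what LeftRightPanelSize holds, so NFKC normalization and a numeric size are assumptions here, and all function names, limits and sample values are constructed.

```python
"""Defensive counterparts to the three Web Interface fixes (constructed example)."""
import html
import re
import unicodedata

MARKUP_CHARS = re.compile('[<>"\'&]')


def filter_then_convert(value):
    """Flawed order: special characters are checked before the Unicode conversion."""
    if MARKUP_CHARS.search(value):
        raise ValueError("markup characters rejected")
    return unicodedata.normalize("NFKC", value)     # conversion re-creates ASCII '<' and '>'


def convert_then_encode(value):
    """Corrected order: canonicalise first, then HTML-encode whatever is left."""
    return html.escape(unicodedata.normalize("NFKC", value), quote=True)


def panel_size(raw, default=250, lowest=100, highest=1200):
    """Accept a size parameter only as a short run of ASCII digits, clamped to a range."""
    if raw is None or not re.fullmatch(r"[0-9]{1,4}", raw):   # \d would also admit non-ASCII digits
        return default
    return min(max(int(raw), lowest), highest)


def cookies_missing_secure(set_cookie_headers):
    """Names of cookies whose Set-Cookie header lacks the Secure attribute."""
    missing = []
    for header in set_cookie_headers:
        first, *attributes = [part.strip() for part in header.split(";")]
        if "secure" not in {a.split("=", 1)[0].strip().lower() for a in attributes}:
            missing.append(first.split("=", 1)[0])
    return missing


# Constructed inputs: fullwidth angle brackets (U+FF1C, U+FF1E) and two response headers.
FULLWIDTH_MARKUP = "\uff1cb\uff1ehello\uff1c/b\uff1e"
RESPONSE_COOKIES = [
    "SessionId=abc123; path=/; HttpOnly",
    "AuthTicket=def456; path=/; secure; HttpOnly",
]

if __name__ == "__main__":
    print("filter, then convert:", filter_then_convert(FULLWIDTH_MARKUP))
    print("convert, then encode:", convert_then_encode(FULLWIDTH_MARKUP))
    print("panel size from bad input:", panel_size('300"><b>'))
    print("cookies without Secure:", cookies_missing_secure(RESPONSE_COOKIES))
```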
TF00166111
Fixed: Unable to remove the policy description buttons from Web Interface pages: Setting the ShowEffectivePolicyIcons flag to FALSE in the edsaWIForms attribute of the Web Interface configuration has no effect. The issue is due to a defect in the Web Interface that causes the ShowEffectivePolicyIcons flag setting to be disregarded.
TF00169996
Fixed: In the Web Interface, the "Read only" option of the "Group scope" entry has no effect. Suppose you customize the "General Properties" page for a group as follows: Open that page in the Form Editor; click "edit" next to the "Group scope" entry on the "General" tab; select the "Read only" check box on the "Properties" page for that entry; save the changes and click "Reload" to apply the changes. As a result, the "Group scope" and "Group type" options on the "General Properties" page for a group should be read-only, but this is not so.
TF00170698
Fixed: Implementation of the IADSObjectOptions::SetOption method in ActiveRoles Server's ADSI Provider does not support the option ADS_OPTION_SECURITY_MASK of the ADS_OPTION_ENUM enumeration type. As a result, a script that modifies the Security Descriptor of a user object via ActiveRoles Server's ADSI Provider may cause an error condition. A symptom of the issue is the following error that occurs when a script attempts to apply changes to the DACL portion of a Security Descriptor: "The security ID may not be assigned as the owner of this object. (Exception from HRESULT: 0x8007051B)"
TF00170699
Fixed: The IADSObjectOptions::SetOption method in ActiveRoles Server's ADSI Provider requires the second argument to have a value of the Int32 value type. Since VBScript treats integer literals as Int16 by default, this causes an error condition in the following VBScript code:
' Integer literals such as 3 and 4 are Int16 values in VBScript
Const ADS_OPTION_SECURITY_MASK = 3
Const ADS_SECURITY_INFO_DACL = 4
objUser.SetOption ADS_OPTION_SECURITY_MASK, ADS_SECURITY_INFO_DACL
A symptom of the issue is a script error "The parameter is incorrect."
TF00170847
Fixed: The Web Interface displays a list of possible values for an attribute entry even though the entry is marked as read-only. Suppose, for example, you add a single-value virtual attribute to the Computer object class and configure the following Property Generation and Validation policy rule for that attribute:
Attribute
must be:
'Value 1' (default value) or
'Value 2' or
'Value 3'
Upon object creation, this policy generates default value: Yes
Then, you customize your Web Interface by adding an entry for that attribute to a certain page and configuring the entry as read-only. When you open that page, the entry appears as a combo-box with a list of possible values. The expected behavior is that the entry only displays the value of the attribute, without showing a list of possible values.
TF00170859
Fixed: The commands for creating special-purpose Exchange mailboxes, such as a resource, linked or shared mailbox, are available in the Web Interface if the Web Interface user is only allowed to create user accounts. The expected behavior is that the Web Interface displays the command for creating a special-purpose mailbox only if the user has the appropriate mailbox-creation permission configured by applying an Access Template in ActiveRoles Server:
- "New Room Mailbox" command requires the "Create Room Mailboxes" permission
- "New Equipment Mailbox" command requires the "Create Equipment Mailbox" permission
- "New Linked Mailbox" command requires the "Create Linked Mailboxes" permission
- "New Shared Mailbox" command requires the "Create Shared Mailboxes" permission
TF00170862
Fixed: The "Exchange Custom Attributes" dialog box in the Web Interface has an incorrect label on the commit button - "Save" instead of "OK."
TF00170865
Fixed: The Web Interface displays an inaccurate confirmation message when removing a member from a computer local group. The confirmation message reads "Do you want to remove "%s" from the selected group(s)?" In this message the Web Interface is expected to replace the %s variable with the name of the member that is going to be removed from the group.
TF00170868
Fixed: When a connection is made from a non-supported Web browser, the Web Interface does not display an error message as expected.
TF00170902
Fixed: When switched to a non-English user interface language, the Web Interface may encounter a script error on the "Customize Navigation Bar" page. The issue has been reported to occur with the Web Interface for self-administration (ActiveRoles Self-Service Manager) switched to the German user interface language. In that case, you encounter a script error when you try to change the "Eigener Zugriff" item in the "Self-Service" group of menu items.
TF00170904
Fixed: The "Confirm password" option does not function as expected on the "Set Password" page for a local user account in the computer management section of the Web Interface. Regardless of whether the password you typed in the "Password" field on that page matches what you typed in the "Confirm password" field, the Web Interface successfully sets the new password. The expected behavior is that an error message appears if what you typed in the "Confirm password" field is not the same as the password you typed in the "Password" field.
TF00170908
Fixed: On the "Exchange Properties/Delivery Options" page for a mailbox-enabled user account in the Web Interface, the "Modify" button is available in the "Forwarding address" area regardless of the option selected in that area. The "Modify" button should only be available if the "Forward to" option is selected.
TF00170909
Fixed: The Web Interface does not allow you to complete the "Enable Unified Messaging" wizard once you have manually specified an invalid PIN on the "Unified Messaging PIN" page in the wizard. Suppose you select the option to specify a PIN manually, enter a PIN that does not comply with the PIN policy, and click Next. The wizard displays an error message and does not allow you to proceed to the next step. However, if you then select the option to generate a PIN automatically, the error message persists so you cannot access the next step of the wizard.
TF00170924
Fixed: Incorrect behavior of the UPN suffix part of the "User logon name" entry in the Web Interface: In case of multiple UPN suffixes available in the Active Directory forest, the entry requires that you click two times on the arrow button next to the "User logon name" field to display a complete list of UPN suffixes. A single click on the arrow button causes the entry to display an incomplete list containing a single UPN suffix. See also TF00171657.
TF00170926
Fixed: Incorrect vertical alignment of the "Generate" button next to the "Alias" field on the Web Interface pages for creating mailbox-enabled user accounts.
TF00170929
Fixed: Incorrect vertical alignment of the combo-box for selecting the UPN suffix in the "User logon name" field on the Web Interface pages for creating user accounts.
TF00170938
Fixed: Incorrect appearance of the "Approve Selected" and "Reject Selected" buttons on the "Pending Tasks" page in the Approval area of the Web Interface: When one or more approval tasks are selected on that page, the buttons remain grayed out, as if they were unavailable. The expected behavior is that the buttons are only grayed out if no approval tasks are selected on the "Pending Tasks" page.
TF00170939
Fixed: Incorrect attribute names in the "Exchange Custom Attributes" dialog box for a mailbox-enabled user account in the Web Interface: The attribute names read "extensionAttribute1" through "extensionAttribute15" instead of "Custom Attribute 1" through "Custom Attribute 15."
TF00170958
Fixed: A search for an object whose name ends with a backslash character (\) causes a script error in the "Select Object" dialog box in the Web Interface. An error occurs in the following scenario. You open the "Select Object" dialog box (for example, by clicking the "Add" button on the "Members" page for a group in the Web Interface); then, in the "Name" box, you type a name with a backslash character at the end of the name (for example, SomeName\), and click the "Search" button. As a result, you receive a script error message that reads "Object does not support this property or method." The "Select Object" dialog box displays an error message such as "Exception has been thrown by the target of the invocation."
TF00171320
Fixed: An error condition occurs in the Web Interface when you click "Examine in detail" on the "My Reviews" page and then click the "Save" button. The error message reads "Object reference not set to an instance of an object."
TF00171431
Fixed: When applying changes to the "Mailbox Rights" setting, the Web Interface also makes changes to the "Unified Messaging Is Enabled" attribute. The expected behavior is that the Web Interface leaves the "Unified Messaging Is Enabled" attribute intact unless the changes are made via the Web Interface to enable or disable Unified Messaging for the mailbox user.
TF00171434
Fixed: An error condition occurs in the Web Interface when you click "Change" on the "My Reviews" page, make any changes, and then click the "Save" button. The error message reads "Object reference not set to an instance of an object."
TF00171436
Fixed: Incorrect behavior of the Hide/Unhide button on the "Customize Navigation Bar" page in the Customization section of the Web Interface: The label on the button does not change as expected when you change properties of a list item on that page to hide or unhide the corresponding menu item. Suppose, for example, you select a list item, click the "Properties" button, and then clear the "Display this item on the menu" check box and click OK in the "Item Properties" dialog box. Since the item is now configured to be hidden, the label on the Hide/Unhide button is expected to change to "Unhide"; however, the label reads "Hide" and only changes after you select a different list item and then select the item you have changed.
TF00171657
Fixed: Incorrect behavior of the UPN suffix part of the "User logon name" entry in the Web Interface: In case of multiple UPN suffixes configured by applying a Property Generation and Validation policy rule to the attribute edsaUPNSuffix, the entry requires that you click two times on the arrow button next to the "User logon name" field to display a complete list of UPN suffixes. A single click on the arrow button causes the entry to display an incomplete list containing a single UPN suffix. See also TF00170924.
TF00171666
Enhancement: The regular Web Interface that ships with ActiveRoles Server can now be integrated with Web Interface Lite, a scaled-down version of the Web Interface that supports Microsoft Internet Explorer 6.0. This integration capability makes it possible for Web Interface Lite to coexist with the regular Web Interface so that one could use a single address (URL) to access both the regular Web Interface and Web Interface Lite. The configuration file of the regular Web Interface has been extended to include a parameter that specifies the address of Web Interface Lite, which enables the regular Web Interface to redirect Internet Explorer 6.0 to Web Interface Lite instead of denying access (note that the regular Web Interface itself does not support Internet Explorer 6.0). As a result, if you open the address of a regular Web Interface site in a Web browser supported by the regular Web Interface, you gain access to the regular Web Interface; if you open that same address in Internet Explorer 6.0, then you see the pages provided by Web Interface Lite. For further details, refer to the Web Interface Lite documentation.
TF00171782
Fixed: On a Web Interface page for conducting Attestation Review, in case of an error condition the error message may not appear until you refresh the page.
TF00172033
Fixed: On the Search page in the Web Interface, pressing the ENTER key has no effect. The expected behavior is that the Web Interface starts the search when you type in a text field on the Search/Basic page and then press ENTER.
TF00172173
Fixed: Performance issue in ActiveRoles Self-Service Manager: In an environment with a large number (30,000+) of published groups, the "My Access" page may appear to stop responding for a long time. The issue is due to inefficient LDAP filters used to build a list of groups on that page.
TF00172476
Fixed: ActiveRoles Server's add-in may prevent Outlook from opening an MSG file. A symptom of the issue is an error message that appears when you open an MSG file in Outlook, close and then reopen that file: "Cannot open file: <name>. The file may not exist, you may not have permission to open it, or it may be open in another program." The root cause of the issue is that the add-in may not promptly close the 'Inspector' and 'Inspector.CurrentItem' COM objects after an MSG file has been closed, which places the MSG file in a locked state. To address the issue, the add-in has been updated to ensure that the 'Inspector' and 'Inspector.CurrentItem' COM objects that are no longer needed are closed immediately.