One of our customers uses UCS (5.0.2) in member mode.
(so the UCS server is joined as member in an AD domain)
This works quite well, however there’s a problem with the administration.
As an AD domain administrator, actions in the UMC can be done (mostly) without problems - like saving changes to UCS-only attributes in OpenLDAP.
Other admins, who only got the “umc-all” policy, cannot save UCS-specific changes. They get “Zugriff verweigert”.
Also, even as AD domain admin, when adding the umc-all-policy to a group, another error message appears: “Das LDAP-Objekt konnte nicht gespeichert werden: Der Wert darf nicht verändert werden: Attribut=mailAddress alter Wert=None neuer Wert=.”
This error indicates an unnecessary attribute change and might be a bug. However, even if we could add this policy to the whole group, it wouldn’t change the fundamental problem.
TL;DR: Which action must be taken to upgrade AD users to Univention Domain Admins without making them MS AD Domain Admins?
Thanks for reading,