Administration in Member Mode


One of our customers uses UCS (5.0.2) in member mode
(so the UCS server is joined as a member in an AD domain).

This works quite well, however there’s a problem with the administration.
As an AD domain administrator, actions in the UMC can be done (mostly) without problems - like saving changes to UCS-only attributes in OpenLDAP.
Other admins, who only got the “umc-all” policy, cannot save UCS-specific changes. They get “Zugriff verweigert”.
Also, even as AD domain admin, when adding the umc-all-policy to a group, another error message appears: “Das LDAP-Objekt konnte nicht gespeichert werden: Der Wert darf nicht verändert werden: Attribut=mailAddress alter Wert=None neuer Wert=.”
This error indicates an unnecessary attribute change and might be a bug. However, even if we could add this policy to the whole group, it wouldn’t change the fundamental problem.

TL;DR: Which action must be taken to upgrade AD users to Univention Domain Admins without making them MS AD Domain Admins?

Thanks for reading,

Really no ideas?