Problem
You want to create or modify an LDAP object and get the following message with any Domain Admins account.
Solution
First, check whether cn=Domain Admins has been moved out of cn=groups.
You can also check this in the terminal with the following command (the dn is what matters; for this example I created ou=faketest):
univention-ldapsearch cn='Domain Admins'
**dn: cn=Domain Admins,ou=faketest,dc=univention-windows,dc=de**
univentionObjectType: groups/group
univentionGroupType: -2147483646
cn: Domain Admins
sambaSID: S-1-5-21-2846578403-2289919452-1137481256-500
sambaGroupType: 2
gidNumber: 5000
memberUid: Administrator
uniqueMember: uid=Administrator,cn=users,dc=univention-windows,dc=de
univentionPolicyReference: cn=default-umc-all,cn=UMC,cn=policies,dc=univention-windows,dc=de
objectClass: posixGroup
objectClass: univentionGroup
objectClass: sambaGroupMapping
objectClass: univentionPolicyReference
objectClass: univentionObject
objectClass: top
or check it with:
udm groups/group list --filter cn='Domain Admins'
cn=Domain Admins
DN: cn=Domain Admins,ou=faketest,dc=univention-windows,dc=de
adGroupType: -2147483646
description: None
gidNumber: 5000
isOxGroup: None
mailAddress: None
name: Domain Admins
oxContext: None
sambaGroupType: 2
sambaRID: 500
univentionObjectIdentifier: None
univentionSourceIAM: None
users: uid=Administrator,cn=users,dc=univention-windows,dc=de
univentionPolicyReference: cn=default-umc-all,cn=UMC,cn=policies,dc=univention-windows,dc=de
The Domain Admins group has been moved to ou=faketest, so its members no longer have the permissions. The group has to be in its correct position under cn=groups to get the permissions back.
The following command moves cn=Domain Admins back to cn=groups (use the dn from your own output in the command):
udm groups/group move --dn 'cn=Domain Admins,ou=faketest,dc=univention-windows,dc=de' --position 'cn=groups,dc=univention-windows,dc=de'
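
The check and the move from the steps above can be combined into one script. This is an added example, not code from the original article or from Univention: the function names are hypothetical, the LDIF is read from stdin, and the LDAP base is passed as an argument. It also handles folded LDIF lines and base64-encoded DNs (for instance when the group was moved into an OU with non-ASCII characters).

```shell
#!/bin/sh
# Added example (not Univention code): is cn=Domain Admins still directly below cn=groups?

# Constructed sample: the DN from the article, folded the way LDIF wraps long lines.
SAMPLE_LDIF='dn: cn=Domain Admins,ou=faketest,dc=univention-win
 dows,dc=de
cn: Domain Admins'

# Read LDIF on stdin, print the first entry's DN (unfolded, base64-decoded if "dn::").
get_dn() {
    line=$(awk '
        /^ /   { if (indn) dn = dn substr($0, 2); next }  # continuation line
        /^dn:/ { if (dn != "") exit; dn = $0; indn = 1; next }
               { indn = 0 }
        END    { print dn }')
    case $line in
        "dn:: "*) printf '%s' "${line#dn:: }" | base64 -d ;;  # non-ASCII DN
        "dn: "*)  printf '%s' "${line#dn: }" ;;
    esac
}

# DNs compare case-insensitively; optional spaces after commas are ignored.
norm_dn() { printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/, */,/g'; }

# $1 = LDAP base. Returns 0 if in place, 1 if moved (prints the move command), 2 if not found.
check_domain_admins() {
    base=$1
    dn=$(get_dn)
    if [ -z "$dn" ]; then
        echo "Domain Admins not found"; return 2
    fi
    if [ "$(norm_dn "$dn")" = "$(norm_dn "cn=Domain Admins,cn=groups,$base")" ]; then
        echo "OK: $dn"; return 0
    fi
    echo "udm groups/group move --dn '$dn' --position 'cn=groups,$base'"
    return 1
}

# Demo on the constructed sample. On a UCS system, feed live data instead (assumes
# univention-ldapsearch passes -LLL through to ldapsearch):
#   univention-ldapsearch -LLL cn='Domain Admins' | check_domain_admins "$(ucr get ldap/base)"
printf '%s\n' "$SAMPLE_LDIF" | check_domain_admins 'dc=univention-windows,dc=de' || true
```

The script only prints the move command; review the DN and position before running it.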