
I'm using a Rust program to perform a modify_replace command on an Active Directory group. This command modify_replaces around 30,000 users. I verified the user has read/write access to the group. I'm modifying the member attribute on a group object.

Adding the largest successful modify_replace is about 8,000 objects.

The error I receive is:

2022-08-26T17:02:55.001Z ERROR [groupsyncer::ldap::ad] "000021B1: SvcErr: DSID-0315154A, problem 5005 (UNABLE_TO_PROCEED),

Brandon Kauffman
  • Please update your question to mention the attribute(s) you are modifying. – ixe013 Aug 26 '22 at 18:25
  • Are you trying to add all 30,000 users in a single modify_replace operation? If so, I think you will need to add them one at a time, or possibly just do less at a time (1000 or less). – Gabriel Luci Aug 26 '22 at 18:51
  • @GabrielLuci Can you use modify_replace in intervals, or will I need to use modify_add and modify_delete? – Brandon Kauffman Aug 26 '22 at 19:14
  • @ixe013 I updated the post. I am attempting to modify the member attribute – Brandon Kauffman Aug 26 '22 at 19:15
  • Going in chunks is the best suggestion. Also beware that you might be [reaching the maximum number of groups for a given user](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc756101(v=ws.10)#group-memberships-for-security-principals) (by adding that user to a single, but one-to-many group). – ixe013 Aug 26 '22 at 21:48

1 Answer


The issue for me was that a few users in the modify_replace could not be added to the group. By adding them one at a time using modify_replace, I could narrow it down. For safety I chose modify_add as the only option.

Brandon Kauffman
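
The chunking suggested in the comments and the narrowing-down described in the answer can be combined, as in this added example (not code from the original post or from any LDAP crate). It assumes a hypothetical `add_members` callback standing in for one modify request that adds values to the group's `member` attribute; the DNs, the 1000-entry chunk size and the rejecting mock directory are constructed for the demonstration.

```rust
// Added example, not from the original post. `add_members` is a hypothetical
// stand-in for one LDAP modify request that adds values to the group's
// `member` attribute; the DNs and the rejecting mock below are constructed.
use std::collections::HashSet;

type Rejected = Vec<(String, String)>; // (member DN, server error text)

/// Adds `members` in chunks; returns (added DNs, rejected DNs with errors).
fn add_in_chunks<F: FnMut(&[String]) -> Result<(), String>>(
    members: &[String], chunk_size: usize, add_members: &mut F,
) -> (Vec<String>, Rejected) {
    let (mut added, mut rejected) = (Vec::new(), Vec::new());
    for chunk in members.chunks(chunk_size.max(1)) {
        bisect(chunk, add_members, &mut added, &mut rejected);
    }
    (added, rejected)
}

/// A modify request is applied as a whole or not at all, so a failed chunk
/// changed nothing: split it and retry until single failing DNs remain.
fn bisect<F: FnMut(&[String]) -> Result<(), String>>(
    chunk: &[String], add_members: &mut F, added: &mut Vec<String>, rejected: &mut Rejected,
) {
    match add_members(chunk) {
        Ok(()) => added.extend_from_slice(chunk),
        Err(e) if chunk.len() <= 1 => rejected.extend(chunk.first().map(|dn| (dn.clone(), e))),
        Err(_) => {
            let (left, right) = chunk.split_at(chunk.len() / 2);
            bisect(left, add_members, added, rejected);
            bisect(right, add_members, added, rejected);
        }
    }
}

/// Constructed run: 30,000 DNs, three of which the mock directory refuses.
/// Returns (number added, rejected DNs, number of modify requests sent).
fn demo() -> (usize, Vec<String>, usize) {
    let members: Vec<String> =
        (0..30_000).map(|i| format!("CN=user{},OU=People,DC=example,DC=com", i)).collect();
    let bad: HashSet<&str> = [17usize, 4_242, 29_999].iter().map(|&i| members[i].as_str()).collect();
    let mut requests = 0;
    let mut mock = |dns: &[String]| {
        requests += 1;
        if dns.iter().any(|dn| bad.contains(dn.as_str())) { Err("UNABLE_TO_PROCEED".to_string()) } else { Ok(()) }
    };
    let (added, rejected) = add_in_chunks(&members, 1000, &mut mock);
    (added.len(), rejected.into_iter().map(|(dn, _)| dn).collect(), requests)
}

fn main() { println!("{:?}", demo()); }
```

Logging the rejected DNs together with the server's error text gives an audit trail of which accounts never made it into the group.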