Users in new OU in Active Directory have to enter credentials when accessing SharePoint Foundation 2013

Hi,
We have a SharePoint farm consisting of one web front end server and one database server, running SharePoint Foundation 2013.  This farm has been up and running for over a year and uses AD for authentication, and SharePoint groups for authorization.
The problem we are seeing is that when we create a new Organizational Unit in AD and add users under this new OU, they are prompted for their credentials when trying to access SharePoint.  We've done the below tests to narrow the issue down:
1) New user (xxx) in new OU (111) logs into Windows PC and tries to access SharePoint via IE 10 -- they are prompted for their credentials. They are required to enter their username as 'domain\username' to be able to log in successfully to SharePoint.
2) Existing user (yyy), in existing OU (222) logs into same Windows PC and tries to access SharePoint via IE 10 -- they are NOT prompted for their credentials and get into SharePoint successfully.
3) Existing user (yyy) is moved into new OU (111), logs into same Windows PC and tries to access SharePoint via IE 10 -- they are prompted for credentials and need to use 'domain\username' to log in to SharePoint
4) Existing user (yyy) is moved out of new OU (111) and back into their old OU (222), logs into same Windows PC and tries to access SharePoint via IE 10 -- they are prompted for credentials and need to use 'domain\username' to log in to SharePoint
Note: both the new OU (111) and old OU (222) are within the same parent OU.
1 & 2 combined tell me that it's not a PC or IE issue. We've also tried 1 & 2 on multiple PCs so that would eliminate a profile issue as well.
To me it seems that SharePoint doesn't know that the new OU is in our domain, so it doesn't think the users within the new OU are in our domain, which is why they have to supply the domain with their username when logging in...but I'm not exactly an expert when it comes to AD so this is just a guess on my part.
As a long shot, what I thought may fix it would be syncing AD with SharePoint by using User Profile Synchronization, but it's not offered as part of SharePoint Foundation, so I used this nice solution at CodePlex (https://foundationsync.codeplex.com/), but that did not fix it.
Does anyone have any ideas on how to fix this?  Or what the issue may be?
Thanks,
Shaun

Hi Christopher,
Thanks for the reply.
I feel very stupid right now -- I did look at this before posting this question to the forum, but it seems I didn't look far enough. 
We have a GPO that enters our domain into the 'Local intranet' zone of IE.  Our SharePoint site's URL is "http://sharepoint.ourdomain.com" and we've got "*.ourdomain.com" under Local intranet sites.  But, I also found the FQDN "sharepoint.ourdomain.com" under 'Trusted sites' and that seems to confuse SharePoint, because once I moved the FQDN to Local intranet and removed it from Trusted sites, the user is now not prompted for their credentials when going into SharePoint.
Thanks for your reply in making me take a second look.
EDIT: We've just removed the FQDN from Local intranet, so all we have is "*.ourdomain.com" under Local intranet and it works as well.
Regards,
Shaun
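The override described above (an explicit FQDN in Trusted sites beating a "*.ourdomain.com" wildcard in Local intranet) can be checked on a workstation before anyone files a ticket. The script below is an added example, not from the thread: it reads the "Site to Zone Assignment List" entries the GPO writes under the ZoneMapKey policy key and flags any host whose own zone differs from the wildcard that covers it; under the default logon setting only the Local intranet zone sends the logged-on user's Windows credentials automatically, so such a host loses silent logon. The host names in the sample are constructed; entries added by hand under ZoneMap\Domains use a different layout and are not parsed here.

```powershell
# Added example: detect explicit zone assignments that override a broader wildcard.
# Assumptions: GPO-written entries live under the ZoneMapKey policy key as
# "<pattern>" = "<zone number>" (REG_SZ); sample patterns below are constructed.

$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

function ConvertTo-HostPattern {
    # Strip an optional scheme so "http://sharepoint.ourdomain.com" and
    # "sharepoint.ourdomain.com" compare equal.
    param([string]$Entry)
    return ($Entry -replace '^[a-z]+://', '').ToLowerInvariant()
}

function Test-WildcardCovers {
    # True when a "*.domain" pattern covers the given host name
    # (the wildcard matches labels below the domain, not the bare domain itself).
    param([string]$Wildcard, [string]$HostName)
    if (-not $Wildcard.StartsWith('*.')) { return $false }
    $suffix = $Wildcard.Substring(1)      # "*.ourdomain.com" -> ".ourdomain.com"
    return $HostName.EndsWith($suffix) -and ($HostName.Length -gt $suffix.Length)
}

function Find-ZoneOverride {
    # $Assignments: hashtable of site pattern -> zone number, as the policy key stores them.
    # Returns one record per host whose zone differs from the wildcard covering it.
    param([hashtable]$Assignments)
    $wildcards = @{}
    $hosts     = @{}
    foreach ($k in $Assignments.Keys) {
        $pattern = ConvertTo-HostPattern $k
        if ($pattern.StartsWith('*.')) { $wildcards[$pattern] = [int]$Assignments[$k] }
        else                           { $hosts[$pattern]     = [int]$Assignments[$k] }
    }
    $findings = @()
    foreach ($h in $hosts.Keys) {
        foreach ($w in $wildcards.Keys) {
            if ((Test-WildcardCovers $w $h) -and ($hosts[$h] -ne $wildcards[$w])) {
                $findings += [pscustomobject]@{
                    Host           = $h
                    HostZone       = $ZoneNames[$hosts[$h]]
                    Wildcard       = $w
                    WildcardZone   = $ZoneNames[$wildcards[$w]]
                    # Silent Windows logon is lost when the wildcard was intranet and the host is not
                    LosesAutoLogon = ($wildcards[$w] -eq 1 -and $hosts[$h] -ne 1)
                }
            }
        }
    }
    return $findings
}

function Get-PolicyZoneAssignments {
    # Read the GPO-written assignments from the machine and (if present) user policy keys.
    $paths = @(
        'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey',
        'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
    )
    $result = @{}
    foreach ($p in $paths) {
        if (Test-Path $p) {
            $item = Get-ItemProperty -Path $p
            foreach ($prop in $item.PSObject.Properties) {
                # Skip the PSPath/PSParentPath/... properties the provider adds
                if ($prop.Name -notlike 'PS*') { $result[$prop.Name] = $prop.Value }
            }
        }
    }
    return $result
}

# Constructed sample mirroring the thread: the wildcard is intranet, the FQDN is trusted.
$sample = @{
    '*.ourdomain.com'                 = '1'
    'http://sharepoint.ourdomain.com' = '2'
}
Find-ZoneOverride $sample | Format-Table -AutoSize

# To check a real workstation's policy entries instead:
# Find-ZoneOverride (Get-PolicyZoneAssignments) | Format-Table -AutoSize
```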

Similar Messages

  • Can you authenticate user/password from SAP to Active Directory

    I don't want to implement SSO for ABAP because my company doesn't have the license for "SAP NW Single Sign-On"; but we would like to authenticate our users and their passwords to Active Directory.  Our goal is to make sure the user/password in SAP is the same as their Active Directory user/password.  Is this possible?
    Thanks!

    This has been discussed many times, for example see SSO with LAN UserID/Password. The short answer is no, you can't synchronize passwords. You can however achieve the requirement assuming you are using Identity Management to provision users and passwords to all systems (AD, SAP, etc). In that case you will have to deal with users changing their password. Recommendation is to enable SSO. If you don't want to get licenses for NWSSO, try to look at other options (X.509 certificates, SPNEGO in AS JAVA and then issue a Logon Ticket, 3rd party solution, etc).

  • Create a new group in Active Directory ?

    Hello,
    I'd like to create a new group in Active Directory. Can somebody show me a sample code please ?
    Thanks.

    Someone should show you how to perform a search. There's a sample in this forum.
    http://forums.sun.com/thread.jspa?threadID=623860

  • Provision Search in SharePoint Foundation 2013 without Domain Controller / Active Directory - Domain accounts

    Hi,
    I have successfully set up SharePoint Foundation 2013 as a single server farm with a SQL Server Standard database in a DMZ environment using local accounts, since the DMZ doesn't have an Active Directory and hence no domain accounts, using PowerShell as described in https://theblobfarm.wordpress.com/2012/12/03/installing-sharepoint-2013-without-a-domain-controller
    When I run Farm configuration wizard to provision search service application, I get an error:
    ERROR: "The service application(s) for the service "Search Service Application" could not be provisioned because of the following error: I/O error occurred."
    The log file logged the details of this error as:
    ERROR: "Failed to create file share Analytics_e441aa1c-1a8d-4f0a-a079-58b499eb4c50 at D:\SharePoint Search\Office Server\Analytics_e441aa1c-1a8d-4f0a-a079-58b499eb4c50 (System.ArgumentException: The SDDL string contains an invalid sid or a sid that cannot be translated."
    After investigation, I found that potentially the error could be because the timer service is trying to set up a network share for the analytics component (as part of provisioning search). It is trying to set up that share with a domain account that happens to be a local user instead in this case and fails with error "System.ArgumentException: The SDDL string contains an invalid sid or a sid that cannot be translated".
    I got some pointer from the below thread
    https://social.technet.microsoft.com/Forums/en-US/c8e93984-f4e5-46da-8e8a-c5c79ea1ff62/error-creating-search-service-application-on-sharepoint-foundation-with-local-account?forum=sharepointadmin
    However, the above thread doesn't state that the solution worked.
    I have tried creating the share manually for the Analytics_<Guid> folder but it doesn't work, since every time the farm configuration wizard is run it creates a new Analytics_<Guid> folder.
    Since, I have setup SharePoint Foundation 2013 on a production environment I cannot test and trial various solutions.
    Can someone please guide me on how to successfully provision search for SharePoint Foundation 2013 set up as a single server farm with a SQL Server Standard database in a DMZ environment using local accounts (without Active Directory domain accounts).
    Thanks in advance.
    Himanshu

    Microsoft documentation doesn't always specifically call out all products (Project Server isn't there, either). But it does apply. You'll need to stand up at least one Domain Controller, or allow port access back to a DC.
    Preferably, set up SharePoint on the internal network and use a reverse proxy (which will terminate client connections at the reverse proxy) present in the DMZ.
    Trevor Seward
    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

  • "Active Directory operation failed on DC " when assigning Send As permissions on a distribution group

    I'm trying to give a mailbox user Send As right for a distribution group. But the cmdlet comes back with this:
    Get-DistributionGroup MyGroup | Add-ADPermission -user albert -ExtendedRights Send-As
    Active Directory operation failed on <DC fqdn>. This error is not retriable. Additional information: Access is denied.
    Active directory response: 00000005: SecErr: DSID-03151E07, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
        + CategoryInfo          : WriteError: (0:Int32) [Add-ADPermission], ADOperationException
        + FullyQualifiedErrorId : FE24751F,Microsoft.Exchange.Management.RecipientTasks.AddADPermission
    What could be the problem, considering the items below :
    - inheritance is not broken to the level of the distribution group object
    - the account used to run the cmdlet is a member of the Organization Management group
    - creating a new distribution group in the same OU and running the command works as expected; checking the permissions for this group against MyGroup (using Get-DistributionGroup testgroup | Get-ADPermission | Sort-Object User,AccessRights | ft user,accessrights,extendedrights,properties) shows no differences.
    - adding the permission using ADUC results in the user being able to Send As the group, however I'm trying to find out the root cause of the Powershell cmdlet execution problem
    - there is no Deny permission on the group's ACL
    - the group didn't have the "Hide Membership" feature of Exchange 2003 applied, so there shouldn't be any non-canonical ACL issues

    Anyone ever come up with a solution to this?  I get something similar when Activesync tries to create objects on user containers.
    Exchange ActiveSync doesn't have sufficient permissions to create the "CN=Test User,OU=Domain Users,DC=domain,DC=com" container under Active Directory user "Active Directory operation failed on DELL7S09.domain.com. This error is not retriable.
    Additional information: Access is denied.
    Active directory response: 00000005: SecErr: DSID-03151E07, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
    Make sure the user has inherited permission granted to domain\Exchange Servers to allow List, Create child, Delete child of object type "msExchActiveSyncDevices" and doesn't have any deny permissions that block such operations.
    Details:%3
    So...I get this after I introduced a MS Exchange 2010 SP3 RU8 server into my environment.  You can find LOTS of people suggesting the same fix but I've not found anything that deviates from those fixes: check the "inherit permissions", and give full permissions to msExchActiveSyncDevices for the Exchange Servers security group, blah blah.
    I got to this point by following a Migrate to Exch2010 paper by MS.  I have no Win2k servers; my old Exchange server is Win2003r2SP2 with Exch2003SP2 fully patched.  The Exch server is also a DC.  I installed a new 2012r2 server and then patched it.  Installed Exch2010SP3Ru8 and all seems well.
    The old Exch2003 server is still in production.  My iPhone army connects remotely for mail, and all works great.  I created a new Test User in AD, gave it a mailbox on the 2003 server, and waited a bit.  It eventually shows up in the Server Manager on the new 2010 Exch Server.  I send it a bunch of emails, connect to it with an Outlook client on a Win7 machine, all works.  I go to the SM on the 2010 box and migrate the mailbox to the new server.  It works.  I can connect with Outlook, send/receive mail to other users in the org.  I then try to connect with my iPhone and I get the message in Event Viewer over and over.
    Went so far as to promote the new 2012 server to a DC.  Seems to be fine.  Now I am wondering if I demote the old Exch2003 server, will it help...or cause a new crop of issues....

  • Could not connect to the Active Directory. Active Directory Certificate Services will retry when processing requires Active Directory access

    Event properties – Event 91, Level Error, Event ID 91, Date and time 5/10/2012 11:29:48AM, Service CertificationAuthority
    General: 
    Could not connect to the Active Directory.
    Active Directory Certificate Services will retry when processing requires Active Directory access.
    We have a Windows 2008 Server Enterprise with AD. I would like to enable the "Certificate Services" service that allows me to enable RADIUS to authenticate wireless users with Active Directory.

    Hi, 
    Can you please check this forum, or someone from Microsoft, as we have posts here dating back to October that are not being answered.
    Everything for us is exactly the same as szucsati and Racom
    NMNM, 
    Please give us an answer on this as the link provided is absolutely useless.
    Thank you.

  • Since moving to Maverick and the new updated of Keynote, I have a constant problem when typing in a text box, the program crashes. Is there a bug fix for this. Drives me nuts.

    Since moving to Maverick and the new updated of Keynote, I have a constant problem when typing in a text box, the program crashes. Is there a bug fix for this. Drives me nuts. Like many who can type quite quickly but at secretarial level, the text box freezes, nothing works and you know what's coming...crash!
    This is most annoying. Is there bug fixes for this. Apparently I have the current updates and this problem still exists. Is it a Maverick bug or Keynote.
    Barry

    How did you install Mavericks, as an update on top of the previous OS, or did you wipe the drive and install clean?

  • Sharepoint Foundation 2013 User field issue

    Guys, I have an issue with a SharePoint Foundation 2013 site that we have created some custom workflows for. We have a couple of required fields where we type in a user's name and it automatically pulls up a user based on Active Directory. Once we choose that name and then save the form, the field immediately becomes blank when I open the workflow item back up. I'm kind of at a loss. I've already totally hosed the server once and was forced to restore.  This seems to have started when we installed SharePoint Server patch KB2881077 but I cannot uninstall or roll back the patch as there is no option to.
    Thoughts?

    If you're using SharePoint 2013 April 2013 CU or higher, this is a known issue where the People data is missing in Edit view. There is a separate issue that is resolved in the September 2014 CU:
    http://support.microsoft.com/kb/2995905
    Consider the following scenario:
    You create a SharePoint 2013 list that contains a Person or Group (people picker) column.
    You create or edit an item, and then you select a person whose name contains a comma in the Person or Group field.
    In this scenario, the value of the Person or Group field is lost when you save the item. 
    Trevor Seward
    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

  • Site Login Behavior For SharePoint Foundation 2013 Users With Expired Passwords?

    What are the most user-friendly ways of getting external users with expired AD passwords back into the SharePoint site with a new working password?
    We already send automated email notifications to users reminding them to change their soon-to-expire passwords.  However, sometimes they miss seeing the email notifications before the password expires (such as after returning from vacation, or just carelessness and lack of attention to email messages) or they see the warning messages and forget to act on it.
    When this happens and they try to log into the SharePoint site from the Internet, their login fails without telling the user the reason they can't log in is because their password expired.  So, they end up confused and call the help desk to get their password reset.
    Is there a way to set up the SharePoint Foundation 2013 login in a similar way to the OWA login so that, when a user with a correct but expired password tries to log in, it gives them a prompt to set a new password right there rather than just an error indicating their login failed for unknown reasons or the password is "incorrect"?

    It could be done. You get a different event log entry for an expired login attempt than for a wrong password, 4625 events denote a login failure and an error ID of 23 denotes a logon failure.
    A naff, but simple, approach would be to create a tool that checks your server logon event log for 4625 entries and then emails that user, or the help desk, or security, that they're trying to get onto your system with expired credentials.
    For a more polished experience you've got a lot more work and bluntly it's going to be impractical for you. You'd have to re-write sections of the SharePoint authentication process or intercept the process, both are risky and not a good idea to try.
    There's a really interesting paper here that might be of interest, it won't help you in your current situation but it might shed more light on the overall authentication/authorisation process.
    http://www.sans.org/reading-room/whitepapers/forensics/windows-logon-forensics-34132
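    The "check the logon event log for 4625 entries" approach above is workable only if the tool can tell an expired password apart from a mistyped one, which 4625 records in its SubStatus field. The script below is an added example, not from the answer: it parses 4625 event XML, maps the substatus to a reason, and keeps only the expired-password failures that merit a "please reset" notice. The event field names are the standard 4625 fields; the sample events, user names and addresses are constructed.

    ```powershell
    # Added example: classify 4625 logon failures by SubStatus so that an
    # expired password (0xC0000071) can be reported differently from a wrong one.
    # Assumption: run on the server that performs the logon (e.g. the web front end
    # for NTLM, logon type 3); the sample events below are constructed test data.

    $SubStatusReason = @{
        '0xC0000064' = 'user does not exist'
        '0xC000006A' = 'wrong password'
        '0xC0000071' = 'password expired'
        '0xC0000072' = 'account disabled'
        '0xC0000234' = 'account locked out'
    }

    function ConvertFrom-LogonFailureXml {
        # Take the XML of one 4625 event and return the fields an alert needs.
        param([xml]$EventXml)
        $data = @{}
        foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # Normalise "0xc0000071" / "0XC0000071" to the "0xC0000071" form used as keys above
        $sub = ('{0}' -f $data['SubStatus']).ToUpperInvariant() -replace '^0X', '0x'
        $reason = if ($SubStatusReason.ContainsKey($sub)) { $SubStatusReason[$sub] } else { 'other' }
        [pscustomobject]@{
            User      = $data['TargetUserName']
            Domain    = $data['TargetDomainName']
            LogonType = $data['LogonType']
            SourceIp  = $data['IpAddress']
            SubStatus = $sub
            Reason    = $reason
        }
    }

    function Get-ExpiredPasswordLogons {
        # Live query: recent 4625 events from the local Security log, expired-password only.
        param([int]$Hours = 24)
        $since = (Get-Date).AddHours(-$Hours)
        Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
            ForEach-Object { ConvertFrom-LogonFailureXml ([xml]$_.ToXml()) } |
            Where-Object { $_.SubStatus -eq '0xC0000071' }
    }

    function New-Sample4625Xml {
        # Build a minimal 4625 event body with only the fields the parser reads (constructed data).
        param([string]$User, [string]$SubStatus, [string]$Ip, [string]$LogonType = '3')
        return @(
            '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">',
            '<System><EventID>4625</EventID></System><EventData>',
            "<Data Name='TargetUserName'>$User</Data>",
            "<Data Name='TargetDomainName'>OURDOMAIN</Data>",
            "<Data Name='Status'>0xc000006d</Data>",
            "<Data Name='SubStatus'>$SubStatus</Data>",
            "<Data Name='LogonType'>$LogonType</Data>",
            "<Data Name='IpAddress'>$Ip</Data>",
            '</EventData></Event>'
        ) -join ''
    }

    # Two constructed failures: one expired password, one plain wrong password.
    $samples = @(
        (New-Sample4625Xml -User 'jdoe'   -SubStatus '0xc0000071' -Ip '203.0.113.10'),
        (New-Sample4625Xml -User 'asmith' -SubStatus '0xc000006a' -Ip '203.0.113.11')
    )
    $parsed = $samples | ForEach-Object { ConvertFrom-LogonFailureXml ([xml]$_) }
    $parsed | Format-Table -AutoSize

    # Only the expired-password failure warrants a "reset your password" notice to the user or help desk
    $parsed | Where-Object { $_.SubStatus -eq '0xC0000071' } |
        ForEach-Object { "Notify $($_.Domain)\$($_.User) (from $($_.SourceIp)): $($_.Reason)" }
    ```

    Replace the sample list with Get-ExpiredPasswordLogons to run it against the server's own Security log.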

  • When connecting to a server farm in sharepoint foundation 2013 cannot create new farm error: One or more types failed to load

    When trying to create a new server farm in the sharepoint foundation 2013 we get a following error :
    The local farm is not accessible. Cmdlets with FeatureDependencyId are not registered.
    PS C:\Users\Administrator> New-SPConfigurationDatabase
    cmdlet New-SPConfigurationDatabase at command pipeline position 1
    Supply values for the following parameters:
    DatabaseName: SharePoint_Config
    DatabaseServer: PC78\SQLEXPRESS,25111
    FarmCredentials
    Passphrase: *********
    New-SPConfigurationDatabase : One or more types failed to load. Please refer
    to the upgrade log for more details.
    At line:1 char:1
    + New-SPConfigurationDatabase
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidData: (Microsoft.Share...urationDatabase:
    SPCmdletNewSPConfigurationDatabase) [New-SPConfigurationDatabase], SPUpgra
    deException
    + FullyQualifiedErrorId : Microsoft.SharePoint.PowerShell.SPCmdletNewSPCon
    figurationDatabase
    And the error log is shown below :
    Microsoft.SharePoint.Upgrade.SPUpgradeException: One or more types failed to load.
    Please refer to the upgrade log for more details.
    at Microsoft.SharePoint.Upgrade.SPActionSequence.LoadUpgradeActions()
    at Microsoft.SharePoint.Upgrade.SPActionSequence.get_ActionsInternal()
    at Microsoft.SharePoint.Upgrade.SPUtility.GetLatestTargetSchemaVersionByMajorVersion(Type typeActionSequence, Int32 majorVer)
    at Microsoft.SharePoint.Upgrade.SPUtility.get_CurrentSPSiteWssTargetSchemaVersion()
    at Microsoft.SharePoint.Administration.SPSiteCollection.Add(SPContentDatabase database, SPSiteSubscription siteSubscription, String siteUrl, String title, String description, UInt32 nLCID, Int32 compatibilityLevel, String webTemplate, String ownerLogin, String ownerName, String ownerEmail, Strin... b712a522-fa85-49eb-b59c-dedf55295504
    ...g secondaryContactLogin, String secondaryContactName, String secondaryContactEmail, String quotaTemplate, String sscRootWebUrl, Boolean useHostHeaderAsSiteName, Boolean overrideCompatibilityRestriction)
    at Microsoft.SharePoint.Administration.SPSiteCollection.Add(SPSiteSubscription siteSubscription, String siteUrl, String title, String description, UInt32 nLCID, Int32 compatibilityLevel, String webTemplate, String ownerLogin, String ownerName, String ownerEmail, String secondaryContactLogin, String secondaryContactName, String secondaryContactEmail, Boolean useHostHeaderAsSiteName)
    at Microsoft.SharePoint.Administration.SPAdministrationWebApplication.CreateDefaultInstance(SqlConnectionStringBuilder administrationContentDatabase, SPWebService adminService, IdentityType identityType, ... b712a522-fa85-49eb-b59c-dedf55295504
    ...String farmUser, SecureString farmPassword)
    at Microsoft.SharePoint.Administration.SPFarm.CreateAdministrationWebService(SqlConnectionStringBuilder administrationContentDatabase, IdentityType identityType, String farmUser, SecureString farmPassword)
    at Microsoft.SharePoint.Administration.SPFarm.CreateBasicServices(SqlConnectionStringBuilder administrationContentDatabase, IdentityType identityType, String farmUser, SecureString farmPassword)
    at Microsoft.SharePoint.Administration.SPFarm.Create(SqlConnectionStringBuilder configurationDatabase, SqlConnectionStringBuilder administrationContentDatabase, IdentityType identityType, String farmUser, SecureString farmPassword, SecureString masterPassphrase)
    at Microsoft.SharePoint.Administration.SPFarm.Create(SqlConnectionStringBuil... b712a522-fa85-49eb-b59c-dedf55295504
    ...der configurationDatabase, SqlConnectionStringBuilder administrationContentDatabase, String farmUser, SecureString farmPassword, SecureString masterPassphrase)
    at Microsoft.SharePoint.PowerShell.SPCmdletNewSPConfigurationDatabase.InternalProcessRecord()
    at Microsoft.SharePoint.PowerShell.SPCmdlet.ProcessRecord() b712a522-fa85-49eb-b59c-dedf55295504
    Error Category: InvalidData Target Object Microsoft.SharePoint.PowerShell.SPCmdletNewSPConfigurationDatabase Details NULL RecommendedAction NULL b712a522-fa85-49eb-b59c-dedf55295504
    Leaving ProcessRecord Method of New-SPConfigurationDatabase. e9ae5ba6-c499-0000-d35c-aee999c4cf01
    We are using Server 2012 R2 and we don't have Office 2010 installed.

    Yes, SQL Server is on the same server as SharePoint.
    SQL has both the permissions: Securityadmin and DBcreator roles on SQL Server.
    When we run those SharePoint Management Shell commands the database will be created with the error msg (shown in attachment).

  • Restrict Which Users Can Enter Data In List Form in SharePoint Foundation 2013

    Is there a way to restrict which users can enter data in particular fields in a list item entry form?
    We are using a SharePoint Foundation 2013 list and calendar to manage vacation time. We need to restrict non-supervisor users from entering a value in a certain field in the vacation request form.
    Here is how the system works now:
    1. Employees complete the vacation request form (which creates a list item)
    2. An email is sent to their supervisor to either approve or decline the request
    3. Approved requests are automatically entered onto the vacation calendar
    We have restricted the list so that only supervisors can edit items (the pending vacation requests). The problem is that all users can mark their own requests as approved when they fill out the request form in the first place. Is there a way to restrict which users can enter data in particular fields on a list item entry form?

    Thanks for the suggestion. We ended up 1) hiding the approval column and 2) creating a second list, workflow, etc. The user no longer sees the approval column when filling out the form. Requests are now submitted to List A. Workflow #1 copies the request to List B, then deletes the item from List A. Once the request is added to List B, Workflow #2 emails the user that the request has been received and emails the supervisor that a request needs to be approved. Only supervisors have editing permissions on List B. Approved requests are automatically added to the vacation calendar (the calendar view of List B).
    We found the following site to be helpful in learning how to hide the list column:
    http://community.bamboosolutions.com/blogs/bambooteamblog/archive/2013/06/03/how-to-hide-a-sharepoint-list-column-from-a-list-form.aspx

  • Do I have to install SharePoint Foundation 2013 via a script in order to name my content databases without the GUID references?

    Hi,
    I want to install SharePoint Foundation 2013 on a standalone server with SQL Express but I want to be able to name the content databases without their GUID references. Will I have to use an install script (AutoSPInstaller perhaps?) to achieve this?
    Thanks.

    You can't do a standalone install if you want the alias (also if you plan to move the databases in the future)
    You'll need to create the alias before you create the farm with the Configuration wizard or PowerShell so you can specify the alias. Whether you create the alias before or after installing SQL Express doesn't matter as long as it points to the instance.
    Jason Warren
    @jaspnwarren
    jasonwarren.ca
    habaneroconsulting.com/Insights

  • How to add a new schema in active directory by jndi?

    I can add new objectclass schema and new attribute into eDirectory from JNDI. But I failed doing the same to active directory. I search all topic in this forums and seems like there is no such answer. So for active directory, the only way to add new schema is by using MS MMC + AD schema snap-in?

    You can update the schema via LDAP. Any tool that uses LDAP, such as Active Directory Services Interface (ADSI), Java/JNDI, LDAP Data Interchange Format (LDIF) can be used. You are not restricted to the Active Directory Schema Management snap-in.
    I strongly recommend that you read the following article http://windowssdk.msdn.microsoft.com/en-us/library/ms677995.aspx as schema extensions are not to be undertaken lightly.
    Also, if you are extending the schema, DO NOT use other organization's schema OID's. Imagine how directories would become inoperable because you defined hat size as an integer value with an OID of 1.2.3 and someone else defined Social Security Number as a string with an OID of 1.2.3 ! You can obtain your own OID branch from either Microsoft (http://msdn.microsoft.com/certification/ad-registration.asp) or from a standards organization such as ANSI.
    I'm kind of hoping that seeing as though you have mentioned that you have extended the schema for e-Directory, that you understand LDAP schemas and that you have your own valid OID. Do not use my shoe size OID !
    The following snippet illustrates how to extend the schema using JNDI:
    import java.util.Hashtable;
    import javax.naming.*;
    import javax.naming.directory.*;
    import javax.naming.ldap.*;
    // Connection settings (placeholders): bind to the schema master as a Schema Admin
    Hashtable<String, String> env = new Hashtable<>();
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    env.put(Context.PROVIDER_URL, "ldaps://<schema-master-fqdn>:636");
    env.put(Context.SECURITY_PRINCIPAL, "<schema admin DN>");
    env.put(Context.SECURITY_CREDENTIALS, "<password>");
    String attrName = "cn=ms-ShoeSize,cn=Schema,cn=Configuration,dc=antipodes,dc=com";
    LdapContext ctx = new InitialLdapContext(env, null);
    Attributes attr = new BasicAttributes(true);   // attribute names are case-insensitive
    attr.put("cn", "ms-ShoeSize");
    attr.put("objectClass", "attributeSchema");
    attr.put("ldapDisplayName", "msShoeSize");
    attr.put("isSingleValued", "TRUE");
    attr.put("attributeID", "1.2.840.113556.1.4.7000.141");
    attr.put("attributeSyntax", "2.5.5.9");          // Integer syntax...
    attr.put("oMSyntax", "2");                       // ...which AD also requires as oMSyntax 2
    Context newattr = ctx.createSubcontext(attrName, attr);
    Having created a new attribute, you could then either add it to an existing class, or create another abstract class, add it to the new abstract class, and add the new abstract class as an auxiliary class to an existing structural class. For example, create a new auxiliary class called "Clothes Sizes", add the attribute "Shoe Size" as a mayContain attribute, and then add "Clothes Sizes" as an auxiliary class to inetOrgPerson.
    Note that you need to wait for the schema cache to refresh before adding attribute or class definitions to one another, and before instantiating new objects with the new classes & attribute definitions. You can either wait for the schema cache to refresh itself, or you can force a refresh by writing the value 1 to the attribute "schemaUpdateNow" on the RootDSE.
    As I mentioned at the start of this response, I personally prefer to use LDIF, simply because it enables end-users/customers to review the schema extensions and understand their potential impact before applying them. A sample that accomplishes the above would look something like:
    dn: CN=ms-ShoeSize,CN=Schema,CN=Configuration,DC=Antipodes,dc=com
    changetype: add
    objectClass: attributeSchema
    cn: ms-ShoeSize
    ldapDisplayName: msShoeSize
    attributeID: 1.2.840.113556.1.4.7000.141
    attributeSyntax: 2.5.5.9
    oMSyntax: 2
    isSingleValued: TRUE

    dn:
    changetype: modify
    replace: schemaupdatenow
    schemaupdatenow: 1
    -

    dn: CN=inetOrgPerson,CN=Schema,CN=Configuration,DC=Antipodes,dc=com
    changetype: modify
    add: mayContain
    mayContain: mSShoeSize
    -

    dn:
    changetype: modify
    replace: schemaupdatenow
    schemaupdatenow: 1
    -

  • Need to automatically add newly created user account in an existing active directory group.

    Hi All ,
    In my environment we have a Windows Server 2012 Active Directory environment. We need to have the newly created Active Directory user account get added automatically to an existing Active Directory group after that new user account is created.
    Please tell us the possible ways to achieve this scenario.
    Regards
    S.Nithyanandham
    Thanks S.Nithyanandham

    Hi,
    Can you please confirm your requirement,
    When you create a new user account in AD, based on the user's properties like Department, Job or Location, the user needs to be added to your specific AD groups?
    Regards,
    Gopi
    JiJi Technologies

  • DBMS_LDAP adding user to security group on Active Directory

    Hi forum members,
    I am accessing and manipulating Active Directory using the DBMS_LDAP package and its API's.
    My initial code is to add a new entry in our MUsers group. After establishing the session and binding it, I supply the required credentials and the user, e.g. 366944, is created successfully in the MUsers group, which is a global users group.
    My package then calls another function to now add the same user to the MGroups group and under that the Researcher security group.
    When I do a search on the "Researcher" group this is the result : (I have deleted a few irrelevant entries)
    ATTIBUTE_NAME: objectClass = top
    ATTIBUTE_NAME: objectClass = group
    ATTIBUTE_NAME: cn = Researcher
    ATTIBUTE_NAME: member = CN=3,OU=MUsers,DC=xxx,DC=yyy
    ATTIBUTE_NAME: member = CN=2,OU=MUsers,DC=xxx,DC=yyy
    ATTIBUTE_NAME: member = CN=1,OU=MUsers,DC=xxx,DC=yyy
    ATTIBUTE_NAME: distinguishedName = CN=Researcher,OU=MGroups,DC=xxx,DC=yyy
    ATTIBUTE_NAME: instanceType = 4
    ATTIBUTE_NAME: whenCreated = 20100315150614.0Z
    ATTIBUTE_NAME: whenChanged = 20100322172413.0Z
    ATTIBUTE_NAME: uSNCreated = 97190
    ATTIBUTE_NAME: uSNChanged = 102960
    ATTIBUTE_NAME: name = Researcher
    ATTIBUTE_NAME: objectGUID = (binary value, not printable)
    ATTIBUTE_NAME: objectSid =
    ATTIBUTE_NAME: sAMAccountName = $1B1000-EVVA2O0MRRBE
    ATTIBUTE_NAME: sAMAccountType = 268435456
    ATTIBUTE_NAME: groupType = -2147483646
    ATTIBUTE_NAME: objectCategory = CN=Group,CN=Schema,CN=Configuration,DC=xxx,DC=yyy
    My add_in_group function is : (I am hardcoding certain values for simplicity)
    FUNCTION add_in_group
      (ldap_session dbms_ldap.SESSION)
    RETURN PLS_INTEGER
    IS
      lv_vals   dbms_ldap.string_collection;
      lv_array  dbms_ldap.mod_array;
      ln_retval PLS_INTEGER;
      l_group   VARCHAR2(256);
    BEGIN
      -- Initialize the mod array for the modify command
      lv_array := dbms_ldap.create_mod_array(10);
      IF lv_array IS NULL THEN
        dbms_output.put_line('Error add_in_group: lv_array not initialized.');
        RETURN -1;
      END IF;
      dbms_output.put_line('lv_array successfully initialized');
      -- Populate the array: add the new user's DN to the group's member attribute
      lv_vals(1) := 'CN=366944,OU=MUsers,DC=xxx,DC=yyy';
      dbms_ldap.populate_mod_array(lv_array, DBMS_LDAP.MOD_ADD, 'member', lv_vals);
      -- Populate the object class variables
      -- (this adds objectclass=group as a second modification of the existing group;
      --  the reply below reports the call succeeding once this section is removed)
      lv_vals(1) := 'group';
      BEGIN
        DBMS_LDAP.populate_mod_array(lv_array, DBMS_LDAP.MOD_ADD, 'objectclass', lv_vals);
      EXCEPTION
        WHEN OTHERS THEN
          DBMS_OUTPUT.PUT_LINE('Populating object classes failed');
      END;
      -- Group modification: apply both changes to the Researcher group
      l_group := 'cn=Researcher,OU=Mgroups,DC=xxx,DC=yyy';
      BEGIN
        ln_retval := dbms_ldap.modify_s(ldap_session, l_group, lv_array);
      --EXCEPTION
      --  WHEN OTHERS THEN
      --    dbms_output.put_line('Error in modify_s ');
      END;
      -- Free the mod array
      dbms_ldap.free_mod_array(lv_array);
      RETURN ln_retval;
    EXCEPTION
      WHEN OTHERS THEN
        dbms_output.put_line('add_in_group : ' || SQLCODE || ' ' || SQLERRM);
        RETURN -1;
    END add_in_group;
    My error is :
    ORA-31202: DBMS_LDAP: LDAP client/server error: Already exists. 00000562:
    UpdErr: DSID-031A0F4F, problem 6005 (ENTRY_EXISTS), data 0
    The error descriptions reads like this :
    Indicates that the add operation attempted to add an entry that already exists, or that the modify operation attempted to rename an entry to the name of an entry that already exists.
    In this case, I am using the modify_s operation. I am supplying the credentials of the Researcher group and trying to set the 'member' attribute to the user already existing in a different group (MUsers).
    The Researcher group already has 3 users, namely 1, 2 and 3, as members. These users are also part of the MUsers group.
    Hence I am not trying to rename any entry to the name of an entry that already exists.
    Any help on this would be appreciated.

    Hi,
    I tried the same code that you have mentioned and did some changes as follows and now able to add members to a group.
    remove the section that contains the following commands, then it will work
    lv_vals(1) := 'group';
    DBMS_LDAP.populate_mod_array(lv_array,DBMS_LDAP.MOD_ADD,'objectclass',lv_vals);
    Thanks & Best Regards,
    Indika
