Cannot import security groups with duplicate names

Article:TECH29063  |  Created: 2007-04-23  |  Updated: 2007-09-19  |  Article URL http://www.symantec.com/docs/TECH29063
NOTE: If you are experiencing this particular known issue, we recommend that you Subscribe to receive email notification each time this article is updated. Subscribers will be the first to learn about any releases, status changes, workarounds or decisions made.
Article Type
Technical Solution


Issue



When trying to import groups from AD, the error "System.ArgumentException caught in GetGroups. Reason: Item has already been added. Key in dictionary" occurs.  The same error can occur while configuring the AD Import rule and searching for security groups where the duplicated name would be returned.

Environment



Altiris Integrated Component for Microsoft Active Directory 6.1.842 with KB29386 hotfix


Cause



This issue will only occur when importing from Windows* 2000 or above native domains. This is because these domains allow security groups with duplicate names to be created; however, directory connector does not allow items with duplicate names to be imported.

Solution



This issue is fixed in AD Connector 6.1 Hotfix 3 KB34704, which introduces the following entry for DirectoryConnector_settings.config:

    <!--
        This setting controls how windows security groups are shown in the selection
        dialog.
       
        If enabled the search results will display each groups reverse canonical name.
        This is useful when dealing with Windows 2003 Native AD domains as security groups with
        duplicate names are allowed.
       
        This setting will take effect the next time the "Find" button on the group selection
        dialog is pressed.
    -->
    <customSetting key="UseCanonicalNameForSecurityGroups" type="local" value="true" />

In order to import resources from security groups where duplicate security group names may exist, you must install AD Connector 6.1 Hotfix 3 KB34704 onto the Notification Server and then edit DirectoryConnector_settings.config to add the following line:

<customSetting key="UseCanonicalNameForSecurityGroups" type="local" value="true" />

Please note that the config file is written as XML, so the line must be entered before the closing </customSettings> tag to ensure the XML format remains valid.  If this entry does not exist in DirectoryConnector_settings.config, the default value is assumed as "false".


Supplemental Materials

SourceDEFECT
ValueSYD 30295
DescriptionLogged in sydd2 (Altiris - Sydney) database

Legacy ID



34488


Article URL http://www.symantec.com/docs/TECH29063


Terms of use for this information are found in Legal Notices