K2 and Active Directory: The sAMAccountName Attribute


We’ve sent a request to security to delete a security group and to create a new one. The ticket is completed, but I can’t assign the new group to a role in K2 because I can’t see the new group. What I can see, though, is the old group name when I search for the new group. What gives?

The security team did not delete the old group and create a new group as requested. Instead, they renamed the old group… partially.

Active Directory assigns multiple name attributes to the group object in order to maintain compatibility with older domains.

In the example above, the security team renamed the old group with the new name but did not also modify the Pre-Windows 2000 name (also known as the sAMAccountName attribute) to match. K2 returns results for searches on AD objects using the sAMAccountName attribute.

So while the search (on the new name) found a group, it didn’t appear to be the correct group because the sAMAccountName attribute still showed the old name.
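
One way to spot groups left in this half-renamed state is to compare each group's name with its sAMAccountName. The PowerShell below is an added example, not part of the original post or of K2; the function name `Find-GroupNameMismatch` and the sample group names, SIDs and DNs are constructed for illustration.

```powershell
# Added example: report groups whose Name (CN) and sAMAccountName
# (pre-Windows 2000 name) no longer match, as happens after a partial rename.
function Find-GroupNameMismatch {
    [CmdletBinding()]
    param(
        # Any object exposing Name, SamAccountName, SID and DistinguishedName,
        # which is what Get-ADGroup returns by default.
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Group
    )
    process {
        # -ne is case-insensitive, so a difference in case alone is not reported.
        if ($Group.Name -ne $Group.SamAccountName) {
            [pscustomobject]@{
                Name              = $Group.Name
                SamAccountName    = $Group.SamAccountName
                SID               = $Group.SID
                DistinguishedName = $Group.DistinguishedName
            }
        }
    }
}

# Constructed sample objects standing in for Get-ADGroup output.
$sample = @(
    [pscustomobject]@{
        Name              = 'K2-Approvers-New'
        SamAccountName    = 'K2-Approvers-Old'   # rename never reached this attribute
        SID               = 'S-1-5-21-1111111111-2222222222-3333333333-1105'
        DistinguishedName = 'CN=K2-Approvers-New,OU=Groups,DC=example,DC=com'
    }
    [pscustomobject]@{
        Name              = 'K2-Reviewers'
        SamAccountName    = 'K2-Reviewers'
        SID               = 'S-1-5-21-1111111111-2222222222-3333333333-1106'
        DistinguishedName = 'CN=K2-Reviewers,OU=Groups,DC=example,DC=com'
    }
)

# Only K2-Approvers-New is listed.
$sample | Find-GroupNameMismatch | Format-List

# Against a live domain (requires the ActiveDirectory module):
#   Get-ADGroup -Filter * | Find-GroupNameMismatch
# To bring the pre-Windows 2000 name in line with the new name:
#   Set-ADGroup -Identity '<group DN>' -SamAccountName '<new name>'
```

A mismatch is a prompt to review rather than proof of a mistake, since some groups are given different names on purpose. The SID column helps confirm whether a "new" group is really the old object under a new name.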