Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide reliable access to deleted content from the Microsoft KB. All KB articles are owned by Microsoft Corporation.

Error granting access to an App-V package: Invalid input was passed


Symptoms

Granting an Active Directory group access to a package through the Microsoft Application Virtualization (App-V) Management Server website fails with the following error:

Invalid input was passed: contoso\appvusers. Specify a group as domain\group.

- OR -

Granting an Active Directory group access to a package with the Application Virtualization Management Server PowerShell cmdlet Grant-AppvServerPackage fails with the following error:

PS C:\Users\appvadmin> Grant-AppvServerPackage -Name YourAppVPackageName -Groups contoso\appvusers

Grant-AppvServerPackage : An unexpected error occurred during processing.
At line:1 char:1
+ Grant-AppvServerPackage -Name YourAppVPackageName -Groups contoso\appvusers
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Grant-AppvServerPackage], Exception
    + FullyQualifiedErrorId : System.Exception,Microsoft.AppV.Server.Cmdlets.GrantAppvServerPackageCommand

- OR -

Adding a user or group on the Administrators tab of the Application Virtualization Management Server fails with the following error:

There was an error on the server. Please view event logs on the server for more information.

NOTE: A corresponding event is not registered in the event logs.

In each of the above scenarios, a Fiddler trace shows an HTTP 500 error. The error is listed as:

The specified directory service attribute or value does not exist. ImproperADArgument.


Cause

These symptoms can occur if the permissions in Active Directory on one or more of the following Active Directory containers are restricted:

CN=Computers (the default Computers container)
CN=Users (the default users container)
DC=Contoso (the domain container)

By default, the Authenticated Users group has 'Read All Properties' permission on the three containers above. The Management Server account relies on this permission to query Active Directory.


Resolution

To resolve this issue, give the 'Authenticated Users' group 'Read All Properties' permissions on each of the above-mentioned Active Directory containers. Alternatively, you can add only the computer account of the Management Server(s) with 'Read All Properties' permissions on each of the above-mentioned containers.


More Information

The AppVManagement Application Pool, by default, runs under the NetworkService account. The NetworkService account in turn impersonates the computer account when accessing network resources. In this scenario, the network resource is Active Directory.
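
A read-only check for the condition described under Cause and Resolution, as an added example that is not part of the original article or of App-V: it reports whether an ACL carries an Allow ACE for 'Read All Properties' for Authenticated Users or for the Management Server computer account. The domain DN DC=contoso,DC=com, the computer account CONTOSO\APPVMGMT01$ and the sample ACLs are constructed placeholders; trustees are matched by name only, so access granted through other group memberships is not evaluated.

```powershell
# Added example, not from the KB article. Values marked ASSUMPTION are placeholders.
Add-Type -AssemblyName System.DirectoryServices

function Get-ReadAllPropertiesStatus {
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Rule,
        [Parameter(Mandatory)] [string[]] $Trustee
    )
    $read = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
    # An empty ObjectType GUID means the ACE covers every property,
    # which the permissions dialog shows as 'Read All Properties'.
    $hits = @($Rule | Where-Object {
        $Trustee -contains $_.IdentityReference.Value -and
        ($_.ActiveDirectoryRights -band $read) -eq $read -and
        $_.ObjectType -eq [guid]::Empty
    })
    if (@($hits | Where-Object AccessControlType -eq 'Deny').Count)  { return 'Review: Deny ACE present' }
    if (@($hits | Where-Object AccessControlType -eq 'Allow').Count) { return 'OK' }
    'Missing Read All Properties'
}

# Helper that builds an Allow ACE for the constructed sample data below.
$Allow = [System.Security.AccessControl.AccessControlType]::Allow
function New-SampleAce($who, $rights) {
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        [System.Security.Principal.NTAccount]$who,
        [System.DirectoryServices.ActiveDirectoryRights]$rights, $Allow)
}

# Constructed sample ACLs for the three containers named in the article.
# ASSUMPTION: domain DN and account names are placeholders.
$sample = [ordered]@{
    'CN=Computers,DC=contoso,DC=com' = @(New-SampleAce 'NT AUTHORITY\Authenticated Users' 'GenericRead')
    'CN=Users,DC=contoso,DC=com'     = @(New-SampleAce 'CONTOSO\APPVMGMT01$' 'ReadProperty')
    'DC=contoso,DC=com'              = @(New-SampleAce 'CONTOSO\Domain Admins' 'GenericAll')
}

# Either trustee satisfies the article's resolution; the computer account
# alone is the narrower grant.
$trustees = 'NT AUTHORITY\Authenticated Users', 'CONTOSO\APPVMGMT01$'

foreach ($dn in $sample.Keys) {
    [pscustomobject]@{
        Container = $dn
        Status    = Get-ReadAllPropertiesStatus -Rule $sample[$dn] -Trustee $trustees
    }
}
```

Against a live domain, pass `(Get-Acl "AD:\<container DN>").Access` from the ActiveDirectory module as `-Rule` in place of the sample ACLs.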


Article Info
Article ID : 2797968
Revision : 2
Created on : 3/27/2020
Published on : 3/27/2020
Exists online : False