Error when searching in management console with specific access template


I do have a problem when searching with a user of HR-department. They do have a specific access template for creating users in a specific OU. After creating the user gets moved to the correct OU.

While the user creation works fine and i also gave the HR user read access for all user object, i do get an error (object not set to an instance of an object) when this user search.

My admin account is able to search everything in the structe.

Do you have any idea which permission a user needs to be able to search for all users in the AD without seeing the whole AD structure?

Best regards and thanks in advance,


  • I have an access template I created and applied wherever I need users to be made visible.  It contains the following entries:

    Allow List   User

    Allow List Contents  User

    Allow Read All Properties User

  • Hi Johnyy,

    i tried that but i do still get the error "object not set to an instance of an object". I applied the access template on the "active directory" level and used interitance.

    you have another idea here?

    Best regards,


  • Hi  

    Lets split the question into two

    1. HR create a user, but then receive a "Object not set to an instance of an object" error
    2. HR search for a user

    Issue 1

    My assumption here is that when the HR Department are creating users, they create is a specific OU (a general OU), then some workflow has been configured to move the newly created user from one OU to another based upon either as a post operation, where a service of If/Else and Move activity steps move the freshly created user.

    In the web interface this might result in the "Object not set to an instance of an object" error, as the DN being returned from the operation (Request) it likely to be the DN of the Created User, rather than the DN of the moved users.

    Try changing the workflow, so that instead of moving the user, the OU were the user is create is set before the operation executes, something like:

    Where you would use the "Modify Requested Changes" activity step to replace the specific OU with the OU you want the account to be moved into:

    In this instances I've pointed mine to a script, which you could write to choose an OU based on your own rules, based on the request object (whats in the user creation request), find some OU and return the OU's DN.

    For issue 2,

    Can you confirm that HR are search for the users after they are created (from the Console, or Web Interface via Quick Search etc)?

    Kind regards