Not able to update AD attributes for some users using different Service Account

Follow

Affected Versions: All

Description: You're using a non-administrator service account to bind to Active Directory (AD) and encounter error when updating for some users. 

Cause: These users are part of the protective group. By default inheritance permissions is disabled for member of this group.

Resolution:
Enable permission inheritance for the AdminSDHolder (temporary solution, as AD will disable permission inheritance at the next replication cycle)

or

Apply the required permission for the service account to the AdminSDHolder 

More Information:
You can find out if the user is a member of the protective group by search the AD attribute "AdminCount" . If the value is set to 1, the user is part of the protective group.

 

0 out of 0 found this helpful

Comments

0 comments

Please sign in to leave a comment.