Not able to update AD attributes for some users using different Service Account


Affected Versions: All

Description: You're using a non-administrator service account to bind to Active Directory (AD) and encounter an error when updating attributes for some users.

Cause: These users are members of a protected group. By default, permission inheritance is disabled for members of such groups, so permissions granted elsewhere in the directory do not reach them.

Resolution:

Temporary solution: Enable permission inheritance for the AdminSDHolder (AD will disable permission inheritance again at the next replication cycle).

Permanent solution: Apply the required permission(s), such as "write" or "reset password", for the service account to the AdminSDHolder object.

This object is located at: CN=AdminSDHolder,CN=System,DC=domain,DC=com

AD Users and Computers: User cannot change password

More Information:
You can find out whether a user is a member of a protected group by checking the AD attribute "adminCount". If the value is set to 1, the user is part of a protected group.
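The following PowerShell script is an added example, not part of this article: it lists the users stamped with adminCount=1, shows whether the service account already has any ACE on AdminSDHolder, and stages the "reset password" grant from the resolution above. It assumes the ActiveDirectory (RSAT) module, rights to read and modify the ACL, and a hypothetical service account named "svc-sync".

```powershell
# Added example (not the article's own script). Assumes the ActiveDirectory
# module and a hypothetical service account "svc-sync"; replace as needed.
Import-Module ActiveDirectory

$ServiceAccount = "svc-sync"   # hypothetical name
$Domain         = Get-ADDomain
$HolderDN       = "CN=AdminSDHolder,CN=System,$($Domain.DistinguishedName)"

# 1. Which users are protected? SDProp stamps adminCount=1 on them, so these
#    are exactly the accounts the service account fails to update.
$Protected = Get-ADUser -LDAPFilter "(adminCount=1)" -Properties adminCount |
    Select-Object SamAccountName, DistinguishedName
Write-Host "Users protected via AdminSDHolder: $($Protected.Count)"
$Protected | Format-Table -AutoSize

# 2. Does the service account already hold any ACE on AdminSDHolder?
$Acl      = Get-Acl -Path "AD:\$HolderDN"
$Existing = $Acl.Access | Where-Object { $_.IdentityReference -like "*\$ServiceAccount" }
if ($Existing) {
    Write-Host "Existing ACEs for $ServiceAccount on AdminSDHolder:"
    $Existing | Select-Object ActiveDirectoryRights, AccessControlType, ObjectType |
        Format-Table -AutoSize
} else {
    Write-Host "No ACE for $ServiceAccount on AdminSDHolder; this explains the failed updates."
}

# 3. Stage the "Reset Password" control access right on AdminSDHolder.
#    00299570-246d-11d0-a768-00aa006e0529 is the well-known rightsGuid of the
#    User-Force-Change-Password extended right. -WhatIf only previews the write;
#    remove it once the preview matches what you intend to grant.
$Sid = (Get-ADUser -Identity $ServiceAccount).SID
$Ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $Sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [Guid]"00299570-246d-11d0-a768-00aa006e0529"
)
$Acl.AddAccessRule($Ace)
Set-Acl -Path "AD:\$HolderDN" -AclObject $Acl -WhatIf
```

The new ACE is copied onto every protected account, including the built-in administrative groups' members, the next time SDProp runs, so grant only the specific rights the service account needs rather than a broad "full control".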




