Affected Versions: All
Description: You're using a non-administrator service account to bind to Active Directory (AD) and encounter error when updating for some users.
Cause: These users are part of the protective group. By default inheritance permissions is disabled for member of this group.
Enable permission inheritance for the AdminSDHolder (temporary solution, as AD will disable permission inheritance at the next replication cycle)
Apply the required permission(s), such as "write", "reset password", etc, for the service account to the AdminSDHolder object.
This is located at: CN=AdminSDHolder,CN=System,DC=domain,DC=com
You can find out if the user is a member of the protective group by search the AD attribute "AdminCount" . If the value is set to 1, the user is part of the protective group.