Not able to update AD attributes for some users using different Service Account

    Applies to:
  • Legacy SecureAuth IdP
Deployment model:
  • On Premises
  • Affected Versions: All

    Description: You're using a non-administrator service account to bind to Active Directory (AD) and encounter error when updating for some users. 

    Cause: These users are part of the protective group. By default inheritance permissions is disabled for member of this group.

    Enable permission inheritance for the AdminSDHolder (temporary solution, as AD will disable permission inheritance at the next replication cycle)


    Apply the required permission(s), such as "write", "reset password", etc, for the service account to the AdminSDHolder object.

    This is located at:  CN=AdminSDHolder,CN=System,DC=domain,DC=com

    AD Users and Computers: Benutzer kann Kennwort nicht ändern

    More Information:
    You can find out if the user is a member of the protective group by search the AD attribute "AdminCount" . If the value is set to 1, the user is part of the protective group.


    0 out of 0 found this helpful



    Please sign in to leave a comment.