Not able to update AD attributes for some users using different Service Account


Affected Versions: All

Description: You're using a non-administrator service account to bind to Active Directory (AD) and encounter error when updating for some users. 

Cause: These users are part of the protective group. By default inheritance permissions is disabled for member of this group.

Enable permission inheritance for the AdminSDHolder (temporary solution, as AD will disable permission inheritance at the next replication cycle)


Apply the required permission for the service account to the AdminSDHolder 

More Information:
You can find out if the user is a member of the protective group by search the AD attribute "AdminCount" . If the value is set to 1, the user is part of the protective group.


0 out of 0 found this helpful



Please sign in to leave a comment.