Affected Versions: All
Using a non-administrator service account to bind to Active Directory (AD) causes a permissions error when updating certain users.
Users are part of a Protected Group. By default inheritance permissions is disabled for members of such groups.
Enable permission inheritance for the AdminSDHolder (temporary solution, as AD will disable permission inheritance at the next replication cycle)
Apply the required permission(s), such as "write", "reset password", etc, for the service account to the AdminSDHolder object.
This is located at: CN=AdminSDHolder,CN=System,DC=domain,DC=com
You can find out if the user is a member of the protective group by search the AD attribute "AdminCount" . If the value is set to 1, the user is part of the protective group.
More information on AD Protected Groups and AdminSDHolder can be found here: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory
Please sign in to leave a comment.