Not able to update AD attributes for some users using different Service Account

    Applies to:
  • Legacy SecureAuth IdP
Deployment model:
  • On Premises
  • Affected Versions: All

    Description:
    Using a non-administrator service account to bind to Active Directory (AD) causes a permissions error when the IdP attempts to update attributes of certain users.

    Cause:
    The affected users are members of a Protected Group. By default, permission inheritance is disabled on the accounts of members of such groups.

    Resolution:
    Enable permission inheritance for the AdminSDHolder (a temporary solution, as AD will disable permission inheritance again at the next replication cycle)

    or

    Apply the required permission(s), such as "write", "reset password", etc., for the service account to the AdminSDHolder object.

    This object is located at: CN=AdminSDHolder,CN=System,DC=domain,DC=com


    More Information:
    You can find out whether a user is a member of a protected group by checking the AD attribute "adminCount". If the value is set to 1, the user is part of a protected group.

    More information on AD Protected Groups and AdminSDHolder can be found here: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory
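    The two checks above (adminCount and blocked inheritance) and the AdminSDHolder permission grant, as an added PowerShell example that is not part of the original article. It assumes the RSAT ActiveDirectory module, a domain-admin session, and a placeholder service account name; the attribute names the IdP writes are assumed and should be replaced with the real ones.

```powershell
# Added example, not SecureAuth's own code. Requires the ActiveDirectory module (RSAT)
# and a session that is allowed to modify AdminSDHolder.
Import-Module ActiveDirectory

$ServiceAccount = 'DOMAIN\svc-secureauth'   # placeholder: the IdP's AD bind account
$AttributesWritten = 'telephoneNumber', 'mobile'   # assumed: attributes the IdP updates

# 1. Find the accounts the IdP fails on: adminCount = 1 marks protected-group members,
#    and AreAccessRulesProtected shows that inheritance is blocked on their ACL.
$protectedUsers = Get-ADUser -Filter 'adminCount -eq 1' -Properties adminCount, nTSecurityDescriptor
foreach ($u in $protectedUsers) {
    '{0,-25} adminCount={1} inheritanceBlocked={2}' -f $u.SamAccountName, $u.adminCount,
        $u.nTSecurityDescriptor.AreAccessRulesProtected
}

# 2. Grant only the rights the IdP needs on AdminSDHolder. Anything placed here is
#    stamped onto every protected account (Domain Admins included), so keep it minimal.
$domainDn      = (Get-ADDomain).DistinguishedName
$adminSdHolder = "AD:\CN=AdminSDHolder,CN=System,$domainDn"
$sid = (New-Object System.Security.Principal.NTAccount($ServiceAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier])
$acl = Get-Acl -Path $adminSdHolder

# "Reset password" is the User-Force-Change-Password extended right (well-known GUID).
$resetPasswordGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow, $resetPasswordGuid)))

# WriteProperty per attribute instead of a blanket GenericWrite; schema GUIDs are
# looked up by lDAPDisplayName so none are hard-coded.
$schemaDn = (Get-ADRootDSE).schemaNamingContext
foreach ($attr in $AttributesWritten) {
    $schemaObj = Get-ADObject -SearchBase $schemaDn -Filter "lDAPDisplayName -eq '$attr'" -Properties schemaIDGUID
    $attrGuid  = [System.Guid]::new([byte[]]$schemaObj.schemaIDGUID)
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow, $attrGuid)))
}
Set-Acl -Path $adminSdHolder -AclObject $acl

# 3. After SDProp next runs on the PDC emulator (every 60 minutes by default), the new
#    ACEs appear on each protected user; verify on one of them.
(Get-Acl -Path "AD:\$($protectedUsers[0].DistinguishedName)").Access |
    Where-Object { $_.IdentityReference -eq $ServiceAccount }
```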
