Versions Affected: All Versions
Description: SecureAuth IdP displays an "Access Denied" message when user attempts to change password.
Cause: The Service Account does not have the necessary permissions to change the password on behalf of the user in Active Directory
Resolution: Set the permissions through Active Directory manually at the Container or Organizational Unit level so that permissions propagate user accounts.
Note: steps written below are for Server 2012 and above. Instructions may differ on older versions.
1. From the Active Directory Users and Computers console, right-click on the Individual User Object, Organizational unit, or Container that holds the accounts you are delegating permissions.
2. Select Delegate Control...
3. In the Delegation of Control Wizard dialogue box that opens, click Next >
4. In the next window, click on Add...
5. Enter the Service Account name and select Check Names, then OK.
6. Click Next, then choose the Create a custom task to delegate option.
7. Click Next, then select the "Only the following objects in the folder:" option.
8. Check the box next to "User objects" in the combo box below.
9. Click Next, then check the following boxes as displayed:
10. Click Next, then Finish.