Unable to change AD password if using restricted (non-domain Admin) rights

  • 7023371
  • 24-Sep-2018
  • 24-Sep-2018

Environment

Identity Manager Driver - Active Directory

Situation

An error occurs when changing a user's password in Active Directory while the driver authenticates with an account that has only limited rights in Active Directory. When an account with Domain Admin rights is used instead, the password is changed successfully.
The error is as follows:
<output>
  <status level="error" type="driver-general" event-id="....">
    <message>Password set failed.</message>
    <ldap-err ldap-rc="50" ldap-rc-name="LDAP_INSUFFICIENT_RIGHTS">
      <client-err ldap-rc="50" ldap-rc-name="LDAP_INSUFFICIENT_RIGHTS">Insufficient Rights</client-err>
      <server-err>00000005: SecErr: DSID-031A11D7, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0</server-err>
      <server-err-ex win32-rc="5"/>
    </ldap-err>
  </status>
</output>

Resolution

This can occur when the account used by the driver does not have all the rights needed to change the password.
With Windows Server 2016, you may find that additional rights are needed.
Depending on your security policies, further changes may also be needed.
Below is one possible configuration that may work, depending on how the domain is set up. Because a domain and a driver can each be configured in countless ways, only suggestions can be given.
Grant the driver's account the following permissions:
  • Replicating Directory Changes
  • Replicating Directory Changes All
  • Replicating Directory Changes in Filtered Set
  • Replication synchronization
Also grant the following delegation:
  • Create, delete, and manage user accounts
  • Reset user passwords and force password change at next logon
  • Read all user information
 
It may also occur if the user whose password is being changed has ever been a member of a Domain Admins group or another protected security group, which causes the user to receive the attribute adminCount=1 in Active Directory. Even if the user is later removed from that security group, the attribute often remains on the user object.
Here is a command to check the user from a PowerShell prompt:
Get-ADUser <username> -Properties adminCount
If adminCount is set to 1, you will not be able to change that user's password unless the driver is using a Domain Admin account.
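As an added example (not part of this article or of the driver itself), the following PowerShell checks both causes above from the driver account's point of view: whether the target user carries adminCount=1, and whether the driver's account actually holds the listed extended rights on the domain head and the managed OU. It assumes the ActiveDirectory module, a hypothetical driver account svc-idmdriver, and a hypothetical target user jdoe; the OU defaults to the domain's Users container.

```powershell
Import-Module ActiveDirectory

# Resolve an extended right's GUID from its display name (as shown in the
# delegation wizard) via the Extended-Rights container, so nothing is hard-coded.
function Get-ExtendedRightGuid([string] $DisplayName) {
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$cfg" `
             -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    if ($obj) { [guid] $obj.rightsGuid } else { $null }
}

# Does an Allow ACE on $Dn grant $Sid the extended right $RightGuid?
# Only ACEs naming the account directly are matched; rights the account holds
# through group membership are not expanded here.
function Test-ExtendedRight([string] $Dn, $Sid, [guid] $RightGuid) {
    $aces = (Get-Acl -Path "AD:\$Dn").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $Sid -and
        ([int]($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
        ($_.ObjectType -eq $RightGuid -or $_.ObjectType -eq [guid]::Empty)   # empty GUID = all extended rights
    }
    [bool] $aces
}

function Test-DriverAccount {
    param([Parameter(Mandatory)] [string] $DriverAccount,   # account the driver binds with
          [Parameter(Mandatory)] [string] $TargetUser,      # user whose password failed to change
          [string] $ManagedOu = (Get-ADDomain).UsersContainer)
    $driver   = Get-ADUser $DriverAccount
    $domainDn = (Get-ADDomain).DistinguishedName

    # adminCount=1 marks AdminSDHolder-protected objects; delegated rights do not apply to them.
    $target = Get-ADUser $TargetUser -Properties adminCount
    $adminCountSet = ($target.adminCount -eq 1)

    # Replication rights are granted on the domain head; Reset Password on the managed OU.
    $replRights = 'Replicating Directory Changes', 'Replicating Directory Changes All',
                  'Replicating Directory Changes In Filtered Set', 'Replication Synchronization'
    $rights = foreach ($name in $replRights) {
        [pscustomobject]@{ Right = $name; Where = $domainDn
                           Granted = Test-ExtendedRight $domainDn $driver.SID (Get-ExtendedRightGuid $name) }
    }
    $rights += [pscustomobject]@{ Right = 'Reset Password'; Where = $ManagedOu
                                  Granted = Test-ExtendedRight $ManagedOu $driver.SID (Get-ExtendedRightGuid 'Reset Password') }

    [pscustomobject]@{ DriverAccount = $DriverAccount; TargetUser = $TargetUser
                       TargetAdminCountSet = $adminCountSet; Rights = $rights }
}

Test-DriverAccount -DriverAccount 'svc-idmdriver' -TargetUser 'jdoe'   # hypothetical names
```

A row with Granted = False for Reset Password, or TargetAdminCountSet = True, points at the corresponding cause above; a False replication right only matters if the driver's account is expected to hold it directly rather than through a group.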
 
There are two Microsoft links that discuss this: