Announcing the Saviynt Knowledge Exchange unifying the Saviynt forums, documentation, training,
and more in a single search tool across platforms. Read the announcement here.

Domain Admin Password Rotation CPAM INSUFF_ACCESS_RIGHTS

aidanryan
New Contributor III
New Contributor III

Hello,

We are running into an issue where our Service account cannot rotate Domain Admin passwords in AD. We are hoping someone has had a similar issue and found a workaround without assigning Domain Admin to their Service account in AD.

We have all the correct permissions set on the account that are suggested in this guide by Saviynt HERE.

We also used CyberArk's guide HERE.

This is what we currently have permissions:

 

aidanryan_1-1719337902063.png

 

No matter the permissions assigned to our Service account, we always get this error:
Error while change password operation for account-xxx.admin in AD - [LDAP: error code 50 - 00002098: SecErr: DSID-031514B3, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 ] 

 

We also verified this service account can change the passwords of Domain Admin accounts by logging into AD directly as the service account and changing their passwords. The issue seems to be on the Saviynt side. We have ran the sync jobs, re-ran the bootstrap job, and even changed the password on the service account and updated it on the connection with no luck. 

3 REPLIES 3

sudeshjaiswal
Saviynt Employee
Saviynt Employee

Hello @aidanryan,

Based on the error, it appears to be a permission issue. Please recheck the permissions.
Also, could you confirm whether you are using the SSL port or the non-SSL port? You should be using the SSL port.

For Ref:  Solved: Active Directory Change Password Not Working - Saviynt Forums - 31157 

Thanks

If you find the above response useful, Kindly Mark it as "Accept As Solution".

@sudeshjaiswal yeah, we are using a SSL port for our connection. We have gone through our permissions a few times, and validated directly in AD that the service account can change Domain Admin passwords. Saviynt for some reason still reports insufficient rights when we try from Saviynt with the same account.

@sudeshjaiswal Is the expectation that we assign Domain Admin the our service account? Or does Saviynt support what we are trying to do?