06/25/2024 11:02 AM
Hello,
We are running into an issue where our Service account cannot rotate Domain Admin passwords in AD. We are hoping someone has had a similar issue and found a workaround without assigning Domain Admin to their Service account in AD.
We have all the correct permissions set on the account that are suggested in this guide by Saviynt HERE.
We also used CyberArk's guide HERE.
These are the permissions we currently have:
No matter the permissions assigned to our Service account, we always get this error:
Error while change password operation for account-xxx.admin in AD - [LDAP: error code 50 - 00002098: SecErr: DSID-031514B3, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 ]
We also verified this service account can change the passwords of Domain Admin accounts by logging into AD directly as the service account and changing their passwords. The issue seems to be on the Saviynt side. We have run the sync jobs, re-run the bootstrap job, and even changed the password on the service account and updated it on the connection, with no luck.
06/27/2024 09:54 PM
Hello @aidanryan,
Based on the error, it appears to be a permission issue. Please recheck the permissions.
Also, could you confirm whether you are using the SSL port or the non-SSL port? You should be using the SSL port.
For Ref: Solved: Active Directory Change Password Not Working - Saviynt Forums - 31157
Thanks
07/08/2024 10:59 AM
@sudeshjaiswal Yeah, we are using an SSL port for our connection. We have gone through our permissions a few times, and validated directly in AD that the service account can change Domain Admin passwords. Saviynt for some reason still reports insufficient rights when we try from Saviynt with the same account.
07/08/2024 11:00 AM
@sudeshjaiswal Is the expectation that we assign Domain Admin to our service account? Or does Saviynt support what we are trying to do?