We have recently set up a new policy that uses MFA. Until you try to unlock an account or reset a password, everything works fine. When you try either option, we are getting a native exception:
adssp.error.native.no_unlock_priviledge::::: For the Key :::S-1-5-21-1999524357-1755730847-1553874782-4152|
This is the SID of the logged-on user (the person trying to unlock their account), instead of the service account we use.
The other policy we have works fine and uses the service account. I've looked around the policy configuration but can't see any setting to force the use of the service account.
Am I missing something obvious?