Error: Access denied for password reset/account unlock

Issue description  

Users may encounter an "Access denied for password reset/account unlock" error message in ADSelfService Plus when performing self-service actions such as password reset or account unlock.

Possible causes   

Insufficient privileges:
  1. The service account configured under Domain Settings lacks the necessary permissions to perform the requested self-service actions.
  2. If a Group Managed Service Account (gMSA) is used to run ADSelfService Plus, the account may not have sufficient permissions in Active Directory (AD) for these operations.

Prerequisite   

  • Administrative access to both ADSelfService Plus and AD.

Resolution   

Verify service account permissions

  • To verify service account permissions

    1. In ADSelfService Plus, click Domain Settings located in the top-right corner.

    2. Note down the service account configured for your domain. This is the account ADSelfService Plus uses to interact with AD.

    3. Using an AD administrator account, ensure the identified service account has the following permissions delegated in AD for the organizational units or domains where users reside:

      • Reset password

      • Unlock account

      • Read/write permissions for user objects (This typically includes properties like sAMAccountName, userPrincipalName, pwdLastSet, lockoutTime, etc., relevant to self-service operations.)

  • To verify gMSA permissions (if applicable)

    1. If a gMSA account is used, confirm that it has been explicitly granted the required permissions within AD to perform all self-service operations delegated to ADSelfService Plus. This often involves specific PowerShell commands or delegation wizards.

  • After making any changes to AD permissions, restart the ADSelfService Plus service to ensure the new permissions are recognized.
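One way to check the delegations listed above from PowerShell, as an added example (not ManageEngine's own script): it reads the ACL of the OU where users reside and reports whether the service account or gMSA holds Reset Password plus write access to lockoutTime and pwdLastSet. It assumes the RSAT ActiveDirectory module is installed; `$OuDn` and `$Identity` are placeholders to replace with your own values.

```powershell
# Added example: checks an OU's ACL for the delegations this article lists.
# Assumptions: RSAT ActiveDirectory module; $OuDn and $Identity are placeholders.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

$OuDn     = 'OU=Users,DC=example,DC=com'   # placeholder: OU or domain DN where users reside
$Identity = 'EXAMPLE\svc-adssp'            # placeholder: service account, gMSA, or a group it is in

$rootDse = Get-ADRootDSE
$allGuid = [guid]::Empty   # empty ObjectType = ACE covers every property / extended right

# Resolve GUIDs from the directory instead of hard-coding them.
function Get-AttributeGuid([string]$LdapName) {
    $o = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapName)" -Properties schemaIDGUID
    [guid]$o.schemaIDGUID
}
$ext = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(name=User-Force-Change-Password)' -Properties rightsGuid
$resetGuid = [guid]$ext.rightsGuid   # the "Reset password" extended right

# Allow ACEs on the OU that name $Identity directly.
$aces = (Get-Acl -Path "AD:\$OuDn").Access | Where-Object {
    $_.IdentityReference.Value -eq $Identity -and $_.AccessControlType -eq 'Allow'
}

# True when some ACE grants $Right on $ObjectGuid (or on all objects of that kind).
function Test-Delegation([string]$Right, [guid]$ObjectGuid) {
    $mask = [int][System.DirectoryServices.ActiveDirectoryRights]$Right
    [bool]($aces | Where-Object {
        (([int]$_.ActiveDirectoryRights -band $mask) -ne 0) -and
        ($_.ObjectType -eq $ObjectGuid -or $_.ObjectType -eq $allGuid)
    })
}

[pscustomobject]@{
    Identity         = $Identity
    ResetPassword    = Test-Delegation 'ExtendedRight' $resetGuid
    WriteLockoutTime = Test-Delegation 'WriteProperty' (Get-AttributeGuid 'lockoutTime')
    WritePwdLastSet  = Test-Delegation 'WriteProperty' (Get-AttributeGuid 'pwdLastSet')
}
```

The script only reads ACEs on the OU object and only those that name `$Identity`, so run it once per group the account belongs to if permissions were delegated to a group. It does not evaluate Deny ACEs or user objects that have inheritance disabled.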

How to reach support               

If the issue persists, contact our support team.
