Help desk technicians in ADManager Plus may encounter errors such as "Error code: 80070005: Error in setting attributes: Access is denied" when attempting to modify a user account. These errors indicate permission-related issues and prevent technicians from making necessary modifications, potentially delaying administrative tasks and impacting user management operations.
Possible causes:
Impersonate as Admin is unchecked: The technician does not have sufficient privileges to modify user attributes in AD.
Impersonate as Admin is checked, but the service account password is outdated: The stored service account credentials are incorrect, preventing impersonation.
User object is outside the delegated OU scope: The technician is trying to modify a user in an organizational unit (OU) that is not assigned to them.
Modification of an attribute not delegated to the technician: The technician lacks permission to change the specific attribute.
Service account lacks necessary permissions in Active Directory (AD): The service account does not have the required privileges to perform modifications.
Domain controller issues: The ADManager Plus instance may be pointing to a deprecated or unavailable domain controller.
Incorrect CSV headers when modifying via CSV import: Ensure that the correct headers are used in the CSV file.
Incorrect LDAP display name for custom attributes: If modifying a custom attribute, ensure that you are using its correct LDAP display name.
Before troubleshooting, ensure:
The technician's account is properly assigned and configured in ADManager Plus.
You have administrative privileges to update settings in ADManager Plus and AD.
You have access to the domain controllers to verify configurations.
Follow these steps to resolve the issue:
Navigate to Directory/Application Settings > Active Directory and select the configured domain.
Verify the service account details and update the password if it has changed.
Log in to ADManager Plus as an admin.
Navigate to Delegation > Help Desk Technicians and select the affected technician account.
Check if the Impersonate as Admin option:
Is enabled: Verify that the service account used in ADManager Plus has the necessary permissions in AD to perform user modifications. You can do this by logging into AD using the service account and attempting to modify a user directly.
Is disabled (you prefer not to use the service account): Ensure the technician account has the necessary AD permissions to make changes.
To verify technician permissions in AD:
Open Active Directory Users and Computers (ADUC).
Locate the organizational unit (OU) where the technician needs access.
Right-click the OU and select Properties > Security.
Check if the technician account has Modify and Write permissions.
If needed, compare the permissions with those of another technician who has access to identify any missing permissions.
This verification step ensures that either the service account (when impersonation is enabled) or the technician account (when impersonation is disabled) has the necessary AD permissions to perform modifications.
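The same comparison between two technicians can be made from PowerShell instead of the ADUC Security tab. This is an added example, not ManageEngine's own code; it assumes the RSAT ActiveDirectory module is installed, and the OU distinguished name and account names are placeholders. It only reads the ACL and changes nothing.

```powershell
# Added example (read-only): list ACEs a working technician holds on an OU
# that the affected technician lacks. OU DN and account names are placeholders.
Import-Module ActiveDirectory   # assumes the RSAT AD module is installed

$OuDn      = 'OU=Staff,DC=example,DC=com'   # placeholder
$Affected  = 'tech.affected'                # placeholder sAMAccountName
$Reference = 'tech.working'                 # placeholder sAMAccountName

# Map schema and extended-right GUIDs to names so ACE targets are readable.
$root    = Get-ADRootDSE
$guidMap = @{}
Get-ADObject -SearchBase $root.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[([guid]$_.schemaIDGUID).ToString()] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($root.configurationNamingContext)" `
    -LDAPFilter '(rightsGuid=*)' -Properties rightsGuid |
    ForEach-Object { $guidMap[([guid]$_.rightsGuid).ToString()] = $_.Name }

function Resolve-AceGuid([guid]$Guid) {
    $key = $Guid.ToString()
    if ($Guid -eq [guid]::Empty)    { return '(all)' }   # ACE is not attribute-specific
    if ($guidMap.ContainsKey($key)) { return $guidMap[$key] }
    return $key                                          # unknown GUID, show it raw
}

function Get-OuAceSummary([string]$SamAccountName) {
    # tokenGroups expands nested group membership; well-known SIDs such as
    # Authenticated Users are not included.
    $user = Get-ADUser -Identity $SamAccountName -Properties tokenGroups
    $sids = @($user.SID.Value) + @($user.tokenGroups | ForEach-Object { $_.Value })
    (Get-Acl -Path "AD:\$OuDn").GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $sids -contains $_.IdentityReference.Value } |
        ForEach-Object {
            '{0} {1} on {2}, applies to {3} ({4})' -f $_.AccessControlType,
                $_.ActiveDirectoryRights, (Resolve-AceGuid $_.ObjectType),
                (Resolve-AceGuid $_.InheritedObjectType), $_.InheritanceType
        } | Sort-Object -Unique
}

$have = @(Get-OuAceSummary $Affected)
$want = @(Get-OuAceSummary $Reference)
'ACEs held by {0} but not by {1}:' -f $Reference, $Affected
$want | Where-Object { $have -notcontains $_ }
```

When Impersonate as Admin is enabled, run the same check with the service account as the affected account. Any Deny entries in the output deserve attention first, since they override matching Allow entries.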
Navigate to Delegation > Help Desk Roles, and select the technician’s assigned role.
Edit the role and check if the required attribute is available for modification. If it is missing, enable it and save the changes.
Check the list of configured domain controllers.
Ensure all active domain controllers are added.
Remove any deprecated or unavailable domain controllers.
If modifications are done via CSV import, check that the CSV headers match the required attribute names.
Refer to the AD LDAP attributes list to confirm correct headers.
If modifying custom attributes, ensure you are using their LDAP display names.
Use UTF-8 encoding to prevent errors.
Test by modifying a single user manually before bulk updates via CSV.