Error code 80070005: Error in setting attributes, Access is denied.

Error code 80070005: Error in setting attributes, Access is denied.

Issue description   

Help desk technicians in ADManager Plus may encounter errors such as "Error code: 80070005: Error in setting attributes: Access is denied," when attempting to modify a user account. These errors indicate permission-related issues and prevent technicians from making necessary modifications, potentially delaying administrative tasks and impacting user management operations.

Possible causes   

  1. Impersonate as Admin is unchecked: The technician does not have sufficient privileges to modify user attributes in AD.

  2. Impersonate as Admin is checked, but the service account password is outdated: The stored service account credentials are incorrect, preventing impersonation.

  3. User object is outside the delegated OU scope: The technician is trying to modify a user in an organizational unit (OU) that is not assigned to them.

  4. Modification of an attribute not delegated to the technician: The technician lacks permission to change the specific attribute.

  5. Service account lacks necessary permissions in Active Directory (AD): The service account does not have the required privileges to perform modifications.

  6. Domain controller issues: The ADManager Plus instance may be pointing to a deprecated or unavailable domain controller.

  7. Incorrect CSV headers when modifying via CSV import: Ensure that the correct headers are used in the CSV file.

  8. Incorrect LDAP display name for custom attributes: If modifying a custom attribute, ensure that you are using its correct LDAP display name.

Prerequisites   

Before troubleshooting, ensure:

  • The technician's account is properly assigned and configured in ADManager Plus.

  • You have administrative privileges to update settings in ADManager Plus and AD.

  • You have access to the domain controllers to verify configurations.

Resolution   

Follow these steps to resolve the issue:

Step 1: Update service account credentials  

  1. Navigate to Directory/Application Settings > Active Directory and select the configured domain.

  2. Verify the service account details and update the password if it has changed.

Step 2: Verify service account permissions or the technician's AD access  

  1. Log in to ADManager Plus as an admin.

  2. Navigate to Delegation > Help Desk Technicians and select the affected technician account.

  3. Check if the Impersonate as Admin option:

    • Is enabled: Verify that the service account used in ADManager Plus has the necessary permissions in AD to perform user modifications. You can do this by logging into AD using the service account and attempting to modify a user directly.

    • If you prefer the service account to be disabled: Ensure the technician account has the necessary AD permissions to make changes.

  1. To verify technician permissions in AD:

    1. Open Active Directory Users and Computers (ADUC).

    2. Locate the organizational unit (OU) where the technician needs access.

    3. Right-click the OU and select Properties > Security.

    4. Check if the technician account has Modify and Write permissions.

    5. If needed, compare the permissions with another technician who has access to confirm missing permissions.

This verification step ensures that either the service account (when impersonation is enabled) or the technician account (when impersonation is disabled) has the necessary AD permissions to perform modifications.

Step 3: Ensure the attribute is delegated to the technician  

  1. Navigate to Delegation > Help Desk Roles, and select the technician’s assigned role.

  2. Edit the role and check if the required attribute is available for modification. If it is missing, enable it and save the changes.

Step 4: Verify domain controller configuration  

  1. Check the list of configured domain controllers.

  2. Ensure all active domain controllers are added.

  3. Remove any deprecated or unavailable domain controllers.

Step 5: Verify CSV headers and custom attributes

  1. If modifications are done via CSV import, check that the CSV headers match the required attribute names.

  2. Refer to the AD LDAP attributes list to confirm correct headers.

  3. If modifying custom attributes, ensure you are using their LDAP display names.

Tips  

  • Use UTF-8 encoding to prevent errors.

  • Test by modifying a single user manually before bulk updates via CSV.

How to reach support 

If the issue persists, contact our support team here

                  New to ADSelfService Plus?

                    • Related Articles

                    • Error Code: 5 Access is denied (Terminal service / Folder Creation)

                      Error Code: 5 Access is denied (Terminal service / Folder Creation) Possible Reasons : 1. User does not have the rights to create a home folder. 2. User does not have access to terminal services. 3. The home folder is either not shared or does not ...
                    • Error code: 80070005 - Unable to delete the user. Access is denied.

                      Issue description When attempting to delete a user in ADManager Plus, the operation fails, and an error message "Error code: 80070005: Unable to delete the user. Access is denied. This prevents administrators from removing the user from AD using the ...
                    • Error code 80070035: Error in Setting the Password. The Network Path Not Found

                      Issue description When creating a user or resetting a password in ADManager Plus, you may see the error message Error in setting the Password. The network path is not found - Error Code: 80070035. This indicates that ADManager Plus is unable to ...
                    • Error Code: 80072014

                      Error: Error in setting attributes Error Code: 80072014 Possible Root Cause: The requested operation did not satisfy one or more constraints associated with the class of the object. Resolution: This error may occur when attempting to import a CSV ...
                    • Error Code: 80072016

                      Error Code: 80072016 : Error In Setting Attributes. The directory service cannot perform the requested operation on the RDN attribute of an object Possible Root Cause: This type of error occurs if any of the LDAP headers in the CSV are not mentioned ...