Issue description     

When attempting to create or modify a user account in Active Directory, the operation may fail with the following error message:

Error code 80072035: The server is unwilling to process the request

This error prevents the user account from being created or updated successfully.

Possible causes  

The error typically occurs due to the following reasons:

1. Password policy violation: The password may not meet complexity requirements or is left blank.

2. Schema restrictions: Active Directory schema rules may be blocking the change.

3. Insufficient permissions: The service account may not be part of the account operator or may lack the delegated rights, such as being able to reset passwords, unlock accounts, or enable or disable users to perform user modifications.

4. Primary group conflict: You're attempting to remove a user from their primary group.

 Prerequisites     

• Ensure the account used in ADManager Plus has sufficient administrative permissions, either as a domain admin or with delegated rights.

• Verify the password complies with the domain policy (complexity, length, and history).

• Ensure the domain controller is reachable and in a writable state, and that time is synchronized between ADManager Plus and the domain controller.

• If LDAPS is enabled, confirm the domain controller has a valid SSL certificate.

 Resolution     

 Step 1: Verify password policy compliance (in case of password reset issues)     

1. Open Group Policy Management (gpmc.msc).

2. Navigate to Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy.

3. Check if the password meets the following policy requirements:

• Minimum password length

• Password complexity requirements

• Password history enforcement

4. If necessary, update the policy to align with business requirements.

5. Retry setting the password.

Step 2: Ensure the user exists before removing them from a group (in case of group modification)  

1. Log in to ADManager Plus.

2. Navigate to Reports > Group Reports > Member-based Reports > Group Members.

3. Select the domain and relevant group from which the user is being removed and click Generate.

4. Review the list of members and confirm whether the user is present in the group.

Step 3: Modify the primary group before removing (in case of group modification)  

1. Open Active Directory Users and Computers (dsa.msc).

2. Locate the user and go to the Member Of tab.

3. Change the primary group of the user before removing them from their primary group.

Step 4: Check for a duplicate sAMAccountName (in case of account creation or modification)  

1. Log in to ADManager Plus.

2. Navigate to Reports > User Reports > General Reports > Users with Duplicate Attributes  .

3. Choose the domain and set the attribute to sAMAccountName.

4. If duplicates exist, rename one of the accounts to ensure uniqueness.

5. Modify only one account at a time to prevent conflicts.

 Tips  

• Always use strong passwords that comply with policy settings.

• Regularly check Group Policy settings to ensure they align with business needs.

How to reach support  

If the issue persists, contact our support team here.