Failed to create Active Directory users using ADManager Plus due to an "Access Denied" error


Issue description

When attempting to create a user in AD using ADManager Plus, the process may fail with an Access Denied error message. This error typically indicates insufficient permissions or delegation issues, preventing the successful addition of the user to the domain. Resolving the underlying permission restrictions is essential to complete the user creation process.

Possible causes

  1. Insufficient permissions: The ADManager Plus service account lacks the required permissions.

  2. Technician privileges: The help desk technician performing the action does not have the required privileges in native AD, and the Impersonate as Admin option is not checked in their technician account configuration.

  3. Service account credentials: The service account password configured has changed or become stale, causing authentication failures.

  4. Delegation restrictions: The user or service account is restricted by Group Policy or AD delegation settings.

  5. Misconfigured LDAP connection: The connection between ADManager Plus and AD is incorrectly configured.

Prerequisites

Before proceeding with troubleshooting:

  • Ensure the ADManager Plus service account has sufficient permissions to create users in the required organizational units (OUs). Refer to this permissions document for details.

  • Verify that the service account is not locked out, disabled, or expired.

  • Check that the ADManager Plus server can communicate with the domain controller. Refer to this document for details.

Notes

Note: We recommend enabling Implement DC Sort Intelligence to identify domain controllers with latency issues.

Resolution

Step 1: Verify the service account's access

  1. Open ADUC.

  2. Locate the OU in which user creation is failing.

  3. Right-click the OU > Delegate Control, and add the ADManager Plus service account with required permissions.

  4. Search for the service account and ensure it is enabled, not locked out, and not expired.

  5. Reset the password if needed, then update it in Directory/Application Settings in ADManager Plus.
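The checks in Step 1 (account state and OU delegation) can also be run from PowerShell on a machine with the RSAT ActiveDirectory module. This is an added example, not part of the KB article or ManageEngine's own tooling; the account name and OU path are placeholders to replace with your own.

```powershell
# Added example: verify the ADManager Plus service account and the OU delegation
# that Step 1 inspects by hand in ADUC. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$ServiceAccount = 'svc-admanager'                        # placeholder sAMAccountName
$TargetOU       = 'OU=Staff,DC=example,DC=com'            # placeholder OU distinguished name
$UserClassGuid  = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # schema GUID of the 'user' class

# Account health: the same conditions as Step 1, items 4 and 5.
$acct = Get-ADUser -Identity $ServiceAccount -Properties Enabled, LockedOut, PasswordExpired, AccountExpirationDate
$problems = @()
if (-not $acct.Enabled)    { $problems += 'service account is disabled' }
if ($acct.LockedOut)       { $problems += 'service account is locked out' }
if ($acct.PasswordExpired) { $problems += 'service account password has expired (reset it, then update Directory Settings)' }
if ($acct.AccountExpirationDate -and $acct.AccountExpirationDate -lt (Get-Date)) {
    $problems += 'service account has expired'
}

# Delegation: does an Allow ACE on the OU grant CreateChild for user objects
# (or for all object types) to the account or one of its direct groups?
# Nested group membership and Deny ACEs are not evaluated here.
$sids = @($acct.SID.Value) +
        (Get-ADPrincipalGroupMembership -Identity $ServiceAccount | ForEach-Object { $_.SID.Value })

$acl   = Get-Acl -Path "AD:\$TargetOU"
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
$grant = $rules | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::CreateChild) -and
    ($_.ObjectType -eq [Guid]::Empty -or $_.ObjectType -eq $UserClassGuid) -and
    ($sids -contains $_.IdentityReference.Value)
}
if (-not $grant) { $problems += "no ACE grants CreateChild (user) to $ServiceAccount on $TargetOU" }

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else           { Write-Output "Service account state and delegation on $TargetOU look correct." }
```

If the delegation check reports no matching ACE, re-run Delegate Control on the OU as described above and then repeat the script.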

Step 2: Check the connection between ADManager Plus and the domain controllers

  1. Download the DMZ Port Analyzer and launch the application.

  2. Enter the hostname or IP address of the domain controller.

  3. The second screen will display the status of ports specific to ADManager Plus.

  4. Review the list of required ports and confirm they are Open for proper ADManager Plus functionality.

  5. If ports are blocked, update your firewall settings accordingly.

Step 3: Verify the technician's privileges

  1. If the issue occurs only for a specific technician account and not for the default built-in admin, log in as the default admin.

  2. Navigate to Delegation > Help Desk Technicians and select the affected technician account.

  3. Check the Impersonate as Admin option:

     • If it is enabled: Verify that the service account used in ADManager Plus has the necessary permissions in AD to perform user modifications. You can do this by logging into AD using the service account and attempting to modify a user directly.

     • If it is disabled: Ensure the technician account has the necessary AD permissions to make changes.

Step 4: Verify Group Policy restrictions

  1. Open the Group Policy Management Console (GPMC).

  2. Review policies applied to the service account and OUs.

  3. Look for policies restricting user creation (e.g., Deny access to this computer from the network).

  4. Modify policies to allow necessary permissions.

Tips

  • Temporarily configure a domain admin account as the service account to confirm whether the failure is a permission issue.

How to reach support

If the issue persists, contact our support team here.
