The Service / Proxy Account and Common Problems with Active Directory

All updates made by Directory Manager and/or Directory Update are made via a service/proxy account. While we sometimes refer to the account as a "service" account, functionally it is a proxy account. Neither Directory Update nor Directory Manager has a service that runs all of the time. When a user updates their information, the IIS server opens an LDAP connection to Active Directory (authenticating via Kerberos) using the security credentials of the service/proxy account.

Recommendation for a Service / Proxy Account

Rather than using the Administrator account or a user's account, we recommend using a dedicated account with specific properties. Create an account in Active Directory with the following properties.

  • Create a user account named something similar to SVC_IthicosProxy
  • Give the account a strong password (15+ characters with numbers and special characters)
  • Document in the account's description what the account is used for and the point of contact for the account
  • Ensure that the user cannot change their own password
  • Ensure that the password is set to never expire
  • Add the user to a group that will give it permissions to edit user accounts, such as Account Operators

The service/proxy account needs permissions to update user accounts. The simplest way to give

Common Problems

Problems with the service/proxy account are one of our most common support issues. Common problems include:

  • The password for the service/proxy account expires
  • The password gets changed because the account is used for multiple purposes
  • The account gets disabled
  • The account has insufficient permissions to update all users or object types

By far, the most common problem is related to the service/proxy account not having the necessary permissions.

If you are using Directory Manager to update Contacts, note that the Account Operators group does *not* have permissions to update contacts.

Fixing Common Permissions Problems

If you are not sure whether the issue you are having is a permissions problem, the quickest and easiest way to verify this is to put the service/proxy account into the domain's local Administrators group temporarily (remove it again once the test is done). If Directory Update or Directory Manager is then able to update the user, the problem is more than likely permissions related.

A very common question we get is "Why can I update some but not all of the users?" More than likely, the issue is a "feature" rather than a bug. We recommend that the service/proxy account be a member of the domain's Account Operators group. Account Operators can only update regular user accounts. If the user account you are trying to update is a member of any operators group or any domain administrators group, the service/proxy account cannot update it; Active Directory denies the update.

But wait! The account that I'm trying to update is *not* a member of an operators group or an administrator's group. That may be true, but it *might* have been at one time. If a user account is a member of any elevated permissions group, Active Directory automatically clears inherited permissions on that account. When the user is removed from one of the protected groups (such as Account Operators, Administrators, Domain Admins, etc.), inherited permissions are NOT restored. For more information on the protected groups feature, see the article AdminSDHolder, Protected Groups, and SDPROP.

You can check to see if a user's permissions have been cleared and you can fix this following these steps:

  1. Open Active Directory Users and Computers
  2. Ensure that the Advanced Features view is enabled (click View; there should be a checkmark next to Advanced Features)
  3. Locate the user in question and display that user's properties
  4. Go to the Security tab and click the Advanced button
  5. If the checkbox "Include inheritable permissions from this object's parent" is not checked, check it and click OK twice.
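The same check and fix as the steps above, as an added PowerShell example that is not part of the Ithicos article: it reports whether a user's inheritance has been cleared and whether the user is still in a group that SDProp protects, and with -Fix re-enables inheritance. It assumes the RSAT ActiveDirectory module is installed and the caller has rights to read (and, with -Fix, modify) the user's security descriptor; the adminCount filter and the 60-minute SDProp interval are Windows defaults.

```powershell
# Added diagnostic and fix script, not part of the Ithicos article. Assumes the RSAT
# ActiveDirectory module (which registers the AD: PSDrive used by Get-Acl/Set-Acl)
# and a caller allowed to read and, with -Fix, rewrite the user's security descriptor.
param(
    [Parameter(Mandatory)][string]$SamAccountName,
    [switch]$Fix
)
Import-Module ActiveDirectory -ErrorAction Stop

$user = Get-ADUser -Identity $SamAccountName -Properties adminCount
$dn   = $user.DistinguishedName
$acl  = Get-Acl -Path "AD:\$dn"

# SDProp sets adminCount=1 on members of protected groups and disables inheritance
# on them; neither is undone automatically when the account leaves the group.
$inheritanceBlocked = $acl.AreAccessRulesProtected

# Groups the user is in, directly or via nesting (LDAP_MATCHING_RULE_IN_CHAIN),
# that SDProp has marked with adminCount=1, i.e. protected groups or groups nested
# inside them. Non-empty means SDProp will keep re-applying the AdminSDHolder ACL.
# (A DN containing ( ) * or \ would need LDAP filter escaping first.)
$protected = Get-ADGroup -LDAPFilter "(&(adminCount=1)(member:1.2.840.113556.1.4.1941:=$dn))"

[pscustomobject]@{
    User               = $user.SamAccountName
    AdminCount         = $user.adminCount
    InheritanceBlocked = $inheritanceBlocked
    ProtectedGroupsNow = ($protected | Select-Object -ExpandProperty Name) -join ', '
} | Format-List

if ($inheritanceBlocked -and $Fix) {
    if ($protected) {
        Write-Warning "User is still in a protected group; SDProp will block inheritance again within about 60 minutes. Remove that membership first."
        return
    }
    # Same effect as ticking "Include inheritable permissions from this object's
    # parent": re-enable inheritance and keep the explicit ACEs already present.
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path "AD:\$dn" -AclObject $acl
    Write-Host "Inheritance re-enabled on $dn"
}
```

Run it first without -Fix to see the state; a user with AdminCount 1, InheritanceBlocked True and no current protected groups is exactly the "was a member at one time" case described above.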


Possible Error Messages

This section is merely in place to show some possible errors that may be generated by our applications.

An error occured. Please contact your system administrator and report this message. Directory Manager does not have permissions to update this user account.

Please contact your system administrator and report this message.

Access is denied.

at System.DirectoryServices.Interop.UnsafeNativeMethods.IAds.SetInfo()
at System.DirectoryServices.DirectoryEntry.CommitChanges()
at Ithicos.DirectoryManager.ADUser.SetUserProperties(Dictionary`2 table)
at Ithicos.DirectoryManager.SingleUpdate.UpdateUserProperties()
at Ithicos.DirectoryManager.SingleUpdate.toolbar_OnClick(Object sender, RadToolBarEventArgs e)