Service / Proxy Account for Active Directory

All updates made by Directory Manager, Directory Update, and Directory Password are made via a proxy account. While we sometimes refer to the account as a "service" account, functionally it is a proxy account. Neither Directory Update, Directory Password, nor Directory Manager has a service that runs all of the time. When a user updates their information, the IIS server initiates an LDAP connection to Active Directory, authenticating via Kerberos with the security credentials of the service/proxy account.

Recommendation for a Service / Proxy Account

Rather than using the Administrator account or a user's account, we recommend using a dedicated account with specific properties. Create an account in Active Directory with the following properties.

The service/proxy account needs permissions to update user accounts. The simplest way to give

Common Problems

Problems with the service/proxy account are one of our most common support issues. Common problems include:

By far, the most common problem is related to the service/proxy account not having the necessary permissions.

  If you are using Directory Manager to update Contacts, note that the Account Operators group does *not* have permissions to update contacts.

Fixing Common Permissions Problems

If you are not sure whether the issue you are having is related to a permissions problem, the quickest and easiest way to verify this is to put the service/proxy account into the domain's local Administrators group. If Directory Update or Directory Manager is then able to update the user, the problem is more than likely permissions related.

A very common question we get is "Why can I update some but not all of the users?" More than likely, the issue is a "feature" rather than a bug. We recommend that the service/proxy account be a member of the domain's Account Operators group. Account Operators can only update regular user accounts. If the user account you are trying to update is a member of any operators group or any domain administrators group, the service/proxy account cannot update that user account; it is explicitly denied from doing so.

But wait! The account that I'm trying to update is *not* a member of an operators group or an administrators group. That may be true, but it *might* have been at one time. If a user account is a member of any elevated-permissions group, Active Directory automatically clears inherited permissions on that account. When the user is later removed from one of the protected groups (such as Account Operators, Administrators, Domain Admins, etc.), inherited permissions are NOT restored. For more information on the protected groups feature, see the article AdminSDHolder, Protected Groups, and SDPROP.

You can check to see if a user's permissions have been cleared and you can fix this following these steps:

  1. Open Active Directory Users and Computers
  2. Ensure that the Advanced Features view is enabled (click View; there should be a check-mark next to Advanced Features)
  3. Locate the user in question and display that user's properties
  4. Go to the Security tab and click the Advanced button
  5. If the check-box "Include inheritable permissions from this object's parent" is not checked, check it and click OK twice.
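The manual check above (does the user's security descriptor still inherit from its parent, and is the account still in a protected group?) can be run across a whole OU from PowerShell. The script below is an added example and is not part of the Ithicos documentation or product; it assumes the RSAT ActiveDirectory module, an account permitted to read (and, with -Fix, modify) the target objects' ACLs, and a placeholder $SearchBase that you replace with your own OU. It uses the adminCount attribute, which SDProp stamps to 1 on protected accounts and does not clear when the account leaves the group.

```powershell
<#
  Added example, not part of the Ithicos documentation: audit user accounts whose
  security descriptor no longer inherits permissions from its parent (the condition
  that stops an Account Operators member such as the Directory Manager service/proxy
  account from updating them) and optionally re-enable inheritance on accounts that
  are no longer in any protected group.

  Assumptions (not from the original page):
    - Run on a domain-joined host with the RSAT ActiveDirectory module.
    - $SearchBase is a placeholder OU; replace it with your own.
#>
param(
    [string]$SearchBase = "OU=Staff,DC=example,DC=com",   # placeholder, adjust
    [switch]$Fix                                           # restore inheritance when set
)

Import-Module ActiveDirectory

# Protected groups named in the article plus the other default ones SDProp covers.
$protectedGroups = @("Account Operators", "Administrators", "Domain Admins",
                     "Server Operators", "Print Operators", "Backup Operators",
                     "Enterprise Admins", "Schema Admins")

# Build a set of DNs that are currently (directly or via nesting) in a protected
# group, so we can tell orphaned accounts apart from ones SDProp will re-stamp.
$protectedMembers = @{}
foreach ($g in $protectedGroups) {
    try {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
            ForEach-Object { $protectedMembers[$_.distinguishedName] = $true }
    } catch {
        Write-Warning "Could not enumerate '$g': $($_.Exception.Message)"
    }
}

$users = Get-ADUser -Filter * -SearchBase $SearchBase `
    -Properties adminCount, nTSecurityDescriptor

$report = foreach ($u in $users) {
    # AreAccessRulesProtected = $true means the "Include inheritable permissions
    # from this object's parent" box in ADUC is unticked.
    $inheritanceBlocked = $u.nTSecurityDescriptor.AreAccessRulesProtected
    if (-not $inheritanceBlocked) { continue }

    $stillProtected = $protectedMembers.ContainsKey($u.DistinguishedName)

    [pscustomobject]@{
        SamAccountName     = $u.SamAccountName
        DistinguishedName  = $u.DistinguishedName
        AdminCount         = $u.adminCount
        InheritanceBlocked = $inheritanceBlocked
        CurrentlyProtected = $stillProtected        # leave alone; SDProp would re-stamp it
        Orphaned           = -not $stillProtected   # safe candidate for restoring inheritance
    }
}

$report | Format-Table SamAccountName, AdminCount, CurrentlyProtected, Orphaned -AutoSize

if ($Fix) {
    foreach ($row in ($report | Where-Object Orphaned)) {
        $path = "AD:\$($row.DistinguishedName)"
        $acl  = Get-Acl -Path $path
        # Same effect as ticking the check-box in step 5:
        # $false = stop protecting the ACL, $true = keep the existing explicit ACEs.
        $acl.SetAccessRuleProtection($false, $true)
        Set-Acl -Path $path -AclObject $acl
        # Clear the stale adminCount marker so the account no longer looks protected.
        Set-ADUser -Identity $row.DistinguishedName -Clear adminCount
        Write-Host "Restored inheritance on $($row.SamAccountName)"
    }
}
```

Run it without -Fix first and review the report: accounts listed as CurrentlyProtected are still in a protected group, so restoring inheritance on them would be undone by SDProp within the hour and the service/proxy account should not be expected to update them. Only the Orphaned rows are the "used to be an admin" case the article describes, and -Fix touches only those.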


Possible Error Messages

This section is merely in place to show some possible errors that may be generated by our applications.

An error occurred.

Please contact your system administrator and report this message.

Directory Manager does not have permissions to update this user account.

Access is denied.

at System.DirectoryServices.Interop.UnsafeNativeMethods.IAds.SetInfo()
at System.DirectoryServices.DirectoryEntry.CommitChanges()
at Ithicos.DirectoryManager.ADUser.SetUserProperties(Dictionary`2 table)
at Ithicos.DirectoryManager.SingleUpdate.UpdateUserProperties()
at Ithicos.DirectoryManager.SingleUpdate.toolbar_OnClick(Object sender, RadToolBarEventArgs e)

Last Review: 7 Feb 2020