All updates made by Directory Manager, Directory Update, and Directory Password are performed through a proxy account. We sometimes refer to it as a "service" account, but functionally it is a proxy account: none of Directory Update, Directory Password, or Directory Manager runs a persistent service. When a user updates their information, the IIS server opens an LDAP connection to Active Directory, authenticating via Kerberos with the credentials of the service/proxy account.
Rather than using the built-in Administrator account or an individual user's account, we recommend a dedicated account with specific properties. Create an account in Active Directory with the following properties:
The service/proxy account needs permissions to update user accounts. The simplest way to give
Problems with the service/proxy account are one of our most common support issues. Common problems include:
By far the most common problem is that the service/proxy account lacks the necessary permissions.
If you are not sure whether the issue you are having is permissions related, the quickest and easiest way to verify this is to temporarily add the service/proxy account to the domain's built-in Administrators group. If Directory Update or Directory Manager is then able to update the user, the problem is more than likely permissions related.
A very common question we get is "Why can I update some but not all of the users?" More than likely, the issue is a "feature" rather than a bug. We recommend that the service/proxy account be a member of the domain's Account Operators group. Account Operators can only update regular user accounts. If the user account you are trying to update is a member of any operators group or any domain administrators group, the service/proxy account cannot update that user account: it is explicitly denied from doing so.
But wait! The account that I'm trying to update is *not* a member of an operators group or an administrators group. That may be true, but it *might* have been at one time. If a user account is a member of any elevated-permissions group, Active Directory automatically clears inherited permissions on that account. When the user is removed from one of the protected groups (such as Account Operators, Administrators, Domain Admins, etc.), inherited permissions are NOT restored. For more information on the protected groups feature, see the article AdminSDHolder, Protected Groups, and SDPROP.
You can check whether a user's permissions have been cleared, and fix this, by following these steps:
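As an added example (not part of the original article and not the vendor's own tooling), the following PowerShell uses the ActiveDirectory RSAT module and the `AD:` drive it provides to list every account that SDPROP has stamped, report one user's inheritance state, and restore inheritance on that user. The account name `jsmith` is a constructed placeholder; run this from an account that has rights to modify the user's security descriptor.

```powershell
# Added example: detect and repair the "inheritance cleared by AdminSDHolder" state
# described above. Assumes the ActiveDirectory module (RSAT) and the AD: PSDrive.
Import-Module ActiveDirectory

# Every account that SDPROP has processed carries adminCount = 1. The attribute is
# NOT cleared when the account leaves the protected group, so this list shows the
# users that the Account Operators proxy account is likely unable to update.
function Get-ProtectedUsers {
    Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount, memberOf |
        Select-Object SamAccountName, DistinguishedName, adminCount
}

# Report whether a single user still has inheritance disabled on its ACL.
function Test-ProtectedUser {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName -Properties adminCount, nTSecurityDescriptor
    [pscustomobject]@{
        SamAccountName      = $user.SamAccountName
        DistinguishedName   = $user.DistinguishedName
        AdminCount          = $user.adminCount
        # $true means the security descriptor blocks inherited ACEs, which is the
        # state SDPROP leaves behind (and the reason delegated rights do not apply).
        InheritanceDisabled = $user.nTSecurityDescriptor.AreAccessRulesProtected
    }
}

# Re-enable inheritance and clear the stale adminCount marker. SDPROP only stamps
# and protects accounts that are currently members of a protected group, so a user
# who has genuinely left those groups will not be re-protected on the next run.
function Restore-UserInheritance {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName -Properties adminCount
    $path = "AD:\$($user.DistinguishedName)"

    $acl = Get-Acl -Path $path
    # First argument $false = allow inheritance; second $true = keep the explicit
    # ACEs already on the object rather than discarding them.
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path $path -AclObject $acl

    Set-ADUser -Identity $user -Clear adminCount
}

# Constructed usage: audit the domain, inspect one user, repair it, then re-check.
Get-ProtectedUsers | Format-Table -AutoSize
Test-ProtectedUser -SamAccountName 'jsmith'
Restore-UserInheritance -SamAccountName 'jsmith'
Test-ProtectedUser -SamAccountName 'jsmith'
```

Before repairing an account, confirm with `Get-ADPrincipalGroupMembership` that it really is no longer a member of any protected group; if it still is, SDPROP will simply reapply the protected ACL within the hour, and the correct fix is to update that user with a higher-privileged account rather than the proxy account.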
This section is merely in place to show some possible errors that may be generated by our applications.