“Access denied” message when enrolling with an admin account
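Admin accounts are affected by the AdminSDHolder rule, which resets the security permissions on privileged AD accounts every 15 minutes. The reset overwrites any permissions delegated to the service account on those accounts, so enrollment fails with “Access denied”.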
Possible solution
Log in with an account that has Domain Admin permissions and run the following command:
dsacls "CN=AdminSDHolder, CN=System, <Domain DN>" /G "<ServiceAccount>:CCDC;classStore;" "<ServiceAccount>:LC;;" "<ServiceAccount>:CA;Reset Password;" "<ServiceAccount>:RP;userAccountControl;" "<ServiceAccount>:RPWP;mobile;" "<ServiceAccount>:RPWP;pwdLastSet;" "<ServiceAccount>:RPWP;lockoutTime;"
Example:
dsacls "CN=AdminSDHolder, CN=System, DC=example, DC=com" /G "EXAMPLE\sprsvc:CCDC;classStore;" "EXAMPLE\sprsvc:LC;;" "EXAMPLE\sprsvc:CA;Reset Password;" "EXAMPLE\sprsvc:RP;userAccountControl;" "EXAMPLE\sprsvc:RPWP;mobile;" "EXAMPLE\sprsvc:RPWP;pwdLastSet;" "EXAMPLE\sprsvc:RPWP;lockoutTime;"
Replace <Domain DN> and <ServiceAccount> with the domain components of your domain and the name of the SPR service account.
Note: Allowing Specops Password Reset to work with an account with administrative permissions is not best practice for security reasons. Enable these settings only if it is required by the practical reality of your organization.
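Because the command above changes the ACL template applied to every privileged account, it is worth confirming exactly what the service account ended up with. The following PowerShell is an added example, not part of the original article or of Specops tooling; it assumes the RSAT ActiveDirectory module is installed and uses the sample account name EXAMPLE\sprsvc from the example above.

```powershell
# Added example: review what a service account was granted on AdminSDHolder.
# Assumes the RSAT ActiveDirectory module and rights to read the object's ACL.
Add-Type -AssemblyName System.DirectoryServices
Import-Module ActiveDirectory

$ServiceAccount = 'EXAMPLE\sprsvc'   # sample name from the article's example
$rootDse  = Get-ADRootDSE
$holderDn = "CN=AdminSDHolder,CN=System,$($rootDse.defaultNamingContext)"
$rightsDn = "CN=Extended-Rights,$($rootDse.configurationNamingContext)"

# Map ObjectType GUIDs to readable attribute, class and extended-right names.
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase $rightsDn -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.displayName }

# Rights that would let the account rewrite the ACL itself; none are expected here.
$aclControl = [System.DirectoryServices.ActiveDirectoryRights]'WriteDacl, WriteOwner'

# Read the ACL through the AD: drive and keep only the service account's ACEs.
$aces = (Get-Acl -Path "AD:\$holderDn").Access |
    Where-Object { $_.IdentityReference.Value -eq $ServiceAccount }

if (-not $aces) {
    Write-Warning "No ACEs found for $ServiceAccount on $holderDn"
}

$aces | ForEach-Object {
    $target = if ($_.ObjectType -eq [guid]::Empty) { '(all)' } else { $guidMap[$_.ObjectType] }
    [pscustomobject]@{
        Identity   = $_.IdentityReference.Value
        Type       = $_.AccessControlType
        Rights     = $_.ActiveDirectoryRights
        Target     = $target
        Inherited  = $_.IsInherited
        AclControl = [bool]($_.ActiveDirectoryRights -band $aclControl)
    }
} | Format-Table -AutoSize
```

Compare the Rights and Target columns against the entries in the dsacls command; any row with AclControl set to True, or a target not listed in the command, is broader than what this article grants.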