Enrolling Admin Accounts and Troubleshooting AD Permissions Issues Affecting Enrollment
When a user is enrolling in uReset or Specops Authentication, they might receive one of the following error messages:
Your organization’s server is not configured properly to access your account
Unable to write enrollment data due to your account being a member of an elevated group.
When this happens, this indicates the Specops Authentication Gatekeeper service account does not have the proper permissions. The Gatekeeper service account is granted least-privilege access to AD users accounts for enrollment and resetting passwords; this means by default the service account does not have any access to enroll administrative accounts in AD protected by AdminSDHolder.
Table of contents
Enable Enrollment for Admin Accounts
Please confirm you have set the ‘Allow accounts in protected groups to enroll’ option to ‘Yes’ via the Specops Authentication Gatekeeper Administration console on your Gatekeeper server. If it is set to ‘no’ click the Edit link to the right and enable the setting. Note: it may take up to an hour plus additional delays in AD replication for this change to take effect.
Multi-Domain Environments
The ‘Allow accounts in protected groups to enroll’ option described above will only apply to accounts in the Gatekeeper domain. If admin accounts in other scoped domains need to enroll, we can effect the same change manually using the dsacls command. Please allow up to 60 minutes after making this change for it to be propagated out to all of your admin accounts.
dsacls "CN=AdminSDHolder, CN=System, DC=domain, DC=com" /G "DOMAIN\Specops Authentication Gatekeepers:CCDC;classStore;" "DOMAIN\Specops Authentication Gatekeepers:RP;userAccountControl;" "DOMAIN\Specops Authentication Gatekeepers:RPWP;mobile;" "DOMAIN\Specops Authentication Gatekeepers:RP;tokenGroups;"
For example, to add enrollment capabilities for the specopsdemo2.com domain from a Gatekeeper in the SPECOPSDEMO1 domain:
dsacls "CN=AdminSDHolder, CN=System, DC=specopsdemo2, DC=com" /G "SPECOPSDEMO1\Specops Authentication Gatekeepers:CCDC;classStore;" "SPECOPSDEMO1\Specops Authentication Gatekeepers:RP;userAccountControl;" "SPECOPSDEMO1\Specops Authentication Gatekeepers:RPWP;mobile;" "SPECOPSDEMO1\Specops Authentication Gatekeepers:RP;tokenGroups;"
Stale AdminSDHolder User Accounts
If the above steps have been completed and/or you have users who are not in admin groups affected, and you still encounter the same error when enrolling, this is likely due to stale permissions on the user account; this can happen for user accounts who were once admins in AD but are no longer members of any administrative groups in AD. Please see the following blog post for steps for how to identify and resolve permissions issues on your user account: Troubleshooting user account permissions – AdminSDHolder