Enrolling Admin Accounts and Troubleshooting AD Permissions Issues Affecting Enrollment
When a user is enrolling in uReset or Specops Authentication, they might receive one of the following error messages:
Your organization’s server is not configured properly to access your account
Unable to write enrollment data due to your account being a member of an elevated group.
Either message indicates that the Specops Authentication Gatekeeper service account does not have the permissions it needs on the user account. The Gatekeeper service account is granted least-privilege access to AD user accounts for enrollment and password resets; by default, this means it has no access to enroll administrative accounts in AD that are protected by AdminSDHolder.
Stale AdminSDHolder User Accounts
If users who are not in admin groups receive one of these errors, the likely cause is stale permissions on the user account. This can happen for user accounts that were once admins in AD but are no longer members of any administrative groups in AD. Please see the following blog post for steps to identify and resolve permissions issues on your user account: Troubleshooting user account permissions – AdminSDHolder
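One way to list such stale accounts, as an added example that is not taken from Specops documentation or the linked blog post. It assumes the RSAT ActiveDirectory PowerShell module, a single domain, and the default protected group names shown; it relies on the adminCount attribute, which AD sets to 1 on accounts it has protected and does not clear when the account leaves the protected groups.

```powershell
# Added example: report users that still carry AdminSDHolder protection
# (adminCount = 1) but are no longer in any protected group.
Import-Module ActiveDirectory

# Assumption: default protected groups; adjust the list for your environment.
$protectedGroupNames = @(
    'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Account Operators', 'Backup Operators', 'Print Operators', 'Server Operators',
    'Domain Controllers', 'Read-only Domain Controllers', 'Replicator'
)

# DNs of every user that is a direct or nested member of a protected group.
$protectedUserDns = [System.Collections.Generic.HashSet[string]]::new(
    [System.StringComparer]::OrdinalIgnoreCase)

foreach ($name in $protectedGroupNames) {
    # -Filter returns nothing (instead of throwing) when a group is absent,
    # e.g. Enterprise Admins outside the forest root domain.
    foreach ($group in Get-ADGroup -Filter "Name -eq '$name'") {
        # LDAP_MATCHING_RULE_IN_CHAIN resolves nested membership server-side.
        # Note: membership held only through primaryGroupID is not matched.
        $filter = "(memberOf:1.2.840.113556.1.4.1941:=$($group.DistinguishedName))"
        Get-ADUser -LDAPFilter $filter | ForEach-Object {
            [void]$protectedUserDns.Add($_.DistinguishedName)
        }
    }
}

# Users still flagged with adminCount = 1 but absent from every protected group.
# krbtgt is protected directly and is excluded from the report.
Get-ADUser -LDAPFilter '(&(adminCount=1)(!(sAMAccountName=krbtgt)))' `
           -Properties adminCount, nTSecurityDescriptor |
    Where-Object { -not $protectedUserDns.Contains($_.DistinguishedName) } |
    Select-Object SamAccountName, DistinguishedName,
        @{ Name = 'InheritanceDisabled'
           Expression = { $_.nTSecurityDescriptor.AreAccessRulesProtected } }
```

Accounts in the output with InheritanceDisabled set to True still have the restricted AdminSDHolder ACL and do not inherit the permissions delegated to the Gatekeeper service account.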
Enable Enrollment for Admin Accounts
Please confirm that the ‘Allow accounts in protected groups to enroll’ option is set to ‘Yes’ in the Specops Authentication Gatekeeper Administration console on your Gatekeeper server. If it is set to ‘No’, click the Edit link to the right and enable the setting. Note: it may take up to an hour, plus any additional AD replication delay, for this change to take effect.
Multi-Domain Environments
The ‘Allow accounts in protected groups to enroll’ option described above will only apply to accounts in the Gatekeeper domain. If admin accounts in other scoped domains need to enroll, we can effect the same change manually using the dsacls command. Please allow up to 60 minutes after making this change for it to be propagated out to all of your admin accounts.