Enrolling Admin Accounts and Troubleshooting AD Permissions Issues Affecting Enrollment
When a user is enrolling in uReset or Specops Authentication, they might receive one of the following error messages:
Your organization’s server is not configured properly to access your account
Unable to write enrollment data due to your account being a member of an elevated group.
These errors indicate that the Specops Authentication Gatekeeper service account does not have the proper permissions. The Gatekeeper service account is granted least-privilege access to AD user accounts for enrollment and resetting passwords; this means that by default the service account does not have any access to enroll administrative accounts in AD protected by AdminSDHolder.
Please confirm you have set the ‘Allow accounts in protected groups to enroll’ option to ‘Yes’ via the Specops Authentication Gatekeeper Administration console on your Gatekeeper server. If it is set to ‘No’, click the Edit link to the right and enable the setting. Note: it may take up to an hour, plus additional delays in AD replication, for this change to take effect.
If this is set to ‘Yes’ and you still encounter the same error when enrolling, this is likely due to stale permissions on the user account; this can happen for user accounts that were once admins in AD but are no longer members of any administrative groups in AD. Please see the following blog post for steps to identify and resolve permissions issues on your user account: Troubleshooting user account permissions – AdminSDHolder
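A read-only check for the stale-permissions case described above, added here as an example; it is not Specops code and does not come from the linked blog post. It assumes the RSAT ActiveDirectory module, treats adminCount=1 and disabled ACL inheritance as the markers AdminSDHolder leaves on an account, and uses a hypothetical function name and a constructed account name.

```powershell
# Added example (read-only): does this account still carry AdminSDHolder markers
# after leaving every protected group? Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-AdminSDHolderState {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$SamAccountName
    )

    $user = Get-ADUser -Identity $SamAccountName `
        -Properties adminCount, nTSecurityDescriptor, primaryGroupID

    # Assumption: groups stamped adminCount=1 are treated as the protected groups.
    # A group that was once protected can keep the stamp, so review the list returned.
    $protected = Get-ADGroup -LDAPFilter '(adminCount=1)' -Properties primaryGroupToken

    # Escape the DN for use inside an LDAP filter (RFC 4515), backslash first.
    $dn = $user.DistinguishedName -replace '\\', '\5c' -replace '\*', '\2a' `
        -replace '\(', '\28' -replace '\)', '\29'

    # 1.2.840.113556.1.4.1941 = LDAP_MATCHING_RULE_IN_CHAIN, which follows nesting.
    $memberOf = @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
        Select-Object -ExpandProperty DistinguishedName)

    # The primary group is not stored in 'member', so compare it directly.
    $current = @($protected | Where-Object {
        $memberOf -contains $_.DistinguishedName -or
        $_.primaryGroupToken -eq $user.primaryGroupID
    } | Select-Object -ExpandProperty Name)

    $inheritanceOff = $user.nTSecurityDescriptor.AreAccessRulesProtected
    $stamped = ($user.adminCount -eq 1) -or $inheritanceOff

    [pscustomobject]@{
        SamAccountName      = $user.SamAccountName
        AdminCount          = $user.adminCount
        InheritanceDisabled = $inheritanceOff
        ProtectedGroups     = $current
        # Stamped but no longer in any protected group: the stale case described above.
        LikelyStale         = $stamped -and ($current.Count -eq 0)
    }
}

# 'jdoe' is a constructed account name.
Get-AdminSDHolderState -SamAccountName 'jdoe'
```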