Troubleshooting Permissions Issues

Justin Tung -

Note: Applies to Hyperfish hybrid (on-premises AD) deployments only

If you find that some changes are not being committed, the Hyperfish Service Account may not have sufficient privileges for either the specific user, or the organizational unit (OU).

When permissions are the issue, the 'Approve' page in the Hyperfish Web Application will state that some changes have failed to be applied, and debug logging will reveal the following error: 

ERROR [TIMESTAMP] Error updating AD. Message: Error updating AD, The user has insufficient access rights.

To confirm that this is a permissions issue, you can run a PowerShell session as the Hyperfish service account:

runas /user:<hyperfishserviceaccountname> powershell.exe

Then, attempt to apply a failed change to the affected user object(s) using the Set-ADUser (ActiveDirectory module) cmdlet, e.g.:

Import-Module ActiveDirectory

Set-ADUser <username> -City "Seattle"

If the service account doesn't have permissions to write to that object, the error message will state that there are insufficient access rights to perform the operation:

If you aren't able to reproduce the issue with this method, be absolutely sure you are running the cmdlet as the Hyperfish service account. If you are unsure of the service account identity, run the following in PowerShell: 

Get-WmiObject Win32_Service | where-object {$_.name -eq "HyperfishAgent"} | select StartName

Also, be sure to try against multiple user objects to see if permissions change between OUs. 

 

Once confirmed, here are some things to check:

1 Make sure the Hyperfish Service account has sufficient privileges

If the multiple objects within the same AD container cannot be written to, make sure the Hyperfish service account has been granted delegated rights to the OU. 

2 Make sure the user object is not a member of a Protected Group

MS Active Directory considers Domain Admins, Enterprise Admins, and Schema Admins groups as “Protected Groups” and switches the user object inheritance flag to disable inheritance from the parent object. Therefore, a Hyperfish service account with delegated permissions will not be able to modify these objects.

Even if the user object is manually set to inherit from the parent, the SDProp job runs every hour to scan for objects that are considered “protected” and resets the inheritance flag.

Refer to the SDProp section in this TechNet article for more information: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory

3 Make sure inheritance is enabled for the object

This is especially applicable if the user object was previously a member of a protected group. 

 

Have more questions? Submit a request

0 Comments

Please sign in to leave a comment.