INSUFF_ACCESS_RIGHTS


Chirag Darji

Apr 8, 2024, 6:47:55 AM
to pwm-general
Hi
Getting this error while unlocking an AD user from the PWM portal. They are able to change the password from the helpdesk section but not able to unlock the user.

Error, http.PwmResponse, {iJedw,t testuser} 5015 Error_internal {javax.naming.NoPermissionException: [LDAp: error code 50 - 00002098: SecErr: DSID-031514A0, problem 4003 {INSUFF_ACCESS_RIGHTS}, data 0 ]}

Jason Rivard

Apr 12, 2024, 7:38:34 PM
to pwm-general
This is an error from AD.  You can use PWM logs and LDAP wire trace settings to find out what LDAP operation it is occurring on, but why AD is giving this error is something beyond the scope of PWM.  Probably rights related but AD errors are often misleading.

Chirag Darji

Aug 25, 2025, 2:58:39 AM (12 days ago)
to pwm-general
Thanks for the reply.
Issue has been resolved after performing the below steps
There was an issue with AD. I've delegated the permission and selected the Read lockoutTime check box and the Write lockoutTime check box in the delegation.

To delegate the right to a group or user:
  1. Create the group or user account that you want to have the right to unlock user accounts in Active Directory Users and Computers (for example, Help Desk Admins).
  2. Right-click the domain in Active Directory Users and Computers (ADUC), and then click Delegate Control from the menu that is displayed.
  3. The Delegation of Control Wizard should be displayed. On the Welcome dialog box, click Next.
  4. On the Users and Groups dialog box, click Add. Select the group in the list that you want to give the right to unlock accounts, and then click OK. On the Users and Groups dialog box, click Next.
  5. On the Tasks to Delegate dialog box, click Create a custom task to delegate, and then click Next.
  6. On the Active Directory Object Type dialog box, click Only the following objects in the folder:. In the list, click User objects (the last entry in the list), and then click Next.
  7. On the Permissions dialog box, click to clear the General check box, and then click to select the Property-specific check box. In the Permissions list, click to select the Read lockoutTime check box, click to select the Write lockoutTime check box, and then click Next.
  8. On the Completing the Delegation of Control Wizard dialog box, click Finish.
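
To confirm that the delegation described above actually landed on the directory, the following script (an added example, not code from the thread or from PWM) audits the ACL of the domain or an OU for Allow ACEs that grant a given principal ReadProperty/WriteProperty on lockoutTime, scoped to descendant user objects. It assumes RSAT's ActiveDirectory module; the group name 'CONTOSO\Help Desk Admins' is a placeholder.

```powershell
# Added example: check whether a principal has been delegated Read + Write on
# the lockoutTime attribute of user objects (what the Delegation of Control
# Wizard steps above grant). Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Test-LockoutTimeDelegation {
    param(
        [Parameter(Mandatory)][string]$Principal,             # placeholder, e.g. 'CONTOSO\Help Desk Admins'
        [string]$TargetDN = (Get-ADDomain).DistinguishedName  # domain root, or an OU DN
    )

    # Resolve the schema GUIDs at run time rather than hard-coding them.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $lockoutTimeGuid = [guid](Get-ADObject -SearchBase $schemaNC -Properties schemaIDGUID `
        -LDAPFilter '(&(objectClass=attributeSchema)(lDAPDisplayName=lockoutTime))').schemaIDGUID
    $userClassGuid = [guid](Get-ADObject -SearchBase $schemaNC -Properties schemaIDGUID `
        -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=user))').schemaIDGUID

    $acl = Get-Acl -Path "AD:\$TargetDN"

    # Allow ACEs for this principal that are scoped to lockoutTime on user objects.
    $aces = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $Principal -and
        $_.ObjectType -eq $lockoutTimeGuid -and
        $_.InheritedObjectType -eq $userClassGuid
    }

    $read  = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
    $write = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    [pscustomobject]@{
        Principal = $Principal
        Target    = $TargetDN
        CanRead   = [bool]($aces | Where-Object { $_.ActiveDirectoryRights.HasFlag($read) })
        CanWrite  = [bool]($aces | Where-Object { $_.ActiveDirectoryRights.HasFlag($write) })
    }
}

# The account PWM binds with (or a group it belongs to) must show CanWrite = True;
# without Write lockoutTime the unlock is refused with INSUFF_ACCESS_RIGHTS.
Test-LockoutTimeDelegation -Principal 'CONTOSO\Help Desk Admins'
```

Run it against the same scope you delegated on (domain root or a specific OU), since an ACE set on one OU does not apply to users elsewhere.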

Jason Rivard

Aug 25, 2025, 6:28:20 PM (11 days ago)
to pwm-general
Thanks for posting your solution!