OneLogin - ADC cannot unlock some Active Directory users due to insufficient access rights (4383423)

OneLogin - ADC cannot unlock some Active Directory users due to insufficient access rights

Some Active Directory-synchronized users remain in a locked or pending unlock state in OneLogin. Attempts to unlock the affected user through OneLogin or through the Active Directory Connector fail.

ADC logs may show errors similar to:

Error Code: [8344 (-2147467259)] - Insufficient access rights to perform the operation
DirectoryOperationException - Result Code: [InsufficientAccessRights]
problem 4003 (INSUFF_ACCESS RIGHTS)
Attribute: [lockoutTime] => Operation: [Replace] - Values: [0]

The issue may affect only specific users while other standard users can be unlocked normally.

The ADC service account does not have sufficient permission to modify the affected Active Directory user object.

For users that are or were members of privileged Active Directory groups, AdminSDHolder protection may apply. This protection can:

• Disable permission inheritance on the user object.
• Apply a restricted access control list to the object.
• Reapply protected permissions periodically.
• Prevent delegated or service accounts from modifying sensitive attributes such as lockoutTime.

When this condition exists, even an otherwise valid ADC service account configuration can return insufficient access rights for only the protected user objects.

1. Confirm which account is running the OneLogin Active Directory Connector service.
   
   
2. Validate whether the ADC service account can unlock the affected user directly from PowerShell:
   

      runas /user:DOMAIN\ADCServiceAccount "powershell.exe"
      Unlock-ADAccount -Identity "CN=End User,OU=Users,DC=example,DC=local"

3. If PowerShell returns an insufficient permissions error, verify whether the affected user object is protected by AdminSDHolder:
   

      Get-ADUser username -Properties adminCount, MemberOf

4. If adminCount is set to 1, review the user’s group memberships and remove the user from privileged groups if administrative membership is not required. Examples of privileged groups include:
   • Domain Admins
   • Enterprise Admins
   • Administrators
   • Account Operators
   • Server Operators
   • Backup Operators
   • Protected Users
     
     
5. Re-enable inheritance on the affected user object:
   • Open Active Directory Users and Computers.
   • Select View | Advanced Features.
   • Open the affected user object.
   • Go to Properties | Security | Advanced.
   • Enable permission inheritance if it is disabled.
     
     
6. Clear the adminCount attribute if the user should no longer be protected:
   

      Set-ADUser username -Clear adminCount

7. Retry the unlock operation from Active Directory or OneLogin after permissions and inheritance are corrected.
   
   
8. Confirm that the ADC service account follows the recommended permission model for the environment. Grant only the permissions required by organizational policy and security standards.