This article shows you how to remove privileged status from an Active Directory (AD) user so they can be managed by the Active Directory Integration (ADI). The ADI utility cannot manage privileged users that have been added to a protected group such as Domain Admins, Enterprise Admins, or Backup Operators.
If a user was mistakenly added to one of these groups, or is no longer considered a privileged account, you'll see errors like the following in the ADI logs:
err='LDAP Result Code 50 \"Insufficient Access Rights\": 00002098: SecErr: DSID-031514A0, problem 4003 (INSUFF_ACCESS_RIGHTS)
Modifying a Single User
To remove privileged status from a single user:
- Remove the user account from all protected groups.
- Clear the adminCount value of the user on the Domain Controller:
  - In AD Users and Computers, click View, and select Advanced Features.
  - Right-click the user and select Properties.
  - Click Attribute Editor.
  - Double-click the adminCount attribute, and click Clear.
  - Apply your changes.
- Then, enable inheritance for this user:
  - From the user Properties page, click Security.
  - Click Advanced.
  - Click Enable Inheritance.
The user should now be manageable by the ADI.
Modifying Multiple Users
You can use the attached script and CSV to clear the adminCount value and enable inheritance for multiple users:
- Download the TroubleUsers.csv and DisableProtectedStatus.ps1 files to the same folder.
- Add the usernames of the users you would like to modify to the TroubleUsers.csv file.
- Run the DisableProtectedStatus.ps1 PowerShell script.
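The following PowerShell script is an added example that performs the single-user procedure above (clear adminCount, then enable inheritance) for every account listed in a CSV, and also audits the domain for accounts that still carry adminCount=1 without being in a protected group. It is not the article's attached DisableProtectedStatus.ps1. It assumes the RSAT ActiveDirectory module is installed, that TroubleUsers.csv has a SamAccountName column header (the column name is an assumption), and that it runs with rights to modify the target user objects.

```powershell
# Added example, not the article's attached script. Assumes the RSAT
# ActiveDirectory module and a TroubleUsers.csv with a SamAccountName header.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

# Built-in groups that AdminSDHolder/SDProp protects by default.
$ProtectedGroups = @(
    'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Account Operators', 'Server Operators', 'Print Operators',
    'Backup Operators', 'Replicator'
)

function Get-ProtectedGroupMembership {
    # Returns the protected groups a user belongs to, including nested
    # membership, via the LDAP_MATCHING_RULE_IN_CHAIN filter.
    param([Parameter(Mandatory)][Microsoft.ActiveDirectory.Management.ADUser]$User)
    $filter = "(member:1.2.840.113556.1.4.1941:=$($User.DistinguishedName))"
    Get-ADGroup -LDAPFilter $filter |
        Where-Object { $ProtectedGroups -contains $_.Name } |
        Select-Object -ExpandProperty Name
}

function Get-OrphanedAdminCountUser {
    # Audit: users stamped adminCount=1 that are no longer in any protected
    # group. SDProp sets adminCount but never clears it, so these accounts keep
    # a non-inherited ACL until fixed by hand (or by this script).
    Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount |
        Where-Object { -not (Get-ProtectedGroupMembership -User $_) }
}

function Remove-AdminCountProtection {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$SamAccountName)
    process {
        $user  = Get-ADUser -Identity $SamAccountName -Properties adminCount
        $still = Get-ProtectedGroupMembership -User $user
        if ($still) {
            # Step 1 of the article is a precondition: SDProp (hourly on the
            # PDC emulator) would re-stamp adminCount and re-protect the ACL.
            Write-Warning "$SamAccountName is still in protected group(s): $($still -join ', '); remove it first."
            return
        }
        $dn = $user.DistinguishedName
        if ($PSCmdlet.ShouldProcess($dn, 'Clear adminCount and enable inheritance')) {
            # Step 2: clear the adminCount attribute.
            Set-ADUser -Identity $user -Clear adminCount
            # Step 3: enable inheritance on the object's security descriptor
            # through the AD: drive provided by the ActiveDirectory module.
            $acl = Get-Acl -Path "AD:\$dn"
            # SetAccessRuleProtection($false, ...) turns inheritance back on.
            $acl.SetAccessRuleProtection($false, $true)
            Set-Acl -Path "AD:\$dn" -AclObject $acl
            Write-Verbose "Cleared adminCount and enabled inheritance for $SamAccountName"
        }
    }
}

# Usage: fix every account listed in the CSV; add -WhatIf to preview changes.
Import-Csv -Path (Join-Path $PSScriptRoot 'TroubleUsers.csv') |
    Select-Object -ExpandProperty SamAccountName |
    Remove-AdminCountProtection -Verbose

# Usage: list accounts still carrying a stale adminCount=1 across the domain.
Get-OrphanedAdminCountUser | Select-Object SamAccountName, DistinguishedName
```

The script refuses to touch a user who is still in a protected group, even through nested membership, because the SDProp process re-applies the AdminSDHolder permissions and adminCount=1 roughly every hour to every such member, which would undo the change and bring the ADI error back. Run it with -WhatIf first to confirm which objects will be modified, and run the audit function periodically: accounts with a stale adminCount=1 are easy to miss in AD Users and Computers because the attribute is not shown without Advanced Features, yet they keep non-inherited permissions that no longer match their actual role.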