Troubleshooting domain administrative accounts

The Privileged Access Service cannot reconcile domain administrative account passwords that may be locked or out of sync. If the domain administrative account encounters an issue, operations using the domain administrative account will fail and an error message is displayed when you browse to the Resources portion of the Admin Portal. To troubleshoot the issue, see the following:

Issue: Insufficient Permissions

Description: The administrative account has insufficient access rights to perform the required operation on a domain account. For example, if the administrative account does not have permission to reset domain account passwords, the managed domain account password cannot be rotated.

Troubleshoot: If you suspect that the administrative account has insufficient permissions, check the account's permissions in your domain controller.

Navigate to Properties > Member of... to check the administrative account's group configuration. Then, navigate to Properties > Security (you may need to enable View > Advanced Features) for the managed account, and check the permissions for that group.

Once you correct the issue, you can click the X in the banner to dismiss it.

Issue: Invalid credentials

Description: The administrative account may have invalid credentials due to:

  • Multiple logins with invalid credentials causing the account to lock.
  • A disabled or deleted account.
  • A non-existent domain account.
  • An expired or out-of-sync password.
  • A password update required at the next logon.

Troubleshoot: If you suspect the account has invalid credentials, you can run a check on the domain administrative account in Privileged Access Service to verify the password, or check the credentials of that account in the domain controller directly. In the domain controller you can:

  • Enable the account if it was disabled.
  • Reset the account password and unlock the account (if it was locked) in the domain controller. Then, update the account password in Privileged Access Service.
  • Change the administrative account to use an account that does exist in the domain (if the account did not exist in the domain).

Once you correct the issue, you can click the X in the banner to dismiss it.
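The following PowerShell script is an added diagnostic example, not part of this documentation or of Privileged Access Service itself: it checks both table rows from the domain controller side, first the account-state causes of "Invalid credentials", then whether the administrative account (directly or through nested group membership) holds the Reset Password right on a managed account. It assumes the RSAT ActiveDirectory module is installed; the two account names are placeholders, and the Reset Password GUID is the well-known User-Force-Change-Password extended right.

```powershell
# Added diagnostic example (not part of the original documentation). Assumes the
# RSAT ActiveDirectory module; the two sAMAccountNames below are placeholders.
Import-Module ActiveDirectory

$AdminSam   = 'pas-domain-admin'   # placeholder: the PAS domain administrative account
$ManagedSam = 'svc-managed-app'    # placeholder: a managed account whose password PAS rotates

# Well-known GUID of the "Reset Password" (User-Force-Change-Password) extended right
$ResetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
$GenericAll    = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$ExtendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# --- Invalid credentials: account-state checks from the table ---
$admin = Get-ADUser -Filter "sAMAccountName -eq '$AdminSam'" `
                    -Properties Enabled, LockedOut, PasswordExpired, pwdLastSet
if (-not $admin) { Write-Warning "'$AdminSam' does not exist in the domain."; return }

if (-not $admin.Enabled)     { Write-Warning "Account is disabled: enable it in AD." }
if ($admin.LockedOut)        { Write-Warning "Account is locked out: unlock it, then update the password in PAS." }
if ($admin.PasswordExpired)  { Write-Warning "Password has expired: reset it in AD, then update it in PAS." }
if ($admin.pwdLastSet -eq 0) { Write-Warning "Password change required at next logon: reset the password or clear the flag." }

# --- Insufficient permissions: can the admin account reset the managed account's password? ---
$managed = Get-ADUser -Filter "sAMAccountName -eq '$ManagedSam'"
if (-not $managed) { Write-Warning "Managed account '$ManagedSam' not found."; return }

# SIDs the admin account acts as: itself plus every group it belongs to, nested
# included (LDAP_MATCHING_RULE_IN_CHAIN resolves nesting server-side; primary group excepted).
$adminSids = @($admin.SID.Value) +
    @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($admin.DistinguishedName))" |
      ForEach-Object { $_.SID.Value })

# Allow ACEs on the managed account that confer Reset Password: the specific
# extended right, all extended rights (empty ObjectType), or full control.
$acl = Get-Acl -Path "AD:\$($managed.DistinguishedName)"
$grants = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and (
        (($_.ActiveDirectoryRights -band $GenericAll) -eq $GenericAll) -or
        (($_.ActiveDirectoryRights -band $ExtendedRight) -and
         ($_.ObjectType -eq $ResetPasswordRight -or $_.ObjectType -eq [Guid]::Empty))
    )
}
$granting = $grants | Where-Object {
    try   { $adminSids -contains $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { $false }   # unresolvable trustee (e.g. orphaned SID): not a match
}
if ($granting) {
    "Reset Password on '$ManagedSam' is granted via: $(($granting.IdentityReference | Select-Object -Unique) -join ', ')"
} else {
    Write-Warning "No ACE grants '$AdminSam' Reset Password on '$ManagedSam': review Properties > Security on the managed account."
}
```

Run it as a user with read access to the domain; each warning maps to one remediation step in the table above, and the final line names the group or principal through which the right is actually held, which is what you verify under Properties > Security.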