Error: LDAP_INSUFFICIENT_ACCESS (50)
Created: 2012-04-20 08:09:59
Modified: 2022-09-10 09:03:13
Tags: Active Directory Errors Troubleshooting UnitySync
Insufficient access errors indicate the user login (specified on the Destination tab) does not have adequate permissions to perform the necessary action.
Review your Sync log file. Does the error occur on Add, Mod and/or Delete of objects? Does the error occur when Adding/Deleting structure or person objects?
NOTE: If this connection has Join parameters enabled (a Sync/Join Mode of Join or Both), your Destination account login must be a Domain Admin or the login used must have full control of the entire Destination directory or, at minimum, starting at the optional Base DN.
1) Error on Add, Delete and Modify of structure or person/group objects - ALL functions are causing an error
The user login account does not have adequate permissions to perform the necessary actions. For more information on the recommended configuration of your user login account, refer to the Administrator’s Guide in the Configure Directory Servers section. Review the sub-topic for your specific directory type to confirm setup has been completed accurately. If you are using Special Permissions on your Destination Sync Container, reapply the permissions as outlined in Setting Special Permissions on the AD Sync container.
2) Error on Modify of Person/Group Objects, but Add and Delete functions are successful
If your log file shows insufficient access errors on Modifies only (while Adds/Deletes occur successfully) then it is likely that you missed a step when setting up Special Permissions on the Sync container.
When setting up special permissions on the Sync container, you must select Full Control and be sure to specify This object and all child objects (this option may instead be labeled This object and all descendant objects). This is the setting that is sometimes forgotten, and missing it results in errors on Modify. The knowledge base article Setting Special Permissions on the AD Sync container explains exactly how to do this.
Please note, once set, it is not possible to confirm that the This object and all child objects option was selected when Full Control was initially applied. The only way to be sure this option is selected is to reapply the permissions, selecting Full Control and This object and all child objects.
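As an added example (not part of the UnitySync documentation or the referenced knowledge base article), the same reapplication can be scripted in PowerShell with the ActiveDirectory module. The container DN and account name below are placeholders, and the script assumes it is run by an administrator who is allowed to change the container's permissions.

```powershell
# Added example: reapply Full Control on the Sync container so that it
# covers the container AND every object beneath it.
# The DN and account below are placeholders; substitute your own values.
Import-Module ActiveDirectory

$containerDn = 'OU=Sync,DC=example,DC=com'   # placeholder: Destination Sync container
$account     = 'EXAMPLE\svc-unitysync'       # placeholder: login from the Destination tab

# Resolve the account name to a SID for use in the access rule.
$ntAccount = New-Object System.Security.Principal.NTAccount($account)
$sid = $ntAccount.Translate([System.Security.Principal.SecurityIdentifier])

# Inheritance 'All' corresponds to "This object and all descendant objects".
# Inheritance 'None' would grant Full Control on the container only, which is
# the missed step that lets Adds/Deletes succeed while Modifies on child
# objects fail with LDAP_INSUFFICIENT_ACCESS (50).
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
)

# Read the current ACL, add the rule, and write the ACL back.
$path = "AD:\$containerDn"
$acl  = Get-Acl -Path $path
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl
```

Scoping the rule to the Sync container keeps the grant limited to that subtree rather than the whole directory.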
For more information on the recommended configuration of your UnitySync login account (including setup of Special Permissions), refer to the Administrator’s Guide in the Configuring Directory Servers topic for AD/Exchange 20xx.