Trying to troubleshoot a customer. We have a service running on their AD domain controller. The service rotates passwords for certain accounts defined by customer at a predetermined timeout. The service works on every customer site so far.
However, new potential customer, it does not work.
The service is in .NET and calls UserPrincipal.SetPassword() with a new password. That call throws an E_ACCESSDENIED (0x80050007) exception. I can duplicate the same exact error by using a user account that is not a domain administrator.
Since the error seems to be a permissions issue, I am wondering how this can be. It is running on the domain controller. That domain controller is running ntds. The service is running/logging in as the Local System account. AFAIK, since the service is running under the Local System account, it should be omnipotent on 1) the computer, 2) the AD that it is running on.
What permissions could I look for to see why the Local System account on the AD controller might not be able to change the password? Is there some registry setting to inspect? Some command I can run with gpresult? Something to look at in the local security policy? Really trying to figure this out.
Thanks in advance.
OS Version: Microsoft Windows NT 6.2.9200.0
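Since the question is which permissions on the target account could block a password reset, the following is an added diagnostic snippet (not part of the original post, and not the poster's service code). It dumps the access control entries on a user object that grant or deny the "Reset Password" extended right, which is what SetPassword() ultimately needs, and it also reports any inheritance that has been switched off on the object. The sample account name `svc-rotated-account` and the domain are placeholders; the Reset Password right GUID is the well-known schema value. Run it on the domain controller with the ActiveDirectory module available.

```powershell
# Added diagnostic example: list who may (or may not) reset the password of one AD account.
# Assumes the RSAT/ActiveDirectory module is present on the DC.
Import-Module ActiveDirectory

# Placeholder: the account whose password the service fails to rotate.
$TargetSam = 'svc-rotated-account'

# Well-known control access right: User-Force-Change-Password ("Reset Password").
$ResetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'

$user = Get-ADUser -Identity $TargetSam -Properties nTSecurityDescriptor, adminCount
$acl  = Get-Acl -Path ("AD:\" + $user.DistinguishedName)

# A non-inherited security descriptor is a common cause of unexpected denials:
# the object has been detached from the OU/domain permission model.
if ($acl.AreAccessRulesProtected) {
    Write-Warning "Inheritance is DISABLED on $($user.DistinguishedName); OU-level grants do not apply."
}
if ($user.adminCount -eq 1) {
    Write-Warning "adminCount=1: AdminSDHolder periodically rewrites this object's ACL."
}

# Show every ACE that touches the Reset Password right, explicit deny ACEs first.
$acl.Access |
    Where-Object {
        $_.ObjectType -eq $ResetPasswordRight -or
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll)
    } |
    Sort-Object AccessControlType |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, IsInherited |
    Format-Table -AutoSize
```

A Deny entry for a broad group (or the absence of any Allow entry because inheritance is blocked) explains why a caller that is not a Domain Admin fails, and the adminCount flag shows whether AdminSDHolder is the thing rewriting the ACL every hour. Whether Local System on the DC should be covered depends on which of the listed identities the DC's machine account and the built-in groups resolve to in that environment; this snippet only gathers the evidence, it does not change anything.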