The service account set in Configure Directory and Audit login/password does not have permission to modify the Enatel attributes in Active Directory, or it does not have sufficient permissions in Active Directory to make the password change.
Resolution
1. From the install media run TOOLS\WGSrvConfig\WGSRVConfig.exe
2. Click on Configure Directory and Audit login/password, then click on the Directory tab
3. Confirm that the user account listed is correct, and is a member of the group you specified when setting up the ACLs.
If the issue persists, ensure the ESSO service account has the delegated right of "Reset user passwords and force password change at next logon" for the user. This can be confirmed at the OU or user level.
To confirm which account ESSO is using as the service account, check the following attribute value in Active Directory.
CN=IAMConfig,CN=Quest ESSO,CN=Program Data,DC=domain,DC=com (Assuming that ESSO is using the default location. You may have to check this to be sure.)
Open the properties for IAMConfig and view the attributes. The value of 'enatelAdmObject' should be the account specified for ESSO during the initial configuration.
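The two checks above can also be run from PowerShell. This is an added example, not Quest's own tooling; it assumes the ActiveDirectory module (RSAT) is installed, and the target DN and service account name are hypothetical placeholders. It inspects only the "Reset Password" extended right and only direct group memberships.

```powershell
Import-Module ActiveDirectory

# Assumptions: replace these with values from your environment.
$configDn = 'CN=IAMConfig,CN=Quest ESSO,CN=Program Data,DC=domain,DC=com'  # default location
$targetDn = 'OU=Staff,DC=domain,DC=com'   # hypothetical OU or user DN to check
$svcName  = 'svc-esso'                    # hypothetical sAMAccountName of the service account

# 1. Show which account ESSO was configured with.
$cfg = Get-ADObject -Identity $configDn -Properties enatelAdmObject
"enatelAdmObject = $($cfg.enatelAdmObject)"

# 2. Collect the SIDs of the service account and of its direct groups
#    (nested group membership is not expanded here).
$svc  = Get-ADUser -Identity $svcName
$sids = @($svc.SID.Value)
$sids += Get-ADPrincipalGroupMembership -Identity $svc |
         ForEach-Object { $_.SID.Value }

# 3. Read the ACL on the target and keep ACEs that cover the
#    "Reset Password" extended right for any of those SIDs.
$resetPwd = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # User-Force-Change-Password
$extRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$sidType  = [System.Security.Principal.SecurityIdentifier]

$acl   = Get-Acl -Path "AD:\$targetDn"
$rules = $acl.GetAccessRules($true, $true, $sidType) | Where-Object {
    ($sids -contains $_.IdentityReference.Value) -and
    ($_.ActiveDirectoryRights -band $extRight) -and
    # An empty ObjectType GUID means "all extended rights".
    ($_.ObjectType -eq $resetPwd -or $_.ObjectType -eq [guid]::Empty)
}

if ($rules) {
    # Deny entries are listed too, since a Deny ACE overrides an Allow.
    $rules | Select-Object IdentityReference, AccessControlType,
                           IsInherited, InheritanceType, InheritedObjectType |
             Format-Table -AutoSize
} else {
    "No Reset Password ACE found for $svcName or its direct groups on $targetDn"
}
```

An empty result on the OU does not rule out a delegation made directly on the user object; rerun with the user's DN as `$targetDn` to check at that level.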
Additional Information
Please note that a similar issue may be seen when using QESSO integration for Password Manager. In such a case the QPM - Quest One Password Manager Event Viewer log may report:
'LDAP error: insufficient access rights.
Error code: 0x81020023 (0x80004005)' with system <>