Remove Privileged Status from Active Directory Users

This article shows you how to remove privileged status from an Active Directory (AD) user so they can be managed by the JumpCloud Active Directory Integration (ADI). The JumpCloud ADI utility cannot manage privileged users that have been added to a protected group such as Domain Admins, Enterprise Admins, and Backup Operators.

If you have a user that was mistakenly added to one of these groups, or is no longer considered a privileged account, you'll see errors like the following in the ADI logs:

err='LDAP Result Code 50 \"Insufficient Access Rights\": 00002098: SecErr: DSID-031514A0, problem 4003 (INSUFF_ACCESS_RIGHTS)

Modifying a Single User

To remove privileged status from a single user:

  1. Remove the user account from all protected groups.
  2. Clear the adminCount value of the user on the Domain Controller:
    1. In AD Users and Computers, click View, and select Advance Features.
    2. Right-click the user and select Properties.
    3. Click Attribute Editor.
    4. Double-click the adminCount attribute, and click Clear.
    5. Apply your changes.
  3. Then, enable inheritance for this user:
    1. From the user Properties page, click Security.
    2. Click Advanced.
    3. Click Enable Inheritance.

The user should now be manageable by the JumpCloud ADI.

Modifying Multiple Users

You can use the attached script and CSV to clear the adminCount value and enable inheritance for multiple users:

  1. Download the TroubleUsers.csv and DisableProtectedStatus.ps1 files to the same folder.
  2. Add the usernames of the users you would like to modify to the TroubleUsers.csv file.
  3. Run DisableProtectedStatus.ps1 PowerShell script.
Back to Top

Still Have Questions?

If you cannot find an answer to your question in our FAQ, you can always contact us.

Submit a Case