{"id":109715,"date":"2024-05-07T09:55:52","date_gmt":"2024-05-07T13:55:52","guid":{"rendered":"https:\/\/jumpcloud.com\/?post_type=support&#038;p=109715"},"modified":"2024-05-07T09:55:53","modified_gmt":"2024-05-07T13:55:53","slug":"remove-privileged-status-from-active-directory-users","status":"publish","type":"support","link":"https:\/\/jumpcloud.com\/support\/remove-privileged-status-from-active-directory-users","title":{"rendered":"Remove Privileged Status from Active Directory Users"},"content":{"rendered":"\n<p>This article shows you how to remove privileged status from an Active Directory (AD) user so they can be managed by the JumpCloud Active Directory Integration (ADI). The JumpCloud ADI utility cannot manage privileged users that have been added to a protected group such as Domain Admins, Enterprise Admins, and Backup Operators. <\/p>\n\n\n\n<p>If you have a user that was mistakenly added to one of these groups, or is no longer considered a privileged account, you&#8217;ll see errors like the following in the ADI logs:<\/p>\n\n\n\n<div class=\"wp-block-cgb-code-block code-block\"><div class=\"code-block-snippet is-type-body-default\">\n<p>err=&#8217;LDAP Result Code 50 \\&#8221;Insufficient Access Rights\\&#8221;: 00002098: SecErr: DSID-031514A0, problem 4003 (INSUFF_ACCESS_RIGHTS)<\/p>\n<\/div><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"Modifying-a-Single-User\"><strong>Modifying a Single User<\/strong><\/h2>\n\n\n\n<p>To remove privileged status from a single user:<\/p>\n\n\n\n<ol start=\"1\">\n<li>Remove the user account from all protected groups.\n<ul>\n<li>See <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows-server\/identity\/ad-ds\/plan\/security-best-practices\/appendix-c--protected-accounts-and-groups-in-active-directory\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Protected Account and Groups in Active Directory<\/a>.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Clear the <strong>adminCount<\/strong> value of the user on the Domain Controller:\n<ol style=\"list-style-type:lower-alpha\">\n<li>In AD Users and Computers, click <strong>View<\/strong>, and select <strong>Advance Features<\/strong>.<\/li>\n\n\n\n<li>Right-click the user and select <strong>Properties<\/strong>.<\/li>\n\n\n\n<li>Click <strong>Attribute Editor<\/strong>.<\/li>\n\n\n\n<li>Double-click the <strong>adminCount<\/strong> attribute, and click <strong>Clear<\/strong>.<\/li>\n\n\n\n<li>Apply your changes.<\/li>\n<\/ol>\n<\/li>\n\n\n\n<li>Then, enable inheritance for this user:\n<ol style=\"list-style-type:lower-alpha\">\n<li>From the user Properties page, click <strong>Security<\/strong>. <\/li>\n\n\n\n<li>Click <strong>Advanced<\/strong>.<\/li>\n\n\n\n<li>Click <strong>Enable Inheritance<\/strong>. <\/li>\n<\/ol>\n<\/li>\n<\/ol>\n\n\n\n<p>The user should now be manageable by the JumpCloud ADI.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"Modify-Multiple-Users\"><strong>Modifying Multiple Users<\/strong><\/h2>\n\n\n\n<p>You can use the attached script and CSV to clear the adminCount value and enable inheritance for multiple users:<\/p>\n\n\n\n<ol start=\"1\">\n<li>Download the <strong>TroubleUsers.csv<\/strong> and <strong>DisableProtectedStatus.ps1<\/strong> files to the same folder.<\/li>\n\n\n\n<li>Add the usernames of the users you would like to modify to the TroubleUsers.csv file.<\/li>\n\n\n\n<li>Run DisableProtectedStatus.ps1 PowerShell script.<\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"<p>This article shows you how to remove privileged status from an Active Directory (AD) user so they can be managed [&hellip;]<\/p>\n","protected":false},"author":218,"featured_media":0,"template":"","meta":{"_acf_changed":false,"_oasis_is_in_workflow":0,"_oasis_original":0,"_oasis_task_priority":"","inline_featured_image":false,"footnotes":""},"support_category":[2904,2855,3135,2954,3127],"support_tag":[3160],"coauthors":[3011],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v22.9 (Yoast SEO v22.9) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Remove Privileged Status from Active Directory Users<\/title>\n<meta name=\"description\" content=\"Learn how to remove privileged status from Active Directory users to allow them to be managed by the JumpCloud Active Directory Integration (ADI).\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/jumpcloud.com\/support\/remove-privileged-status-from-active-directory-users\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Remove Privileged Status from Active Directory Users\" \/>\n<meta property=\"og:description\" content=\"Learn how to remove privileged status from Active Directory users to allow them to be managed by the JumpCloud Active Directory Integration (ADI).\" \/>\n<meta property=\"og:url\" content=\"https:\/\/jumpcloud.com\/support\/remove-privileged-status-from-active-directory-users\" \/>\n<meta property=\"og:site_name\" content=\"JumpCloud\" \/>\n<meta property=\"article:modified_time\" content=\"2024-05-07T13:55:53+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/07\/202405-MISC-JumpCloudHelpCenter-SiteDisplay-min-2.png\" \/>\n\t<meta property=\"og:image:width\" content=\"890\" \/>\n\t<meta property=\"og:image:height\" content=\"525\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"1 minute\" \/>\n\t<meta name=\"twitter:label2\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data2\" content=\"nickconrad\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/jumpcloud.com\/support\/remove-privileged-status-from-active-directory-users\",\"url\":\"https:\/\/jumpcloud.com\/support\/remove-privileged-status-from-active-directory-users\",\"name\":\"Remove Privileged Status from Active Directory Users\",\"isPartOf\":{\"@id\":\"https:\/\/jumpcloud.com\/#website\"},\"datePublished\":\"2024-05-07T13:55:52+00:00\",\"dateModified\":\"2024-05-07T13:55:53+00:00\",\"description\":\"Learn how to remove privileged status from Active Directory users to allow them to be managed by the JumpCloud Active Directory Integration (ADI).\",\"breadcrumb\":{\"@id\":\"https:\/\/jumpcloud.com\/support\/remove-privileged-status-from-active-directory-users#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/jumpcloud.com\/support\/remove-privileged-status-from-active-directory-users\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/jumpcloud.com\/support\/remove-privileged-status-from-active-directory-users#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/jumpcloud.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Support\",\"item\":\"https:\/\/jumpcloud.com\/support\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Remove Privileged Status from Active Directory Users\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/jumpcloud.com\/#website\",\"url\":\"https:\/\/jumpcloud.com\/\",\"name\":\"JumpCloud\",\"description\":\"Daily insights on directory services, IAM, LDAP, identity security, SSO, system management (Mac, Windows, Linux), networking, and the cloud.\",\"publisher\":{\"@id\":\"https:\/\/jumpcloud.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/jumpcloud.com\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/jumpcloud.com\/#organization\",\"name\":\"JumpCloud\",\"url\":\"https:\/\/jumpcloud.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/jumpcloud.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2021\/01\/jc-logo-brand-2021.png\",\"contentUrl\":\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2021\/01\/jc-logo-brand-2021.png\",\"width\":598,\"height\":101,\"caption\":\"JumpCloud\"},\"image\":{\"@id\":\"https:\/\/jumpcloud.com\/#\/schema\/logo\/image\/\"}}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Remove Privileged Status from Active Directory Users","description":"Learn how to remove privileged status from Active Directory users to allow them to be managed by the JumpCloud Active Directory Integration (ADI).","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/jumpcloud.com\/support\/remove-privileged-status-from-active-directory-users","og_locale":"en_US","og_type":"article","og_title":"Remove Privileged Status from Active Directory Users","og_description":"Learn how to remove privileged status from Active Directory users to allow them to be managed by the JumpCloud Active Directory Integration (ADI).","og_url":"https:\/\/jumpcloud.com\/support\/remove-privileged-status-from-active-directory-users","og_site_name":"JumpCloud","article_modified_time":"2024-05-07T13:55:53+00:00","og_image":[{"width":890,"height":525,"url":"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/07\/202405-MISC-JumpCloudHelpCenter-SiteDisplay-min-2.png","type":"image\/png"}],"twitter_card":"summary_large_image","twitter_misc":{"Est. reading time":"1 minute","Written by":"nickconrad"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/jumpcloud.com\/support\/remove-privileged-status-from-active-directory-users","url":"https:\/\/jumpcloud.com\/support\/remove-privileged-status-from-active-directory-users","name":"Remove Privileged Status from Active Directory Users","isPartOf":{"@id":"https:\/\/jumpcloud.com\/#website"},"datePublished":"2024-05-07T13:55:52+00:00","dateModified":"2024-05-07T13:55:53+00:00","description":"Learn how to remove privileged status from Active Directory users to allow them to be managed by the JumpCloud Active Directory Integration (ADI).","breadcrumb":{"@id":"https:\/\/jumpcloud.com\/support\/remove-privileged-status-from-active-directory-users#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/jumpcloud.com\/support\/remove-privileged-status-from-active-directory-users"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/jumpcloud.com\/support\/remove-privileged-status-from-active-directory-users#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/jumpcloud.com\/"},{"@type":"ListItem","position":2,"name":"Support","item":"https:\/\/jumpcloud.com\/support"},{"@type":"ListItem","position":3,"name":"Remove Privileged Status from Active Directory Users"}]},{"@type":"WebSite","@id":"https:\/\/jumpcloud.com\/#website","url":"https:\/\/jumpcloud.com\/","name":"JumpCloud","description":"Daily insights on directory services, IAM, LDAP, identity security, SSO, system management (Mac, Windows, Linux), networking, and the cloud.","publisher":{"@id":"https:\/\/jumpcloud.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/jumpcloud.com\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/jumpcloud.com\/#organization","name":"JumpCloud","url":"https:\/\/jumpcloud.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/jumpcloud.com\/#\/schema\/logo\/image\/","url":"https:\/\/jumpcloud.com\/wp-content\/uploads\/2021\/01\/jc-logo-brand-2021.png","contentUrl":"https:\/\/jumpcloud.com\/wp-content\/uploads\/2021\/01\/jc-logo-brand-2021.png","width":598,"height":101,"caption":"JumpCloud"},"image":{"@id":"https:\/\/jumpcloud.com\/#\/schema\/logo\/image\/"}}]}},"_links":{"self":[{"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/support\/109715"}],"collection":[{"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/support"}],"about":[{"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/types\/support"}],"author":[{"embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/users\/218"}],"version-history":[{"count":4,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/support\/109715\/revisions"}],"predecessor-version":[{"id":109981,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/support\/109715\/revisions\/109981"}],"wp:attachment":[{"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/media?parent=109715"}],"wp:term":[{"taxonomy":"support_category","embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/support_category?post=109715"},{"taxonomy":"support_tag","embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/support_tag?post=109715"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/coauthors?post=109715"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}