Workflow and ServiceDesk Community

  • 1.  General access denied error with AD component

    Posted Aug 17, 2011 03:20 PM

    I have a workflow that I'm trying to use the "Update User" Active Directory component to update 4 custom attributes on a given user. Whenever it hits the Update User component however, I am getting a "General access denied error" Active Directory error. I have a "GetUsersWithDetailsComponent" ahead of that in the Workflow and it works fine to gather all the user's AD info so I know my AD connection settings in the Workflow are correct. I also verified I can write to the 4 AD custom attributes using the same account I'm using in the Workflow by running a VB script outside of the workflow to make sure it wasn't a problem with the service account I'm using. How should I be setting up the "Update User" component so it gets past the error?



  • 2.  RE: General access denied error with AD component

    Posted Aug 17, 2011 03:44 PM

    Check out this video starting at 13:20.  He talks about how he is able to update user properties with the update user component by first creating a single value data mapping to update individual user properties instead of updating the properties within the UpdateUser component.  Hope that helps. 

    https://www-secure.symantec.com/connect/videos/workflow-use-case-active-directory-account-expiration-management

    Joe Van



  • 3.  RE: General access denied error with AD component

    Posted Aug 17, 2011 03:59 PM

    Thanks for the reply. I've already got my values for the custom attributes mapping into a "CurrentADUser" variable of ADUserInfo datatype and I am passing that variable name to the Update User component's Input tab's User Info section. I've tried CurrentADUser.CommonName and CurrentADUser.UserLogonNamePreWindows2000 as the User Name section (video and other examples I have seen show they use CommonName). I've actually tried so many variations of things I'm starting to get a nervous tic from the stress.



  • 4.  RE: General access denied error with AD component

    Posted Aug 23, 2011 10:25 AM

    I'm trying to make a password reset workflow and find that I get the same "General access denied error" Active Directory error when I'm trying to use the "Reset User Password" component. I'm pretty sure this is boiling down to a permissions/rights issue where the WF components are trying to write to more fields than my service account has permissions for. The service account I'm using does have reset password permissions, but apparently this is not enough for the "Reset User Password" component either. Our environment is on super-duper security lockdown, so the service account I'm using only has write permissions in AD for the 4 custom attributes and reset password permission. Unfortunately I can't admin AD myself and must go through our Networking department to get permissions adjusted on the service account I'm using after two different approvals are granted. This makes being able to test this myself impossible.

    So, does anyone know what the minimum AD permissions are for a service account to successfully use the "Update User" and "Reset User Password" AD Workflow components?



  • 5.  RE: General access denied error with AD component

    Posted Aug 25, 2011 10:20 PM

     

    At the ‘Tasks to Delegate’ screen, choose ‘Create a custom task to delegate’
    - Change password 
    - Reset password 
    - Read lockoutTime 
    - Write lockoutTime
     
    Or you can just use the 'common tasks' and select:
    - Reset user passwords and force password change at next logon
    - Read all user information
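
The custom-task list in the post above can also be applied from a script, which gives the AD team something reviewable to approve. This is an added example, not part of the original post or of any Symantec documentation; the OU and the service account name are placeholders, and it assumes `dsacls.exe` (AD DS tools) is available and that the delegation is wanted on user objects below one OU. It covers only the four rights listed in the post and does not establish that they are sufficient for the Workflow components.

```powershell
# Added example. $TargetOU and $Trustee are placeholders, not values from the thread.
param(
    [string]$TargetOU = 'OU=Staff,DC=example,DC=com',   # placeholder OU
    [string]$Trustee  = 'EXAMPLE\svc-workflow',          # placeholder service account
    [switch]$Apply                                       # without -Apply, only print the commands
)

# One entry per item in the post's custom-task list.
# Format is <rights>;<right or property name>;<inherited object type>:
#   CA = control access (extended right), RP = read property, WP = write property.
$grants = @(
    'CA;Change Password;user',
    'CA;Reset Password;user',
    'RP;lockoutTime;user',
    'WP;lockoutTime;user'
)

foreach ($grant in $grants) {
    # /I:S limits the ACE to child objects, so the OU object itself is not affected.
    # ${Trustee} is braced so PowerShell does not read "Trustee:" as a scope prefix.
    $dsaclsArgs = @($TargetOU, '/I:S', '/G', "${Trustee}:$grant")

    if ($Apply) {
        & dsacls.exe @dsaclsArgs | Out-Null
        if ($LASTEXITCODE -ne 0) {
            throw "dsacls failed for grant '$grant' (exit code $LASTEXITCODE)"
        }
    }
    else {
        Write-Host "Would run: dsacls.exe $($dsaclsArgs -join ' ')"
    }
}

# List every ACE on the OU that names the service account, so the result
# can be compared against the four intended grants before sign-off.
& dsacls.exe $TargetOU | Select-String -SimpleMatch $Trustee
```

Running it without `-Apply` first prints the exact commands for the approval request; the final listing shows any broader rights the account already holds on that OU.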


  • 6.  RE: General access denied error with AD component

    Broadcom Employee
    Posted Aug 29, 2011 04:33 PM

    Per the information provided by the help screen for the Reset Password component the user must be a Domain Admin.



  • 7.  RE: General access denied error with AD component

    Posted Aug 29, 2011 05:41 PM

    Yes I saw that. The Get User With Details component says the same thing and it works fine without the service account I'm using being a member of the Domain Admins group.



  • 8.  RE: General access denied error with AD component
    Best Answer

    Posted Aug 31, 2011 12:38 PM

    Resolved this by not using the Reset User Password component and used a Code (Script) component instead.