Unable to update AD user account properties using Active Directory Event

  • 28 March 2017


 

Symptoms

 


Unable to update AD user account properties using the Active Directory Event/Account Management SmO. The process/operation fails with the following error:

 

 

 

"Message: The user does not have the sufficient permissions to perform this operation. Please ensure you have Account Operator of Arministrator permissions. ServiceName: Account Management Service"
 

 

Diagnoses

 


You get this error message only when your K2 service account has been added to the Account Operators group instead of Domain Administrators AND only when you try to update information for a user who is a member of the Domain Administrators group. Otherwise this functionality should work.

 

The only case in which you can get this error is when your K2 service account is a member of the Account Operators group and you are trying to update the Administrator user account, the user accounts of administrators, or the group accounts Administrators, Server Operators, Account Operators, Backup Operators, and Print Operators.

 

As per K2 documentation:

 

 

 

"Active Directory requires that the K2 service account or the account designated as the Run As account for the event has the appropriate permissions to update user information. AD contains granular permission levels as well as delegation that must be configured if the event is to successfully execute at runtime. For more information see the TechNet Magazine article Active Directory: Protect your Active Directory data.

 

Be aware that Account Operators can't manage the Administrator user account, the user accounts of administrators, or the group accounts Administrators, Server Operators, Account Operators, Backup Operators, and Print Operators. Account Operators also can't modify user rights."

 

 

 

Source: Active Directory Event Wizard - Overview (Permissions section)

 

 

 

Resolution

Make sure that you are not trying to update sensitive accounts while using Account Operator level rights, and that there are no custom ACL modifications or granular permissions preventing the account in use from performing the required operation. See details above.
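
One way to run this check before the event executes, as an added example (not K2's own code): the function names are hypothetical, and the script assumes the RSAT ActiveDirectory module, a reachable domain, and that both the target and the K2 service/Run As account are user objects in the current domain. It reports whether the target user is an administrator (directly, through nested groups, or through its primary group) and whether the service account holds only Account Operators rights.

```powershell
# Added example. Requires the RSAT ActiveDirectory module and a reachable domain.
# Function names are hypothetical; both accounts are assumed to be user objects.
Import-Module ActiveDirectory

function Get-GroupHit {
    param([Parameter(Mandatory)][string]$SamAccountName,
          [Parameter(Mandatory)][string[]]$GroupSid)
    $user = Get-ADUser -Identity $SamAccountName -Properties PrimaryGroup
    foreach ($sid in $GroupSid) {
        $group = Get-ADGroup -Identity $sid
        # Escape the group DN so it is safe as an LDAP filter value.
        $dn = $group.DistinguishedName -replace '\\', '\5c' -replace '\*', '\2a' `
                                       -replace '\(', '\28' -replace '\)', '\29'
        # Matching rule 1.2.840.113556.1.4.1941 follows nested group membership.
        $nested = Get-ADUser -SearchBase $user.DistinguishedName -SearchScope Base `
                             -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$dn)"
        # memberOf never lists the primary group, so compare it separately.
        if ($nested -or $user.PrimaryGroup -eq $group.DistinguishedName) { $group.Name }
    }
}

function Test-K2AdUpdateTarget {
    param([Parameter(Mandatory)][string]$TargetUser,
          [Parameter(Mandatory)][string]$ServiceAccount)
    $domainSid = (Get-ADDomain).DomainSID.Value
    # Well-known SIDs: builtin Administrators and Domain Admins (RID 512).
    $adminSids = @('S-1-5-32-544', "${domainSid}-512")
    $targetHits  = @(Get-GroupHit -SamAccountName $TargetUser -GroupSid $adminSids)
    $svcIsAdmin  = @(Get-GroupHit -SamAccountName $ServiceAccount -GroupSid $adminSids).Count -gt 0
    # S-1-5-32-548 is the builtin Account Operators group.
    $svcIsAcctOp = @(Get-GroupHit -SamAccountName $ServiceAccount -GroupSid 'S-1-5-32-548').Count -gt 0
    [pscustomobject]@{
        TargetUser                      = $TargetUser
        TargetAdminGroups               = $targetHits
        ServiceAccountIsAdmin           = $svcIsAdmin
        ServiceAccountIsAccountOperator = $svcIsAcctOp
        # The combination described in the Diagnoses section above.
        ExpectPermissionError           = ($targetHits.Count -gt 0) -and $svcIsAcctOp -and -not $svcIsAdmin
    }
}

# Example call (both account names are placeholders):
# Test-K2AdUpdateTarget -TargetUser 'jdoe' -ServiceAccount 'svc-k2'
```

If `ExpectPermissionError` is `False` and the update still fails, look at custom ACLs or delegation on the target object, which this script does not inspect.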

 

 



 
