Directory Wizards Inc.


LDAP_INSUFFICIENT_ACCESS (50)

Category: Troubleshooting

Last Updated: 2011-08-03

 


 

SUMMARY:

Insufficient_Access errors indicate the user login (specified on the Destination tab) does not have adequate permissions to perform the necessary action.

 

Review your sync log file to determine which actions are causing the errors: Add, Modify and/or Delete. Does the error occur when adding or deleting structure, or person objects?

 

NOTE: If this connection has the JOIN parameters enabled, your destination account login must be a Domain Admin, or the login used must have FULL Control of the entire destination directory (or starting at the optional Base DN).

 

#1 LDAP_INSUFFICIENT_ACCESS on ADD, Delete and Modify of structure or person/group objects (all functions are causing an error).

 

The user login account does not have adequate permissions to perform the necessary action. For more information on the recommended configuration of your user login account, refer to the product help file in the Configuring Directory Servers section. Review the subtopic for your directory type to confirm that setup has been completed accurately. If you are using Special Permissions on your destination sync container, reapply the permissions as outlined in 'Applying Special Permissions' below.

 

#2 LDAP_INSUFFICIENT_ACCESS on Modify of Person/Group Objects (Add and Delete functions are successful).

 

If your log file shows Insufficient_Access errors on Modifies only (while Adds and Deletes succeed), it is likely that you missed a step when setting up Special Permissions on the sync container.

 

When setting up Special Permissions on the sync container, you must select Full Control and be sure to specify 'This object and all child objects'. ** This is the setting that is sometimes forgotten and results in errors on Modify. **

The instructions below explain exactly how to do this.

 

Applying Special Permissions

  1. In AD Users & Computers, Click 'View' and click 'Advanced Features'. This allows you to see the Security Options.
  2. Highlight your sync container, Right Click and Select Properties. Click the Security tab.
  3. Add the UnitySync user account to the Access Control List and give it 'Full Control'.
  4. Click the Advanced button. Select the UnitySync user account and click View/Edit.
    Choose: Apply onto: This object and all child objects
  5. Click OK.
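
The same permission change as steps 1 to 5, scripted with the ActiveDirectory PowerShell module. This is an added example, not taken from the product help file; the function name, the container DN `OU=Sync,DC=example,DC=com` and the account `EXAMPLE\unitysync` are placeholders, and PowerShell 5 or later with RSAT is assumed.

```powershell
# Added example (not from the product documentation).
# Assumes the RSAT ActiveDirectory module, which provides the AD: drive.
Import-Module ActiveDirectory

function Grant-SyncContainerFullControl {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $ContainerDN,  # DN of the sync container
        [Parameter(Mandatory = $true)] [string] $Account       # DOMAIN\user of the sync login
    )

    # Resolve the account name to a SID; this throws if the account does not exist,
    # so a typo cannot silently produce an ACE for the wrong principal.
    $sid = ([System.Security.Principal.NTAccount]::new($Account)).Translate(
        [System.Security.Principal.SecurityIdentifier])

    # GenericAll is what the GUI shows as 'Full Control'.
    # Inheritance 'All' is the 'This object and all child objects' choice from step 4;
    # an ACE created with inheritance 'None' applies to the container object only.
    $ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

    $path = "AD:\$ContainerDN"
    $acl  = Get-Acl -Path $path
    $acl.AddAccessRule($ace)

    # -WhatIf prints the intended change without writing the ACL back.
    $action = "Grant Full Control (this object and all child objects) to $Account"
    if ($PSCmdlet.ShouldProcess($ContainerDN, $action)) {
        Set-Acl -Path $path -AclObject $acl
    }
}

# Placeholder values: dry run first, then repeat without -WhatIf to apply.
Grant-SyncContainerFullControl -ContainerDN 'OU=Sync,DC=example,DC=com' `
    -Account 'EXAMPLE\unitysync' -WhatIf
```

Scoping the grant to the sync container keeps the account's Full Control limited to the objects it synchronizes rather than the whole directory.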

 

Please note that, once set, it is not possible to confirm that the 'This object and all child objects' option was selected when Full Control was applied. The only way to be sure this option is selected is to reapply the permissions, selecting Full Control and 'This object and all child objects'.

 

For more information on the recommended configuration of your UnitySync login account (including setup of Special Permissions), refer to the product help file, in the Configuring Directory Servers topic for AD/Exchange 2000.