Active Directory environment
"Insufficient access rights" error returned when saving answers to SSPR challenge response questions
Problem only affects privileged users
Other users answer and save challenge responses without error
One customer reports that workaround 2 from this article resolved their problem.
Alternatively, using ADSI Edit add read and write permissions to the pwm* attributes for SELF, as follows:
1. In ADSI Edit, go into properties of the user or group
2. click the Security tab
3. click the Advanced button
4. click Add, enter SELF
5. go to the properties tab
6. click “Allow” for all of the pwm attributes, as shown below
Other ideas that may help resolve the rights problem:
1. Compare working users vs failing users. Are working users of type "user" while failing users of type "InetOrgPerson?" One issue we have seen is that you need to enable the SELF write rights for "InetOrgPerson" users (note that this issue is resolved in SSPR 3.0).
2. Make sure inheritance is not blocked anywhere between the user and the top of the directory. Inheritance must be enabled so that permissions flow to the user.
3. Look in ADUC or ADSI, on the security tab for the problem users. Make sure adminSDHolder is not set to 1. Set it to 0 if it isn't already.
4. If the above steps don't help, look for any other differences between working users vs failing users. Do they have the same group policy objects, access the same domain controllers, attach to the same SSPR server, etc? Does the problem occur with no group policies applied?
This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.