Troubleshooting Tips

    Domain/Tenant Settings

    1. When I start ADManager Plus, none of my domains are discovered. It says "No Domain Configuration available". Why?
    2. When I add my domains manually, the Domain Controllers are not resolved. Why?
    3. When I add the Domain Controller, I get an error as "The Servers are not operational". What does it mean?
    4. When I add the Domain Controller, I get an error as "Unable to get domain DNS / FLAT name". What does it mean?
    5. The status column in the domain settings says that the user does not have Admin Privilege?
    6. When I add an additional Domain, I get the error message "License is applied only to "n" Domains". What should I do now?
    7. When I try to install ADManager Plus, I get the error "The InstallShield Engine (iKernel.exe) could not be installed". What should I do?
    8. Client Secret missing in Azure Active Directory
    9. When I access a Microsoft 365 application in ADManager Plus, I get the error "The certificate used in the REST API application expired, was not registered, or was removed from the portal." Why?

    1. When I start ADManager Plus, none of my domains are discovered. It says "No Domain Configuration available". Why?

    ADManager Plus, upon starting, discovers the domains from the DNS server associated with the machine running the product. If no domain details are available in the DNS Server, it shows this message.

    2. When I add my domains manually, the Domain Controllers are not resolved. Why?

    This problem occurs when the DNS associated with the machine running ADManager Plus does not contain the necessary information. You need to add the Domain Controllers manually.

    3. When I add the Domain Controller, I get an error as "The Servers are not operational". What does it mean?

    This error could be due to any of the following reasons:

    1. Domain Controllers (DCs) are down.
    2. Server is not available.
    3. Firewall has been enabled, and port 389 is closed.
    4. Network is busy. Try after some time.

    4. When I add the Domain Controller, I get an error as "Unable to get domain DNS / FLAT name". What does it mean?

    This error could be due to any of the following reasons:

    1. When the specified user name or the password is invalid.
    2. Anonymous login (when no user name and password is provided).
    3. When IP Address of the Domain Controller is specified instead of its name.

    5. The status column in the domain settings says that the user does not have Admin Privilege?

    This is a warning message to indicate that the specified user does not have administrator privileges, i.e., the user is not a member of the Domain Admins group. Hence, permissions applicable to an administrator may not be available to this user.

    6. When I add an additional Domain, I get the error message "License is applied only to "n" Domains". What should I do now?

    This is a warning message to indicate that you are trying to exceed the maximum number of domains that can be added in the purchased license. To add another domain, you must either delete an existing domain or purchase a license for additional domains based on your requirement.

    7. When I try to install ADManager Plus, I get the error "The InstallShield Engine (iKernel.exe) could not be installed". What should I do?

    This is a warning message to indicate that you do not have appropriate rights/privileges to copy iKernel.exe to the desired folder where you want to install ADManager Plus.

    8. Client Secret missing in Azure Active Directory

    When does this error occur?

    While adding an Azure AD tenant in an ADManager Plus build that is lower than 7202, the Client Secret will not be generated automatically by the product. In this instance, this error is shown. This prevents the user from performing backup operations. To resolve this, a new Client Secret should be created and updated in the product. Below are the steps on how to do the same.

    When you navigate to the Backup tab > Azure AD > Backup Settings in ADManager Plus, if the Client Secret is invalid you will find the Click here link which will redirect you to the steps mentioned below on how to configure a new Client Secret.

    1. Navigate to Domain/Tenant Settings → Microsoft 365.
    2. Click the edit icon in the Actions column of the respective tenant.
    3. Copy the Client ID from the Application (Client) ID field.
    4. Log in to the Azure AD Portal and use the Client ID to search for the application created by ADManager Plus. Click on the appropriate search result to open the application.
    5. Go to Certificates & Secrets from the side bar and click on New Client Secret.
    6. Click Add.
    7. Copy the client secret from the Value field by clicking on the copy icon.
    8. Go back to ADManager Plus and click the edit icon in the Applications Details section.
    9. In the Application Security Key field, paste the new client secret you copied in Step 7.
    10. Click Update.
    11. Wait for the update to complete and check the Backup tab. The tenant will be visible.

    9. When I access a Microsoft 365 application in ADManager Plus, I get the error "The certificate used in the REST API application expired, was not registered, or was removed from the portal." Why?

    You will get this error message due to either of the following reasons.

    • Case 1: If the certificate's validity period does not match your local time zone, you might receive this error from Microsoft, and you won't be able to use the certificate.
    • Case 2: If the certificate was recently uploaded on the Azure portal, you might receive this error while trying to update it in the product. In this case, try again after a few minutes to check if the issue has been resolved.

    If your certificate expired, was not registered, or was removed from the portal, add a new one by following these steps:

    1. Log in to the Azure portal using Global Administrator account credentials.
    2. Click Azure Active Directory on the left pane.
    3. Click App registrations.
    4. Search for the application using the client ID.
    5. Click Certificates & secrets on the left pane.
    6. Under Certificates, click Upload certificate. Upload your application certificate as a CER file.
    7. Now, in ADManager Plus, go to Domain/Tenant Settings > Microsoft 365 and click the edit icon for your respective tenant.
    8. In the Modify Application Details pop-up, click the edit icon beside Application Details.
    9. Under Application Secret & Certificate, add the Application Secret Value and upload the Application Certificate as a PFX file.
    10. If the user has an SSL certificate, it can be used here. Otherwise, click here for the steps to create a self-signed certificate.
    11. Click Update.

    Note: If the issue persists, please contact support@admanagerplus.com.

    Admin Settings

    1. SMS server settings and SSLHandshakeException errors

    Why does this error occur?

    This occurs when the configured SMTP mail server or the web server configured with SSL in ADManager Plus uses a self-signed certificate. As self-signed certificates will not be trusted by the Java Runtime Environment used in ADManager Plus, unless they are explicitly imported, it is recommended that the following troubleshooting steps are followed.

    Step 1: Download the required certificates

    • For SMTP servers:
      Note: Ensure you have OpenSSL pre-installed and download the certificate for SMTP server from here.
      • From the Command Prompt, navigate to the bin folder in the location where OpenSSL has been installed.
      • Run the following command,
        openssl.exe s_client -connect SMTPServer:Portno -starttls smtp > certificatename.cer
      • For example, openssl.exe s_client -connect smtp.gmail.com:587 -starttls smtp > gmailcert.cer
    • For web servers:
      • Open the web URL in the browser.
      • In the address bar, click on the padlock icon, then click Certificate.
      • In the Certificate window that opens, click on the Details tab.
      • Then click on the Copy to File button.
      • Choose the 'DER encoded binary X.509 (.CER)' format and click Next.
      • Enter the file path of the location where the file is to be saved and click Finish.
    Step 2: Import the certificates to the JRE package of ADManager Plus

    • Open the Command Prompt and navigate to \jre\bin folder. For example, 'C:\ManageEngine\ADManager Plus\jre\bin'.
    • Run the following command,
      keytool -importcert -alias myprivateroot -keystore ..\lib\security\cacerts -file <path to the certificate file>
      For example, keytool -importcert -alias myprivateroot -keystore ..\lib\security\cacerts -file C:\smtpcert.cer
    • When prompted for a password, enter "changeit" and enter "y" when prompted for a yes or no.
    • Now close the Command Prompt window and restart ADManager Plus.
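
    An added example, not part of the ADManager Plus documentation: a PowerShell check to run on the downloaded .cer file before the keytool import, because every certificate added to cacerts becomes trusted by the product's JRE. It reports the subject, issuer, SHA-256 fingerprint and the validity window in UTC (the same validity check applies to the application certificate in the Microsoft 365 "certificate expired" question above), and imports only when the fingerprint matches one obtained out of band; the file path and the expected fingerprint are placeholders.

```powershell
# Added example (not ManageEngine code). The certificate path and the expected
# fingerprint are placeholders; run this from the ADManager Plus jre\bin folder.
Set-StrictMode -Version Latest

function Get-CertificateFromFile {
    param([Parameter(Mandatory)][string]$Path)

    $full  = (Resolve-Path -LiteralPath $Path -ErrorAction Stop).ProviderPath
    $bytes = [System.IO.File]::ReadAllBytes($full)
    $text  = [System.Text.Encoding]::ASCII.GetString($bytes)

    # A file written by "openssl s_client ... > file.cer" holds the whole session
    # transcript, so take the first PEM block (the server's own certificate).
    $pem = [regex]::Match($text, '-----BEGIN CERTIFICATE-----([A-Za-z0-9+/=\s]+?)-----END CERTIFICATE-----')
    if ($pem.Success) {
        $bytes = [Convert]::FromBase64String(($pem.Groups[1].Value -replace '\s', ''))
    }
    # No PEM block found: treat the file as DER, as exported from the browser.
    return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$bytes)
}

function Test-CertificateForImport {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Fingerprint obtained out of band from whoever operates the server.
        [Parameter(Mandatory)][string]$ExpectedSha256
    )

    $cert = Get-CertificateFromFile -Path $Path
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    try {
        $actual = [System.BitConverter]::ToString($sha.ComputeHash($cert.RawData)) -replace '-', ''
    } finally {
        $sha.Dispose()
    }

    # Accept "AA:BB:..." (keytool/openssl style) as well as plain hex.
    $expected = ($ExpectedSha256 -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    # NotBefore/NotAfter come back in local time; compare in UTC so the
    # machine's time zone does not affect the result.
    $nowUtc    = [DateTime]::UtcNow
    $notBefore = $cert.NotBefore.ToUniversalTime()
    $notAfter  = $cert.NotAfter.ToUniversalTime()
    $state = if ($nowUtc -lt $notBefore) {
        'NotYetValid'
    } elseif ($nowUtc -gt $notAfter) {
        'Expired'
    } else {
        'Valid'
    }

    [pscustomobject]@{
        Subject            = $cert.Subject
        Issuer             = $cert.Issuer
        SelfSigned         = ($cert.Subject -eq $cert.Issuer)
        NotBeforeUtc       = $notBefore
        NotAfterUtc        = $notAfter
        State              = $state
        Sha256             = $actual
        FingerprintMatches = ($expected.Length -eq 64 -and $actual -eq $expected)
    }
}

$certFile = 'C:\smtpcert.cer'   # path used in the example above
$check = Test-CertificateForImport -Path $certFile `
    -ExpectedSha256 '<SHA-256 fingerprint supplied by the server owner>'
$check | Format-List

# Import only a currently valid certificate whose fingerprint was confirmed.
if ($check.State -eq 'Valid' -and $check.FingerprintMatches) {
    & .\keytool.exe -importcert -alias myprivateroot -keystore ..\lib\security\cacerts -file $certFile
} else {
    Write-Warning "Not importing $certFile (state: $($check.State), fingerprint match: $($check.FingerprintMatches))"
}
```

    With the placeholder fingerprint left unchanged, the script prints the certificate details and refuses to import, so it can also be used purely for inspection.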

    Active Directory User Management

    1. While creating a user, I get the following error "Error in setting the Password. The network path not found - Error Code: 80070035"
    2. While creating a user, I get the following error "Error in setting the Password. There is a naming violation - Error Code : 80072037"
    3. While creating/modifying a user, I get the following error "The server is unwilling to process the request - Error Code : 80072035"
    4. While creating a user, I get the following error "Error In Setting Terminal service Properties. The specified user does not exist - Error Code : 525"
    5. I have updated the exchange attributes using ADManager Plus, but the properties are not updated in the Exchange Server yet.
    6. A Legacy mailbox was unexpectedly created.
    7. I am not able to set the Terminal Services properties for the user?
    8. I am getting an error as "The attribute syntax specified to the directory service is invalid - Error Code : 8007200b"?
    9. When I create/modify a user, I get the following error "Error In Creating User. A device attached to the system is not functioning - Error Code : 8007001f"
    10. Email address for user not showing up or not set properly?
    11. Error - The server is unwilling to process the request while setting Password, which did not match password complexity
    12. Error code: 8007052e
    13. Error code: 80070775
    14. Error code: 800708c5
    15. 5 -Access is denied (Terminal Service / Folder Creation)
    16. No such user matched. Verify the LDAP attribute in search query
    17. Error Code: 80072035
    18. Error Code: 80072030
    19. Error Code:80070005
    20. Error Code: 80072014
    21. Error Code: 80072016
    22. Error Code 35
    23. Error Code: 800704c3
    24. Error Code b7
    25. Error Code :6
    26. Error Code 8007200a
    27. 'License Level Exceeded' error message while adding user(s).
    28. "Error while enabling Lync services for the user" or "Error occurred while enabling Lync Telephony options"
    29. Error Code 78
    30. Error Code 80004005
    31. Technician does not have permissions to perform the required operation on this object
    32. While creating or modifying Room mailboxes with Resource In Policy Request/Resource Out Policy Request, you get these errors: 'The values is already present in the collection' or ' The parameter 'legacyExchangeDN must be a non-empty string'.
    33. Some users who are not present in AD are displayed, or some users who are present in AD are not displayed.
    34. While selecting OUs to generate a report, I get the following message "There is no matching data for your input(s). Click here to troubleshoot"
    35. While creating a Google Workspace user, I get the "Error in creating a Google Workspace user. User creation in Google Workspace failed: Invalid Email Address" error message.
    36. While creating a Google Workspace user, I get the "Error in creating a Google Workspace user. Invalid Recovery Email" error message.
    37. While Creating a Google Workspace User, I get the "Error in creating Google Workspace user. Invalid Recovery Phone" error message.

    1. While creating a user, I get the following error "Error in setting the Password. The network path not found - Error Code: 80070035"

    While setting the password for the user, if the target machine could not be contacted, this error is shown. The possible reasons could be:

    • The DNS associated with the machine running ADManager Plus does not point to the Domain Controller where the user account has been created (possibly both are in different domains).
    • Port 445 in the Firewall might be blocked. Try setting the password after opening port 445.

    2. While creating a user, I get the following error "Error in setting the Password. There is a naming violation - Error Code : 80072037"

    One possible reason for this error could be creation of a user in an invalid container.

    3. While creating/modifying a user, I get the following error "The server is unwilling to process the request - Error Code : 80072035"

    Possible reasons for this error could be:

    1. While setting the password, if the password complexity requirement as defined in the password policy is not met. For example, the password policy might state that the password should be alphanumeric, and if the password specified does not comply with this, you might get this error.
    2. When you try to remove a non-existing user object from a group.
    3. When you try to remove a user from his/her primary group.
    4. When modifying the sAMAccountName format for multiple users and when more than one user happens to have the same sAMAccountName.

    4. While creating a user, I get the following error "Error In Setting Terminal service Properties. The specified user does not exist - Error Code : 525"

    One possible reason could be that the user or the system account under which the product is run does not have an account in the target domain. Terminal Service properties can only be set if the user account or the system account (applies when ADManager Plus is run as a service) that runs ADManager Plus has an account on the target domain.

    5. I have updated the Exchange attributes using ADManager Plus, but the properties are not updated in the Exchange Server yet.

    ADManager Plus modifies the Exchange properties in the Active Directory. The changes may not be immediately reflected in the Exchange Server. It will get updated after some time.

    6. Legacy Mailboxes

    Prerequisites for Exchange 2007

    1. 64 bit Edition of ADManager Plus should be installed on a compatible machine. (You can find the architecture of the existing installation from the "Product.conf" file located at <Installation Folder>\ManageEngine\ADManager Plus\conf). Download the 64 bit Edition of ADManager Plus from: https://www.manageengine.com/products/ad-manager/download.html

    2. To create Mailbox Enabled Users in Exchange 2007, you would require the corresponding version of Exchange Management Console (EMC) in the same machine where ADManager Plus is installed, failing which the legacy Mailbox will be created.

    3. If ADManager Plus is running in console mode, then you must log on to the machine as an administrator (Exchange administrator).

    4. If ADManager Plus is installed as a service, kindly configure the service account with administrator (exchange administrator) privileges by following the below procedure,

    • Step 1: Click Start → run → services.msc
    • Step 2: Locate the service name "Manageengine ADManager Plus"
    • Step 3: Right click the service and select Properties → Log On
    • Step 4: Select "This account" and provide the credentials.

    Prerequisites for Mailbox Creation in Exchange 2010

    1. Windows PowerShell 2.0 or above should be installed on this machine.
    2. TCP port 80 must be open between this machine and the remote Exchange 2010 Server.
    3. Remote PowerShell must be enabled for the user account specified in ‘Domain Settings’.

    7. I am not able to set the Terminal Services properties for the user?

    One possible reason could be that the user or the system account under which the product is run does not have an account in that domain.

    Refer to here for starting ADManager Plus in User or System account.

    8. I am getting an error as "The attribute syntax specified to the directory service is invalid - Error Code : 8007200b"?

    This error could pop up in the following scenarios:

    1. When you try to remove (or make the value as blank) a non-existing attribute, during bulk user modification.
    2. When you specify a blank value for an attribute during user creation.
    3. When the specified LDAP attribute does not follow the syntax.

    9. When I create/modify a user, I get the following error " A device attached to the system is not functioning - Error Code : 8007001f "

    The possible reasons for this error could be:

    1. When creating a user, if the naming attributes, such as Name, Logon Name, SAM Account Name, etc., have some special characters in them.
    2. When modifying a user, if an unacceptable format is chosen for the naming attributes. For example, if the format chosen for the Logon Name is LastName.FirstName.Initials and if the user does not have any one of these attributes specified, this error will occur.

    10. Email address for user not showing up or not set properly?

    The possible reason could be:

    1. Email may not be set as per Recipient Policy. Check whether all LDAP attributes in recipient policy query are set to specific value.
    2. Check in the user account properties whether you have entered the attribute for email. Ex: xyz@company.com. The company should be entered to the users.

    11. Error - The server is unwilling to process the request while setting Password, which did not match password complexity

    The possible reason could be:

    You may not have specified or opted for any options in 'Password Complexity' while creating user account.

    Ex: There will be options for password complexity like length of password, characters that can be used or number of bad login attempts etc. You need to select any degree of complexity. Ignoring this will throw the above error.

    12. Error code: 8007052e

      This error is caused when the supplied credentials are invalid.

    13. Error code: 80070775

      Reason: The referenced account is currently locked out and may not be logged on.

    14. Error code: 800708c5

      Reason: The password does not meet the password policy requirements. Check the minimum password length, password complexity and password history requirements.

    15. 5 - Access is denied (Terminal Service / Folder Creation)

    Reasons:

    1. User does not have rights to create a home folder.
    2. Users do not have access over terminal services.

    16. No such user found. Verify the LDAP attribute in search query

    Reason: No users in AD match the criteria you provided. Choose the correct matching attributes by checking the query shown under "Match criteria for Users in AD", which is displayed when you click the "Update in AD" button and expand the "Select Attributes" box. Also, ensure that the help desk technician has rights/privileges in that particular OU.

    17. Error Code 80072035 : Error In Setting Attributes. The server is unwilling to process the request.

    Reason: The primary group specified in User Creation has been moved or deleted.
     

    18. Error Code : 80072030 : Error In Setting Attributes. The server is unwilling to process the request.

    Reason: The primary group/container specified in User Template that was selected during User Creation has been moved or deleted. (You are trying to create a child object inside an OU, but that parent OU does not exist)
     

    19. Error Code : 80070005 - Access Denied

    Reason: The User may be trying to access an object to which he has no permissions granted.
     

    20. Error Code : 80072014 Error In Setting Attributes. The requested operation did not satisfy one or more constraints associated with the class of the object

    Reason: You may encounter this type of error when the CSV file you are using to import values does not satisfy the conditions associated with the attribute.
     

    21. Error Code : 80072016 Error In Setting Attributes. The directory service cannot perform the requested operation on the RDN attribute of an object

    Reason: You may encounter this type of error if any of the LDAP headers in the CSV file are mentioned inappropriately.
     

    22. Error Code 35 : Error in Creating Terminal Services Home Directory/ Error in Creating Home Directory. The network path was not found. 

    Reason: The remote server path might not be accessible.

    23. Error Code: 800704c3 - Error While accessing User in Setting Account Properties

    Reason: Multiple connections to a server or shared resource by the same user, using more than one username, are not allowed. Disconnect all previous connections to the server or shared resource and try again.

    24. Error Code b7 : Error in Creating Profile Path

    Reason: There may be a File/Folder that already exists with the same name.

    25. When I delete the Remote Profile folder, it throws "Unable to Delete the profile. The handle is invalid - Error code:6."

    Reason: There might not be any inherited permission on the folder. Check whether the particular user has delete permissions on that folder. This can also happen when the folder is currently in use.

    26. When I try to modify users, I get an error message saying, "Unable to modify the user. Error: The specified directory service attribute value does not exist. Error code : 8007200a" What should I do now?

    Reason: The following are the possible reasons why this error could occur:

    • The specified LDAP attributes are incorrect.
    • There are misplaced commas in the imported CSV file.
    • The specified custom LDAP attributes do not exist in the selected domain.

    Please check the syntax of the specified attributes and the CSV file for misplaced commas. Also, ensure that the specified attributes are a part of the domain where you would like to use the attribute.

    27. While adding user(s), I get the error message: 'License Level Exceeded'. What should I do now?

    This message indicates that you have reached the limit for the maximum number of users permitted as per your license. To add more user(s), you should upgrade your license.

    28. While creating new user(s) along with Lync Telephony options, either of these error messages is displayed: "Error while enabling Lync services for the user" or "Error occurred while enabling Lync Telephony options". What could be the possible reasons?

    Mentioned below are the possible reasons for the above errors. Rectifying them would help you in avoiding these errors:

    • Missing values required for the settings of the required Telephony type. The values could be missing because of:
      • Providing an empty value for the settings / the settings being left empty.
      • You might have used a naming format but the attributes specified in the naming format might not have any values. For example, for 'Line URI' you might have specified the value as 'tel:%telephoneNumber%' but the attribute telephone number might have been empty.
    • Duplicate values for the settings that must have unique values. For example, in 'Line URI' you might have provided a value that another user already has and this might have caused the error.
    • The LDAP attributes provided in the settings might have some special characters. For example, you might have user '%mail%' to provide values to a Lync Telephony setting and the email address could have special characters like: %, $, #, etc. Though the mail attribute supports special characters, the Lync settings do not support these special characters.

    29. Error Code 78: This function is not supported on this system.

    Reason: The remote server path might not be accessible due to insufficient rights.

    30. Error Code 80004005: Unspecified Error.

    Reason: An object with same name already exists in the restore path.

    31. Technician does not have permissions to perform the required operation on this object.

    Reason: You may not be authorized to perform the required operation in this OU. Please contact your administrator to get the rights for this OU too.

    32. While creating or modifying Room mailboxes with Resource In Policy Request/Resource Out Policy Request, you get these errors: 'The values is already present in the collection' or ' The parameter 'legacyExchangeDN must be a non-empty string'. What could be the possible reasons?

    Reason: These errors would occur if the mailboxes selected for the Resource In Policy Request/Resource Out Policy Request policies are legacy mailboxes. Just remove legacy mailboxes from the selected list, and perform the operation again.

    33. Some users who are not present in AD are displayed, or some users who are present in AD are not displayed.

    Reason: This mismatch could occur when the data is not synchronized with Active Directory.

    Solution: Click the refresh icon to synchronize ADManager Plus database with your AD.

    34. While selecting OUs to generate a report, I get the following message "There is no matching data for your input(s). Click here to troubleshoot"

    Reason: There may be no users matching the specified filter criteria.

    Solution: Ensure that the selected OU is not empty. Now, reset the filter criteria and generate the report again.

    35. While creating a Google Workspace user, I get the "Error in creating a Google Workspace user. User creation in Google Workspace failed: Invalid Email Address" error message.

    Reason: The email suffix may not have been a valid Google domain name.

    Solution: While creating a Google Workspace user, ensure that it has a valid Google domain name. For example, if a Google domain name is gapp1.testing.com then a user's email ID must be testuser@gapp1.testing.com.

    36. While creating a Google Workspace user, I get the "Error in creating a Google Workspace user. Invalid Recovery Email" error message.

    Reason: The recovery email format might not be valid.

    Solution: Ensure that the recovery email is in a valid format. For example: testuser@<domain name.com>.

    37. While Creating a Google Workspace User, I get the "Error in creating Google Workspace user. Invalid Recovery Phone" error message.

    Reason: The phone number may not be a valid phone number.

    Solution: The recovery phone number should be in E.164 format, which is an international standard format for phone numbers.

    Active Directory Reports

    1. When I specify the details and generate the report, it says "No Reports available" or incomplete data
    2. AD Reports shows an object that does not exist in the Active Directory?
    3. Error Code : 80070035- Error in getting Shares. The network path was not found
    4. Cannot process the argument transformation on the parameter 'Credential'.

    1. When I specify the details and generate the report, it says "No Reports available" or incomplete data

    It could be because of any of the following reasons:

    1. When ADManager Plus could not contact the Domain Controller as it is not operational or due to network unavailability.
    2. In case of multiple Domain Controllers, when the data is not replicated in all the Domain Controllers.
    3. The LastLogonTime that is used to determine the inactive users and computers is not replicated in all the Domain Controllers. Hence, you need to specify all the Domain Controllers in the Domain Settings to enable ADManager Plus to retrieve the data from all the Domain Controllers.
    4. When the password policy is not set (i.e., Max Password Age is set to zero), the Password Expired Users report and Soon to Password Expiry users report will not show any data.
    5. For time-based reports like inactive users, inactive computers, recently logged on users, etc., the date and time of the machine running ADManager Plus should be in sync with the domain controllers.
    6. Originally there would have been no data available in the corresponding Report.

    2. AD Reports shows an object that does not exist in the Active Directory?

    This mismatch could occur when the data is not synchronized with the Active Directory. The data synchronization with the Active Directory happens every day at 1.00 hrs. If ADManager Plus is not running at that time, you can initiate the data synchronization manually by clicking the refresh icon of that domain from the Domain Settings.

    3. Error Code : 80070035 - Error in getting Shares. The network path was not found

    Reason - The remote server path might not be accessible.

    4. Cannot process the argument transformation on the parameter 'Credential'.

    Reason: This error occurs when authentication credentials are not specified in the Domain Settings. To resolve this error,

    1. Go to Domain Settings.
    2. Click the Edit icon next to the domain for which you get the above error.
    3. Enable Authentication and enter credentials of a valid domain account.
    4. Once done, click Update.

    Active Directory Delegation

    1. When a role is delegated, I get the error as "Permission Denied"

    One possible reason could be that the user or system account under which the product is started does not have the necessary privileges to perform this operation.

    Refer to here for starting ADManager Plus in User or System account.

    2. I am not able to login through my account!

    The following are the possible reasons for that:

    1. Invalid user name/ password.
    2. "Log On To" restriction.
    3. Account Disabled / Locked out / Expired
    4. User must change password on next logon checked.

    3. Reset second factor of authentication for the default admin account

    If you have lost your authentication device, or cannot retrieve the verification code required to complete the authentication, you can reset the secondary authentication factor using the following steps.

    1. Navigate to <Installation_Dir>\bin folder. By default, the path is C:\ManageEngine\ADManager Plus\bin.
    2. Find and run the resetAdminTFAEnrollment.bat file.
    3. You can now re-enroll for the secondary authentication factor by logging in to ADManager Plus.

    Note: Authentication factor reset can be done only for the built-in admin account.

    4. Error: "Unable to connect or communicate with Duo Security. Please contact your administrator."

    Cause: Duo Security is inaccessible from ADManager Plus due to a failed health check, which can occur due to one of the following reasons:

    1. Duo Security cannot be reached.
    2. The Client ID, Client Secret, and API Hostname values configured in ADManager Plus are not valid or up to date with the values in the Duo Admin Panel.

    Solution: Please make sure that you can reach Duo Security from ADManager Plus via HTTPS port 443 and that the Client ID, Client Secret, and API Hostname values are accurate and up to date.

    5. Error: {"error : invalid grant", error description: "Invalid Redirect URI 'https://172.24.123.12:443/DuoCallback'"}

    Cause: This error is raised on Duo's side. It can occur when the URL the user connects to the product with contains an IP address.

    Solution: Ensure that the URL used to access ADManager Plus does not contain an IP address. Duo Security recommends a well-formed, valid HTTPS URL with a hostname and a port, and it should not exceed 1,024 characters in length.
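
    The check below is an added example, not ADManager Plus or Duo code. It applies the conditions listed in the solution above to an access URL before users hit the Duo error; the hostname admanager.example.com is a constructed placeholder.

```python
import ipaddress
from urllib.parse import urlsplit

MAX_URI_LENGTH = 1024  # limit quoted in the solution above


def redirect_uri_problems(access_url):
    """Return the reasons a redirect URI would be rejected; empty list means it passes."""
    problems = []
    if len(access_url) > MAX_URI_LENGTH:
        problems.append("longer than 1,024 characters")

    parts = urlsplit(access_url)
    if parts.scheme.lower() != "https":
        problems.append("scheme is not https")

    host = parts.hostname  # lower-cased, IPv6 brackets already stripped
    if not host:
        problems.append("no hostname")
    else:
        try:
            ipaddress.ip_address(host)  # succeeds only for IPv4/IPv6 literals
            problems.append("host is an IP address, not a hostname")
        except ValueError:
            pass  # a DNS name, which is what the solution asks for

    try:
        parts.port  # raises ValueError when non-numeric or out of range
    except ValueError:
        problems.append("port is not valid")
    return problems


if __name__ == "__main__":
    for url in (
        "https://172.24.123.12:443/DuoCallback",            # URL from the error above
        "https://admanager.example.com:8443/DuoCallback",   # constructed hostname
    ):
        print(url, "->", redirect_uri_problems(url) or "OK")
```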


    File Server Management

    1. I tried to access a folder but the folder is empty.
      • The folder might not contain any data, or you might not have permission to list the contents of this folder.
      • In case of a Cluster Shared Volume,
        • If the failover cluster and ADManager Plus are in different domains, ensure that DNS conditional forwarding is configured on the DNS server of the domain where ADManager Plus is installed. To do this, update the following fields in the DNS conditional forwarding record:
          • The DNS Domain field should be mapped to the domain in which the desired failover cluster is configured.
          • The IP address of master servers field should be mapped to the IP address of the DNS server of the same failover cluster domain mentioned in the DNS Domain field.

    2. When I try to set permissions on a folder, I get the following error message: "Access denied; cannot set permissions for the folder"

      The reason could be that you do not have permission to alter permissions on that particular folder.

    3. I encountered the following error message while trying to modify permissions on a folder: "Error occurred while modifying permissions for one or more folders"

      The reason could be that you do not have permission to alter permissions on one of the folders or subfolders.

    4. I encountered the following error message while trying to modify permissions on a folder: "One or more of the permissions to be applied already exists"

      The reason could be that one of the permissions you are trying to apply has already been applied and is currently effective.

    5. I encountered the following error message while trying to remove permissions from a folder: "One or more of the permissions to be applied already exists"

      The reason could be that one of the permissions you are trying to remove has already been denied and is currently effective.

    6. Why do deleted namespaces show up in DFS file servers?

      When you delete a namespace using the DFS Management snap-in, sometimes it may not be reflected in the DFS metadata. To resolve this issue, manually delete the namespaces in the DFS metadata too.

      To delete a namespace from DFS metadata:

      • Launch ADSIedit.msc.
      • Connect and expand Default naming context (the domain partition).
      • Expand and locate the following node:
        CN=Dfs-Configuration, CN=System, DC=<domain_Name>, DC=<extension>
      • Delete the namespace that you've already deleted using the DFS management snap-in.


    Microsoft 365 Management

    1. While managing Microsoft 365 licenses or creating Microsoft 365 users, I get the following error: "Unable to update license for this user. The set of licenses includes two or more service plans which cannot be assigned at the same time."

      Reason: This error occurs due to an invalid combination of licenses assigned to a Microsoft 365 user. If you try to assign the same license which is part of two or more service plans to a Microsoft 365 user, you will get this error.

      Solution: Ensure that the licenses assigned to Microsoft 365 users do not have overlapping service plans.

    2. While creating a Microsoft 365 user, I get the following error: "Invalid syntax Parameter Name."

      Reason: This message is shown when there is an error in the value being assigned to the parameter. There might be spaces or special characters in the parameter values.

      Solution: Ensure that the parameter value is not empty and does not contain any spaces or special characters.

    3. While creating a Microsoft 365 user, I get the following error: "You must provide a required property: Parameter Name: FederatedUser.SourceAnchor."

      Reason: This error occurs when you try to create a Microsoft 365 user directly in a federated domain.

      Solution: To create a Microsoft 365 user in a federated domain, create the Active Directory user account first, and then synchronize the user with Microsoft 365 using the Azure AD Connect tool.

    4. While creating a Microsoft 365 user, I get the following error: "Must provide required parameter displayName/ userPrincipalName."

      Reason: If the displayName and userPrincipalName values are empty, then you will get this error message.

      Solution: Both of the above attributes are mandatory. Ensure that you provide valid values for both attributes.

    5. While creating a Microsoft 365 user, I get the following error: "Unable to add this user because a user with this user principal name already exists."

      Reason: This error occurs when a user account with the same userPrincipalName already exists in Microsoft 365.

      Solution: Enter a different user principal name and try again.

    6. While creating a Microsoft 365 user, I get the following error: "You must choose a strong password."

      Reason: This error could occur if the specified password does not meet the password policy requirements.

      Solution: Ensure that the password you provide meets the required password policy settings, such as minimum password length, password complexity, and password history requirements.


    Active Directory Migration

    1. The following error was displayed while migrating AD objects using ADMT in ADManager Plus: "The following configuration required for SID history has not been performed. Auditing has not been enabled in the target domain. Unspecified error (0x80004005)."

      Solution: Create an empty group called <DomainDNS>$$$ in both the source and target domains, respectively.


    Email Server settings

    1. I encountered the Invalid username or password error even after providing the correct username and password for email server configuration.
      1. Log in to https://admin.microsoft.com using your administrator credentials.
      2. Perform a search within the admin portal for the account that you intend to utilize for the OAuth setting.
      3. Choose the account, go to the Mail tab, and click Manage email apps.
      4. Check the Authenticated SMTP box.
      5. Click Save changes and wait a few minutes for the synchronization process to complete.
      Note: If the option has already been selected, you can re-enable it by unchecking and rechecking the Authenticated SMTP box, making sure to save the changes after each step.
    2. When I try to set up the email server configuration and log in to Microsoft 365, I get the Need admin approval error message.
      1. Log in to portal.azure.com using your administrator credentials.
      2. Navigate to Enterprise applications under Azure services.
      3. Choose Consent and permission under Security in the left pane.
      4. Select the Allow user consent for apps option in the User consent settings.
      5. Click Save and wait a few minutes for the synchronization process to complete.
      6. Proceed with the email server settings and try to log in using the account intended for OAuth configuration.
      Note: Providing a global admin role to the account you intend to use is an alternative option if you are not prepared to grant Allow user consent for apps.
      • Log in to admin.microsoft.com using a global admin account.
      • Perform a search within the admin portal for the account that you intend to utilize for the OAuth setting.
      • Select the user account, go to the Account tab, and click Manage roles.
      • Choose the Admin center access option and check the Global administrator box.
      • Click Save changes and configure the email server settings.
    3. I encountered the following error message while trying to send a mail on behalf of another user: Failed to send your mail. A Send as denied exception occurred. Please verify if the user account used for authentication has permission to send emails.
      1. Log in to admin.microsoft.com using a global admin account.
      2. Perform a search in the admin portal and select the account that you will be using as the Username during OAuth configuration.
      3. Navigate to the Mail tab and click Send as permissions under Mailbox permissions.
      4. Select Add permissions and choose the account you intend to use as the From address in the Email Server settings.
      5. Click Save and proceed with configuring the email server settings.
    4. I encountered an "Unable to find valid certificate path to requested target" error while using TLS or SSL.

      While using TLS or SSL, Java might not recognize the email server certificates. In this case, you must manually import the email server certificates into ADManager Plus.

      Steps to retrieve the email server, issuer, and root certificates and import them in ADManager Plus

      If you do not have the email server certificates, use the OpenSSL tool to retrieve them from the email server and import them into ADManager Plus by following these steps:

      Steps to retrieve the certificates using OpenSSL

      1. Download and install the OpenSSL tool.
      2. Open Command Prompt and navigate to <OpenSSL_Installation directory>\bin.
      3. Run the s_client command, specifying the email server which has the certificates and port you want to connect to.
        • If the server you are using requires an SSL connection, execute the following command:

          openssl s_client -connect <mail server name>:<sslport>

        • If the server you are using requires a TLS connection, execute the following command:

          openssl s_client -connect <mail server name>:<tlsport> -starttls smtp

      4. When this command is executed, the Command Prompt screen will display information related to the certificates. From the information, identify tags that say BEGIN CERTIFICATE and END CERTIFICATE.
      5. Copy and paste the information contained in the aforementioned tags into a text file and save the file with a .cer extension.

      Steps to import the email server certificates into ADManager Plus

      To import the certificates into ADManager Plus:

      1. Copy the downloaded email server certificates and paste them in the <ADManager Plus_Installation directory>\jre\bin folder.
      2. Open Command Prompt, navigate to <ADManager Plus_Installation directory>\jre\bin, and execute the following command:

        keytool -import -v -alias admp -file "certificateName" -keystore "<ADManager Plus_Installation directory>\jre\lib\security\cacerts" -keypass changeit

      3. After running this command, if prompted for a password, use "changeit" as the password.

        Note: To check if the certificates have been imported, open Command Prompt, navigate to <ADManager Plus_Installation directory>\jre\bin, and execute the following command:

        keytool -v -list -keystore ..\lib\security\cacerts>Certificate.txt

      4. When this command is executed, you will find a text file named Certificate in the <ADManager Plus_Installation directory>\jre\bin folder. Open the file and verify if the required certificates and their details are in the file.
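
    The script below is an added example, not part of ADManager Plus. It pulls the BEGIN CERTIFICATE / END CERTIFICATE blocks out of saved s_client output and computes each certificate's SHA-256 fingerprint, so it can be compared with a value confirmed by the mail server's administrator before the certificate is imported into cacerts. The sample output is constructed, with placeholder bytes in place of real certificates; s_client prints the issuer certificates as well only when -showcerts is added to the command.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL
)


def to_pem(der):
    """Encode DER bytes as a PEM block with 64-character lines (text for the .cer file)."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def extract_certificates(s_client_output):
    """Return DER bytes of each distinct certificate block, in the order printed."""
    certs = []
    for match in PEM_BLOCK.finditer(s_client_output):
        body = "".join(match.group(1).split())  # drop line breaks and indentation
        der = base64.b64decode(body, validate=True)  # raises on a corrupted copy
        if der not in certs:  # the same certificate can appear more than once
            certs.append(der)
    return certs


def sha256_fingerprint(der):
    """Colon-separated upper-case SHA-256, the form keytool -list -v prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def approved_for_import(certs, expected_fingerprints):
    """Keep only certificates whose fingerprint was confirmed out of band."""
    expected = {fp.upper() for fp in expected_fingerprints}
    return [der for der in certs if sha256_fingerprint(der) in expected]


# Constructed sample: placeholder bytes stand in for real DER certificates.
LEAF = b"constructed leaf certificate bytes"
ISSUER = b"constructed issuer certificate bytes"
SAMPLE_OUTPUT = (
    "CONNECTED(00000003)\n---\nCertificate chain\n"
    " 0 s:CN = mail.example.com\n" + to_pem(LEAF)
    + " 1 s:CN = Example Issuing CA\n" + to_pem(ISSUER)
    + "---\nServer certificate\n" + to_pem(LEAF)
)

if __name__ == "__main__":
    for der in extract_certificates(SAMPLE_OUTPUT):
        print(sha256_fingerprint(der))
```

    The same SHA-256 value appears in the Certificate.txt listing after import, which gives a second point to confirm that the entry under the admp alias is the certificate that was checked.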


    GPO Management

    1. If an 'Access Denied - 80070005' error occurs while creating a new GPO, ensure that the user account configured in the domain settings has the necessary rights to create GPOs in the desired domain.

      Recommendation: As a best practice, ensure that the account under which ADManager Plus runs has the necessary rights to create GPOs in the desired domain.

    2. In case of a 'Network access is denied - 80070041' error, perform the following actions in the machine where ADManager Plus is installed:
      • Run gpedit.msc.
      • Go to Computer → Administrative Templates → Network → Network Provider → Hardened UNC Paths.
      • Choose 'Enabled'.
      • Under 'Options', click 'Show'.
      • Under 'Value name', enter "\\*\SYSVOL" (without quotes).
      • Under 'Value', enter "RequireMutualAuthentication=0, RequireIntegrity=0, RequirePrivacy=0" (without quotes).
      • Click OK to apply the changes.
      • Open command prompt and run gpupdate /force to apply the changes made.
    3. If an "Unable to retrieve the registry setting" error occurs, change that registry setting to "Not configured" using GPMC. You will then be able to display or modify the registry setting using ADManager Plus. (This error occurs because of the difference between the admx files available in GPMC and ADManager Plus for that particular registry setting.)
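
    The value entered in step 2 sets RequireMutualAuthentication, RequireIntegrity and RequirePrivacy to 0, which switches those three Hardened UNC Paths requirements off for \\*\SYSVOL on that machine. The audit below is an added example, not part of ADManager Plus: it reads 'Value name' / 'Value' pairs as they appear in the policy dialog and reports which entries explicitly disable a requirement, so the exception stays visible in configuration reviews. The NETLOGON and fileserver01 entries are constructed sample data.

```python
FLAGS = ("RequireMutualAuthentication", "RequireIntegrity", "RequirePrivacy")


def parse_hardened_value(value):
    """Parse 'Flag=0, Flag=1' into {canonical flag name: bool}; other tokens are ignored."""
    canonical = {flag.lower(): flag for flag in FLAGS}
    settings = {}
    for token in value.split(","):
        name, sep, raw = token.partition("=")
        flag = canonical.get(name.strip().lower())  # flag names compared case-insensitively
        if sep and flag and raw.strip() in ("0", "1"):
            settings[flag] = raw.strip() == "1"
    return settings


def explicitly_disabled(hardened_paths):
    """Map each UNC pattern to the requirements its value switches off with =0."""
    findings = {}
    for unc, value in hardened_paths.items():
        settings = parse_hardened_value(value)
        off = [flag for flag in FLAGS if settings.get(flag) is False]
        if off:
            findings[unc] = off
    return findings


# Constructed sample: the first entry is the value from step 2 above.
SAMPLE_POLICY = {
    r"\\*\SYSVOL": "RequireMutualAuthentication=0, RequireIntegrity=0, RequirePrivacy=0",
    r"\\*\NETLOGON": "RequireMutualAuthentication=1, RequireIntegrity=1",
    r"\\fileserver01\share": "requireintegrity=0,RequireMutualAuthentication=1",
}

if __name__ == "__main__":
    for unc, off in explicitly_disabled(SAMPLE_POLICY).items():
        print(f"{unc}: disabled -> {', '.join(off)}")
```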
