Insufficient access rights to perform the operation error while Syncing users in Forefront Identity Manager

  • Question

  • Hi All

    I am new to FIM and I have a few users which I am not able to sync in FIM, and I am getting the error "Insufficient access rights to perform the operation error"

    Details of my setup

    I have AAA.local as the forest

    Domain  and Domain 2: and email is associated to only one domain controller. I have a few users who have accounts in both domains, and their logon ID is the same in both domain controllers


    First Name :- Test User 5
    Last Name :- FIM
    Display name :- FIM, Test User 5
    Logon name :-fimpasmx5
    E-mail :- none


    First Name :- Test User
    Last Name :- FIM
    Display name :- FIM, Test User
    Logon name :-fimpasmx5
    E-mail :- fimpasmx5@p*****.com

    When the account is synced in FIM, e-mail is taken from domain 2 and first name & last name are taken from domain-1.

    Can you please help me with how to sync both domain IDs in FIM when a user has the same logon name in both domains?

    Permissions on the OU are fine, as other accounts which exist only in one domain (abc or xyz) are able to sync.

    Appreciate your help


    Thursday, January 7, 2016 10:52 PM

All replies

  • Hi Praveen,

    The service account being used by the Management Agent during Export does not have enough permissions to perform the operation it is being asked to perform. Look in the Export in Progress tab for non-none Changed attributes.  The service account does not have access to modify one or more of those attributes.


    Jeff Ingalls

    Friday, January 8, 2016 1:29 AM
  • Thanks for the reply Jeff

    The service accounts have the required permission on both domains. We are able to sync users present only in the abc or xyz domains

    The issue is observed for accounts that exist in both domains and have the same user logon name

    Best Regards


    Friday, January 8, 2016 3:27 PM
  • Hmm, insufficient access rights means just that.  :-)

    1. Are the domains in the same forest?

    2. In the case of insufficient access rights, do you have a single MV object that has connections to domain A and domain B or do you have multiple MV objects?

    3. Is the error happening upon a new creation of an object or for an update of an existing object?

    4. Do the management agents for domain A or domain B provision to the MV, or is the MV provisioning happening by some other system/management agent?

    5. What attribute are you using for your join rules on domain A and domain B, if any?


    Jeff Ingalls

    Friday, January 8, 2016 8:20 PM