Atria Security Enhancement – User Provisioning Error
Overview
The Atria Security Enhancement – User Provisioning Error affects environments running Atria v15.29.x. After Atria security hardening changes, Atria accounts no longer operate with elevated rights, which prevents Atria from provisioning users who are classified as Active Directory Protected Accounts.
Protected Accounts are users who are, or were, members of protected AD groups. These accounts are automatically stamped with the attribute adminCount = 1.
Affected Version
- Atria v15.29.x
Root Cause
Active Directory protects privileged accounts by:
- disabling ACL inheritance
- applying non-inheritable, hardened permissions
- setting adminCount=1
With Atria’s least-privileged design, it can no longer update these accounts, causing provisioning attempts to fail.
Workaround
If the user must be provisioned immediately, you can temporarily re-enable inheritance:
- Open the user in Active Directory Users and Computers.
- Go to Security → Advanced.
- Enable Inheritance.
- Click Apply and OK.
- Re-run provisioning in Atria.
Important:
Active Directory runs SDProp every 60 minutes (the default interval), which reapplies the protected ACL and disables inheritance again. This method does not permanently fix the protected state.
Permanent Fix (if applicable)
Follow these steps to permanently resolve the issue:
- Identify whether the user is still a member of any protected AD group. This includes nested membership.
- Remove the user from the protected AD group(s).
- Remove the adminCount=1 attribute from the user.
- Re-enable security inheritance.
- Re-run provisioning in Atria.
After these steps, the user account will no longer be treated as a protected account, and Atria should provision it successfully.
If the user legitimately must remain a member of a protected AD group:
Only the temporary workaround can be applied. Under its least-privileged security model, Atria cannot manage users who must remain protected.
Atria Portal Fix (TBD)
Atria is looking into adding a feature to identify these accounts within the Atria Portal, with the ability to temporarily reset the SDProp status so the user can be provisioned as needed.
Requirements and Dependencies
Active Directory
- Understanding of protected accounts
- Ability to inspect adminCount
- Ability to re-enable inheritance
- Review of group memberships (direct and nested)
Reference Documentation
Microsoft: Protected Accounts and Groups
https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory
Example Checks
Detect if the account is protected:
- adminCount = 1
Check Protected AD group membership:
The following security accounts and groups are protected in Active Directory Domain Services:
- Account Operators
- Administrator
- Administrators
- Backup Operators
- Domain Admins
- Domain Controllers
- Enterprise Admins
- Enterprise Key Admins
- Key Admins
- Krbtgt
- Print Operators
- Read-only Domain Controllers
- Replicator
- Schema Admins
- Server Operators
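The checks above, the temporary workaround, and the permanent fix can all be driven from the ActiveDirectory PowerShell module. The script below is an added example and is not Atria's own code or tooling; it assumes the RSAT ActiveDirectory module is installed and that the account running it may read the user's ACL, change group membership and clear adminCount. The function names (Test-ProtectedAccount, Get-ProtectedGroupMembership, Enable-AdInheritance, Repair-ProtectedAccount) are made up for this example, and the protected-group list is the one given in this article.

```powershell
# Added example (not part of Atria): audit why an AD user is protected and,
# optionally, apply this article's permanent fix so Atria can provision it.
Import-Module ActiveDirectory

# LDAP_MATCHING_RULE_IN_CHAIN: the DC expands nested group membership for us.
$InChainRule = '1.2.840.113556.1.4.1941'

# Protected groups as listed in this article. Administrator and Krbtgt are
# accounts rather than groups, so they are not part of the membership check.
$ProtectedGroupNames = @(
    'Account Operators', 'Administrators', 'Backup Operators', 'Domain Admins',
    'Domain Controllers', 'Enterprise Admins', 'Enterprise Key Admins',
    'Key Admins', 'Print Operators', 'Read-only Domain Controllers',
    'Replicator', 'Schema Admins', 'Server Operators'
)

function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    # RFC 4515 escaping so a DN containing \ * ( or ) cannot break the filter.
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Get-ProtectedGroupMembership {
    # Protected groups the user belongs to, directly or through nesting.
    # Note: this searches the user's own domain; forest-root groups such as
    # Enterprise Admins need -Server pointed at the root domain.
    param([Parameter(Mandatory)][string]$Identity)
    $dn     = (Get-ADUser -Identity $Identity).DistinguishedName
    $filter = "(member:$InChainRule:=$(ConvertTo-LdapFilterValue $dn))"
    Get-ADGroup -LDAPFilter $filter |
        Where-Object { $ProtectedGroupNames -contains $_.Name }
}

function Test-ProtectedAccount {
    # Status summary: adminCount, whether inheritance is blocked, and which
    # protected groups still apply to the user.
    param([Parameter(Mandatory)][string]$Identity)
    $user = Get-ADUser -Identity $Identity -Properties adminCount, nTSecurityDescriptor
    [pscustomobject]@{
        SamAccountName      = $user.SamAccountName
        AdminCount          = $user.adminCount
        InheritanceDisabled = $user.nTSecurityDescriptor.AreAccessRulesProtected
        ProtectedGroups     = @(Get-ProtectedGroupMembership -Identity $Identity |
                                  Select-Object -ExpandProperty Name)
    }
}

function Enable-AdInheritance {
    # Temporary workaround from this article. While the account is still
    # protected, SDProp disables inheritance again within 60 minutes.
    param([Parameter(Mandatory)][string]$Identity)
    $dn  = (Get-ADUser -Identity $Identity).DistinguishedName
    $acl = Get-Acl -Path "AD:\$dn"
    # $false = stop blocking inheritance; $true = keep the explicit ACEs present.
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path "AD:\$dn" -AclObject $acl
}

function Repair-ProtectedAccount {
    # Permanent fix: remove direct protected memberships, clear adminCount,
    # then re-enable inheritance. Nested memberships are reported, not changed,
    # because choosing where to cut the chain is an administrative decision.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Identity)
    $user   = Get-ADUser -Identity $Identity
    $direct = Get-ADPrincipalGroupMembership -Identity $user |
        Select-Object -ExpandProperty DistinguishedName
    $nested = @()
    foreach ($group in Get-ProtectedGroupMembership -Identity $Identity) {
        if ($direct -contains $group.DistinguishedName) {
            if ($PSCmdlet.ShouldProcess($group.Name, "Remove $($user.SamAccountName) from")) {
                Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false
            }
        } else {
            $nested += $group.Name
        }
    }
    if ($nested.Count -gt 0) {
        Write-Warning "Still protected via nested membership: $($nested -join ', '). Resolve that first or SDProp will re-protect the account."
        return
    }
    if ($PSCmdlet.ShouldProcess($user.SamAccountName, 'Clear adminCount and re-enable inheritance')) {
        Set-ADUser -Identity $user -Clear adminCount
        Enable-AdInheritance -Identity $Identity
    }
}

# Usage (sample account name is constructed):
# Test-ProtectedAccount   -Identity 'jdoe'
# Repair-ProtectedAccount -Identity 'jdoe' -WhatIf   # dry run first
# Repair-ProtectedAccount -Identity 'jdoe'
```

Run Test-ProtectedAccount first and re-run it after the repair: a user that still shows adminCount = 1 or a non-empty ProtectedGroups list will be re-protected by SDProp at its next pass, and Atria provisioning will fail again.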
Summary
| Status | Meaning |
|---|---|
| Protected (adminCount=1) | Atria cannot manage the user |
| Inheritance Disabled | Hardened security ACL applied |
| Temporary Fix Works | Provisioning succeeds until AD auto-resets |
| Permanent Fix Requires Removing Admin Membership | Restores successful provisioning |
| Long Term Fix in Atria Portal (TBD) | Able to identify users that are affected and have a feature to reset SDProp status of the user |
Support
If you encounter any issues or require assistance, contact:
📧 support@getatria.com