Step #3: Check your AD users' permissions
Confirm that two users in your Active Directory environment have the appropriate permissions for the custom attribute.
- The AD user that runs the LastPass AD Connector (which populates the custom attribute at the time of provisioning)
- The AD user that runs the AD FS service (AD FS calls into the Custom Attribute Store, which reads the custom attribute at the time of the login)
Both users must have the CONTROL ACCESS permission in order to read a custom attribute that is marked CONFIDENTIAL (AD does not grant it by default, even to users who otherwise have read access). If either user lacks this permission, it must be granted. You can check your users' permissions in either of the following ways:
Using the LDP tool
The Windows Server operating systems include a built-in LDAP tool, ldp.exe, that lets you inspect the security descriptor of an object and check the permissions your AD users hold directly or through their group membership.
- On your Active Directory server, run ldp.exe and confirm that the AD user, or a group that user belongs to, has CONTROL ACCESS enabled.
Using the dsacls command
You can run the dsacls command against the distinguished name of the custom attribute to check the permissions of your AD users:
- On your Active Directory server, run the Command Prompt as an administrator.
- Enter the following command, substituting the distinguished name of your custom attribute: dsacls "distinguishedName of the custom attribute"
- In the output, confirm that the CONTROL ACCESS permission is assigned to each of the two users (or to a group each user belongs to).
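The following PowerShell script is an added example, not part of the LastPass article, that performs the same check programmatically: it reads the ACL of a container with the ActiveDirectory module (Get-Acl on the AD: drive, rather than parsing dsacls output) and reports whether each service account holds CONTROL ACCESS on the attribute, either directly or through nested group membership. The attribute name, container DN and account names at the bottom are placeholders you must replace with your own values.

```powershell
# Added example (not from the LastPass article). Requires the ActiveDirectory module.
# CONTROL ACCESS corresponds to the ExtendedRight flag in the ACE; an ACE grants it
# for one attribute when its ObjectType equals that attribute's schemaIDGUID, or for
# every extended right when ObjectType is the empty GUID. GenericAll also includes it.
Import-Module ActiveDirectory

function Test-ConfidentialAttributeAccess {
    param(
        [string]$AttributeName,   # lDAPDisplayName of the custom attribute
        [string]$TargetDN,        # OU or object whose ACL is evaluated
        [string[]]$Accounts       # sAMAccountNames of the two service accounts
    )
    # Look up the attribute's schemaIDGUID so object-specific ACEs can be matched
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$AttributeName)" -Properties schemaIDGUID
    if (-not $attr) { throw "Attribute '$AttributeName' not found in the schema" }
    $attrGuid = [guid]$attr.schemaIDGUID
    $wanted = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight -bor
              [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $acl = Get-Acl -Path "AD:\$TargetDN"   # includes inherited ACEs

    foreach ($sam in $Accounts) {
        $user = Get-ADUser -Identity $sam
        # SIDs to match: the account itself plus every group it belongs to,
        # nested groups included (LDAP_MATCHING_RULE_IN_CHAIN filter)
        $sids = @($user.SID.Value) + @(
            Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))" |
                ForEach-Object { $_.SID.Value })

        $hits = @($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (($_.ActiveDirectoryRights -band $wanted) -ne 0) -and
            ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $attrGuid) -and
            $(try { $sids -contains $_.IdentityReference.Translate(
                        [System.Security.Principal.SecurityIdentifier]).Value }
              catch { $false })   # unresolvable trustee: cannot match, skip it
        })
        [pscustomobject]@{ Account = $sam; HasControlAccess = ($hits.Count -gt 0); MatchingAces = $hits.Count }
    }
}

# Placeholder values: replace with your attribute, container and service accounts
Test-ConfidentialAttributeAccess -AttributeName 'lastPassCustomAttr' `
    -TargetDN 'OU=Users,DC=corp,DC=example' -Accounts 'svc-lpconnector', 'svc-adfs'
```

The script evaluates Allow ACEs only; an explicit Deny ACE for the user or one of its groups would still override a matching Allow, so a "True" result should be confirmed with dsacls or ldp.exe as described above.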