Overview
If Active Directory password synchronization or password rotation fails with an error similar to the following:
{
  "message": "Access is denied",
  "cmdlet": "Set-ADAccountPassword",
  "exception": "System.UnauthorizedAccessException",
  "success": false
}
the account running the Splashtop Secure Workspace (SSW) Connector service may not have sufficient permissions to reset passwords in Active Directory.
This article explains how to verify and update the Windows service account used by the Connector.
Symptoms
The Connector logs may contain errors similar to:
Set-ADAccountPassword
System.UnauthorizedAccessException
Access is denied
Active Directory password update failed
Affected features may include:
- AD password synchronization
- Service account password rotation
- Secret Manager AD account management
Cause
The SSW Connector performs Active Directory operations using the Windows account under which the Connector service is running.
If the service is running as:
Local System
or another account without sufficient Active Directory permissions, password update operations may fail.
To perform password reset operations successfully, the service should run under a domain account that has been delegated the appropriate Active Directory permissions.
How to Identify the Account Running the Connector Service
You can use PowerShell to quickly determine which Windows account is being used to run the SSW Connector service.
- Open PowerShell as an administrator.
- Run the following command:
  Get-CimInstance Win32_Service |
      Where-Object {$_.Name -like "*connector*"} |
      Select-Object Name, StartName
- Review the StartName field in the output.
Example output:
Name          StartName
----          ---------
SSW Connector LocalSystem
or
Name          StartName
----          ---------
SSW Connector DOMAIN\svc_ssw_connector
Understanding the Results
- LocalSystem
  The Connector service is running under the built-in Windows Local System account. While this account has extensive privileges on the local machine, it accesses Active Directory over the network as the server's computer account, which typically does not have permission to perform Active Directory password reset operations.
- DOMAIN\service_account
  The Connector service is running under a domain account. This is the recommended configuration when the Connector needs to perform Active Directory operations such as password synchronization or password rotation.
If the service is running as LocalSystem and AD Sync password operations are failing with an "Access is denied" error, consider updating the service to run under a domain service account with the appropriate delegated Active Directory permissions.
Verify the Current Service Account
- Log in to the Connector server.
- Open the Windows Services console:
  services.msc
- Locate the SSW Connector service.
- Right-click the service and select Properties.
- Open the Log On tab.
- Review the configured account.
Example:
Local System account
or
DOMAIN\svc_ssw_connector
Update the Service Account
If the current service account does not have sufficient Active Directory permissions:
- Open:
  services.msc
- Locate the SSW Connector service.
- Right-click the service and select:
  Properties → Log On
- Change:
  Local System account
  to:
  This account
- Enter a domain service account.
  Example:
  DOMAIN\svc_ssw_connector
- Enter the account password.
- Click Apply.
- Restart the service.
Required Active Directory Permissions
The service account should be delegated permissions to perform password reset operations on the target users.
Recommended permissions include:
- Reset Password
- Read user attributes
- Write password-related attributes (if required by your environment)
Permissions can be delegated at the Organizational Unit (OU) level using:
Active Directory Users and Computers
→ Delegate Control
For assistance with AD delegation, please contact your Active Directory administrator.
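To confirm the delegation before retrying, the following added example (not from the original article or from Splashtop) checks whether the account running the Connector service holds the Reset Password extended right on an OU. The OU distinguished name is a placeholder, and the script assumes the RSAT ActiveDirectory module on a domain-joined machine; nested group membership is not expanded.

```powershell
# Added example, not vendor code. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$TargetOU  = 'OU=Managed Users,DC=example,DC=com'   # placeholder DN (assumption)
$SidType   = [System.Security.Principal.SecurityIdentifier]
$ExtRight  = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
# rightsGuid of the "Reset Password" extended right; an empty GUID means all extended rights
$ResetPwd  = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$RightIds  = $ResetPwd, [guid]::Empty
# schemaIDGUID of the user class; an empty GUID means all object classes
$UserClass = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'
$ClassIds  = $UserClass, [guid]::Empty

# Same service lookup as in the article
$services = Get-CimInstance Win32_Service | Where-Object { $_.Name -like '*connector*' }

foreach ($svc in $services) {
    $account = $svc.StartName
    $builtIn = $account -eq 'LocalSystem' -or $account -like 'NT AUTHORITY\*' -or
               $account -like '.\*'
    $aces = @()
    if (-not $builtIn) {
        # SIDs that can carry the delegation: the account and its direct groups
        $sid  = ([System.Security.Principal.NTAccount]$account).Translate($SidType)
        $sids = @($sid.Value) + @(Get-ADPrincipalGroupMembership -Identity $sid.Value |
                    ForEach-Object { $_.SID.Value })

        # Allow ACEs on the OU that grant Reset Password to descendant user objects
        $acl  = Get-Acl -Path "AD:\$TargetOU"
        $aces = @($acl.GetAccessRules($true, $true, $SidType) | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $sids -contains $_.IdentityReference.Value -and
            ($_.ActiveDirectoryRights -band $ExtRight) -and
            $RightIds -contains $_.ObjectType -and
            $_.InheritanceType -ne 'None' -and
            $ClassIds -contains $_.InheritedObjectType
        })
    }
    [pscustomobject]@{
        Service           = $svc.Name
        Account           = $account
        DomainAccount     = -not $builtIn
        ResetPasswordAces = $aces.Count
    }
}
```

A ResetPasswordAces value of 0 for a domain account means no matching delegation was found on that OU for the account or its direct groups.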
Verify the Fix
After updating the service account:
- Restart the SSW Connector service.
- Trigger an AD Sync or password rotation operation.
- Verify that the operation completes successfully.
- Confirm that the Connector logs no longer contain:
Access is denied
Set-ADAccountPassword
errors.