Provision AD account problem

I am currently designing an onboarding workflow. When an identity is created, a new AD account will be provisioned. However, when ISC attempts to create the AD account on-premises, the following error occurs:


In the IQService log, the error message is:
06/24/2025 10:05:54 : ADConnectorServices [ Thread-5 ] ERROR : “Error occurred while setting password for the account. The target of the invocation has thrown an exception. Some input parameters are incorrect. HRESULT:[0x80070005]”

I have referred to several articles, and the issue usually falls into two main categories:

The first category is account-related issues, such as the account used to log into IQService having an expired password, being locked out, or lacking sufficient permissions.


The second category is password-related issues, where the password being set does not meet the domain’s password policy.
My password policy is here:
Enforce logoff when logon time expires?: Never
Minimum password age (days): 1
Maximum password age (days): 42
Minimum password length: 7
Password history length: 24
Account lockout threshold: Never
Account lockout duration (minutes): 30
Account lockout observation window (minutes): 30
Computer role: PRIMARY

However, I have checked both areas and confirmed that there are no problems.

May I ask what else could be causing the issue?

Check if the service account that you are using has permission to create accounts and set passwords in the OU where you are trying to create the account. The 0x80070005 error occurs when the user does not have permission to execute.

1 Like

I want to create the AD account in OU=chimei, the service account is iiqlab\administrator, and the permission is full control.


Hi @TOPTYU,

The error 0x80070005 (Access is denied) usually means that the account running IQService doesn’t have enough permission to set the password in Active Directory.

Here’s what to check:

  • Make sure IQService is running as a domain account with permission to create users and set passwords.
  • Check that the OU (folder in AD) where the user is being created allows changes by that account.
  • Ensure the password meets your domain’s policy and doesn’t have any invalid characters.
  • Also, check if antivirus or security settings are blocking the action.

Even if everything looks fine, it’s usually a permissions issue or a password format problem.

2 Likes

1. I use a domain account to create the account. The domain name is IIQLAB.


2. The IIQLAB\Administrator permission for the user object is full control.

3. The password policy is here:
Enforce logoff when logon time expires? : Never
Minimum password age (days) : 1
Maximum password age (days) : 42
Minimum password length : 7
Password history length : 24
Account lockout threshold : Never
Account lockout duration (minutes) : 30
Account lockout observation window (minutes) : 30
Computer role : PRIMARY
4. What security settings would affect AD account creation? I have not set any GPO.

Hi @TOPTYU From what I know, Full Control doesn’t necessarily include the permission to reset passwords. Check Effective Permissions for the service account on the User object for Reset Password.
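
One way to run the check suggested in the reply above, as an added PowerShell example that is not part of the thread or SailPoint's own tooling. It assumes the RSAT ActiveDirectory module, that the OU's full DN is OU=chimei,DC=iiqlab,DC=local, and that the Windows service is named IQService; adjust all three to your environment.

```powershell
Import-Module ActiveDirectory   # RSAT module; it also provides the AD: drive

# Assumed values: the thread only gives OU=chimei, iiqlab.local and the account name.
$OuDn    = 'OU=chimei,DC=iiqlab,DC=local'
$Account = 'administrator'      # sAMAccountName of the service account
$SvcName = 'IQService'          # assumed Windows service name

$ResetPwd = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # Reset Password extended right
$ExtRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# 1. The account the Windows service itself runs as (run this on the IQService host).
$svc = Get-CimInstance Win32_Service -Filter "Name='$SvcName'"
"Service logon account: $($svc.StartName)"

# 2. Every SID that can match an ACE for the service account:
#    the account, its nested groups, plus Everyone and Authenticated Users.
$user = Get-ADUser -Identity $Account -Properties tokenGroups
$sids = @($user.SID.Value) +
        @($user.tokenGroups | ForEach-Object { $_.Value }) +
        @('S-1-1-0', 'S-1-5-11')

# 3. Explicit and inherited ACEs on the OU, with identities returned as SIDs.
$rules = (Get-Acl -Path "AD:\$OuDn").GetAccessRules(
             $true, $true, [System.Security.Principal.SecurityIdentifier])

# 4. Keep ACEs that match the account and cover Reset Password, either by
#    naming the right or by covering all extended rights (empty GUID,
#    which is how Full Control / GenericAll shows up).
$rules | Where-Object {
    ($sids -contains $_.IdentityReference.Value) -and
    ($_.ActiveDirectoryRights -band $ExtRight) -and
    ($_.ObjectType -eq $ResetPwd -or $_.ObjectType -eq [guid]::Empty)
} | Sort-Object AccessControlType -Descending |   # Deny rows first
    Format-Table IdentityReference, AccessControlType, IsInherited,
                 InheritanceType, InheritedObjectType -AutoSize
```

An empty table means no ACE on the OU gives that account Reset Password; a Deny row at the top is worth checking before any Allow row below it.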

Hi @TOPTYU - Please check the permissions of the service account, and also whether AD has granted the Replicating Directory Changes permission to the service account.
The password you are creating should match the AD password policy.

Hi @j_place, I checked that the IIQLAB\administrator permissions on the accounts in OU=chimei include “reset password”.

Hi @nidhipriya, I checked that the IIQLAB\administrator account permissions in the iiqlab.local domain include Replicating Directory Changes.


The AD host password policy is here:
Enforce logoff when logon time expires? : Never
Minimum password age (days) : 1
Maximum password age (days) : 42
Minimum password length : 7
Password history length : 24
Account lockout threshold : Never
Account lockout duration (minutes) : 30
Account lockout observation window (minutes) : 30
Computer role : PRIMARY
The password I set is P@ssw0rd

@TOPTYU - Have you enforced the password policy for AD in SailPoint?

Yes, I have tried disabling Enforce Password Policy, but the same error still appears.
