Accelerated Policy Installs and my R81.10 training lab have not been getting along very well these last two weeks. 

https://community.checkpoint.com/t5/Security-Gateways/Accelerated-Policy-Install-amp-SecureXL-Templa...

R81.10 Jumbo Take 30 on Gateway and SMS, Take 402 of R81.10 SmartConsole.

In the CCSA class Lab 8.1 students enable Identity Awareness on the gateway for the first time which launches the IA wizard, and they configure the alpha.cp domain to an Active Directory domain controller and click Connect.  This has been a staple of the CCSA labs for many years and always worked reliably for me, but I was getting flaky behavior out of this procedure from the get-go in R81.10.  Sometimes it would work and say "Connected!".  But other times it would always fail with a "Account is not a domain administrator" error which is patently untrue and frankly makes no sense.  An account is a Domain Admin or it isn't and that doesn't change randomly.

So in my CCSA class today two of the students had it work the first time, and all the others got this error and could not proceed.  No combination of Install Database, Firewall Policy reinstalls, or SmartConsole GUI restarts could seem to shake it.  After racking my brain I finally figured it out: on the AD wizard page where entering the credentials if it said "connection will be from SmartConsole due to no policy installed" it would fail, but if it happened to say "connection will be made from gateway" it would succeed.

Students whose last policy install was accelerated had the AD wizard fail with the nonsensical permissions error.  But students who had made certain changes that forced a full policy installation to the gateways just before running the wizard worked fine.  So the fix was to force a nonaccelerated policy install from the Install Policy screen, and then all the stuck students had the AD wizard succeed and could move on.  Guess my students got a little extra troubleshooting instruction today...