During synchronization of Active Directory with Office 365 via Azure AD Connect I was greeted with a list of accounts that have permission-issue. Error message by itself gives you a slight hint, but it doesn't tell you exactly where to look.
During synchronization of Active Directory with Office 365 via Azure AD Connect I was greeted with a list of accounts that have permission-issue. Error message by itself gives you a slight hint, but it doesn't tell you exactly where to look.
Reason for this error is usually lack of permissions for an account that is responsible for synchronization. During setup of Azure AD Connect you either configure account name yourself, or you let setup do it for you. Regardless of which route you choose the most likely reason for your problem is broken inheritance at some point where your synchronization account has access to the top level but the lower it goes, the harder it gets. Therefore, to fix my problem, I had to start with one of the accounts and see if an account in question has a synchronization account in its Security properties.
If you don't see your account on this list, click Advanced and verify that Inheritance is Enabled. If it is you need to go up and check every Organizational Unit above to see which of the above OU's have Inheritance disabled. It's also possible there are legitimate reasons for this, so an alternative way to fix this is adding your Azure Sync Account (MSOL_*) with proper permissions to OU with problems. However, keep in mind that giving correct permissions is key to this and is not as easy as fixing inheritance.
If you're not sure, your safest bet will be to Enable inheritance. My second choice would be assigning permissions by hand unless you know what you are doing.
This post was last modified on 17 maja, 2022 15:16
Active Directory replication is a critical process that ensures the consistent and up-to-date state of…
Hey there! Today, I wanted to introduce you to one of the small but excellent…
Active Directory (AD) is crucial in managing identities and resources within an organization. Ensuring its…
In today's digital age, the ability to create compelling and informative HTML reports and documents…
As part of my daily development, I create lots of code that I subsequently comment…
Today I saw an article from Christian Ritter, "PowerShell: Creating an "empty" PSCustomObject" on X…