Azure AD

Azure ADConnect Export Failed – Permission-issue error

During our recent setup of Azure ADConnect for one of our Clients we've been getting permission-issueInsufficient access rights to perform this operation error. While there are many articles on the Internet it's either outdated stuff for DirSync or trying to fix it by Enabling inheritance. The case we had was much simpler. During setup our administrator has chosen the AzureAD Custom Setup and when that happens no permissions are set for you on the Active Directory side. We knew where to look, we just didn't knew what permissions are missing from the setup made by one of admins.

Problem Description

If you check Synchronization Service Manager you can find recent status for all tasks.

While most tasks were ending up successfully export task completed with error: permission-issue. This can be from broken inheritance or due to synchronization of Domain Admins accounts which is not going to work. But in our case it was none of that. Any account you would create it would error out.

Solution

When you check documentation regarding permissions you need to setup the list is pretty clear.

Feature Permissions
Password sync
  • Replicate Directory Changes
  • Replicate Directory Changes All
Exchange hybrid deployment Write permissions to the attributes documented in Exchange hybrid writeback for users, groups, and contacts.
Password writeback Write permissions to the attributes documented in Getting started with password management for users.
Device writeback Permissions granted with a PowerShell script as described in device writeback.
Group writeback Read, Create, Update, and Delete group objects in the OU where the distributions groups should be located.

However when you compare it with what express setup uses when it setups account it has much wider scope of data. Following permissions are given to express account:

Replicate Directory Changes
Replicate Directory Changes All
Password sync
Read/Write all properties – User
Import and Exchange hybrid Read/Write all properties – iNetOrgPerson
Import and Exchange hybrid Read/Write all properties – Group
Import and Exchange hybrid Read/Write all properties – Contact
Import and Exchange hybrid Reset password
Preparation for enabling password write back

Having that knowledge in mind when you start comparing it with documentation data above one thing stands out – Read / Write All Properties for Users. It's nowhere on the list. And indeed if you add it to the list things start to work…

Actually after some testing just setting Write All Properties is enough.

It's interesting it's not on the list for permissions thou.

Powershell Office 365 Enable Password Writeback

Following code is an easy way to give proper permissions for Office 365 Password Write-back on the domain side. The Out-null is left commented out so you can check out the output. If you don't like it, just add it back.

$passwordOU = "DC=DOMAIN,DC=COM"
$accountName = "DOMAIN\adconnect"

$cmd = "dsacls.exe '$passwordOU' /I:S /G '`"$accountName`":CA;`"Reset Password`";user'"
Invoke-Expression $cmd #| Out-Null

$cmd = "dsacls.exe '$passwordOU' /I:S /G '`"$accountName`":CA;`"Change Password`";user'"
Invoke-Expression $cmd #| Out-Null

$cmd = "dsacls.exe '$passwordOU' /I:S /G '`"$accountName`":WP;lockoutTime;user'"
Invoke-Expression $cmd #| Out-Null

$cmd = "dsacls.exe '$passwordOU' /I:S /G '`"$accountName`":WP;pwdLastSet;user'"
Invoke-Expression $cmd #| Out-Null 

Powershell Office 365 Enable Replicating Directory Changes

Following code is an easy way to give proper permissions for Office 365 Replicating Directory Changes on the domain side. While it's possible to do this manually, this way is much faster.

###--------variables
$Account = "DOMAIN\adconnect"
$RootDSE = [ADSI]"LDAP://RootDSE"
$DefaultNamingContext = $RootDse.defaultNamingContext
$ConfigurationNamingContext = $RootDse.configurationNamingContext
 
###---Update Attributes
#Object type: user
$cmd = "dsacls '$DefaultNamingContext' /G '`"$Account`":CA;`"Replicating Directory Changes`";'"
Invoke-Expression $cmd
$cmd = "dsacls '$DefaultNamingContext' /G '`"$Account`":CA;`"Replicating Directory Changes All`";'"
Invoke-Expression $cmd

This post was last modified on %s = human-readable time difference 21:27

Przemyslaw Klys

System Architect with over 14 years of experience in the IT field. Skilled, among others, in Active Directory, Microsoft Exchange and Office 365. Profoundly interested in PowerShell. Software geek.

Share
Published by
Przemyslaw Klys

Recent Posts

Upgrade Azure Active Directory Connect fails with unexpected error

Today, I made the decision to upgrade my test environment and update the version of…

1 miesiąc ago

Mastering Active Directory Hygiene: Automating Stale Computer Cleanup with CleanupMonster

Have you ever looked at your Active Directory and wondered, "Why do I still have…

2 miesiące ago

Active Directory Replication Summary to your Email or Microsoft Teams

Active Directory replication is a critical process that ensures the consistent and up-to-date state of…

7 miesięcy ago

Syncing Global Address List (GAL) to personal contacts and between Office 365 tenants with PowerShell

Hey there! Today, I wanted to introduce you to one of the small but excellent…

11 miesięcy ago

Active Directory Health Check using Microsoft Entra Connect Health Service

Active Directory (AD) is crucial in managing identities and resources within an organization. Ensuring its…

1 rok ago

Seamless HTML Report Creation: Harness the Power of Markdown with PSWriteHTML PowerShell Module

In today's digital age, the ability to create compelling and informative HTML reports and documents…

1 rok ago