AAD Connect Advanced Permissions

Use this script to configure advanced AAD Connect permissions for the following features:
  • Device WriteBack
  • Exchange Hybrid WriteBack
  • Office 365 Group WriteBack
  • Password Hash Sync (Replicating Directory Changes / Replicating Directory Changes All)
  • Password WriteBack
  • ms-DS-Consis

Office 365
8/17/2019


  • not working in this particular case (DC = 2019 ; exch2013 CU11)
    3 Posts | Last post December 13, 2019
    • Hi,
      Thanks for the script! It worked perfectly for me in the past when I got the access denied error.
      Unfortunately in this particular case it doesn't seem to fix the issue.
      DCs = Server 2019
      I can see in MIISClient that it's trying to add msDS-ExternalDirectoryObjectID, but I get a permission issue there.
      
      If I grant full permissions on the account for the AADConnect service, the error is gone, so possibly some permission is missing from the script? Or related to the fact that we have Server 2019?
      
      PS: Exchange 2013 CU21 (msDS-ExternalDirectoryObjectID is available as an attribute on the AD accounts)
    • That's interesting.  I haven't tried it against Windows Server 2019, so I'll add that test as soon as I can.  I didn't see this until just now!
    • Oh, looks like I already answered this.  Did my update fix it?
  • ADminSDHolder Permission
    1 Posts | Last post November 15, 2019
    • Hello Aaron! Would you expect the AdminSDHolder permission to not take effect until the adminsdholder background process runs again (default interval every 60 mins)? I've been getting permission errors in AADC with some protected users and am still getting them after running the script with the -UpdateAdminSDHolder parameter.
      
      I'll follow up in an hour if I see any different results, but I thought that it would be interesting enough to document in your parameter help text if it turns out to be true.
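The question above is really whether SDProp has already copied the AdminSDHolder ACL onto the protected accounts. The following PowerShell is an added example (not part of AADConnectPermissions.ps1 or its author's replies): it compares the ACEs granted to the service account on CN=AdminSDHolder with the ACEs on every adminCount=1 user, and can ask the PDC emulator to run SDProp immediately instead of waiting for the default 60-minute cycle. The function names are assumptions; it assumes the ActiveDirectory module is installed and the caller can read DACLs.

```powershell
# Added example; not the script's own code.
# Assumes: ActiveDirectory module, read access to DACLs, and an identity such as 'DOMAIN\sa-aadc'.
Import-Module ActiveDirectory

function Get-PrincipalAces {
    param(
        [Parameter(Mandatory)] [string] $DistinguishedName,
        [Parameter(Mandatory)] [System.Security.Principal.SecurityIdentifier] $Sid
    )
    # Read the DACL through the AD: drive and keep only the ACEs for the given SID.
    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)
    $acl.Access |
        Where-Object { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $Sid } |
        ForEach-Object {
            # Order-independent key so ACEs can be compared between two objects.
            # IsInherited is deliberately left out: SDProp copies ACEs, it does not inherit them.
            '{0}|{1}|{2}|{3}|{4}' -f $_.AccessControlType, $_.ActiveDirectoryRights,
                $_.ObjectType, $_.InheritedObjectType, $_.InheritanceType
        }
}

function Test-AdminSDHolderPropagation {
    param(
        [Parameter(Mandatory)] [string] $Identity,          # service account or group, e.g. 'DOMAIN\sa-aadc'
        [string] $Domain = (Get-ADDomain).DNSRoot
    )
    $dom = Get-ADDomain -Identity $Domain
    $sid = (New-Object System.Security.Principal.NTAccount($Identity)).Translate(
               [System.Security.Principal.SecurityIdentifier])
    $holderDn = "CN=AdminSDHolder,CN=System," + $dom.DistinguishedName

    $expected = @(Get-PrincipalAces -DistinguishedName $holderDn -Sid $sid)
    if ($expected.Count -eq 0) {
        Write-Warning "No ACEs for $Identity on $holderDn; run the delegation with -UpdateAdminSDHolder first."
        return
    }

    # SDProp only rewrites protected objects, so compare each adminCount=1 user against AdminSDHolder.
    Get-ADUser -Server $dom.PDCEmulator -LDAPFilter '(adminCount=1)' | ForEach-Object {
        $have    = @(Get-PrincipalAces -DistinguishedName $_.DistinguishedName -Sid $sid)
        $missing = @($expected | Where-Object { $have -notcontains $_ })
        [pscustomobject]@{
            User        = $_.SamAccountName
            Propagated  = ($missing.Count -eq 0)
            MissingAces = $missing.Count
        }
    }
}

function Start-SDProp {
    # Ask the PDC emulator to run SDProp now (documented RootDSE operational attribute)
    # instead of waiting for the next scheduled run.
    param([string] $Domain = (Get-ADDomain).DNSRoot)
    $pdc = (Get-ADDomain -Identity $Domain).PDCEmulator
    $rootDse = [ADSI]"LDAP://$pdc/RootDSE"
    $rootDse.Put('runProtectAdminGroupsTask', '1')
    $rootDse.SetInfo()
}

# Usage:
#   Test-AdminSDHolderPropagation -Identity 'DOMAIN\sa-aadc' | Format-Table
#   Start-SDProp; Start-Sleep -Seconds 60; Test-AdminSDHolderPropagation -Identity 'DOMAIN\sa-aadc'
```

A user that still reports Propagated = False after SDProp has run has an ACL that differs from AdminSDHolder for some other reason (for example an ACE that was edited directly on the user), which is worth investigating before granting anything broader.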
  • not working in this particular case (DC = 2019 ; exch2013 CU11)
    3 Posts | Last post March 12, 2019
    • Hi,
      Thanks for the script! It worked perfectly for me in the past when I got the access denied error.
      Unfortunately in this particular case it doesn't seem to fix the issue.
      DCs = Server 2019
      I can see in MIISClient that it's trying to add msDS-ExternalDirectoryObjectID, but I get a permission issue there.
      
      If I grant full permissions on the account for the AADConnect service, the error is gone, so possibly some permission is missing from the script? Or related to the fact that we have Server 2019?
      
      PS: Exchange 2013 CU21 (msDS-ExternalDirectoryObjectID is available as an attribute on the AD accounts)
    • Interesting! I don't have any 2019 DCs, so I'm going to have to investigate this one.
    • I updated the way the script processes this.  The script now checks for the AD schema version to see if it's later than 87, which is the 2016 schema where the attribute was introduced.
  • Single Forest with Two Parent Domains
    4 Posts | Last post September 26, 2018
    • Hi Aaron, I'm having issues getting permissions to apply in the second parent domain. I have tried both the -forest and -domain switches without any luck. 
      
      I'm using: 
      .\AADConnectPermissions.ps1 -AllPermissions -User DomainA\sa-aadc -Domain DomainA.ads
      
      Thanks in Advance. 
      
      Best.
      J
    • Sorry that was meant to read... -Domain DomainB.ads
      
    • I reworked the script. Adding a few extra foreach statements, along with adding all the domains in the forest to the array, was the key. 
      
      [array]$ExchangeHybridWriteBackOUs = (Get-ADForest).Domains  | %{(Get-ADDomain $_ ).DistinguishedName}
      
    • Ah, so these are separate trees in the AD forest?  Nice add!
  • msDS-ExternalDirectoryObjectID and ADSync module issues
    2 Posts | Last post September 14, 2018
    • Thanks so much for providing this script; it's been a great help. A couple of points of possible interest from my experience (using the 9/2/2018 release):
      
      The msDS-ExternalDirectoryObjectID attribute gets created when the AD schema is extended to Server 2016, not just when Exchange 2016 is installed. So, in my case, it was there though we're only on Exchange 2010 SP3. I just forced the check code to return the Exchange 2016 schema version to get around this.
      
      For some reason, the final call to Get-Module ADSync keeps returning null on my AD Connect-installed systems. This gave me the warning to manually run the password reset configuration command. I added an Import-Module ADSync -Force right before the If (Get-Module ADSync) to return a proper result and run password reset command.
      
      Here's the command line I was using:
      AADConnectPermissions.ps1 -ExchangeHybridWriteBack -PasswordHashSync -PasswordWriteBack -msDS-ConsistencyGUID -domain domainname -user serviceaccount
    • Thanks! I've updated the script for the schema version and also modified it to import the ADSync module if necessary.  Depending on the order of operations and options chosen, sometimes having the module imported will cause issues with other parts of the script.  I added the -ListAvailable switch to the If (Get-Module ADSync) statement, and force it to load at that time.
  • Possible bug with ExchangeHybridWriteBack and AdminSDHolder container
    2 Posts | Last post August 13, 2018
    • Running the script with -ExchangeHybridWriteBack and -UpdateAdminSDHolder parameters (I am not specifying the -ExchangeHybridWriteBackOUs parameter).
      
      I see the permissions are delegated at the root of the domain, but I do not see them applied to the AdminSDHolder container. Upon adding some custom debugging to see the contents of the $cmd variable, the DSACLS commands are only constructed for the domain root and do not include the AdminSDHolder container.
      
      Presumably, line 550 in the current script should be adding the DN for AdminSDHolder to the $ExchangeHybridWriteBackOUs variable, not the $WriteBackOUs variable. I may be wrong, but can anyone else confirm?
    • I found the error.  I have updated the script.
  • msDS-ExternalDirectoryObjectId
    2 Posts | Last post July 25, 2018
    • Does the current (as of 07/23/2018) version support the msDS-ExternalDirectoryObjectId attribute?
    • Yes, if you have extended the Schema to 15317 or later (which is where msDS-ExternalDirectoryObjectId was introduced), write-back permissions are configured for it.
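Three threads above (the Server 2019 DCs, the Exchange 2010 forest whose AD schema had already been extended to 2016, and the question answered just above) all come down to one decision: does the schema define msDS-ExternalDirectoryObjectId, so that write-back permissions for it should be delegated? The PowerShell below is an added example, not the script's own check. It reads the AD schema objectVersion and the Exchange schema rangeUpper, using the version numbers given in the thread (87 for the Server 2016 schema, 15317 for the Exchange 2016 schema), but decides on whether the attribute itself exists, which covers both ways it can arrive. Function names are assumptions; it assumes the ActiveDirectory module.

```powershell
# Added example; not the script's own code.
# Assumes: ActiveDirectory module and read access to the schema naming context.
Import-Module ActiveDirectory

function Get-DirectorySchemaInfo {
    param([string] $Server)
    $common = @{}
    if ($Server) { $common.Server = $Server }

    $schemaNc = (Get-ADRootDSE @common).schemaNamingContext

    # objectVersion on the schema container is the AD forest schema level (87 = Windows Server 2016).
    $adVersion = (Get-ADObject -Identity $schemaNc -Properties objectVersion @common).objectVersion

    # rangeUpper on ms-Exch-Schema-Version-Pt is the Exchange schema level (15317 = Exchange 2016);
    # the object is absent if Exchange setup /PrepareSchema was never run in this forest.
    $exchVersion = $null
    $exchObj = Get-ADObject -Filter "name -eq 'ms-Exch-Schema-Version-Pt'" -SearchBase $schemaNc `
                            -Properties rangeUpper @common
    if ($exchObj) { $exchVersion = $exchObj.rangeUpper }

    # The decisive check: is the attribute defined in the schema at all?
    $attr = Get-ADObject -Filter "lDAPDisplayName -eq 'msDS-ExternalDirectoryObjectId'" `
                         -SearchBase $schemaNc @common

    [pscustomobject]@{
        ADSchemaVersion              = $adVersion
        ExchangeSchemaVersion        = $exchVersion
        HasExternalDirectoryObjectId = [bool]$attr
    }
}

function Test-ExternalDirectoryObjectIdWriteBack {
    param([string] $Server)
    $info = Get-DirectorySchemaInfo -Server $Server

    # Either the Server 2016 AD schema or the Exchange 2016 schema introduces the attribute
    # (the Exchange 2010 poster above had it through the AD schema alone).
    $versionSaysPresent = ($info.ADSchemaVersion -ge 87) -or ($info.ExchangeSchemaVersion -ge 15317)

    if ($versionSaysPresent -and -not $info.HasExternalDirectoryObjectId) {
        # Typical cause: the DC answering the query has not replicated the schema extension yet.
        Write-Warning ("Schema versions (AD {0}, Exchange {1}) suggest the attribute should exist, " +
                       "but it was not found on this DC; check schema replication before delegating.") `
                       -f $info.ADSchemaVersion, $info.ExchangeSchemaVersion
    }
    return $info.HasExternalDirectoryObjectId
}

# Usage:
#   Get-DirectorySchemaInfo
#   if (Test-ExternalDirectoryObjectIdWriteBack) { <# add the attribute to the write-back list #> }
```

Deciding on the attribute's existence rather than on a version threshold is what makes the check independent of which product extended the schema, and it also avoids granting a write right for an attribute that is not there yet.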
  • write-log error
    8 Posts | Last post April 16, 2018
    • I seem to get a write-log error using this.
    • What options did you use?  I want to repro it in my lab.
    • Nevermind, I found it.
    • The write-log function can be found in the code of AADConnectPermissions.ps1; select this function in PowerShell ISE and execute the block to define it.
      
      After that we got it working, except we had issues with the ExchangeHybridWriteBackOU, the distinguishedName: each part was separated with a comma and a space character, and that's not allowed.  We did copy-paste this distinguished name from the ActiveRoles console with spaces.
      
    • The Write-Log error should be resolved.  
      
      The DN needs to be encapsulated in quotes.  For example:
      
      -ExchangeHybridWriteBackOUs "OU=Child OU1,OU=Parent OU1,DC=domain,DC=com","OU=Child OU2,OU=Parent OU2,DC=domain,DC=com"
    • Yes, encapsulated the distinguishedName with quotes; the string contained spaces after each comma (copy-pasted from ActiveRoles). Removed the spaces and that solved the issue.
      
      The 'user' parameter to specify rights: is it possible to set a group as well? We prefer to set security via an AD group and make the service account a member of this group.
      
      
    • The 'user' parameter can also contain an AD Security Group (Domain Local), tested.
      
      Thank you!
    • Looks like you figured it out before I could respond. :-)  Yes, you can use it to delegate permissions to a group as well (so not just restricted to AAD Connect functionality, if you wanted to use it for other purposes).
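Three of the threads above are about which DNs the delegation is applied to: the "Single Forest with Two Parent Domains" thread (every domain root in the forest, not just the current one), the "Possible bug with ExchangeHybridWriteBack and AdminSDHolder container" thread (the AdminSDHolder DN has to go into the same target list as the OUs), and the DN quoting discussion just above (spaces after the commas in a DN pasted from ActiveRoles). The PowerShell below is an added example, not code from AADConnectPermissions.ps1; it builds and validates that target list before any dsacls command is constructed. The parameter names mirror the script's, the function names and the regex-based normalisation are assumptions, and the DNs in the usage lines are placeholders.

```powershell
# Added example; not the script's own code.
# Assumes: ActiveDirectory module and read access to the forest's domains.
Import-Module ActiveDirectory

function ConvertTo-CanonicalDn {
    param([Parameter(Mandatory)] [string] $Dn)
    # Drop whitespace around unescaped ',' separators (the ActiveRoles copy/paste case);
    # an escaped '\,' inside an RDN value is left untouched.
    ($Dn -replace '(?<!\\)\s*,\s*', ',').Trim()
}

function Resolve-WriteBackTargets {
    param(
        [string[]] $ExchangeHybridWriteBackOUs,
        [switch]   $UpdateAdminSDHolder
    )
    $targets        = New-Object System.Collections.Generic.List[string]
    $domainsTouched = New-Object System.Collections.Generic.HashSet[string]

    if ($ExchangeHybridWriteBackOUs) {
        foreach ($raw in $ExchangeHybridWriteBackOUs) {
            $dn = ConvertTo-CanonicalDn $raw

            # The OU's domain is the DC= tail of its DN; query that domain so OUs in the
            # second tree of the forest resolve instead of failing against the local DC.
            $domainDn = ($dn -split '(?<!\\),' | Where-Object { $_ -like 'DC=*' }) -join ','
            $domain   = Get-ADDomain -Identity $domainDn

            # Fail early with a readable error rather than a dsacls failure later on.
            $obj = Get-ADObject -Identity $dn -Server $domain.DNSRoot -ErrorAction Stop
            $targets.Add($obj.DistinguishedName)
            [void]$domainsTouched.Add($domain.DistinguishedName)
        }
    } else {
        # All domains in the forest, including separate trees, not only the current domain.
        foreach ($d in (Get-ADForest).Domains) {
            $domainDn = (Get-ADDomain -Identity $d).DistinguishedName
            $targets.Add($domainDn)
            [void]$domainsTouched.Add($domainDn)
        }
    }

    if ($UpdateAdminSDHolder) {
        # Protected accounts do not keep rights inherited from their OU: SDProp overwrites their
        # ACL from AdminSDHolder, so the container must be in the same list as the OUs.
        foreach ($domainDn in $domainsTouched) {
            $targets.Add("CN=AdminSDHolder,CN=System,$domainDn")
        }
    }

    $targets | Select-Object -Unique
}

# Usage (placeholder DNs):
#   Resolve-WriteBackTargets -ExchangeHybridWriteBackOUs "OU=Child OU1, OU=Parent OU1, DC=domain, DC=com" -UpdateAdminSDHolder
#   Resolve-WriteBackTargets -UpdateAdminSDHolder
```

Each DN that comes back is already canonical, verified to exist, and queried in its own domain, so the caller can quote it as-is when building the dsacls command line, and a mistyped OU stops the run before any permission has been granted anywhere.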
  • Write-Log error 4/2/2018
    2 Posts | Last post April 04, 2018
    • I am also getting the write-log error when using this, for the PasswordWriteBack portion. Since the post on 3/15/2018, the latest version to download is 2/15/2018. When running, it errors out for the write-log, but adds the BUILTIN (BUILTIN) principal instead of the user specified to the root domain.
    • I've updated it. I located the error which was introduced after the last update.
  • BUG
    2 Posts | Last post January 10, 2018
    • Assume you run msDSConsistencyGuid
      $DN is never set to anything
    • I've updated it.  It will now use the ExchangeHybridWriteBackOUs if specified; if not, the AD Domain root.
      
      Thanks!