Prepare Active Directory Forest and Domains for Azure AD Connect Sync

This PowerShell script will tighten permissions for the AAD Connect account provided as a parameter.

  • Exchange OnPrem
    1 Posts | Last post May 01, 2018
    • Careful with turning off inheritance; it can break Exchange's access to your users' mailboxes.
  • Would like to add
    2 Posts | Last post February 06, 2018
    • Script would not work unless I replaced the double quotes around the ObjectDN with single quotes.
      -objectDN 'CN=name,OU=OU,DC=domain,DC=com'
    • Thanks, good catch, I've updated the Description.
  • Different Source Anchor
    2 Posts | Last post January 06, 2018
    • Hi, we use a custom attribute for our source anchor, and after making all of these changes, AAD Connect Sync Service Manager is showing export errors for accounts; however, it does not show me which attribute the errors are on (I just assume the source anchor attribute). How can I check which attribute it errors on, and what type of permissions does this account need on the custom attribute?
    • Sorry to hear that, would you mind to please raise a support case and refer to this script page? Thanks. /Nuno Alexandre
  • Multiple Forests?
    2 Posts | Last post December 21, 2017
    • If you are syncing multiple forests, does this need to be run against each sync account per forest or just the root where the tool is installed?
    • You need to run the script against each AD Connector account in your multiple forests.
  • Error
    2 Posts | Last post December 21, 2017
    • When I run the script I get the following error.
      Set-ADSyncRestrictedPermissions : The term 'Set-ADSyncRestrictedPermissions' is not recognized as the name of a
      cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify
      that the path is correct and try again.
    • You need to Import-Module .\AdSyncConfig.psm1 first. Thanks.
  • I'm with sbenahmed
    2 Posts | Last post December 21, 2017
    • It looks to me like the account being used for Azure AD Connect is a local machine account "./AAD_XXXXX".  
      However any attempt to run the script against this user fails with the "You cannot call a method on a null-valued expression."  Presumably, because it's not a domain account.
    • You need to use the script against the account that is configured in the AD DS connector, typically the MSOL_nnnnnnnnnnnn domain account.
  • Do we run this for the AAD_ or MSOL_ account?
    5 Posts | Last post December 21, 2017
    • Do we run this for the AAD_ or MSOL_ account?
    • Which account you run it against will depend on how your environment was set up. You want the account that is in the On Premise Active Directory and used by the service.  Identify that account.  It's the target of the work you're trying to do.
    • We have both accounts in our AD. The Microsoft Azure AD Sync service on our DC logs on as the AAD_ account.
    • @stefmahoney: I am still not sure whether this script needs to be run against both accounts - the "MSOL_" account is the one used by the Synchronization Service Manager (as that is the one that is used to connect to the forest) but there is also an "AAD_" one that got created in my AD (in the same container) at the same time the other one was automatically created.
    • This is typically the MSOL_nnnnnnnnnnnn domain account.
  • Got an error on the script execution
    3 Posts | Last post December 21, 2017
    • I'm having this error during the command execution:
      Set-ADSyncRestrictedPermissions : Setting Restricted permissions on
      CN=MSOL_7e9d32217682,CN=Users,DC=Focalab,DC=com,DC=br failed. Exception Details: You cannot call a method on a
      null-valued expression.
      At line:1 char:1
      + Set-ADSyncRestrictedPermissions -ObjectDN "CN=MSOL_7e9d32217682,CN=Us ...
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
          + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Set-ADSyncRestrictedPermissions
      Running the command as Admin
    • I may be wrong here but for ours, I had to change "CN=Users" to "OU=ServiceAccounts".  But then this MSOL object was in a "true" container (ServiceAccounts) whereas the default AD "Users" folder is not really a container.  Anyhow, you might try that.
    • Please try the new script version that has some user account validation code. Thanks.
  • Has this script broken any Azure Sync functions with anyone?
    2 Posts | Last post December 19, 2017
    • Does running the PowerShell script affect any sync functionality of the AD DS account, or does the script give enough permissions to run all required AD Connect functions? Anyone have any sync issues to Azure? Wouldn't want to mess anything currently set to sync to the cloud.
      I'm also interested if this is even necessary in environments with only a few admins who have access to resetting passwords. In my case there are only 3 trusted Domain Admins who can modify AD, and only 2 of us are involved with daily AD operations and 1 as a backup. We have the AD DS account set up with Domain Admin rights and in its own OU grouped with the only other Domain Admins/Admins in our AD environment. We do so to not worry about giving too little access to the AD DS account and avoid troubleshooting steps. Anyone have any input?
    • I've run the script on a couple of dev environments for the last 5 days. I've not noticed any errors relating to AAD Connect; syncs are running properly. I am going to monitor for another week before running these scripts in production.
  • Credentials
    6 Posts | Last post December 16, 2017
    • Do we require Enterprise Admin only, or can we use Domain Admin as well?
    • The account used for $credential must be an enterprise admin to make the changes.
    • I am using an Enterprise Admin account and still getting "Exception Details: You cannot call a method on a null-valued expression". Any idea what's going on?
    • Finally resolved this.  Seems as if the ObjectDNs are case sensitive.  Had no idea...
    • I was mistaken... not case sensitive. My ObjectDN syntax was incorrect for the OU that contained the user.
    • Yes, Domain Admin is not sufficient; you will get the error "You cannot call a method on a null-valued expression". The account must be an Enterprise Admin.
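The recurring problems in the threads above (module not imported, wrong ObjectDN for the container, Domain Admin instead of Enterprise Admin, and inheritance removal breaking Exchange) can be avoided with a wrapper like the following. This is an added example, not part of the gallery script: it assumes AdSyncConfig.psm1 is in the current directory, that the RSAT ActiveDirectory module is installed, and that Set-ADSyncRestrictedPermissions takes -ObjectDN and -Credential as the comments imply.

```powershell
# Added example (not the script's own code): resolve the AD DS connector account DN,
# save its current ACL as SDDL for rollback, then apply the restricted permissions.
# Assumptions: AdSyncConfig.psm1 is in the current directory, RSAT ActiveDirectory
# is installed, and the cmdlet accepts -ObjectDN and -Credential.
Import-Module ActiveDirectory
Import-Module .\AdSyncConfig.psm1   # without this, the cmdlet is "not recognized"

# Enterprise Admin credential (Domain Admin is reported as insufficient above).
$credential = Get-Credential -Message 'Enterprise Admin account'

# Look the account up instead of typing the DN by hand; a mistyped container
# (CN=Users vs OU=ServiceAccounts) is the usual cause of the
# "You cannot call a method on a null-valued expression" error in the comments.
# The local AAD_* service account is not the target; the MSOL_* domain account is.
$accounts = @(Get-ADUser -Filter "Name -like 'MSOL_*'")
if ($accounts.Count -eq 0) {
    throw 'No MSOL_* account found; check the AD DS connector account in Synchronization Service Manager.'
}
if ($accounts.Count -gt 1) {
    throw "Multiple MSOL_* accounts found ($($accounts.Name -join ', ')); pick the one configured on the connector."
}
$connectorAccount = $accounts[0]
$objectDN = $connectorAccount.DistinguishedName

# Snapshot the current security descriptor so it can be restored if removing
# inheritance breaks something that relied on inherited rights (e.g. Exchange).
$backupPath = ".\$($connectorAccount.SamAccountName)-acl.sddl"
$acl = Get-Acl -Path "AD:\$objectDN"
$acl.Sddl | Set-Content -Path $backupPath -Encoding UTF8
Write-Host "Target: $objectDN"
Write-Host "Inheritance already blocked: $($acl.AreAccessRulesProtected); SDDL saved to $backupPath"

# Apply the restricted permissions (single quotes around a literal DN, per the comments;
# here the DN comes from a variable, so quoting is not an issue).
Set-ADSyncRestrictedPermissions -ObjectDN $objectDN -Credential $credential

# Rollback, if needed, run separately:
#   $restore = Get-Acl -Path "AD:\$objectDN"
#   $restore.SetSecurityDescriptorSddlForm((Get-Content $backupPath -Raw))
#   Set-Acl -Path "AD:\$objectDN" -AclObject $restore
```

In a multi-forest deployment, run this once per forest against that forest's own connector account, as the Multiple Forests thread notes.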