Insufficient access rights to perform the operation error in Azure AD Connect
are you're getting Insufficient access rights to perform the operation in your Azure AD Connect synchronization logs?
Try the following.
1)check for the latest version of Azure AD Connect
2)If you're syncing passwords, make sure that your sync service account has Replicate Directory Changes and Replicate Directory Changes All permissions in your on premises Active Directory
Make sure that your sync service account has write permissions on your sourceAnchor attribute (which is most likely set to ms-ds-consistencyGuid). You can do that either using the user interface, or PowerShell, which is easier:
$accountName = "DOMAINNAME\USERNAME" #[this is the account that will be used by Azure AD Connect Sync to manage objects in the directory.
$ForestDN = "DC=DOMAINNAME,DC=SOMETHING"
$cmd = "dsacls '$ForestDN' /I:S /G '`"$accountName`":WP;ms-ds-consistencyGuid;user'"
Invoke-Expression $cmd
3)Make sure that inheritance is turned on for the AD objects that get errors in the synchronization logs.
Let me know if this helps in comment.
are you're getting Insufficient access rights to perform the operation in your Azure AD Connect synchronization logs?
Try the following.
1)check for the latest version of Azure AD Connect
2)If you're syncing passwords, make sure that your sync service account has Replicate Directory Changes and Replicate Directory Changes All permissions in your on premises Active Directory
Make sure that your sync service account has write permissions on your sourceAnchor attribute (which is most likely set to ms-ds-consistencyGuid). You can do that either using the user interface, or PowerShell, which is easier:
$accountName = "DOMAINNAME\USERNAME" #[this is the account that will be used by Azure AD Connect Sync to manage objects in the directory.
$ForestDN = "DC=DOMAINNAME,DC=SOMETHING"
$cmd = "dsacls '$ForestDN' /I:S /G '`"$accountName`":WP;ms-ds-consistencyGuid;user'"
Invoke-Expression $cmd
3)Make sure that inheritance is turned on for the AD objects that get errors in the synchronization logs.
- Open Active directory Users and Computers
- Enable the Advanced features in the View settings and,
- Open up the user object that can't sync.
- Go to the security tab and then into advanced
- Check to make sure the box is checked to inherit permissions.
Let me know if this helps in comment.
No comments:
Post a Comment