This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(185.6, 86%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENS%3C/text%3E%3C/svg%3E)
I cannot modify entries using the Apache Directory Studio.
I am owner and Global Administrator in my Tenant.
I can read but I cannot write.
Error: LDAP: error code 50 - 00002098: SecErr: DSID-03150E49, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
Great answers @Anonymous
Super clear.
And my last question. Is sync from Azure AD to my on premise AD possible?
I know that if I use Azure AD Connect on premise AD will sync to Azure AD.
But does it work the other way around? For example add a user in Azure AD and this user get synced in my on premise AD?
Thank you in advance.
No, it's not currently possible to sync the other way, sync always goes from AD to AAD. The request to go the other way has been a round for a long time, but has not been implemented so far.
Dear @KAREDD-MSFT ,
thank you for the input.
So, based on what you said and what I read Azure AD DS is only for reading.
I cannot even create an OU under OU=AADDC User. To achieve that I have to connect my on-premise AD with AD Connect with Azure AD DS and then work on my on-premise AD.
If that is the case I am wondering what is Azure AD DS good for since I can also connect my on-premise AD to Azure AD and be done for it.
Then only benefit I see is redundancy.
Except if I am wrong.
You cannot edit anything in the AADDC OU, including adding new OU's under it.
You can create new OU's under the root of the domain, and create users and groups that are local to AAD DS only, which you can manage. You can also edit the GPO applied to the AADDC OU.
For users created in AAD, AAD must remain the source of truth. These are the limitations of AAD DS. It was designed as a tool to assist with the lift and shift of applications that require LDAP, into Azure, providing a local LDAP source for these applications. It is not intended to be a replacement for you on-premises AD.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(57.599999999999994, 80%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKM%3C/text%3E%3C/svg%3E)
Hi @Nikolas Stylianides ,
You cannot add/delete/modify any user or group that is being synchronized from Azure AD to a managed domain (Azure AD DS).
You can create OU's which are local to Azure ADDS and in those OU's you can modify the properties as needed.
This is documented in the FAQ: https://learn.microsoft.com/en-us/azure/active-directory-domain-services/faqs#can-i-modify-group-memberships-using-ldap-or-other-ad-administrative-tools-on-managed-domains
This is by design and if you need to perform these actions, then you should look at using IAAS domain controllers as suggested by @Anonymous
This article does a great job of comparing on-premise AD. Azure AD and Azure AD DS.
The rights you are granted on the domain in AAD DS are limited, you are not a Domain Admin, which I would imagine this tool believes you are. You are granted only specific rights to undertake operations that are allowed in AAD DS. This includes managing users and groups, GPO's, OU's, DNS and a few other things.
You have no rights to access or modify the schema.
If you need more rights than this then you would need to look at using IaaS domain controllers and not AAD DS.
Thank you @SamCogan. But even modifying user, groups are restricted with my current configuration. I can read the directory but I cannot add/delete/modify any user or group. I have tried with Apache Directory Studio and even PHP ldap library. Is there a "trick" I am missing?
Hi @SamCogan again. Is there a possibility that the issue is with my Certificate which is self signed? Is there a policy with Azure AD DS to restrict only reading in case of self signed certificates?
Which OU are the users/groups you are trying to edit located in? As @KAREDD-MSFT mentioned, the users created in your Azure AD tenant directly are not available for editing in AAD DS, you can only edit users and groups you created directly in AAD DS.
Thank you for your answer. I tried the solution, Run as Administrator the application Apache Directory Studio but the experience is the same.
I have also noticed that I get no information about the Schema also.