Domain Admin account weirdness after selecting groups to sync in ADConnect

Sau Patel 21 Reputation points
2022-05-12T20:33:38.68+00:00

Hello,

I have a very weird issue. My DC is a Win2012R2 server and I have ADConnect installed on a Win2019. We are running a Hybrid Exchange setup at present with most mailboxes migrated to M365. When we started with ADConnect, we had a subset of groups in the OU selected to be synced. This helped with the migration and email and all was fine. As we moved to more services being migrated, such as Endpoint/Defender etc., it required us to select some more groups (Resource groups, service accounts) in the OU to be synced. We did that and the sync was successful. Soon after that I logged on to a Win2016 server using my DA credentials and I started getting pop-ups that I had to log out and re-login. I tried that but the messages still continued. I then tried to make changes to a file share/permissions etc., and I would get the UAC prompt. Even after disabling UAC and typing my DA creds, it would fail and say I had no access. We had another DA try this and he had the same issue. We had the DA who built the server log in and it worked fine for him. So we created a new DA account using a copy of mine and that seems to have worked.

In addition, we're noticing that if we create Security Groups, add members and assign them to folders, those folders aren't visible to the members. However, older groups (pre-ADConnect) seem to work just fine. After a bunch of tests, we have come to the conclusion that any user account that is created can see the groups existing at the time of account creation. However, if a security group is created and assigned to folders after an account is created, that member does not have access to the folders.

So, all in all, a very weird situation and no idea what is causing it to act in this manner. If anyone has any ideas or suggestions to try, that would be very much appreciated.

Thank you
Sau

Microsoft Entra ID