Azure AD Connect installation wizard permission that are required to write to the event log is missing

Andre van der Westhuizen 21 Reputation points
2022-11-17T00:56:01.573+00:00

We have installed Azure AD Connect with and account which is granted the following rights:

  • local administrator to the server
  • Enterprise Administrator
  • Domain Administrator

After the installation the Wizard opens we receive the following message
261098-picture1.jpg

We have check the permissions on the %systemroot%\Sytem32\Winevt and sub folders and have also grant the Service account write permissions to the folder but still the same issue.

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,499 questions
0 comments No comments
{count} votes

Accepted answer
  1. Givary-MSFT 30,521 Reputation points Microsoft Employee
    2022-11-18T17:30:03.253+00:00

    @Andre van der Westhuizen From the above screenshot, clearly states there is a permission issue that Event Viewer log's permissions have been customized and most likely is causing the installation wizard to fail due to insufficient permissions for the ADSync service account to record new event logs.

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application' for the value CustomSD is where custom permissions gets stored, try to compare this value with a server which doesnt have any GPO restrictions.

    Since AAD Connect is using a VSA (NT SERVICE\ADSync) as the service account, then NT AUTHORITY\SERVICE must have WriteData permissions, e.g.:

    NT AUTHORITY\SERVICE: AccessAllowed (ListDirectory, WriteData)

    Usually Domain GPO enforcing Event Viewer log permissions under "Computer Configuration/Policies/Administrative Templates/Windows Components/Event Log Service/Application - is where the policy is configured and getting applied to the ad connect server.

    Try to exclude the AAD Connect server from the Domain GPO from where these permissions are getting applied and delete the CustomSD value from the registry, which will restore the Security Descriptor to the default permissions.

    Then try to run Azure AD Connect wizard again and the installation and verify the issue.

    Let me know if you have any further questions, please feel free to post back.

    Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.

    0 comments No comments

1 additional answer

Sort by: Most helpful
  1. Andy David - MVP 145K Reputation points MVP
    2022-11-17T12:19:02.477+00:00

    Did you follow the suggestion to grant write permissions to the NT AUTHORITY\SERVICE account for the event logs?

    https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/error-unable-access-security-log

    Checked HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security - Eventlog has no permissions there.

    HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > EventLog

    0 comments No comments