AD Connect Export Permission Errors

rr-4098 1,641 Reputation points
2023-04-05T20:03:50.85+00:00

We have set up AD Connect with Password Hash Sync to O365 and see our accounts listed in the O365 Admin portal. When I look at the logs for AD Connect, the Exports are failing because of permissions issues. Originally the on-prem account we used was not a domain admin, but it did have the "Replicate Directory Changes All" and "Replicate Directory Changes" permissions set up, and we made sure they applied to all sub-objects. This did not work. Even adding the account to the Domain Admins group did not work. I do see all of the correct permissions on the OU we are trying to sync. Finally, we have made sure replication is working between all DCs. Thoughts...


Accepted answer
  1. Sandeep G-MSFT 20,241 Reputation points Microsoft Employee
    2023-04-07T03:43:49.1733333+00:00

    @rr-4098 Thank you for posting your question in Microsoft Q&A platform.

    A permission issue can be seen for any writeback attribute in AD Connect. If the AD Connect service account doesn't have writeback permission for a particular attribute, it will throw a permission error on the AD Connect export for the on-premises AD connector. In the error you can click on the permission error and you will see the different attributes and their changed values, if there are any. You will have to find which attribute value is being written back to on-premises AD. Depending on the writeback attribute, you will have to set the writeback permissions for that particular attribute. You can follow the article below to fix the issue you are facing.

    https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/password-writeback-access-rights-permissions

    Do let me know if you have any further questions. Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


2 additional answers

  1. rr-4098 1,641 Reputation points
    2023-04-06T12:58:42.33+00:00

    I was able to resolve this issue by following this article: https://community.spiceworks.com/topic/2278273-azure-ad-writeback-fails-to-change-ms-ds-consistencyguid

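The accepted answer and the Spiceworks thread linked in the reply above come down to the same fix: the connector account needs WriteProperty on the specific attribute the export is trying to write (here ms-DS-ConsistencyGuid), inherited down to the user objects in the synced OU. The PowerShell below is an added example, not code from this thread and not Microsoft's own ADSyncConfig module: it resolves the schema GUIDs for the attribute and the user class, checks whether the OU's DACL already grants the connector account write access to that attribute, and adds the inheritable ACE if it does not. The account name, OU and domain are assumptions; run it from a host with RSAT as an account that can modify the OU's security descriptor.

```powershell
# Added example (not code from the thread): check and grant attribute-level write
# access for the AD Connect connector account. Account, OU and attribute are assumptions.
Import-Module ActiveDirectory

$connectorAccount = 'CONTOSO\MSOL_svc'                # assumed connector (MSOL_*) account
$ou               = 'OU=Synced,DC=contoso,DC=com'    # assumed OU that AD Connect syncs
$attribute        = 'ms-DS-ConsistencyGuid'          # the attribute named in the export error

# An attribute-scoped ACE carries two schema GUIDs: the attribute's own and the
# object class it is inherited onto. Look both up instead of hard-coding them.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    [guid]$obj.schemaIDGUID
}
$attrGuid = Get-SchemaGuid $attribute
$userGuid = Get-SchemaGuid 'user'
$sid = ([System.Security.Principal.NTAccount]$connectorAccount).Translate([System.Security.Principal.SecurityIdentifier])

$acl = Get-Acl -Path "AD:\$ou"

# Is there already an Allow ACE for this SID granting WriteProperty on this attribute
# (or on all properties: empty ObjectType) that reaches user objects (or all classes)?
$writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$existing = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid -and
    $_.ActiveDirectoryRights.HasFlag($writeProp) -and
    ($_.ObjectType -eq $attrGuid -or $_.ObjectType -eq [guid]::Empty) -and
    ($_.InheritedObjectType -eq $userGuid -or $_.InheritedObjectType -eq [guid]::Empty)
}

if ($existing) {
    Write-Host "$connectorAccount already has WriteProperty on $attribute under $ou"
} else {
    # Equivalent dsacls form: dsacls "$ou" /I:S /G "${connectorAccount}:RPWP;$attribute;user"
    $rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
        [System.Security.AccessControl.AccessControlType]::Allow,
        $attrGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userGuid)
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$ou" -AclObject $acl
    Write-Host "Granted $connectorAccount ReadProperty/WriteProperty on $attribute for users under $ou"
}
```

Scoping the ACE to one attribute and one object class is the least-privilege shape; granting the account "Write all properties" on the OU would also clear the export error but hands a password-hash-sync account far more than it needs. Microsoft also ships a scripted version of this grant in the AdSyncConfig module installed with AD Connect (Set-ADSyncMsDsConsistencyGuidPermissions, and Set-ADSyncPasswordWritebackPermissions for the password writeback case the accepted answer links), which is the supported route when you do not want to manage ACEs by hand.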

  2. Md Abdul Razzak Bepary 5 Reputation points
    2024-11-20T11:53:15.3266667+00:00

    @rr-4098 Thank you for posting your question in Microsoft Q&A platform.

    I was able to resolve the issue by following these steps:

    1. Locate the user in the respective OU
    2. Right-click on the user
    3. Go to Properties
    4. Security
    5. Advanced
    6. Enable inheritance
    7. Apply, OK

    After doing that, go to the AD connect server and run the below command in PowerShell.

    Start-ADSyncSyncCycle -PolicyType Delta

    After that, you will no longer see the error in the AD Connect tool. Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

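The steps above fix one user at a time, and there are two things to know before applying them at scale: the OU-level grant never reaches an object whose DACL has inheritance disabled, so every such object in sync scope has to be found, and the fix does not stick for accounts protected by AdminSDHolder (adminCount=1), because the SDProp process stamps the AdminSDHolder ACL back onto them (inheritance disabled) roughly every hour. The PowerShell below is an added example, not the answerer's code: it finds synced users with protected DACLs, re-enables inheritance on the unprotected ones while keeping their explicit ACEs, reports the admin-protected ones instead of fighting SDProp, and then runs the same delta sync the answer ends with. The SearchBase and domain are assumptions; the ACL part needs RSAT, and Start-ADSyncSyncCycle must run on the AD Connect server.

```powershell
# Added example (not the answerer's code): find synced users whose DACL blocks
# inheritance, fix the ones that can be fixed, then run a delta sync.
# SearchBase is an assumption. Run on the AD Connect server (RSAT + ADSync module).
Import-Module ActiveDirectory
Import-Module ADSync

$searchBase = 'OU=Synced,DC=contoso,DC=com'   # assumed OU that AD Connect syncs

function Get-ProtectedSyncUsers([string]$SearchBase) {
    # AreAccessRulesProtected is what the "Enable inheritance" button toggles in ADUC
    Get-ADUser -SearchBase $SearchBase -Filter * -Properties nTSecurityDescriptor, adminCount |
        Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected }
}

function Enable-InheritanceOnUser($User) {
    $path = "AD:\$($User.DistinguishedName)"
    $acl  = Get-Acl -Path $path
    # $false = stop blocking inheritance; $true = keep the explicit ACEs already on the object
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path $path -AclObject $acl
}

$fixed = @(); $skipped = @()
foreach ($u in Get-ProtectedSyncUsers -SearchBase $searchBase) {
    if ($u.adminCount -eq 1) {
        # Member (or former member) of a protected group: SDProp will re-disable
        # inheritance within the hour, so this fix would not last. Move such accounts
        # out of sync scope, or clear adminCount once they are out of the protected group.
        $skipped += $u.SamAccountName
        continue
    }
    Enable-InheritanceOnUser $u
    $fixed += $u.SamAccountName
}
Write-Host "Inheritance re-enabled on: $($fixed -join ', ')"
if ($skipped) { Write-Warning "Admin-protected (adminCount=1), left unchanged: $($skipped -join ', ')" }

# A delta cycle is enough to retry the failed exports; no full sync needed for an ACL fix.
Start-ADSyncSyncCycle -PolicyType Delta
```

The discovery half of this is also available ready-made: the AdSyncConfig module installed with AD Connect includes Get-ADSyncObjectsWithInheritanceDisabled, which lists the same objects. Whichever way you find them, the admin-protected ones are worth a second look rather than a forced fix, since syncing privileged on-prem accounts to the cloud tenant is usually something to avoid in the first place.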
