Azure AD DS access rights

Nikolas Stylianides 1 Reputation point
2019-11-30T11:17:05.407+00:00

I cannot modify entries using the Apache Directory Studio.
I am owner and Global Administrator in my Tenant.
I can read but I cannot write.
Error: LDAP: error code 50 - 00002098: SecErr: DSID-03150E49, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Microsoft Entra

6 answers

  1. Sam Cogan 10,157 Reputation points MVP
    2019-12-02T11:17:42.563+00:00

    The rights you are granted on the domain in AAD DS are limited; you are not a Domain Admin, which I would imagine this tool believes you are. You are granted only specific rights to undertake operations that are allowed in AAD DS. This includes managing users and groups, GPOs, OUs, DNS and a few other things.

    You have no rights to access or modify the schema.

    If you need more rights than this then you would need to look at using IaaS domain controllers and not AAD DS.

    1 person found this answer helpful.

  2. Gurmukh Singh 1 Reputation point
    2019-11-30T14:01:47.017+00:00

    Right-click on the application and select Run as Administrator.

    When you are a member of one of the special restricted groups such as Domain Admins, Enterprise Admins, or Administrators, those group memberships are blocked from your normal process token. To use these group memberships, you need to elevate by using Run as Administrator.

    You can verify that the groups are blocked by running SysInternals' Process Explorer, right-click on the application, select Properties, and on the Security tab, the groups will have a Deny in the Flags column.


  3. Nikolas Stylianides 1 Reputation point
    2019-12-01T06:53:43.237+00:00

    Thank you for your answer. I tried the solution, running the application Apache Directory Studio as Administrator, but the experience is the same.
    I have also noticed that I get no information about the Schema.


  4. KAREDD-MSFT 406 Reputation points Microsoft Employee
    2019-12-03T08:34:30.493+00:00

    Hi @Nikolas Stylianides ,

    You cannot add/delete/modify any user or group that is being synchronized from Azure AD to a managed domain (Azure AD DS).

    You can create OUs which are local to Azure AD DS, and in those OUs you can modify the properties as needed.

    This is documented in the FAQ: https://learn.microsoft.com/en-us/azure/active-directory-domain-services/faqs#can-i-modify-group-memberships-using-ldap-or-other-ad-administrative-tools-on-managed-domains

    This is by design, and if you need to perform these actions, then you should look at using IaaS domain controllers as suggested by @Anonymous.

    This article does a great job of comparing on-premises AD, Azure AD and Azure AD DS.

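To make the distinction in this answer checkable from a script rather than by trial and error in Apache Directory Studio, here is an added example (not from the thread or from Microsoft) that parses the `INSUFF_ACCESS_RIGHTS` diagnostic quoted in the question and tells the synchronized `AADDC Users`/`AADDC Computers` containers apart from custom OUs. It assumes the diagnostic string is taken from an LDAP client such as ldap3's `conn.result['message']`; the `AAD DC Administrators` group name is the managed domain's delegated admin group, and the DNs in the comments are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Containers that Azure AD DS populates from Azure AD. Objects in them are
# read-only over LDAP (see the FAQ linked above); only custom OUs are writable.
SYNCED_CONTAINERS = ("OU=AADDC Users", "OU=AADDC Computers")

# Matches the AD diagnostic text that accompanies LDAP result code 50, e.g.
# "00002098: SecErr: DSID-03150E49, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0"
_SECERR = re.compile(
    r"(?P<win32>[0-9A-Fa-f]{8}): SecErr: DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"problem (?P<problem>\d+) \((?P<name>[A-Z_]+)\), data (?P<data>\d+)"
)


@dataclass
class LdapFailure:
    result_code: int           # LDAP result code, 50 = insufficientAccessRights
    win32_code: Optional[str]  # Windows error from the diagnostic, e.g. 00002098
    problem_name: Optional[str]


def parse_ad_error(result_code: int, message: str) -> LdapFailure:
    """Split the AD diagnostic message into its fields; unknown formats keep None."""
    m = _SECERR.search(message)
    return LdapFailure(result_code, m["win32"] if m else None, m["name"] if m else None)


def is_synced_container(dn: str) -> bool:
    """True when the DN lives under a container Azure AD DS fills from Azure AD.
    Splits on unescaped commas only; good enough for the built-in container names."""
    rdns = [part.strip().lower() for part in re.split(r"(?<!\\),", dn)]
    return any(c.lower() in rdns for c in SYNCED_CONTAINERS)


def explain(dn: str, failure: LdapFailure) -> str:
    """Turn a failed write (constructed DNs in the test) into the action an admin can take."""
    if failure.result_code != 50:
        return f"LDAP result {failure.result_code}: not an access-rights problem"
    if is_synced_container(dn):
        return "object is synchronized from Azure AD: edit it in Azure AD, not over LDAP"
    return "custom OU: check that its ACL grants write to 'AAD DC Administrators'"
```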

  5. Nikolas Stylianides 1 Reputation point
    2019-12-03T10:26:04.013+00:00

    Dear @KAREDD-MSFT ,
    thank you for the input.

    So, based on what you said and what I read Azure AD DS is only for reading.
    I cannot even create an OU under OU=AADDC User. To achieve that I have to connect my on-premise AD with AD Connect with Azure AD DS and then work on my on-premise AD.

    If that is the case, I am wondering what Azure AD DS is good for, since I can also connect my on-premise AD to Azure AD and be done with it.
    The only benefit I see is redundancy.

    Except if I am wrong.