I recently reinstalled Azure AD Connect. The install created a new managed service account (ADSyncMSAxxxxx) that is used to start the Microsoft Azure AD Sync service. That service was running correctly for several days and the sync between our on-prem server and our Azure instance was running and working successfully. A couple of days ago I applied some Windows updates to the server running Azure AD Connect, restarted the server, and ever since I have not been able to start the Microsoft Azure AD Sync service, getting an "Error 5: Access is denied" error message. I have made sure the managed service account was added to our GPO and assigned "Allow log on locally", "Log on as a batch job" and "Log on as a service". Not sure what I am missing but any help would be appreciated.
Error 5 typically has to do with your access. Run as administrator. That should help.
See:
You can mark it 'Accept Answer' and 'Upvote' if this helped you
Regards,
Abiola
Hello @James Carrera,
Thank you for posting your query on Microsoft Q&A.
The "Error 5: Access is denied" error message will typically occur when the AD DS Connector account does not have the permissions that it needs.
How to configure AD DS Connector Account Permissions
To configure permissions and tighten the AD DS Connector service account, follow the steps below.
Navigate to the existing AD DS Connector service account and check whether the permissions were assigned to that account.
If the permissions were not assigned, you can follow the steps below to configure and tighten the AD DS Connector service account. You need to install Remote Server Administration Tools.
Run PowerShell as administrator on the Microsoft Entra Connect Server and run the cmdlet below.
Install-WindowsFeature RSAT-AD-Tools
Load PowerShell module AdSyncConfig.psm1
Run Windows PowerShell as administrator. Run the Import-Module and specify the path to load the module.
Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1"
Run the Get-Command and specify the module AdSyncConfig. Check that all the cmdlets are included in this module.
Get-Command -Module AdSyncConfig
Find AD DS Connector service account distinguishedName
Right-click on the AD DS Connector service account and click Properties. Go to the Attribute Editor tab. Find the attribute distinguishedName in the attributes list. Double-click to open the string and copy the value. You will need it in the next part.
Now follow the below document and run the commands MS-DS-Consistency-Guid Permissions, Permissions for Password Hash Synchronization, Permissions for Password Writeback and so on.
Instead of assigning individual permissions, you can temporarily add the AD DS Connector service account to the Domain Admins and Enterprise Admins groups to verify if permissions are the root cause.
I hope this information is helpful. Please feel free to reach out if you have any further questions.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Thanks,
Raja Pothuraju.
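
The distinguishedName lookup and the temporary group test described in the answer above, as an added example that is not part of the original answer or Microsoft's own tooling: it reads the connector account's distinguishedName with the ActiveDirectory module instead of the Attribute Editor, then reports whether the account is still a member of Domain Admins or Enterprise Admins so a temporary test membership is not left in place. The account name `MSOL_0123456789ab` and both function names are constructed placeholders; the example assumes a single-domain forest.

```powershell
# Added example. Assumes RSAT-AD-Tools is installed (see the step above).
# 'MSOL_0123456789ab' is a constructed placeholder for the sAMAccountName of
# your AD DS Connector account; it is not a value from this thread.
Import-Module ActiveDirectory

$ConnectorSam = 'MSOL_0123456789ab'

function Get-ConnectorAccountDN {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # Same value the Attribute Editor shows as distinguishedName.
    (Get-ADUser -Identity $SamAccountName).DistinguishedName
}

function Test-ConnectorPrivilegedMembership {
    param(
        [Parameter(Mandatory)][string]$AccountDN,
        [string[]]$Groups = @('Domain Admins', 'Enterprise Admins')
    )
    foreach ($group in $Groups) {
        # -Recursive also catches membership inherited through nested groups.
        # In a multi-domain forest, Enterprise Admins lives in the forest root
        # domain; add -Server <root domain controller> for that group.
        $members = Get-ADGroupMember -Identity $group -Recursive
        [pscustomobject]@{
            Group    = $group
            IsMember = [bool]($members.distinguishedName -contains $AccountDN)
        }
    }
}

$dn = Get-ConnectorAccountDN -SamAccountName $ConnectorSam
"Connector account DN: $dn"

$result = Test-ConnectorPrivilegedMembership -AccountDN $dn
$result | Format-Table -AutoSize

# Flag any privileged membership that is still present after testing.
$result | Where-Object IsMember | ForEach-Object {
    Write-Warning "$ConnectorSam is still a member of '$($_.Group)'"
}
```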