New Intune Connector for Active Directory Process Not Working

Question

New Intune Connector for Active Directory Process Not Working

Matt Dillon 437

I have two projects that need the Intune Connector for Active Directory installed. I went through the processes listed here: https://learn.microsoft.com/en-us/autopilot/tutorial/user-driven/hybrid-azure-ad-join-intune-connector?tabs=updated-connector

On the first project, I had an issue and ultimately it was solved by giving my Global Admin account an Intune license temporarily.

On the second project, it just refuses to work at all. Three different admins tried signing in and we all get the same results:

ODJConnector installed
Service is running
Cannot complete configuration.

The Managed Service OU was missing so we followed some directions online and fixed it.

Log file has the following entry over and over with the main issue saying "Failed to create a managed service account - Element not found"

Any help welcomed. About to open a Microsoft ticket.

ODJ Connector UI Information: 0 : User clicked on SignIn
    DateTime=2025-03-14T15:39:59.2116739Z
ODJ Connector UI Information: 0 : Navigating to URL https://portal.manage.microsoft.com/Home/ClientLogon
    DateTime=2025-03-14T15:39:59.2898053Z
ODJ Connector UI Information: 0 : Browser loaded page https://login.microsoftonline.com/common/oauth2/authorize?client_id=74bcdadc-2fdc-4bb3-8459-76d06952a0e9&redirect_uri=https%3A%2F%2Fportal.manage.microsoft.com%2Fsignin-oidc&response_type=code&prompt=select_account&scope=openid profile&response_mode=form_post&nonce=638775635996879226.MjIwYWI0ODItYTc3YS00NzY2LWEyZTEtMjYyN2Q2MTY4YTkzMTgwNDMyNzMtMmQzNC00MTY1LThhN2ItMDMxOTE2NDA4MDMx&display=host&state=CfDJ8Ji1hs71b9ZDlZfpMprk6xUmh5ZyiH2tn2o80ueQkJnLktqRnri68LHjk9smwi1SW4CxmiwntrTIiqivmIKN4GNOs17XMCIMq_gK50SStqkrPdrTYW092vUJu3uqjVqUxveNpJygWFHIkSw1CDKf-kRD3ugxbsWkKstPzUAtdK_d4vhOEk4PNCXdnL2-D0ZzgrIgMrMHZNSIbF9f0aC1Ya8xHg79E5Ev88B9t87DUeR2KFCoJBKrBcyADHWrfzJxBTQANVdVcA8DSsoczySKv6LyrVsRK0ZgllR2jh9uF4jAY91uDgX3Rby7TMbM9rDrwiDqjgKniaKt4oF1Df7lnB27gG4jSe6ZoOg52y5uxfitA5SkPWuJH-w_0FdNfeRk5g&x-client-SKU=ID_NET472&x-client-ver=8.3.0.0
    DateTime=2025-03-14T15:40:00.0710556Z
ODJ Connector UI Information: 0 : Browser loaded page https://portal.manage.microsoft.com/Home/ClientLogonSuccess
    DateTime=2025-03-14T15:41:26.9508117Z
ODJ Connector UI Information: 0 : Getting the URL for EnrollmentService from https://manage.microsoft.com/RestUserAuthLocationService/RestUserAuthLocationService/ServiceAddresses
    DateTime=2025-03-14T15:41:27.6851767Z
ODJ Connector UI Information: 0 : Received Url for EnrollmentService as https://fef.amsua0102.manage.microsoft.com/StatelessEnrollmentService from RestUserAuthLocationService.
    DateTime=2025-03-14T15:41:27.6851767Z
ODJ Connector UI Information: 0 : Getting the URL for RAODJPlusFEGatewayService_FEF from https://manage.microsoft.com/RestUserAuthLocationService/RestUserAuthLocationService/ServiceAddresses
    DateTime=2025-03-14T15:41:27.6851767Z
ODJ Connector UI Information: 0 : Received Url for RAODJPlusFEGatewayService_FEF as https://fef.amsua0102.manage.microsoft.com/TrafficGateway/TrafficRoutingService/RAODJPlus/StatelessODJService from RestUserAuthLocationService.
    DateTime=2025-03-14T15:41:27.6851767Z
ODJ Connector UI Information: 0 : Searching for any pre-existing Managed Service Accounts installed on this machine.
    DateTime=2025-03-14T15:41:27.7320578Z
ODJ Connector UI Information: 0 : MSA name : msaODJBfuWt
    DateTime=2025-03-14T15:41:27.8414250Z
ODJ Connector UI Error: 2 : ERROR: Enrollment failed. Detailed message is: Microsoft.Management.Services.ConnectorCommon.Exceptions.ConnectorConfigurationException: Failed to create a managed service account - Element not found
   at Microsoft.Management.Services.ConnectorCommon.ManagedServiceAccountUtilities.NativeMethods.NetAddServiceAccountWrapper(String accountName)
   at Microsoft.Management.Services.ConnectorCommon.ManagedServiceAccountUtilities.ManagedServiceAccountUtilities.CreateManagedServiceAccount(String domainName, String precreatedMsaAccount)
   at ODJConnectorUI.EnrollmentTab.CreateMsa(String domainName, StepsStarted& stepsStartedFlag)
   at ODJConnectorUI.EnrollmentTab.webBrowser_LoadCompleted(Object sender, NavigationEventArgs e)
    DateTime=2025-03-14T15:41:27.8883066Z
ODJ Connector UI Information: 0 : Storing telemetry: CreateMsaAccount, hasException: True
    DateTime=2025-03-14T15:41:27.8883066Z
ODJ Connector UI Information: 0 : Sending telemetry: CreateMsaAccount, hasException: True
    DateTime=2025-03-14T15:41:27.8883066Z
ODJ Connector UI Information: 0 : Sending telemetry to ODJService
    DateTime=2025-03-14T15:41:27.9039290Z
ODJ Connector UI Information: 0 : RAODJPlus Service URL: https://fef.amsua0102.manage.microsoft.com/TrafficGateway/TrafficRoutingService/RAODJPlus/StatelessODJService/odjConnectorTelemetry/uploadTelemetry
    DateTime=2025-03-14T15:41:27.9039290Z
ODJ Connector UI Information: 0 : Successfully sent request to RAODJPlusFEGatewayService_FEF
    DateTime=2025-03-14T15:41:28.2320528Z
ODJ Connector UI Information: 0 : Response from ODJService: OK
    DateTime=2025-03-14T15:41:28.2320528Z
ODJ Connector UI Error: 8 : Removing Managed Service Account ...
    DateTime=2025-03-14T15:41:28.2320528Z
ODJ Connector UI Error: 8 : Successfully removed Managed Service Account
    DateTime=2025-03-14T15:41:28.2476749Z
ODJ Connector UI Error: 8 : Returning to the home page
    DateTime=2025-03-14T15:41:28.2476749Z

Anonymous

2025-03-17T02:20:48.6566667+00:00

@Matt Dillon Thanks for posting in our Q&A.

For this issue, please check if the updated Intune Connector for Active Directory requirements are met.

https://learn.microsoft.com/en-us/autopilot/windows-autopilot-hybrid?tabs=intune-connector-requirements%2Cupdated-connector#requirements

Please make sure that you use the local administrator install the Intune Connector for Active Directory. In addition, I find that it needs Managed Service Accounts. Just a thinking, is there a Managed Service Account?
Anonymous

2025-03-19T05:17:59.38+00:00

Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back.
Eric Johnson 0 Reputation points

2025-03-19T20:09:48.7366667+00:00

I have this exact same issue. My account is a Domain Admin and Enterprise Admin for Active Directory and the M365 account I use when I click on the Sign In button is a Global Administrator with an Intune licensed assigned.
Eric Johnson 0 Reputation points

2025-03-25T20:17:20.97+00:00

@Matt Dillon have you found a fix to this issue?
Matt Dillon 437 Reputation points

2025-03-25T21:32:03.2733333+00:00

I will check in with my client next week. I don’t like this new process. The old process took like 5 min and always worked. The one time I set this up, it took like 8 tries.

no solution that I have found.
Bamber 0 Reputation points

2025-03-31T12:50:24.2933333+00:00

I can see this isn't just me...................

Any word from Microsoft. Followed the docs to the letter and this is still coming up.........
Bamber 0 Reputation points

2025-03-31T13:09:57.0633333+00:00

Also try Enterprise admin permission as I have more success configuring mine even though it's not documented.
Ryan Hicks 0 Reputation points

2025-04-01T13:25:33.05+00:00

I also have this issue. Did you get anywhere?
Nirmal Makadia 15 Reputation points

2025-04-02T23:17:44.7066667+00:00

We're facing exact same issue. We also had to recreate "Managed Service Accounts" container. Wonder if recreating has to do something with it.
Oz 5 Reputation points

2025-04-08T13:43:23.4966667+00:00

Same issue. Very frustrating. IMO, Microsoft needs to abandon this effort. In our test environment it doesn't work. In production I don't know how we are going to do it as we don't have an account with that level of on prem access + Intune admin. Goes against all MS security best practice :/
Matt Dillon 437 Reputation points

2025-04-09T16:19:00.83+00:00

Met with client today - they opened a ticket with MSFT - no response or answer yet. Today we validated internet access and all the other pre-req's.

We uninstalled a number of times and reinstalled with no change. I am feeling like the recreation of that managed service folder has something to do with it. The other thing we noticed is if we go on a browser on the server to https://manage.microsoft.com we get prompted for 2FA but we do not get prompted when trying to log in on the server.

Very frustrating.
Matt Dillon 437 Reputation points

2025-04-09T16:26:26.6433333+00:00

https://learn.microsoft.com/en-us/autopilot/known-issues

Known issues with the Intune Connector for AD version 6.2501.2000.5

Date added: April 8, 2025

The following issues are under active investigation:

Error MSA account <accountName> is not valid when signing in.

This error occurs when the connector successfully creates the MSA but fails to retrieve the data from the domain controller. Various issues can cause the error, including replication delays between domain controllers in single domain, or when the user account exists in a different domain to the connector machine.

Error Failed to create a managed service account - Element not found.

Error Cannot start service ODJConnectorSvc on computer '.'. ---> System.ComponentModel.Win32Exception: The service did not start due to a logon failure after the MSA is created.

This error occurs when the service can't run as the MSA. The service not being able to run as the MSA can be caused by various issues, including group or local policy restricting Log on as a service privileges.

Error System.DirectoryServices.DirectoryServicesCOMException (0x8007202F): A constraint violation occurred.
Matt Dillon 437 Reputation points

2025-04-09T16:29:16.12+00:00

Known issues with the Intune Connector for AD version 6.2501.2000.5

Date added: April 8, 2025

The following issues are under active investigation:

Error MSA account <accountName> is not valid when signing in.

This error occurs when the connector successfully creates the MSA but fails to retrieve the data from the domain controller. Various issues can cause the error, including replication delays between domain controllers in single domain, or when the user account exists in a different domain to the connector machine.

Error Failed to create a managed service account - Element not found.

Error Cannot start service ODJConnectorSvc on computer '.'. ---> System.ComponentModel.Win32Exception: The service did not start due to a logon failure after the MSA is created.

This error occurs when the service can't run as the MSA. The service not being able to run as the MSA can be caused by various issues, including group or local policy restricting Log on as a service privileges.

Error System.DirectoryServices.DirectoryServicesCOMException (0x8007202F): A constraint violation occurred.
Matt Dillon 437 Reputation points

2025-04-09T16:30:15.4933333+00:00

There is a known issue reported https://learn.microsoft.com/en-us/autopilot/known-issues
Oz 5 Reputation points

2025-04-09T16:51:51.4933333+00:00

Yea, I opened a case yesterday. The engineer mentioned that there were known issues and collected the log. This is in a test environment. Not sure what we're going to do in production where no accounts have on prem access to create MSA's and cloud Intune Admin....and our Identity team says 'that goes against our security processes and procedures'... I wish they would just keep the old tool until they simply dump hybrid join Autopilot support - it can't be very long since Microsoft stopped investing in it over a year ago..........
Nirmal Makadia 15 Reputation points

2025-04-10T00:48:11.9033333+00:00

Its something to do with "OtherWellKnownObjects" GUID mismatch. When you re-create the MSA container the "OtherWellKnownObjects" GUID is still pointing to the previously deleted MSA container.
Matt Dillon 437 Reputation points

2025-04-11T15:49:56.9666667+00:00
@Nirmal Makadia Good call. Did a quick Google Search and found this: https://learn.microsoft.com/en-us/exchange/troubleshoot/client-connectivity/exchange-security-update-issues#exchange-setup-or-preparead-error

Will have client try the recommended PowerShell script and try again.

Robert Pietrobono 10

I've been hitting my head against the wall with this exact error message for the past month now and reading Nirmal's comment last week has helped out tremendously. I too have an environment where I needed to recreate the MSA CN and I was getting the same error, "element not found", when trying to run the installer. After reading Nirmal's comments I looked into it and found exactly that, the GUID was set to the old deleted container and not the new one.

Here is what I did to solve that (for others in the future):

#This will give you what the current GUID is of the new MSA CN you created 
$DomainDN = "DC=your,DC=domain" 
$MSAContainer = Get-ADObject -Filter {Name -eq "Managed Service Accounts"} -SearchBase $DomainDN 
$MSAContainer.ObjectGUID  

#This will give you a list of all "OtherWellKnownObjects" so that you can see whats been deleted. In my case I was able to see "B:32:1EB93889E40C45DF9F0C64D23BBB6237:CN=Managed Service Accounts\0ADEL:67756e44-b23d-4c77-a0cd-4d36346349fc,CN=Deleted Objects,DC=my,DC=domain" 
$DomainRoot = Get-ADObject -Identity $DomainDN -Properties OtherWellKnownObjects
$DomainRoot.OtherWellKnownObjects | FL  

# Get the GUID of the NEW MSA container and change it to all uppercase (to match the formatting it should be) 
$NewMSAGuid = $MSAContainer.ObjectGUID.Guid.ToUpper()

# Remove hyphens from the GUID (AD format) 
$NewMSAGuidADFormat = $NewMSAGuid.Replace("-", "")

# Update the OtherWellKnownObjects attribute. You can call the variables but I chose to enter in the values myself just to be extra sure. You will also need to run this portion as Administrator on the DC so make sure you launch powershell as admin. 
Set-ADObject -Identity "DC=your,DC=domain" -Replace @{
    OtherWellKnownObjects = "PUT_THE_GUID_HERE:CN=Managed Service Accounts,DC=your,DC=domain"
}

This solved my error and now I've got a new one to tackle (yay! .. sigh):

"Failed to create a managed service account - The filename, directory name, or volume label syntax is incorrect"

If you find anything about this do let me know :)

Matt Dillon 437

Entered your error in Copilot and got this:
This error typically occurs when setting up the Intune Connector for Active Directory, often due to issues with the Managed Service Account (MSA) or incorrect directory paths. Here are a few troubleshooting steps:

Possible Causes & Fixes

Verify the Managed Service Account (MSA) OU

Ensure the MSA Organizational Unit (OU) exists in Active Directory.

Check that the connector has the correct permissions to create accounts in this OU.

Check Directory & Volume Label Syntax

- Confirm that no invalid characters are present in the directory path.

   - Ensure the system drive and volume labels are correctly formatted.

   **Review Event Logs & Connector Logs**

      - Open **Event Viewer** and check logs under **Applications and Services Logs > Microsoft > Windows > IntuneODJConnector**.

         - Look for specific errors related to account creation.

         **Validate Service Account Permissions**

            - Ensure the account running the connector has **Create/Delete Managed Service Account** permissions in Active Directory.

               - If necessary, temporarily assign **Domain Admin** rights to test.

               **Reinstall the Intune Connector**

                  - Uninstall and reinstall the **Intune Connector for Active Directory** to reset configurations.

If the issue persists, you might find additional insights in this Microsoft Q&A thread discussing similar problems. Let me know if you need help troubleshooting further!

Aaren Kanther 5 Reputation points

2025-04-16T05:50:00.96+00:00

Also have issues with installing the connector for a Client.

The client has decided to move the Managed Service Account OU - from the default location in the root of the tree.

Can this please be affirmed as a hard requirement.

The documentation around this new connector is absolute rubbish, compared to what Microsoft normally produce which is decent...

All items (including the Webview2 add-in I was prompted for today) and all pre-requisites need to be a lot more clearly defined, and how to check verify each one, accounted for.

Considering organisations are being asked to move off this in May -- this connector hardly seems ready to do that without disruptions immenient.

Will be raising a support ticket as well.

Accepted answer

1 additional answer

Your answer

Anonymous

2025-03-17T02:20:48.6566667+00:00

@Matt Dillon Thanks for posting in our Q&A.

For this issue, please check if the updated Intune Connector for Active Directory requirements are met.

https://learn.microsoft.com/en-us/autopilot/windows-autopilot-hybrid?tabs=intune-connector-requirements%2Cupdated-connector#requirements

Please make sure that you use the local administrator install the Intune Connector for Active Directory. In addition, I find that it needs Managed Service Accounts. Just a thinking, is there a Managed Service Account?
Anonymous

2025-03-19T05:17:59.38+00:00

Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back.
Eric Johnson 0 Reputation points

2025-03-19T20:09:48.7366667+00:00

I have this exact same issue. My account is a Domain Admin and Enterprise Admin for Active Directory and the M365 account I use when I click on the Sign In button is a Global Administrator with an Intune licensed assigned.
Eric Johnson 0 Reputation points

2025-03-25T20:17:20.97+00:00

@Matt Dillon have you found a fix to this issue?
Matt Dillon 437 Reputation points

2025-03-25T21:32:03.2733333+00:00

I will check in with my client next week. I don’t like this new process. The old process took like 5 min and always worked. The one time I set this up, it took like 8 tries.

no solution that I have found.
Bamber 0 Reputation points

2025-03-31T12:50:24.2933333+00:00

I can see this isn't just me...................

Any word from Microsoft. Followed the docs to the letter and this is still coming up.........
Bamber 0 Reputation points

2025-03-31T13:09:57.0633333+00:00

Also try Enterprise admin permission as I have more success configuring mine even though it's not documented.
Ryan Hicks 0 Reputation points

2025-04-01T13:25:33.05+00:00

I also have this issue. Did you get anywhere?
Nirmal Makadia 15 Reputation points

2025-04-02T23:17:44.7066667+00:00

We're facing exact same issue. We also had to recreate "Managed Service Accounts" container. Wonder if recreating has to do something with it.
Oz 5 Reputation points

2025-04-08T13:43:23.4966667+00:00

Same issue. Very frustrating. IMO, Microsoft needs to abandon this effort. In our test environment it doesn't work. In production I don't know how we are going to do it as we don't have an account with that level of on prem access + Intune admin. Goes against all MS security best practice :/
Matt Dillon 437 Reputation points

2025-04-09T16:19:00.83+00:00

Met with client today - they opened a ticket with MSFT - no response or answer yet. Today we validated internet access and all the other pre-req's.

We uninstalled a number of times and reinstalled with no change. I am feeling like the recreation of that managed service folder has something to do with it. The other thing we noticed is if we go on a browser on the server to https://manage.microsoft.com we get prompted for 2FA but we do not get prompted when trying to log in on the server.

Very frustrating.
Matt Dillon 437 Reputation points

2025-04-09T16:26:26.6433333+00:00

https://learn.microsoft.com/en-us/autopilot/known-issues

Known issues with the Intune Connector for AD version 6.2501.2000.5

Date added: April 8, 2025

The following issues are under active investigation:

Error MSA account <accountName> is not valid when signing in.

This error occurs when the connector successfully creates the MSA but fails to retrieve the data from the domain controller. Various issues can cause the error, including replication delays between domain controllers in single domain, or when the user account exists in a different domain to the connector machine.

Error Failed to create a managed service account - Element not found.

Error Cannot start service ODJConnectorSvc on computer '.'. ---> System.ComponentModel.Win32Exception: The service did not start due to a logon failure after the MSA is created.

This error occurs when the service can't run as the MSA. The service not being able to run as the MSA can be caused by various issues, including group or local policy restricting Log on as a service privileges.

Error System.DirectoryServices.DirectoryServicesCOMException (0x8007202F): A constraint violation occurred.
Matt Dillon 437 Reputation points

2025-04-09T16:29:16.12+00:00

Known issues with the Intune Connector for AD version 6.2501.2000.5

Date added: April 8, 2025

The following issues are under active investigation:

Error MSA account <accountName> is not valid when signing in.

This error occurs when the connector successfully creates the MSA but fails to retrieve the data from the domain controller. Various issues can cause the error, including replication delays between domain controllers in single domain, or when the user account exists in a different domain to the connector machine.

Error Failed to create a managed service account - Element not found.

Error Cannot start service ODJConnectorSvc on computer '.'. ---> System.ComponentModel.Win32Exception: The service did not start due to a logon failure after the MSA is created.

This error occurs when the service can't run as the MSA. The service not being able to run as the MSA can be caused by various issues, including group or local policy restricting Log on as a service privileges.

Error System.DirectoryServices.DirectoryServicesCOMException (0x8007202F): A constraint violation occurred.
Matt Dillon 437 Reputation points

2025-04-09T16:30:15.4933333+00:00

There is a known issue reported https://learn.microsoft.com/en-us/autopilot/known-issues
Oz 5 Reputation points

2025-04-09T16:51:51.4933333+00:00

Yea, I opened a case yesterday. The engineer mentioned that there were known issues and collected the log. This is in a test environment. Not sure what we're going to do in production where no accounts have on prem access to create MSA's and cloud Intune Admin....and our Identity team says 'that goes against our security processes and procedures'... I wish they would just keep the old tool until they simply dump hybrid join Autopilot support - it can't be very long since Microsoft stopped investing in it over a year ago..........
Nirmal Makadia 15 Reputation points

2025-04-10T00:48:11.9033333+00:00

Its something to do with "OtherWellKnownObjects" GUID mismatch. When you re-create the MSA container the "OtherWellKnownObjects" GUID is still pointing to the previously deleted MSA container.
Matt Dillon 437 Reputation points

2025-04-11T15:49:56.9666667+00:00

@Nirmal Makadia Good call. Did a quick Google Search and found this: https://learn.microsoft.com/en-us/exchange/troubleshoot/client-connectivity/exchange-security-update-issues#exchange-setup-or-preparead-error

Will have client try the recommended PowerShell script and try again.
Matt Dillon 437 Reputation points

2025-04-15T14:54:55.2566667+00:00

Entered your error in Copilot and got this:
This error typically occurs when setting up the Intune Connector for Active Directory, often due to issues with the Managed Service Account (MSA) or incorrect directory paths. Here are a few troubleshooting steps:

Possible Causes & Fixes

Verify the Managed Service Account (MSA) OU

Ensure the MSA Organizational Unit (OU) exists in Active Directory.

Check that the connector has the correct permissions to create accounts in this OU.

Check Directory & Volume Label Syntax
- Confirm that no invalid characters are present in the directory path. - Ensure the system drive and volume labels are correctly formatted. **Review Event Logs & Connector Logs** - Open **Event Viewer** and check logs under **Applications and Services Logs > Microsoft > Windows > IntuneODJConnector**. - Look for specific errors related to account creation. **Validate Service Account Permissions** - Ensure the account running the connector has **Create/Delete Managed Service Account** permissions in Active Directory. - If necessary, temporarily assign **Domain Admin** rights to test. **Reinstall the Intune Connector** - Uninstall and reinstall the **Intune Connector for Active Directory** to reset configurations.

If the issue persists, you might find additional insights in this Microsoft Q&A thread discussing similar problems. Let me know if you need help troubleshooting further!
Aaren Kanther 5 Reputation points

2025-04-16T05:50:00.96+00:00

Also have issues with installing the connector for a Client.

The client has decided to move the Managed Service Account OU - from the default location in the root of the tree.

Can this please be affirmed as a hard requirement.

The documentation around this new connector is absolute rubbish, compared to what Microsoft normally produce which is decent...

All items (including the Webview2 add-in I was prompted for today) and all pre-requisites need to be a lot more clearly defined, and how to check verify each one, accounted for.

Considering organisations are being asked to move off this in May -- this connector hardly seems ready to do that without disruptions immenient.

Will be raising a support ticket as well.

Answer 1

Hello together, I've had a customer with the same problem:

they deleted the "Managed Service Accounts" container from the ad and therefore were not able to install the intune connector.

Here's the way i got it working again:

(opt) Delete manually created "Managed Service Accounts"-Container (I've had a similar container created with powershell, in this case, delete it)
Connect to ADSI (Default Naming Context)
Under "Default naming context -> DC=<DomainName>,DC=<TLD> -> CN=System -> CN=DomainUpdates -> CN=Operations" Delete Container called "CN=5e1574f6-55df-493e-a671-aaeffca6a100"
Under "DC=<DomainName>,DC=<TLD> -> CN=System -> CN=DomainUpdates -> CN=ActiveDirectoryUpdate" edit Properties: revisions (set to 15/16), set to undefined / remove value
Mount Server OS ISO
Run ADprep.exe /domainprep (in my case: D:\support\adprep\adprep.exe /domainprep)

run the following PowerShell Script:

$DomainDN = (Get-ADDomain).distinguishedName
$TargetOWKOIDString = "1EB93889E40C45DF9F0C64D23BBB6237" # Identifier for wellknown SID. 
$TargetOWKOTemplate = "B:32:$TargetOWKOIDString`:{0}" # String.Format replacable string.
$TargetDN = "CN=Managed Service Accounts,$DomainDN"

$OtherWellKnownObjectsOG = (Get-ADObject -filter "objectClass -eq 'domainDns'" -Properties otherwellknownobjects).otherwellknownobjects
$TargetOWKOIndex = $OtherWellKnownObjectsOG.IndexOf( $OtherWellKnownObjectsOG.where({ $PSItem -like "*$TargetOWKOIDString*"})[0])

Set-ADObject -Identity $DomainDN -Add @{ 'otherwellknownobjects' = ($TargetOWKOTemplate -f "$TargetDN") } -Remove @{ 'otherwellknownobjects' = $OtherWellKnownObjectsOG[$TargetOWKOIndex] }

(Get-ADObject -filter "objectClass -eq 'domainDns'" -Properties otherwellknownobjects).otherwellknownobjects

creds for script: Vin

What does it all do:

Recreates the Managed Service Accounts Container, so that you can add the default guid to the otherwellknownobjects.

This way the default state for the Managed Service Accounts Container is recreated and you can successfully install the intune connector.

Answer 2

Vin 20

For anyone experiencing Error "Element not found" or

User's image

You will need to run the below in Powershell. This will update the Managed Services Account CN with the default GUID.

$DomainDN = (Get-ADDomain).distinguishedName
$TargetOWKOIDString = "1EB93889E40C45DF9F0C64D23BBB6237" # Identifier for wellknown SID. 
$TargetOWKOTemplate = "B:32:$TargetOWKOIDString`:{0}" # String.Format replacable string.
$TargetDN = "CN=Managed Service Accounts,$DomainDN"

$OtherWellKnownObjectsOG = (Get-ADObject -filter "objectClass -eq 'domainDns'" -Properties otherwellknownobjects).otherwellknownobjects
$TargetOWKOIndex = $OtherWellKnownObjectsOG.IndexOf( $OtherWellKnownObjectsOG.where({ $PSItem -like "*$TargetOWKOIDString*"})[0])

Set-ADObject -Identity $DomainDN -Add @{ 'otherwellknownobjects' = ($TargetOWKOTemplate -f "$TargetDN") } -Remove @{ 'otherwellknownobjects' = $OtherWellKnownObjectsOG[$TargetOWKOIndex] }

(Get-ADObject -filter "objectClass -eq 'domainDns'" -Properties otherwellknownobjects).otherwellknownobjects

After running the above:

Untitled

DePalma, Mark 1 Reputation point

2025-05-14T22:28:04.71+00:00

As soon as I read this I realized someone deleted the original container and recreated it as an OU. Upset I didn't realize this sooner, it was right in front of my face.
Matt Dillon 437 Reputation points

2025-06-09T15:55:28.61+00:00

Well on a new client, this worked 100% the first time. Web2View was missing so I installed the Evergreen Standalone Installer. After that the configuration worked fine. Note - if you have a custom OU that you want the hybrid Autopilot devices to go to, be sure to configure that XML in the directions BEFORE you run Configure Managed Service Account. If not, it will default to the Computers OU and not the custom OU. Simply rerun and it should add the correct permission.

My other client is having issues even getting Web2View configured. My issue is most likely an issue in the client's environment at this point.
DePalma, Mark 1 Reputation point

2025-06-09T15:58:15.68+00:00

Personally, I don't even bother using the XML. Was already doing perms manually before the new version. Just continued doing it with the MSA.
Matt Dillon 437 Reputation points

2025-06-19T13:22:44.3866667+00:00

Finally started working in the environment that had deleted the Managed Service Accounts container. Between installing the missing Web2View and then adding a missing folder and then running the above PS script to fix, it finally started working.

Share via

New Intune Connector for Active Directory Process Not Working

1 additional answer

Your answer