![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(28.799999999999997, 83%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ED%3C/text%3E%3C/svg%3E)
Windows Server 2019
A Microsoft server operating system that supports enterprise-level management updated to data storage.
3,768 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(278.4, 57.00000000000001%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
Hello @DJX995 ,
The user account "RDV GRAPHICS SERVICE" is a local system account which is created when the RemoteFX feature was enabled on a Remote desktop Virtualization Host and it is made a member of the Users group on a normal server. You will get into this situation where AD connect is trying to sync this system account only when the Domain controller in your on-premise environment have Remote desktop virtualization host enabled and hence this account has moved to Active directory now. It is a system account and if you are not using any application which leverage RemoteFX hosted on this server 2019 , I don't think you need this. Generally it is recommended to enable the RD Virtualization host feature on a server which is not a domain controller. However it seems the server had this enabled and then it was promoted to a domain controller due to which this scenario could occur.
I don't think it matters if you are running server 2019 because the important thing to check will be if you have any apps hosted on the Remote Desktop Virtualization leveraging RemoteFX on this server . If you have such apps then I would suggest to check with the maintainer of the applications and move it to a separate domain server rather than have this on a domain controller. Also if you are looking for an exact reason then more troubleshooting would need to be done and the ACLs on this object within the Active directory database will need to be checked to find out if the sync engine service account have read permissions on it or not .
There is no reason for this account to be used in the Azure Active directory for any purpose as far as I know hence syncing this to the cloud is not needed unless there is any extreme corner case scenario for this. I would suggest you to go with container filtering in the AD connect setup to exclude this account as this would generally be in the Built-in or Users container. It can be at other places as well if it has been manually moved . I do not have this setup in my lab so I cannot test this exactly and confirm the location but you should be able to check .
Hope this clarifies the query and provides a valid solution. If the information in this post is helpful , please do accept the post as answer so that its helpful for other members of the community searching for similar issues. In case you have any further query on this, please feel free to let us know and we will be happy to help .
Thank you.
