Azure AD Connect Provisioning Agent cannot move user between OU in AD - INSUFF_ACCESS_RIGHTS

Michal Ziemba 256 Reputation points
2022-01-11T19:45:54.73+00:00

Hi
Based on the article https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/plan-cloud-hr-provision#configure-active-directory-ou-container-assignment
I tried to manipulate the parentDistinguishedName based on the country. Apparently when trying to provision the existing user it cannot update the parentDistinguishedName and throws an error:

Error code
SystemForCrossDomainIdentityManagementBulkOperationResponseError

Error message
{"Exceptions":[{"SerializedExceptionString":"{\"ClassName\":\"Microsoft.ActiveDirectory.SynchronizationAgent.Contract.SerializableDirectoryOperationException\",\"Message\":\"The user has insufficient access rights.\",\"Data\":null,\"InnerException\":null,\"HelpURL\":null,\"StackTraceString\":null,\"RemoteStackTraceString\":null,\"RemoteStackIndex\":0,\"ExceptionMethod\":null,\"HResult\":-2146233088,\"Source\":null,\"WatsonBuckets\":null,\"ResponseResultCode\":\"InsufficientAccessRights\",\"ResponseErrorMessage\":\"00000005: SecErr: DSID-0315274B, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0\",\"SerializedException\":\"Details:\r\nType: System.DirectoryServices.Protocols.DirectoryOperationException\r\nThe user has insufficient access rights.\r\nStack trace:\r\n\r\nServer stack trace: [...]

I have checked Event logs on the local AD DC server where I have Azure AD Connect Provisioning Agent installed and there are no errors.
I noticed that the Azure AD Connect Provisioning Agent runs under the provAgentgMSA$ service account. So I granted this account full access to the Organizational Unit (OU) I operate within, but this didn't help.

Can you tell what user and what rights I need to adjust to get it to work?
/Michal


2 answers

  1. Marilee Turscak-MSFT 36,811 Reputation points Microsoft Employee
    2022-01-11T21:56:45.767+00:00

    Hi anonymous user,

    It should work if you add the account to the Domain Admins group, but if you don't want to apply permission that high, I would also check the following:

    Make sure that the user has inheritance enabled

    Ensure that the service account is added into the Administrators Group in Active Directory

    Make sure that the AD DS account used to synchronize is granted write permission to the ms-DS-ConsistencyGuid attribute

    Confirm that you have met the prerequisites in this thread.

    Let me know if any of these steps resolve the issue.


  2. Limitless Technology 39,586 Reputation points
    2022-01-12T20:03:09.09+00:00

    Hello anonymous user

    Please check the next forum post regarding the inheritance of permissions: https://learn.microsoft.com/en-us/answers/questions/658246/successfactor-to-ad-provisionig-not-working-for-so.html

    Hope this helps with your query,

    -------
    --If the reply is helpful, please Upvote and Accept as answer--
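
A least-privilege alternative to putting the agent's gMSA in Domain Admins, written here as an added example; it is not code from the thread, from the provisioning agent, or from the linked article. It delegates the rights an OU move actually consumes (Create Child and Delete Child for the user class on the OUs, plus Write Property on the RDN attributes cn and name), the read/write-property right the first answer asks for (covering ms-DS-ConsistencyGuid), and ends with the inheritance check the second answer points to. Assumptions: the gMSA is provAgentgMSA$ as in the question, the country OU and user DNs are placeholders, the host has the ActiveDirectory PowerShell module, and class/attribute GUIDs are read from the schema at run time rather than hard-coded.

```powershell
# Added example, not code from the thread. Placeholders: gMSA name as in the
# question; the OU and user DNs below are illustrative and must be replaced.
Import-Module ActiveDirectory

$agentSamAccountName = 'provAgentgMSA$'
$countryOus = @(
    'OU=PL,OU=Employees,DC=corp,DC=example',   # assumed source/target OUs
    'OU=DE,OU=Employees,DC=corp,DC=example'
)

# Resolve schema GUIDs from the directory instead of hard-coding them.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaIdGuid {
    param([string]$LdapDisplayName)
    $obj = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    return [guid]$obj.schemaIDGUID
}
$userClassGuid = Get-SchemaIdGuid -LdapDisplayName 'user'
$cnAttrGuid    = Get-SchemaIdGuid -LdapDisplayName 'cn'
$nameAttrGuid  = Get-SchemaIdGuid -LdapDisplayName 'name'

$agentSid    = (Get-ADServiceAccount -Identity $agentSamAccountName).SID
$Allow       = [System.Security.AccessControl.AccessControlType]::Allow
$InheritAll  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$InheritDesc = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

function Grant-ProvisioningAgentOuRights {
    param([string]$OuDn)
    $acl = Get-Acl -Path "AD:\$OuDn"

    # A move is a modify-DN: the agent needs Create Child (user) on the destination
    # OU and Delete Child (user) on the source OU. Granting both on every country OU
    # lets it move in either direction; 'All' also covers nested OUs.
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $agentSid, [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
        $Allow, $userClassGuid, $InheritAll))

    # The move rewrites the RDN, so Write Property on cn and name of the user
    # objects beneath the OU is required as well.
    foreach ($attrGuid in @($cnAttrGuid, $nameAttrGuid)) {
        $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
            $agentSid, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
            $Allow, $attrGuid, $InheritDesc, $userClassGuid))
    }

    # Attribute updates from the HR mapping (ms-DS-ConsistencyGuid included).
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $agentSid, [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
        $Allow, $InheritDesc, $userClassGuid))

    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

# Diagnostic: OU-level ACEs never reach a user whose ACL is protected from
# inheritance (typically adminCount=1 accounts that AdminSDHolder re-stamps).
# That is one way "full control on the OU" can still end in INSUFF_ACCESS_RIGHTS.
function Test-ProvisioningAgentAccess {
    param([string]$UserDn)
    $user = Get-ADUser -Identity $UserDn -Properties adminCount
    $acl  = Get-Acl -Path "AD:\$UserDn"
    $agentAces = @($acl.Access | Where-Object { $_.IdentityReference -like "*\$agentSamAccountName" })
    [pscustomobject]@{
        User               = $UserDn
        AdminCount         = $user.adminCount
        InheritanceBlocked = $acl.AreAccessRulesProtected
        AgentAceCount      = $agentAces.Count
        AgentRights        = ($agentAces | ForEach-Object { $_.ActiveDirectoryRights }) -join '; '
    }
}

foreach ($ou in $countryOus) { Grant-ProvisioningAgentOuRights -OuDn $ou }
# Assumed user DN for the check; a user with InheritanceBlocked = True and
# AgentAceCount = 0 will fail the move no matter what the OU ACL says.
Test-ProvisioningAgentAccess -UserDn 'CN=Jane Doe,OU=PL,OU=Employees,DC=corp,DC=example'
```

Run it from an account that holds Write DACL on the OUs (it only changes OU ACLs, not group membership). If the diagnostic reports InheritanceBlocked for the affected user, either re-enable inheritance on that object or move the account out of the protected-group scope that AdminSDHolder applies to; granting more rights on the OU will not change the result.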

