DirSync Accounts
During our recent experience with DirSync (with Hybrid mode unchecked), we came across three accounts.
This article discusses the permissions each of these accounts operates with and how to restore them if they go missing or become corrupted for some reason.
Please feel free to add/correct as you feel appropriate.
A) DirSync Admin
This account was created as an Office 365 global administrator and was then used during DirSync configuration.
The account gives DirSync the permissions it needs to connect to Azure AD and synchronize on-premises AD objects to Azure AD.
'What-if' Deleted -
- Stop the synchronization services.
- Recreate this account in Office 365.
- Open the DirSync configuration wizard and set the new account name and password.
- Restart the synchronization services.
'What-if' Password gets messed up -
- Stop the synchronization services.
- Change the account password in Office 365.
- Open the DirSync configuration wizard and set the new password.
- Restart the synchronization services.
B) AAD_XXXXXXXXXXXX
This account exists as a local user on the DirSync server.
It is the Log On As account for the two Windows services on the DirSync server: Forefront Identity Manager Synchronization Service and Windows Azure Active Directory Sync Service.
It is also a member of the local group FIMSyncAdmins on the DirSync server.
'What-if' Deleted -
- Stop the synchronization services.
- Recreate this account locally on the DirSync server.
- Set the Log On As credentials of the two services to the newly created account and its password.
- Make it a member of the local FIMSyncAdmins group.
- Restart the synchronization services.
'What-if' Password gets messed up -
- Stop the synchronization services.
- Change the account password locally on the DirSync server.
- Change the Log On As password for the two services.
- Restart the synchronization services.
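The steps for recreating the AAD_ account and repointing the two services, as an added PowerShell example (not from the original article); it assumes it runs elevated on the DirSync server, that the account name placeholder is replaced with the real AAD_ name shown on the services' Log On tab, and that the local group is named FIMSyncAdmins as described above.

```powershell
# Added example: recreate the AAD_ local service account and reconfigure the two
# DirSync services to run under it. $AccountName is a placeholder (assumption).
$AccountName = 'AAD_XXXXXXXXXXXX'
$ServiceDisplayNames = @(
    'Forefront Identity Manager Synchronization Service',
    'Windows Azure Active Directory Sync Service'
)
$Password = Read-Host -AsSecureString -Prompt "New password for $AccountName"
$Plain = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
    [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password))

# Resolve the services by display name (the names used in the article) and stop them first.
$services = foreach ($name in $ServiceDisplayNames) {
    Get-WmiObject Win32_Service -Filter "DisplayName='$name'"
}
$services | ForEach-Object { Stop-Service -Name $_.Name -Force }

# Recreate the local account via ADSI (works on older servers without the LocalAccounts module).
$computer = [ADSI]"WinNT://$env:COMPUTERNAME"
$existing = $computer.Children | Where-Object { $_.SchemaClassName -eq 'user' -and $_.Name -eq $AccountName }
if (-not $existing) {
    $user = $computer.Create('user', $AccountName)
    $user.SetPassword($Plain)
    $user.SetInfo()
    # Service account hygiene: password never expires, user cannot change it.
    $flags = $user.UserFlags.Value -bor 0x10000 -bor 0x40   # DONT_EXPIRE_PASSWD | PASSWD_CANT_CHANGE
    $user.Put('UserFlags', $flags)
    $user.SetInfo()
}

# Ensure membership of the local FIMSyncAdmins group.
$group = [ADSI]"WinNT://$env:COMPUTERNAME/FIMSyncAdmins,group"
$memberPath = "WinNT://$env:COMPUTERNAME/$AccountName,user"
if (-not $group.IsMember($memberPath)) { $group.Add($memberPath) }

# Update each service's Log On As account and password. Win32_Service.Change positional
# arguments: DisplayName, PathName, ServiceType, ErrorControl, StartMode, DesktopInteract,
# StartName, StartPassword (remaining arguments omitted).
foreach ($svc in $services) {
    $r = $svc.Change($null, $null, $null, $null, $null, $null, ".\$AccountName", $Plain)
    if ($r.ReturnValue -ne 0) { throw "Could not update logon for $($svc.DisplayName): code $($r.ReturnValue)" }
}
$services | ForEach-Object { Start-Service -Name $_.Name }

# Verify the result: both services should report the new StartName and State 'Running'.
foreach ($svc in $services) {
    Get-WmiObject Win32_Service -Filter "Name='$($svc.Name)'" | Select-Object DisplayName, StartName, State
}
```

If a service fails to start with a logon failure afterwards, confirm the account holds the "Log on as a service" user right (Local Security Policy); the Services console grants it when you change the account there, but setting it through WMI may not.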
C) MSOL_XXXXXXXXXXXX
An Active Directory account created during DirSync installation; it is a member of the Domain Users group.
'What-if' Deleted -
- Stop the synchronization services.
- Recreate this account in Active Directory as a domain user.
- Change the account password in FIM Synchronization Service Management --> Management Agent --> Active Directory Connector.
- Grant the account directory replication rights on all domains.
- Restart the synchronization services.
'What-if' Password gets messed up -
- Stop the synchronization services.
- Change the account password in FIM Synchronization Service Management --> Management Agent --> Active Directory Connector.
- Restart the synchronization services.
Are there any alternative ways to recreate and reconfigure the AAD_ and MSOL_ accounts as fresh accounts?