Support-Info: (AADCONNECT): Azure AD Connect Sync Security Groups

FOCUSED PRODUCT

• Azure AD Connect 1.1.443.0

 

Hello. The purpose of this blog, is to discuss the Security Groups that are installed when installing Azure AD Connect.  If you have been using versions of the Synchronization Service engine for a while, you may already be familiar with these Security Groups.

These four(4) Security Groups are installed by default when executing the installation of Azure AD Connect. If you utilize the Express Settings, these will be installed locally on the Azure AD Connect Server. You will find them in Local Users and Groups.

 

Group Name	Description
ADSyncAdmins	Members of this group have Full Access to do anything in the Azure AD Connect Sync Service Manager. User running the Installation Wizard is normally added to this group
ADSyncBrowse	Members of this group have permission to gather information about a user's lineage when resetting passwords by using WMI
ADSyncOperators	Members of this group have access to the operations of the Azure AD Connect Sync Service Manager. Things like: Execution of Management Agents View of Synchronization Statistics for each run Ability to save the Run History (Operations Tab) to a file Members of this group, must be a member of the ADSyncBrowse Group.
ADSyncPasswordSet	Must be a member of ADSyncBrowse Members of this group have permission to perform all operations by using the password management interface with WMI

 

It is possible to make these Domain groups. A custom install will need to occur, and then select "Specify Custom Sync Groups". The Security Groups must be created in the directory prior to executing the installation.  In the "Specify Custom Sync Groups" section, specify the groups by Domain\Group Name.

If the Security Groups are not specified ahead of time, an error will be received in the installation Wizard.

 

ERROR MESSAGE

Unable to install the Synchronization Service. Please see the event log for details.

Review the Application Event Log and notice the specific group that the install wizard was not able to locate. In this test scenario, it was Domain\ADSyncOperators.

APPLICATON EVENT LOG

Log Name:     ApplicationSource:       AzureActiveDirectorySyncEngineDate:         3/21/2017 1:48:09 PMEvent ID:     906Task Category: NoneLevel:         ErrorKeywords:     ClassicUser:         N/ADescription:Group 'DOMAIN\ADSyncOperators' was not found.

 

ADDITIONAL RESOURCES

• Forefront Identity Manager 2010 R2: Using Security Groups: https://technet.microsoft.com/en-us/library/jj590183(v=ws.10).aspx
• Azure AD Connect Sync: Accounts and Permissions: /en-us/azure/active-directory/connect/active-directory-aadconnect-accounts-permissions