Azure AD Connect: Configure AD DS Connector account permissions - Microsoft Entra (2023)

The ADSyncConfig.psm1 PowerShell module, introduced in version 1.1.880.0 (released August 2018), includes a set of cmdlets that help you configure the correct Active Directory permissions for your Azure AD Connect deployment.

Overview

The following PowerShell cmdlets can be used to set the AD DS Connector account's Active Directory permissions for each feature you want to enable in Azure AD Connect. To prevent issues, prepare the Active Directory permissions in advance whenever you install Azure AD Connect with a custom domain account to connect to your forest. The ADSyncConfig module can also be used to configure permissions after Azure AD Connect is deployed.

When you install Azure AD Connect with Express settings, an auto-generated account (MSOL_nnnnnnnnnn) is created in Active Directory with all the necessary permissions, so there is no need to use the ADSyncConfig module unless you have locked down permissions on the OUs or specific Active Directory objects you want to synchronize with Azure AD.

Summary of permissions

The following table summarizes the permissions required on AD objects:

| Feature | Permissions |
| --- | --- |
| ms-DS-ConsistencyGuid feature | Read and write permissions to the ms-DS-ConsistencyGuid attribute, documented in Design concepts - using ms-DS-ConsistencyGuid as sourceAnchor. |
| Password hash synchronization | Replicate Directory Changes (also part of the basic read-only permissions); Replicate Directory Changes All |
| Exchange hybrid deployment | Read and write permissions to the attributes documented in Exchange hybrid writeback, for users, groups and contacts. |
| Exchange mail public folders | Read permissions to the attributes documented in Exchange mail public folders, for public folders. |
| Password writeback | Read and write permissions to the attributes documented in Getting started with password management, for users. |
| Device writeback | Read and write permissions to device objects and containers, documented in device writeback. |
| Group writeback | Read, create, update and delete group objects for synchronized Office 365 groups. |

Using the PowerShell ADSyncConfig module

The ADSyncConfig module requires Remote Server Administration Tools (RSAT) for AD DS because it relies on the AD DS PowerShell module and tools. To install RSAT for AD DS, open a Windows PowerShell window with "Run as Administrator" and execute:

Install-WindowsFeature RSAT-AD-Tools

Note

You can also copy the file C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\ADSyncConfig.psm1 to a domain controller where RSAT for AD DS is already installed and use the PowerShell module from there. Note that some cmdlets can only be run on the machine that hosts Azure AD Connect.

To start using ADSyncConfig, load the module in a Windows PowerShell window:

Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1"

To list all the cmdlets included in this module, type:

Get-Command -Module AdSyncConfig

Each cmdlet takes the same parameters to specify the AD DS Connector account and the AdminSDHolder switch. To specify the AD DS Connector account, you can give the account name and domain, or just the account's distinguished name (DN). For example:

Set-ADSyncPasswordHashSyncPermissions -ADConnectorAccountName <ADConnectorAccountName> -ADConnectorAccountDomain <ADConnectorAccountDomain>

Or

Set-ADSyncPasswordHashSyncPermissions -ADConnectorAccountDN <ADConnectorAccountDN>

Remember to replace <ADConnectorAccountName>, <ADConnectorAccountDomain> and <ADConnectorAccountDN> with the correct values for your environment.

If you also want to modify the permissions of the AdminSDHolder container, use the -IncludeAdminSdHolders switch. Note that this is not recommended.

By default, all cmdlets that set permissions attempt to set AD DS permissions on the root of every domain in the forest, which means that the user running the PowerShell session needs Domain Admin permissions in every domain of the forest. Because of this requirement, it is recommended that you use an Enterprise Admin from the forest root. If your Azure AD Connect deployment has multiple AD DS Connectors, you must run the same cmdlets in each forest that has an AD DS Connector.

Permissions can also be set on specific organizational units or AD DS objects with the -ADobjectDN parameter, followed by the distinguished name of the target object. When a target -ADobjectDN is given, the cmdlet sets permissions only on that object, not on the domain root or the AdminSDHolder container. This parameter is useful when some organizational units or AD DS objects have permission inheritance disabled (see Locate the AD DS objects that have permission inheritance disabled below).

The exceptions to these general parameters are the Set-ADSyncRestrictedPermissions cmdlet, which sets permissions on the AD DS Connector account object itself, and the Set-ADSyncPasswordHashSyncPermissions cmdlet: because the permissions required for password hash synchronization are set only on the domain root, this cmdlet has neither the -ADobjectDN nor the -IncludeAdminSdHolders parameter.

Identify your AD DS Connector account

If Azure AD Connect is already installed and you want to check which AD DS Connector account it is currently using, run:

Get-ADSyncADConnectorAccount

Locate the AD DS objects that have permission inheritance disabled

To check whether there are any AD DS objects with permission inheritance disabled, run:

Get-ADSyncObjectsWithInheritanceDisabled -SearchBase '<DistinguishedName>'

By default, this cmdlet searches only for OUs with inheritance disabled, but you can specify other AD DS object classes with the -ObjectClass parameter, or use '*' for all object classes, as follows:

Get-ADSyncObjectsWithInheritanceDisabled -SearchBase '<DistinguishedName>' -ObjectClass '*'

View the AD DS permissions of an object

To list the permissions currently set on an Active Directory object, pass its distinguished name to the following cmdlet:

Show-ADSyncADObjectPermissions -ADobjectDN '<DistinguishedName>'

Configure AD DS Connector account permissions

Configure basic read-only permissions

To set basic read-only permissions for the AD DS Connector account when you are not using any Azure AD Connect features, run:

Set-ADSyncBasicReadPermissions -ADConnectorAccountName <String> -ADConnectorAccountDomain <String> [-IncludeAdminSdHolders] [<CommonParameters>]

Or

Set-ADSyncBasicReadPermissions -ADConnectorAccountDN <String> [-ADobjectDN <String>] [<CommonParameters>]

This cmdlet sets the following permissions:

| Type | Name | Access | Applies to |
| --- | --- | --- | --- |
| Allow | AD DS Connector account | Read all properties | Descendant Device objects |
| Allow | AD DS Connector account | Read all properties | Descendant InetOrgPerson objects |
| Allow | AD DS Connector account | Read all properties | Descendant Computer objects |
| Allow | AD DS Connector account | Read all properties | Descendant ForeignSecurityPrincipal objects |
| Allow | AD DS Connector account | Read all properties | Descendant Group objects |
| Allow | AD DS Connector account | Read all properties | Descendant User objects |
| Allow | AD DS Connector account | Read all properties | Descendant Contact objects |
| Allow | AD DS Connector account | Replicating Directory Changes | This object only (domain root) |
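The workflow described above (identify the connector account, find OUs with inheritance disabled, apply the baseline permissions at the domain root and then directly on each blocked OU with -ADobjectDN), as an added example that is not part of the Microsoft page or the ADSyncConfig module. It must run on the Azure AD Connect server as an Enterprise Admin, and it assumes that Get-ADSyncADConnectorAccount returns objects with ADConnectorAccountName and ADConnectorAccountDomain properties and that Get-ADSyncObjectsWithInheritanceDisabled returns objects with a DistinguishedName property (both assumed, not confirmed by the page).

```powershell
# Added example: not code from the Microsoft page or the ADSyncConfig module.
# Requires RSAT for AD DS and the ADSyncConfig module shipped with Azure AD Connect.
Import-Module ActiveDirectory
Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1'

# 1. Identify which AD DS Connector account(s) the running deployment uses.
#    Assumption: the output exposes ADConnectorAccountName / ADConnectorAccountDomain.
$connectorAccounts = Get-ADSyncADConnectorAccount

foreach ($acct in $connectorAccounts) {
    $name   = $acct.ADConnectorAccountName
    $domain = $acct.ADConnectorAccountDomain
    Write-Host "Connector account: $domain\$name"

    # Resolve the account's DN so the same parameter set (-ADConnectorAccountDN)
    # can be used for both the domain-root call and the per-OU calls.
    $connectorDN = (Get-ADUser -Identity $name -Server $domain).DistinguishedName

    # 2. Baseline read permissions at the domain root (forest-wide by default).
    Set-ADSyncBasicReadPermissions -ADConnectorAccountDN $connectorDN

    # 3. OUs with inheritance disabled never receive the root ACEs, so apply
    #    the same permissions directly to each one using -ADobjectDN.
    #    Assumption: each returned object has a DistinguishedName property.
    $searchBase = (Get-ADDomain -Server $domain).DistinguishedName
    $blocked = Get-ADSyncObjectsWithInheritanceDisabled -SearchBase $searchBase

    foreach ($ou in $blocked) {
        $dn = $ou.DistinguishedName
        Write-Host "  Inheritance disabled on $dn - setting permissions directly"
        Set-ADSyncBasicReadPermissions -ADConnectorAccountDN $connectorDN -ADobjectDN $dn
    }
}
```

Repeat the per-OU loop with the feature cmdlets (for example Set-ADSyncPasswordWritebackPermissions) for each feature you enable, since those ACEs are blocked by disabled inheritance in exactly the same way.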

Configure ms-DS-ConsistencyGuid permissions

To set permissions for the AD DS Connector account when using the ms-DS-ConsistencyGuid attribute as the source anchor (also known as "Let Azure manage the source anchor for me"), run:

Set-ADSyncMsDsConsistencyGuidPermissions -ADConnectorAccountName <String> -ADConnectorAccountDomain <String> [-IncludeAdminSdHolders] [<CommonParameters>]

Or

Set-ADSyncMsDsConsistencyGuidPermissions -ADConnectorAccountDN <String> [-ADobjectDN <String>] [<CommonParameters>]

This cmdlet sets the following permissions:

| Type | Name | Access | Applies to |
| --- | --- | --- | --- |
| Allow | AD DS Connector account | Read/Write property (ms-DS-ConsistencyGuid) | Descendant User objects |

Password hash synchronization permissions

To set permissions for the AD DS Connector account when using password hash synchronization, run:

Set-ADSyncPasswordHashSyncPermissions -ADConnectorAccountName <String> -ADConnectorAccountDomain <String> [<CommonParameters>]

Or

Set-ADSyncPasswordHashSyncPermissions -ADConnectorAccountDN <String> [<CommonParameters>]

This cmdlet sets the following permissions:

| Type | Name | Access | Applies to |
| --- | --- | --- | --- |
| Allow | AD DS Connector account | Replicating Directory Changes | This object only (domain root) |
| Allow | AD DS Connector account | Replicating Directory Changes All | This object only (domain root) |
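The two replication rights in the table above are the ones that allow a principal to pull password hashes from the domain, so after running the cmdlet it is worth auditing which trustees hold them at the domain root. The following is an added example, not code from the Microsoft page: it reads the domain-root ACL with the ActiveDirectory module and flags any holder that is not in an expected list. The control-access-right GUIDs are the well-known values for the two rights; the Expected list is an assumption you should adjust to your environment (the AD DS Connector account itself will show as Unexpected unless you add it).

```powershell
# Added example: not code from the Microsoft page or the ADSyncConfig module.
Import-Module ActiveDirectory

# Well-known control-access-right GUIDs for the two rights granted by
# Set-ADSyncPasswordHashSyncPermissions at the domain root.
$replGetChanges    = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'  # Replicating Directory Changes
$replGetChangesAll = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'  # Replicating Directory Changes All

function Get-ReplicationRightHolders {
    param(
        [string]$DomainDN = (Get-ADDomain).DistinguishedName,
        # Assumed baseline of principals expected to hold these rights; adjust to
        # your forest and add the AD DS Connector account once it is configured.
        [string[]]$Expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                                'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS')
    )
    $acl = Get-Acl -Path "AD:\$DomainDN"
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
            ($_.ObjectType -eq $replGetChanges -or $_.ObjectType -eq $replGetChangesAll)
        } |
        ForEach-Object {
            [pscustomobject]@{
                Identity   = $_.IdentityReference.Value
                Right      = if ($_.ObjectType -eq $replGetChangesAll) { 'Replicating Directory Changes All' }
                             else { 'Replicating Directory Changes' }
                Unexpected = ($Expected -notcontains $_.IdentityReference.Value)
            }
        }
}

# Note: a trustee with Full Control / GenericAll on the domain root also has
# these rights but is not matched by the ObjectType filter; review those ACEs separately.
Get-ReplicationRightHolders | Sort-Object Unexpected -Descending | Format-Table -AutoSize
```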

Password writeback permissions

To set permissions for the AD DS Connector account when using password writeback, run:

Set-ADSyncPasswordWritebackPermissions -ADConnectorAccountName <String> -ADConnectorAccountDomain <String> [-IncludeAdminSdHolders] [<CommonParameters>]

Or

Set-ADSyncPasswordWritebackPermissions -ADConnectorAccountDN <String> [-ADobjectDN <String>] [<CommonParameters>]

This cmdlet sets the following permissions:

| Type | Name | Access | Applies to |
| --- | --- | --- | --- |
| Allow | AD DS Connector account | Reset Password | Descendant User objects |
| Allow | AD DS Connector account | Write property lockoutTime | Descendant User objects |
| Allow | AD DS Connector account | Write property pwdLastSet | Descendant User objects |

Group writeback permissions

To set permissions for the AD DS Connector account when using group writeback, run:

Set-ADSyncUnifiedGroupWritebackPermissions -ADConnectorAccountName <String> -ADConnectorAccountDomain <String> [-IncludeAdminSdHolders] [<CommonParameters>]

Or

Set-ADSyncUnifiedGroupWritebackPermissions -ADConnectorAccountDN <String> [-ADobjectDN <String>] [<CommonParameters>]

This cmdlet sets the following permissions:

| Type | Name | Access | Applies to |
| --- | --- | --- | --- |
| Allow | AD DS Connector account | Generic Read/Write | All attributes of object type group and its subobjects |
| Allow | AD DS Connector account | Create/Delete child objects | All attributes of object type group and its subobjects |
| Allow | AD DS Connector account | Delete/Delete tree objects | All attributes of object type group and its subobjects |

Exchange hybrid deployment permissions

To set permissions for the AD DS Connector account when using an Exchange hybrid deployment, run:

Set-ADSyncExchangeHybridPermissions -ADConnectorAccountName <String> -ADConnectorAccountDomain <String> [-IncludeAdminSdHolders] [<CommonParameters>]

Or

Set-ADSyncExchangeHybridPermissions -ADConnectorAccountDN <String> [-ADobjectDN <String>] [<CommonParameters>]

This cmdlet sets the following permissions:

| Type | Name | Access | Applies to |
| --- | --- | --- | --- |
| Allow | AD DS Connector account | Read/Write all properties | Descendant User objects |
| Allow | AD DS Connector account | Read/Write all properties | Descendant InetOrgPerson objects |
| Allow | AD DS Connector account | Read/Write all properties | Descendant Group objects |
| Allow | AD DS Connector account | Read/Write all properties | Descendant Contact objects |

Exchange mail public folder permissions

To set permissions for the AD DS Connector account when using the Exchange mail public folders feature, run:

Set-ADSyncExchangeMailPublicFolderPermissions -ADConnectorAccountName <String> -ADConnectorAccountDomain <String> [-IncludeAdminSdHolders] [<CommonParameters>]

Or

Set-ADSyncExchangeMailPublicFolderPermissions -ADConnectorAccountDN <String> [-ADobjectDN <String>] [<CommonParameters>]

This cmdlet sets the following permissions:

| Type | Name | Access | Applies to |
| --- | --- | --- | --- |
| Allow | AD DS Connector account | Read all properties | Descendant PublicFolder objects |

Restrict AD DS Connector account permissions

This cmdlet tightens the permissions on the AD DS Connector account object given as a parameter. The hardening consists of the following steps:

• Disable inheritance on the specified object.

• Remove all ACEs on the specified object, except ACEs specific to SELF, because the default permissions are kept intact where SELF is involved.

The -ADConnectorAccountDN parameter is the AD account whose permissions need to be tightened. Typically, this is the MSOL_nnnnnnnnnnnn domain account configured in the AD DS Connector (see Identify your AD DS Connector account). The -Credential parameter is required to specify an administrator account that has the necessary permissions to restrict Active Directory permissions on the target AD object (this account must be different from the one in ADConnectorAccountDN). This is usually an Enterprise or Domain Admin.

Set-ADSyncRestrictedPermissions [-ADConnectorAccountDN] <String> [-Credential] <PSCredential> [-DisableCredentialValidation] [-WhatIf] [-Confirm] [<CommonParameters>]

For example:

$credential = Get-Credential
Set-ADSyncRestrictedPermissions -ADConnectorAccountDN 'CN=ADConnectorAccount,OU=Users,DC=Contoso,DC=com' -Credential $credential

This cmdlet sets the following permissions:

| Type | Name | Access | Applies to |
| --- | --- | --- | --- |
| Allow | SYSTEM | Full Control | This object |
| Allow | Enterprise Admins | Full Control | This object |
| Allow | Domain Admins | Full Control | This object |
| Allow | Administrators | Full Control | This object |
| Allow | Enterprise Domain Controllers | List Contents | This object |
| Allow | Enterprise Domain Controllers | Read All Properties | This object |
| Allow | Enterprise Domain Controllers | Read Permissions | This object |
| Allow | Authenticated Users | List Contents | This object |
| Allow | Authenticated Users | Read All Properties | This object |
| Allow | Authenticated Users | Read Permissions | This object |
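Because the connector account holds replication rights, its own object ACL is a sensitive control point; after running Set-ADSyncRestrictedPermissions you can verify the result matches the table above. The following is an added example, not code from the Microsoft page: it checks with the ActiveDirectory module that inheritance is blocked on the account object and that every explicit ACE belongs to one of the identities in the table (plus SELF, which the cmdlet preserves). The allowed-identity list is an assumption derived from the table; the sample DN is the page's own example value.

```powershell
# Added example: not code from the Microsoft page or the ADSyncConfig module.
Import-Module ActiveDirectory

function Test-ADSyncAccountAclHardened {
    param(
        [Parameter(Mandatory)][string]$ADConnectorAccountDN
    )
    # Identities the table above says remain on the object, plus SELF,
    # whose ACEs the cmdlet intentionally keeps. Assumed from the table.
    $domainNetBios = (Get-ADDomain).NetBIOSName
    $forestNetBios = (Get-ADDomain -Identity (Get-ADForest).RootDomain).NetBIOSName
    $allowed = @(
        'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
        'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS', 'NT AUTHORITY\Authenticated Users',
        'NT AUTHORITY\SELF', "$domainNetBios\Domain Admins", "$forestNetBios\Enterprise Admins"
    )

    $acl = Get-Acl -Path "AD:\$ADConnectorAccountDN"
    $findings = @()

    # Step 1 of the hardening: inheritance must be disabled on the object.
    if (-not $acl.AreAccessRulesProtected) {
        $findings += 'Inheritance is still enabled on the account object'
    }

    # Step 2: no inherited ACEs should remain, and every explicit ACE must belong
    # to one of the expected identities.
    foreach ($ace in $acl.Access) {
        $who = $ace.IdentityReference.Value
        if ($ace.IsInherited) {
            $findings += "Inherited ACE still present for $who"
        } elseif ($allowed -notcontains $who) {
            $findings += "Unexpected ACE: $who has $($ace.ActiveDirectoryRights) ($($ace.AccessControlType))"
        }
    }

    [pscustomobject]@{
        Object   = $ADConnectorAccountDN
        Hardened = ($findings.Count -eq 0)
        Findings = $findings
    }
}

# Sample DN taken from the page's own example; replace with your connector account.
Test-ADSyncAccountAclHardened -ADConnectorAccountDN 'CN=ADConnectorAccount,OU=Users,DC=Contoso,DC=com' | Format-List
```

Run it again whenever the account's ACL is touched (for example after a delegation change) so that an ACE granting a new principal rights over the connector account is caught rather than silently inherited or added.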

Next steps

• Azure AD Connect: Accounts and permissions
• Express installation
• Custom installation
• ADSyncConfig reference
Article information

Author: Pres. Lawanda Wiegand

Last Updated: 17/02/2023
