Azure AD Connect – Insufficient access rights to perform the operation

My colleague and I were doing a fresh Azure AD Connect deployment in our test lab. Everything was smooth until the second export to the on-premises AD failed with the error “Insufficient access rights to perform the operation”.
Details of the error as below:

We had granted “Replicate Directory Changes” and “Replicate Directory Changes All” to the service account before starting the deployment, but when we looked into the error we found that it was actually caused by the msDS-ConsistencyGuid attribute.

Azure AD Connect (version 1.1.524.0 and later) can use msDS-ConsistencyGuid as the sourceAnchor attribute, and that requires write permission on the msDS-ConsistencyGuid attribute in on-premises Active Directory. The two replication rights are read-side permissions (they are what password hash sync needs); exporting to AD needs write access, which they do not give.

So how can we delegate this specific permission? Run the PowerShell below:

$accountName = "domain\aadc.svc"      # AAD Connect AD DS connector (service) account
$ForestDN    = "DC=domain,DC=com"     # root of the domain to delegate on

# Grant Write Property (WP) on ms-ds-consistencyGuid to the account, inherited
# (/I:S) by the user objects below $ForestDN. dsacls is called directly instead
# of via Invoke-Expression; the braces stop PowerShell from reading
# "$accountName:" as a drive or scope qualifier.
dsacls $ForestDN /I:S /G "${accountName}:WP;ms-ds-consistencyGuid;user"

Remember to replace the values of accountName and ForestDN for your environment!
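The dsacls one-liner does not tell you whether the right actually landed. The following is an added example (not from the original post, and not Microsoft's script) that grants the same right through the ActiveDirectory module and then reads the ACL back to confirm it. It assumes the same placeholder values for the service account and domain DN as above; the function names are this example's own.

```powershell
# Added example: grant WP on mS-DS-ConsistencyGuid to the AAD Connect account,
# inherited by user objects, and verify the resulting ACE. Not the post's own code.
Import-Module ActiveDirectory

$accountName = "domain\aadc.svc"     # assumption: AAD Connect AD DS connector account
$ForestDN    = "DC=domain,DC=com"    # assumption: domain root to delegate on

$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Resolve the schemaIDGUID of a schema attribute or class by lDAPDisplayName.
# Attribute-scoped ACEs reference these GUIDs, not names.
function Get-SchemaIdGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $obj = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    return [guid]$obj.schemaIDGUID
}

$attrGuid = Get-SchemaIdGuid 'mS-DS-ConsistencyGuid'   # the attribute to be written
$userGuid = Get-SchemaIdGuid 'user'                    # inherited-object type (user class)

# Build the ACE equivalent to: dsacls <DN> /I:S /G "<account>:WP;ms-ds-consistencyGuid;user"
# Allow WriteProperty on that single attribute, inherited by descendant user objects only.
function New-ConsistencyGuidAce {
    param([string]$Account, [guid]$AttributeGuid, [guid]$InheritedClassGuid)
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
               [System.Security.Principal.SecurityIdentifier])
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $AttributeGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $InheritedClassGuid)
}

# Return $true if an ACE of that exact shape is present on the container's ACL.
function Test-ConsistencyGuidAce {
    param([string]$Path, [string]$Account, [guid]$AttributeGuid, [guid]$InheritedClassGuid)
    $acl = Get-Acl -Path $Path
    $hit = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $Account -and
        $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and
        $_.ObjectType -eq $AttributeGuid -and
        $_.InheritedObjectType -eq $InheritedClassGuid
    }
    return [bool]$hit
}

$path = "AD:\$ForestDN"
if (Test-ConsistencyGuidAce $path $accountName $attrGuid $userGuid) {
    "ACE already present on $ForestDN"
} else {
    $acl = Get-Acl -Path $path
    $acl.AddAccessRule((New-ConsistencyGuidAce $accountName $attrGuid $userGuid))
    Set-Acl -Path $path -AclObject $acl
    if (-not (Test-ConsistencyGuidAce $path $accountName $attrGuid $userGuid)) {
        throw "ACE was not written to $ForestDN"
    }
    "Granted WP on mS-DS-ConsistencyGuid for $accountName, inherited by user objects under $ForestDN"
}
```

Run it as a user who can modify the domain root ACL. Because the grant relies on inheritance, it never reaches user objects on which inheritance is blocked; accounts protected by AdminSDHolder (adminCount=1) are the usual case, and exports for those objects will keep failing with the same error until they are handled separately.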
Hope this helps!
