Azure AD Connect – Insufficient access rights to perform the operation

My colleague and I were doing a fresh AAD Connect deployment in our test lab. Everything went smoothly until the second export to on-premises AD failed with the error “Insufficient access rights to perform the operation”.
Details of the error are shown below:

We had enabled “Replicate Directory Changes” and “Replicate Directory Changes All” before we started the deployment, but when we looked into the error we found that it was actually caused by msDS-ConsistencyGuid.

Azure AD Connect (version 1.1.524.0 and later) now supports using msDS-ConsistencyGuid as the sourceAnchor attribute, which requires write permission to the msDS-ConsistencyGuid attribute in on-premises Active Directory.

So how can we delegate this specific permission? Run the PowerShell below:

# Connector (service) account that needs the permission, and the root of the forest
$accountName = "domain\aadc.svc"
$ForestDN = "DC=domain,DC=com"
# Grant (/G) Write Property (WP) on ms-ds-consistencyGuid to the account, scoped to
# user objects and inherited by sub-objects only (/I:S), starting at the forest root
$cmd = "dsacls '$ForestDN' /I:S /G '`"$accountName`":WP;ms-ds-consistencyGuid;user'"
Invoke-Expression $cmd

Remember to replace the values of accountName and ForestDN for your environment!
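As an added example (not from the original post), here is a PowerShell check that confirms the delegation landed as intended: it looks up the schema GUIDs for msDS-ConsistencyGuid and the user class, reads the forest root DACL, and reports whether the connector account holds the matching WriteProperty ACE. It assumes the RSAT ActiveDirectory module is available and uses the same placeholder account and DN as above.

```powershell
# Added example, not part of the original post. Verifies that the AAD Connect
# connector account holds WriteProperty on msDS-ConsistencyGuid for user objects
# under the forest root, i.e. exactly what the dsacls command is meant to grant.
# Requires the RSAT ActiveDirectory module; account and DN are placeholders.
Import-Module ActiveDirectory

function Test-ConsistencyGuidDelegation {
    param(
        [Parameter(Mandatory)][string]$AccountName,   # e.g. "domain\aadc.svc"
        [Parameter(Mandatory)][string]$SearchBase     # e.g. "DC=domain,DC=com"
    )

    # Resolve the schemaIDGUIDs from the schema partition instead of hard-coding them.
    $schemaNC  = (Get-ADRootDSE).schemaNamingContext
    $attrGuid  = [guid](Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=msDS-ConsistencyGuid)" -Properties schemaIDGUID).schemaIDGUID
    $classGuid = [guid](Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=user)" -Properties schemaIDGUID).schemaIDGUID

    # Read the DACL of the forest root through the AD: PSDrive.
    $acl = Get-Acl -Path "AD:\$SearchBase"

    # An ACE satisfies the requirement if it is an Allow for this principal that
    # includes WriteProperty, targets msDS-ConsistencyGuid (or all properties, an
    # empty GUID) and applies to user objects (or all classes, an empty GUID).
    $aces = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $AccountName -and
        (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -ne 0) -and
        ($_.ObjectType -eq $attrGuid -or $_.ObjectType -eq [guid]::Empty) -and
        ($_.InheritedObjectType -eq $classGuid -or $_.InheritedObjectType -eq [guid]::Empty)
    }

    [pscustomobject]@{
        Account      = $AccountName
        Delegated    = [bool]$aces
        MatchingACEs = $aces
    }
}

Test-ConsistencyGuidDelegation -AccountName "domain\aadc.svc" -SearchBase "DC=domain,DC=com"
```

Inspect MatchingACEs as well as Delegated: an ACE that matches only because ObjectType is empty means the account has write access to far more than this one attribute, which is broader than the delegation the post intends.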
Hope this helps!
