Azure AD Connect – Insufficient access rights to perform the operation


My colleague and I were doing a fresh AAD Connect deployment in our test lab. Everything went smoothly until the second export to on-premises AD failed with the error “Insufficient access rights to perform the operation”.
Details of the error were as below:

We had granted “Replicate Directory Changes” and “Replicate Directory Changes All” to the service account before starting the deployment, but those are read (replication) rights used for password hash synchronization and do not grant any write access. Looking into the error, we found it was actually caused by msDS-ConsistencyGuid.

Azure AD Connect (version 1.1.524.0 and later) can use msDS-ConsistencyGuid as the sourceAnchor attribute. When this option is selected, the connector writes the object's objectGUID into msDS-ConsistencyGuid on export, so the AD DS connector account needs write permission on the msDS-ConsistencyGuid attribute in on-premises Active Directory.

So how can we delegate this specific permission? Run the PowerShell below:

# AD DS connector (service) account used by AAD Connect, and the domain root to delegate from
$accountName = "domain\aadc.svc"
$ForestDN = "DC=domain,DC=com"
# Grant WriteProperty (WP) on ms-DS-ConsistencyGuid; /I:S makes the ACE inherit to sub-objects only,
# and the trailing "user" limits it to user objects
$cmd = "dsacls '$ForestDN' /I:S /G '`"$accountName`":WP;ms-ds-consistencyGuid;user'"
Invoke-Expression $cmd

Remember to replace the values of accountName and ForestDN for your environment!
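The dsacls command above only writes an inheritable ACE on the domain root, so it is worth confirming that the connector account actually ends up with the right on the objects that matter. The script below is an added example and not code from the original post or from Azure AD Connect: it resolves the schema GUIDs for the attribute and the user class, checks the domain root for the inheritable ACE, and then lists user objects that block inheritance (adminCount=1, i.e. protected by AdminSDHolder) and therefore never receive it. It assumes the RSAT ActiveDirectory module is installed; $accountName and $ForestDN are the same placeholders as in the post.

```powershell
# Added example (not from the original post): verify the msDS-ConsistencyGuid
# delegation for the AAD Connect AD DS connector account.
# Assumes the RSAT ActiveDirectory module; account and DN values are placeholders.
Import-Module ActiveDirectory

$accountName = "domain\aadc.svc"     # placeholder: AD DS connector account
$ForestDN    = "DC=domain,DC=com"    # placeholder: domain root used in dsacls

# Object-specific ACEs reference schema GUIDs, not names, so resolve both GUIDs.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]::new([byte[]]$obj.schemaIDGUID)
}
$attrGuid = Get-SchemaGuid 'mS-DS-ConsistencyGuid'
$userGuid = Get-SchemaGuid 'user'

# Returns $true when an Allow ACE on the object grants $accountName WriteProperty
# on ms-DS-ConsistencyGuid (or on all properties), scoped to user objects or to all.
function Test-ConsistencyGuidWrite([string]$DistinguishedName) {
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $match = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -ieq $accountName -and
        $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and
        ($_.ObjectType -in @($attrGuid, [guid]::Empty)) -and
        ($_.InheritedObjectType -in @($userGuid, [guid]::Empty))
    }
    return [bool]$match
}

# 1. The inheritable ACE that dsacls /I:S wrote on the domain root.
"Inheritable ACE present on ${ForestDN}: $(Test-ConsistencyGuidWrite $ForestDN)"

# 2. AdminSDHolder-protected accounts have inheritance disabled, so the inherited
#    ACE never reaches them; each one listed here still needs an explicit grant.
Get-ADUser -LDAPFilter '(adminCount=1)' -SearchBase $ForestDN |
    Where-Object { -not (Test-ConsistencyGuidWrite $_.DistinguishedName) } |
    ForEach-Object { "No msDS-ConsistencyGuid write access on: $($_.DistinguishedName)" }
```

Run it as a user who can read the security descriptors (any domain user can read the DACL of the domain root by default). If the first line reports False, the dsacls step did not apply; if the second part lists accounts, those are the objects that will keep failing export even though the delegation looks correct at the root.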
Hope this helps!
