Azure AD Connect can configure a lot of the requirements it needs automatically. One of the things it can configure for you is the AD Connector account, the account that is used to read and write into Active Directory. However, Azure AD Connect also provides PowerShell cmdlets to configure and secure AD Connector accounts of an admin’s own choice.
Today, I’m sharing a story about how the Microsoft-recommended way to provision AD Connector accounts is flawed. This story has its origin in a swing migration.
The situation
You are implementing Azure AD Connect, but you do not want an MSOL_* user account created by the Azure Active Directory Connect Configuration Wizard in the Users container of your Active Directory environment.
Instead, after installing Azure AD Connect, you close the wizard to use the cmdlets in the ADSyncConfig PowerShell module to create a user account, provide the appropriate permissions and secure the account for its use as Azure AD Connect’s AD Connector account. For the latter two steps, you use the following lines of Windows PowerShell:
# Distinguished name of the pre-created AD Connector account (instead of an MSOL_* account)
$useraccount = 'CN=AD Connector account,CN=users,DC=domain,DC=tld'
# Load the ADSyncConfig module that ships with Azure AD Connect
Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1'
# Delegate the permissions that each feature needs to the AD Connector account
Set-ADSyncBasicReadPermissions -ADConnectorAccountDN $useraccount
Set-ADSyncExchangeHybridPermissions -ADConnectorAccountDN $useraccount
Set-ADSyncMsDsConsistencyGuidPermissions -ADConnectorAccountDN $useraccount
Set-ADSyncPasswordHashSyncPermissions -ADConnectorAccountDN $useraccount
Set-ADSyncPasswordWritebackPermissions -ADConnectorAccountDN $useraccount
# Lock down the account object itself (may prompt for Domain Admin credentials)
Set-ADSyncRestrictedPermissions -ADConnectorAccountDN $useraccount
Note:
You might also experience this behavior when you configure permissions for the AD Connector account manually.
When you continue the Azure Active Directory Connect Configuration Wizard, you select the Password Writeback feature on the Additional features page.
The issue
In the Application log of the Azure AD Connect server, you start seeing events with EventID 33007 and EventID 33008:
The error messages are:
Error hr=8023061A
The password given does not specify the user’s current password.
Error hr=80230619
A restriction prevents the password from being changed to the current one specified.
People in your organization also notice that self-service password reset in Azure AD does not work for them, even though all settings in Azure AD and Azure AD Connect are configured correctly.
The cause
Azure AD Connect’s Set-ADSyncPasswordWritebackPermissions cmdlet does not provide the Change Password permission to the AD Connector account.
Note:
This behavior was observed with version 2.1.16.0 of Azure AD Connect.
Note:
The cmdlet does provide the Unexpire Password permission to the AD Connector account. This permission was added to the permission set as of Azure AD Connect version 2.1.15.0.
The solution
The solution is to add the Change Password permission at the root of all Active Directory domains in the Active Directory forest to Azure AD Connect’s AD Connector account(s). Perform these steps:
- Open Active Directory Users and Computers (dsa.msc) as a member of the Domain Admins group of the Active Directory domain.
- In the View menu, enable Advanced Features.
- In the left navigation menu, right-click the domain name. Select Properties from the context menu. The domain’s Properties pop-up window appears.
- In the domain’s Properties window, navigate to the Security tab.
- Click Advanced.
- Double-click the existing permission for Reset Password for the AD Connector account. The Permission Entry for ADConnectorAccount window appears.
- Select the Change Password permission too.
- Click OK three times.
- Close Active Directory Users and Computers.
Note:
When you revisit the Permission Entry window, the newly added permission shows up as a separate entry rather than as part of the existing one.
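As an added example that is not part of the original post, the same check and delegation done in PowerShell instead of dsa.msc. It assumes the ActiveDirectory RSAT module, Domain Admin rights in the target domain, and the same AD Connector account DN as above; run it once per domain in the forest.

```powershell
# Added example: verify and grant the Change Password extended right for the
# AD Connector account at the domain root (descendant user objects), matching
# the inheritance of the Reset Password entry the cmdlet already created.
Import-Module ActiveDirectory

$connectorAccountDn = 'CN=AD Connector account,CN=Users,DC=domain,DC=tld'   # assumption: adjust to your account
$domain             = Get-ADDomain
$domainRootPath     = "AD:\$($domain.DistinguishedName)"

# Well-known GUIDs, identical in every AD forest
$changePasswordGuid = [Guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'   # Change Password extended right
$resetPasswordGuid  = [Guid]'00299570-246d-11d0-a768-00aa006e0529'   # Reset Password extended right
$userClassGuid      = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # 'user' object class

$sid = (Get-ADUser -Identity $connectorAccountDn).SID
$acl = Get-Acl -Path $domainRootPath

# Collect the extended-right ACEs that belong to the AD Connector account
$existing = $acl.Access | Where-Object {
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
}
$hasReset  = [bool]($existing | Where-Object ObjectType -eq $resetPasswordGuid)
$hasChange = [bool]($existing | Where-Object ObjectType -eq $changePasswordGuid)
Write-Host "Reset Password: $hasReset  Change Password: $hasChange"

if (-not $hasChange) {
    # Allow ACE for the Change Password right, inherited by descendant user objects only
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $changePasswordGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClassGuid)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $domainRootPath -AclObject $acl
    Write-Host "Change Password right granted to $connectorAccountDn on $($domain.DistinguishedName)"
}
```

Re-run the script afterwards: both rights should report True, and the events 33007/33008 should stop for new password-writeback requests.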
Concluding
The Set-ADSyncPasswordWritebackPermissions PowerShell cmdlet may not delegate the Active Directory Change Password permission, so check for it and add it manually at the root of each Active Directory domain in the forest.