Once you have done a specific task a couple of times, you start to wonder how it can be made easier and faster. This happened to me when I was setting up the required permissions for a service account for AADSync in Active Directory. With AADSync, you have a couple of optional features that you can enable during the installation wizard. Most of those features require specific permissions for the account used to connect to the on-premises Active Directory. The features that require specific permissions are the following:

  • Password Synchronization
  • Password Write-Back
  • Exchange Hybrid Deployment

Over on TechNet, there’s some really good documentation of what the required permissions and attributes are in detail, and if you would like to dig deeper into those, have a look here.

Download the script

I’ve made the script available on TechNet Gallery.

Using the script

Since this script is created to support the three optional features that you can enable in AADSync, I’ll go through all of them with example commands showing how to execute the script to get the best results. Before we do that, I first want to give you a hint of what the script does. There are two different parameter sets, which can be used in the following manner:

Set-AADSyncPermissions [-Feature <string>] [-IdentityName <string>] [-Inheritance <string>]
Set-AADSyncPermissions [-Feature <string>] [-IdentityName <string>] [-Inheritance <string>] [-ObjectType <string>]

The first way of using this script is the most basic one: it will simply add the required permissions for a specified identity with the selected inheritance option for all descendant objects. With the second method, you also have the option to specify a particular Object Type, in this case only user objects. As for the Exchange Hybrid Deployment feature, the script will delegate the minimum required permissions listed in the documentation on TechNet. In addition to this, it’s worth mentioning that the script updates the ACL at the domain level. I’ve decided not to add support for targeting a specific Organizational Unit, though it may come in a future update to this script.

The script leverages some of the cmdlets available in the Active Directory PowerShell module, which is also the only requirement for this script. In the examples below, I’ve used a service account as my identity reference. You can also specify a group if you wish.
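To show the mechanics the post describes, here is an added example (my own illustration, not the Set-AADSyncPermissions.ps1 script and not its internals): it adds one ACE on the domain object for a user or group, restricts that ACE by inheritance to descendant objects of one class, and then reads the domain ACL back so the delegation can be reviewed. The function names, the account name AADSync_SA and the choice of the "Reset Password" extended right are assumptions made for illustration; the rights each AADSync feature actually needs are the ones listed in the TechNet documentation. GUIDs are resolved from the schema and Extended-Rights containers at run time rather than hard-coded.

```powershell
#Requires -Version 3.0
#Requires -Modules ActiveDirectory
# Added example, not the Set-AADSyncPermissions.ps1 script itself.
# Function names and the 'AADSync_SA' account are constructed for illustration.
Import-Module ActiveDirectory

function Get-ExtendedRightGuid {
    # Resolve an extended right (e.g. 'Reset Password') to its rightsGuid
    # from the Extended-Rights container instead of hard-coding the GUID.
    [CmdletBinding()]
    param([Parameter(Mandatory = $true)][string]$DisplayName)
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $right = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
        -LDAPFilter "(&(objectClass=controlAccessRight)(displayName=$DisplayName))" `
        -Properties rightsGuid
    if (-not $right) { throw "Extended right '$DisplayName' not found" }
    return [guid]$right.rightsGuid
}

function Get-SchemaClassGuid {
    # Resolve an object class (e.g. 'user') to its schemaIDGUID; used as the
    # inherited-object type so the ACE applies only to that class.
    [CmdletBinding()]
    param([Parameter(Mandatory = $true)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $class = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties schemaIDGUID
    if (-not $class) { throw "Schema class '$LdapDisplayName' not found" }
    return [guid]$class.schemaIDGUID
}

function Add-DomainExtendedRightAce {
    # Add an Allow ACE for one extended right on the domain object, inherited
    # by descendant objects of the given class (user objects by default).
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$IdentityName,      # user or group sAMAccountName
        [Parameter(Mandatory = $true)][string]$RightDisplayName,  # extended right display name
        [string]$InheritedObjectClass = 'user'                    # class the ACE is limited to
    )
    $domainDN = (Get-ADDomain).DistinguishedName
    # Accept either a user or a group as the identity reference.
    $principal = Get-ADObject -Properties objectSid `
        -LDAPFilter "(&(|(objectClass=user)(objectClass=group))(sAMAccountName=$IdentityName))"
    if (-not $principal) { throw "Identity '$IdentityName' not found" }

    $acl = Get-Acl -Path "AD:\$domainDN"
    $rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $principal.objectSid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        (Get-ExtendedRightGuid -DisplayName $RightDisplayName),
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        (Get-SchemaClassGuid -LdapDisplayName $InheritedObjectClass)
    )
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$domainDN" -AclObject $acl
    Write-Verbose "Granted '$RightDisplayName' on descendant '$InheritedObjectClass' objects under $domainDN to $IdentityName"
}

function Get-DomainAcesForIdentity {
    # Review helper: list every ACE on the domain object that names the identity,
    # so what was delegated can be checked before and after the change.
    [CmdletBinding()]
    param([Parameter(Mandatory = $true)][string]$IdentityName)
    $domainDN = (Get-ADDomain).DistinguishedName
    (Get-Acl -Path "AD:\$domainDN").Access |
        Where-Object { $_.IdentityReference.Value -like "*\$IdentityName" } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                      ObjectType, InheritanceType, InheritedObjectType
}

# Usage (constructed account name; run from an elevated console with the AD module):
Add-DomainExtendedRightAce -IdentityName 'AADSync_SA' -RightDisplayName 'Reset Password' -Verbose
Get-DomainAcesForIdentity -IdentityName 'AADSync_SA' | Format-Table -AutoSize
```

Running Get-DomainAcesForIdentity before and after the delegation gives a simple record of exactly which rights the account holds at the domain level, which is worth keeping for any account that is granted directory-wide permissions.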

Password Synchronization

1. Open an elevated PowerShell console on a member server or domain controller where the Active Directory PowerShell module is available.
2. Browse to where you’ve saved the script, e.g. C:\Scripts.
3. Run the following command:

.\Set-AADSyncPermissions.ps1 -Feature PasswordSynchronization -IdentityName "AADSync_SA" -Inheritance All -Verbose


Password Write-Back

1. Open an elevated PowerShell console on a member server or domain controller where the Active Directory PowerShell module is available.
2. Browse to where you’ve saved the script, e.g. C:\Scripts.
3. Run the following command:

.\Set-AADSyncPermissions.ps1 -Feature PasswordWriteBack -IdentityName "AADSync_SA" -Inheritance All -Verbose


Exchange Hybrid Deployment

1. Open an elevated PowerShell console on a member server or domain controller where the Active Directory PowerShell module is available.
2. Browse to where you’ve saved the script, e.g. C:\Scripts.
3. Run the following command:

.\Set-AADSyncPermissions.ps1 -Feature ExchangeHybrid -IdentityName "AADSync_SA" -Inheritance All -Verbose


If you have any questions regarding the script, feel free to comment below or send me an email. I hope this helps!

Nickolaj Andersen
Principal Consultant and Enterprise Mobility MVP since 2016. Nickolaj has been in the IT industry for the past 10 years specializing in Enterprise Mobility and Security, Windows devices and deployments including automation. Currently working for TrueSec as a Principal Consultant. Awarded as PowerShell Hero in 2015 by the community for his script and tools contributions. Creator of ConfigMgr Prerequisites Tool, ConfigMgr OSD FrontEnd, ConfigMgr WebService to name a few. Frequent speaker at conferences and user groups.


Comments
  • Sam
    Posted at 14:04 April 2, 2015

    Thanks a lot! great post.

    • Nickolaj
      Posted at 17:50 April 2, 2015

      You’re welcome Sam and thanks for your kind words!

      Regards,
      Nickolaj

  • DS
    Posted at 15:36 May 11, 2015

    When running the Hybrid cmdlet above, I’m getting an error regarding Missing closing ‘>’ in expression at:\scripts\Set-AADSyncPermissions.ps1:27 char:5

    Any idea what that’s about?

    • Nickolaj
      Posted at 17:42 May 11, 2015

      Hi DS,

      What’s the PowerShell version on the server where you’re running the script? This script requires version 3.0 or above. You can check that by running $host in the PowerShell console.

      Regards,
      Nickolaj

      • DS
        Posted at 22:43 May 11, 2015

        OK, that was the problem... I was running 2.0. Thanks

  • erik hof
    Posted at 21:19 July 10, 2015

    Can this also be used with the new AD Connect?

    Permissions are described here https://azure.microsoft.com/nl-nl/documentation/articles/active-directory-aadconnect-account-summary/
