MSEndpointMgr

Delegate Required Permissions for AADSync in Active Directory with PowerShell

Once you have done a specific task a couple of times, you start to wonder how it can be made easier and faster. This happened to me when I was setting up the required permissions for a service account for AADSync in Active Directory. With AADSync, you have a couple of optional features that you can enable during the installation wizard. Most of those features require specific permissions for the account used to connect to the on-premises Active Directory. The features that require specific permissions are the following:

  • Password Synchronization
  • Password Write-Back
  • Exchange Hybrid Deployment

Over on TechNet, there’s some really good documentation describing the required permissions and attributes in detail, and if you’d like to dig deeper into those, have a look here.

Download the script

I’ve made the script available on TechNet Gallery.

Using the script

Since this script was created to support the three optional features that you can enable in AADSync, I’ll go through all of them with example commands showing how to execute the script to get the best results. Before we do that, I first want to give you a hint of what the script does. There are 2 different parameter sets, which can be used in the following manner:
Set-AADSyncPermissions [-Feature <string>] [-IdentityName <string>] [-Inheritance <string>]
Set-AADSyncPermissions [-Feature <string>] [-IdentityName <string>] [-Inheritance <string>] [-ObjectType <string>]
The first way of using this script is the most basic one: it simply adds the required permissions for the specified identity, with the selected inheritance option, for all descendant objects. The second method lets you also specify a particular object type; in this case, only user objects are supported. For the Exchange Hybrid Deployment feature, the script delegates the minimum required permissions listed in the documentation on TechNet. It’s also worth mentioning that the script updates the ACL on the domain level. I’ve decided not to add support for targeting a specific Organizational Unit, although that may come in a future update to this script.
The script leverages some of the cmdlets available in the Active Directory PowerShell module, which is also the only requirement for this script. In the examples below, I’ve used a service account as my identity reference. You can also specify a group if you wish.
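To show what a domain-level ACL update of this kind looks like with the Active Directory module, here is the Password Synchronization case worked through, including a read-back of the ACL so the delegation can be audited. This is an added example, not the author’s Set-AADSyncPermissions.ps1; it assumes an elevated console with the ActiveDirectory module, the AADSync_SA account name used in this post, and the well-known GUIDs of the two Replicating Directory Changes rights that password synchronization requires.

```powershell
# Added example, not the author's Set-AADSyncPermissions.ps1: grants the two
# replication extended rights that Password Synchronization needs on the
# domain naming context, then reads the ACL back so the delegation can be
# audited. Assumes an elevated console with the ActiveDirectory module and
# the service account name AADSync_SA used in the post.
Import-Module ActiveDirectory
# Well-known rightsGuid values of the two replication control access rights.
$ReplicationRights = @{
    'DS-Replication-Get-Changes'     = [Guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
    'DS-Replication-Get-Changes-All' = [Guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
}

function Grant-ReplicationRights {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$IdentityName)

    $domain   = Get-ADDomain
    $aclPath  = "AD:\$($domain.DistinguishedName)"
    $identity = [System.Security.Principal.NTAccount]"$($domain.NetBIOSName)\$IdentityName"
    $acl      = Get-Acl -Path $aclPath

    foreach ($name in $ReplicationRights.Keys) {
        # Replication rights are evaluated on the naming-context head, so the ACE goes on the domain object with no inheritance.
        $ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
            $identity,
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
            [System.Security.AccessControl.AccessControlType]::Allow,
            $ReplicationRights[$name],
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
        $acl.AddAccessRule($ace)
        Write-Verbose "Adding $name for $IdentityName on $($domain.DistinguishedName)"
    }
    if ($PSCmdlet.ShouldProcess($domain.DistinguishedName, 'Update domain ACL')) {
        Set-Acl -Path $aclPath -AclObject $acl
    }
}

function Get-ReplicationRightHolders {
    # Lists every principal holding either replication right on the domain head;
    # anything beyond the built-in admin/DC groups and the sync account deserves a second look.
    $domain = Get-ADDomain
    $acl    = Get-Acl -Path "AD:\$($domain.DistinguishedName)"
    $acl.Access |
        Where-Object { $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
                       $ReplicationRights.Values -contains $_.ObjectType } |
        Select-Object IdentityReference, ObjectType, AccessControlType
}
Grant-ReplicationRights -IdentityName 'AADSync_SA' -Verbose
Get-ReplicationRightHolders
```

Run it first with -WhatIf on Grant-ReplicationRights to see which domain object would be modified before committing the change.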

Password Synchronization

1. Open an elevated PowerShell console on a member server or domain controller where the Active Directory PowerShell module is available.
2. Browse to where you’ve saved the script, e.g. C:\Scripts.
3. Run the following command:

.\Set-AADSyncPermissions.ps1 -Feature PasswordSynchronization -IdentityName "AADSync_SA" -Inheritance All -Verbose

Password Write-Back

1. Open an elevated PowerShell console on a member server or domain controller where the Active Directory PowerShell module is available.
2. Browse to where you’ve saved the script, e.g. C:\Scripts.
3. Run the following command:

.\Set-AADSyncPermissions.ps1 -Feature PasswordWriteBack -IdentityName "AADSync_SA" -Inheritance All -Verbose

Exchange Hybrid Deployment

1. Open an elevated PowerShell console on a member server or domain controller where the Active Directory PowerShell module is available.
2. Browse to where you’ve saved the script, e.g. C:\Scripts.
3. Run the following command:

.\Set-AADSyncPermissions.ps1 -Feature ExchangeHybrid -IdentityName "AADSync_SA" -Inheritance All -Verbose

If you have any questions regarding the script, feel free to comment below or send me an email. I hope this helps!

Nickolaj Andersen

Chief Technical Architect and Enterprise Mobility MVP since 2016. Nickolaj has been in the IT industry for the past 10 years specializing in Enterprise Mobility and Security, Windows devices and deployments including automation. Awarded as PowerShell Hero in 2015 by the community for his script and tools contributions. Creator of ConfigMgr Prerequisites Tool, ConfigMgr OSD FrontEnd, ConfigMgr WebService to name a few. Frequent speaker at conferences such as Microsoft Ignite, NIC Conference and IT/Dev Connections including nordic user groups.
