Forum Discussion

StefanoC66
Iron Contributor
Aug 20, 2025
Solved

OU list incomplete in AAD connect

We're facing a strange issue while configuring Entra ID Connect.

At the point of selecting the OUs we want to synchronize, the list we see in the Entra ID application is not complete compared with what we see in ADUC.

We miss an OU at the first level, which by the way is one of the OUs we need to sync.

Any idea?

4 Replies

    LainRobertson
    Silver Contributor

    Hi StefanoC66,

    This occurs when the service account that the Microsoft Azure AD Sync service runs under does not have permissions to read that specific organisational unit.

    This is the service from my host, where you can see it runs under an account named svcSync:

    Here's an organisational unit named Dummy I created where svcSync has been denied access:

    And this is AAD Connect not showing the Dummy organisational unit:

    Finally, I have removed the "deny" permission shown above and restarted the AAD Connect wizard, which now shows the Dummy organisational unit.

    If you look at the permissions on your "missing" organisational unit, you probably won't see a "deny" permission like I've shown above (you might, but I'm betting you won't). It's more likely the case that someone has disabled permissions inheritance and your AAD Connect service account has not been added in with sufficient permissions to read and write to that organisational unit and eligible child objects.

    So, what you'd want to do is add your service account to that organisational unit's permissions.

    Permissions can vary, so I won't specify what you should add, nor will I suggest re-enabling permissions inheritance (if it is indeed disabled) as there may be a valid reason inheritance has been disabled.

    What you will need to achieve is giving that AAD Sync service account the necessary rights to read your missing organisational unit. You may be able to refer to a different organisational unit - or even the topmost domain node - to determine exactly what that access should look like.

    Cheers,

    Lain

    •
      StefanoC66
      Iron Contributor

      LainRobertson

      Thanks for the input.

      I checked the missing OU's security settings and it has inheritance enabled, the same as the OU that I do see.

      Checking the permissions, they looked the same.

      The ADSync service is running as NT SERVICE\ADSync

      EDIT:

      Even if apparently they have the same security settings applied (inherited), checking with "Effective Access" in the Advanced tab for the "user" NETWORK SERVICE there's actually a difference that I couldn't understand where it's coming from.

       

      •
        LainRobertson
        Silver Contributor

        Hi StefanoC66,

        That's fine - it just means you're using the installation defaults.

        If you run the program named miisclient.exe on your AAD Connect box, then:

        1. Go to the Connectors tab;
        2. Right-click on the Active Directory Domain Service Connector and choose Properties;
        3. You will be able to see which account AAD Connect is using to talk to Active Directory;
        4. Cancel out - you don't want to make any changes here.

        This is the account you need to ensure has access to the missing organisational unit.

        Cheers,

        Lain
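A PowerShell way to do both checks from this thread (read the AD DS account from the connector properties instead of miisclient.exe, then inspect the missing OU's ACL for that account, the inheritance flag and any Deny entry), as an added example that was not posted by Lain or anyone in the thread. It assumes the ActiveDirectory (RSAT) and ADSync modules are available on the AAD Connect server; the OU distinguished name and the connector name are placeholders.

```powershell
# Added example, not from the thread. Run on the AAD Connect server.
# Placeholders: replace the OU DN and connector name with your own values.
param(
    [string]$OUDistinguishedName = 'OU=Missing,DC=contoso,DC=com',  # placeholder
    [string]$ConnectorName       = 'contoso.com'                    # placeholder (installer default = forest DNS name)
)
Import-Module ADSync
Import-Module ActiveDirectory

# 1. Same information as miisclient.exe -> Connectors -> Properties, read-only.
#    The ADSync module exposes the AD DS credentials as connectivity parameters.
$params = (Get-ADSyncConnector -Name $ConnectorName).ConnectivityParameters
$domain = ($params | Where-Object Name -eq 'forest-login-domain').Value
$user   = ($params | Where-Object Name -eq 'forest-login-user').Value
"AAD Connect talks to Active Directory as $domain\$user"

# 2. Read the OU's DACL through the AD: PSDrive provided by the ActiveDirectory module.
$acl = Get-Acl -Path "AD:\$OUDistinguishedName"

# Inheritance disabled is the case Lain suspects: parent ACEs (including ones granted
# at the domain root during installation) stop applying to this OU.
if ($acl.AreAccessRulesProtected) {
    "WARNING: inheritance is disabled on $OUDistinguishedName; ACEs from parents do not apply here."
}

# 3. Show only ACEs that name the sync account directly (match on the account name,
#    so 'CONTOSO\MSOL_xxx' and 'contoso.com' style identities both line up).
#    Rights granted through group membership will NOT appear here; use
#    Effective Access in ADUC for those, as StefanoC66 did.
$direct = $acl.Access | Where-Object {
    $_.IdentityReference.Value.Split('\')[-1] -ieq $user
}
if (-not $direct) {
    "No ACE names $user on this OU. Compare with Get-Acl on an OU that does appear in the wizard."
}
$direct |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, IsInherited, InheritanceType |
    Format-Table -AutoSize

# 4. An explicit Deny is the case shown in the screenshots above.
$direct | Where-Object { $_.AccessControlType -eq 'Deny' } | ForEach-Object {
    "DENY found: $($_.ActiveDirectoryRights) for $($_.IdentityReference)"
}
```

The script only reads; fixing the ACL (adding the account, or re-enabling inheritance if that is appropriate) is still done deliberately in ADUC or with Set-Acl once you know which entry is missing.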
