Set-ADSyncPasswordWritebackPermissions powershell cmdlet execution error (empty searchbase)


Hi,

Currently installing a brand new instance of AD Connect (in staging mode) at a client running a very old version. The previously used Azure AD Sync account is a domain admin, which is no longer supported in newer versions of Azure AD Connect. So I created the new Azure AD Sync account, and using the PowerShell cmdlets from the AdSyncConfig.psm1 module began granting this brand new account the rights required.

Set-ADSyncMsDsConsistencyGuidPermissions worked well.

Set-ADSyncPasswordHashSyncPermissions worked well.

But Set-ADSyncPasswordWritebackPermissions returns an error:

Get-ADObject : An empty SearchBase is only supported while connected to a GlobalCatalog.
At C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1:373 char:15
+ ... $object = Get-ADObject -SearchBase $ADobjectDN -SearchScope 0 -Filt ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Get-ADObject], ArgumentException
+ FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.ArgumentException,Microsoft.ActiveDirectory.Management.Commands.GetADObject

I was using this syntax: Set-ADSyncPasswordWritebackPermissions -ADConnectorAccountName "<samAccountName>" -ADConnectorAccountDomain <fqdn domain name>.

I initially installed Azure AD Connect v1.6.14.2. I looked for a newer one, found 1.6.16.0, installed it and got the same error.

I saw in the error a reference to a variable I was not passing ($ADobjectDN). I tried adding a -ADObjectDN parameter pointing to the root of my domain "DC=top,DC=level", but it also failed with another error:

GrantAcls : user is specified as Inherited Object Type. /I:S must be present. The parameter is incorrect. The command failed to complete successfully.
At C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1:1666 char:9
+ GrantAcls $targetADObj.DistinguishedName $finalACL $Inheritan ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,GrantAcls

Am I doing anything incorrectly?

Regards,

Sebastien
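An added verification step, not part of Sebastien's post or of the AdSyncConfig.psm1 module: after the cmdlets that did succeed, list the ACEs the new connector account actually holds on the chosen DN (with schema and extended-right GUIDs resolved to names) and confirm the account is no longer in Domain Admins. It assumes the RSAT ActiveDirectory module is installed; the account name and target DN are placeholders.

```powershell
# Added check (not from the original post): audit what the AdSyncConfig cmdlets
# granted to the new AD Connector account, and that it is not a Domain Admin.
Import-Module ActiveDirectory

$AccountName = 'MSOL_connector'     # placeholder: the new AD Connector account
$Domain      = Get-ADDomain         # add -Server/-Identity for a different domain
$TargetDN    = $Domain.DistinguishedName   # placeholder: DN passed as -ADObjectDN

# Fail early if the DN does not resolve; an unresolvable DN is one way to end up
# with an empty -SearchBase further down the call chain.
$null = Get-ADObject -Identity $TargetDN -Server $Domain.DNSRoot

# Match ACEs by SID so a renamed account is still found.
$Sid = (Get-ADUser -Identity $AccountName -Server $Domain.DNSRoot).SID

# Map schema attribute/class GUIDs and extended-right GUIDs to readable names.
$rootDse = Get-ADRootDSE -Server $Domain.DNSRoot
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties name, schemaIDGUID -Server $Domain.DNSRoot |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.name }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties name, rightsGUID -Server $Domain.DNSRoot |
    ForEach-Object { $guidMap[[guid]$_.rightsGUID] = $_.name }

function Resolve-AceGuid([guid]$g) {
    if ($g -eq [guid]::Empty) { 'All' } elseif ($guidMap.ContainsKey($g)) { $guidMap[$g] } else { $g.ToString() }
}

# Read the DACL of the target object and keep only the connector account's ACEs.
$acl  = Get-Acl -Path "AD:\$TargetDN"
$aces = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference -eq $Sid }

$aces | ForEach-Object {
    [pscustomobject]@{
        Type        = $_.AccessControlType
        Rights      = $_.ActiveDirectoryRights
        ObjectType  = Resolve-AceGuid $_.ObjectType          # attribute or control right
        InheritedTo = Resolve-AceGuid $_.InheritedObjectType # object class the ACE applies to
        Inheritance = $_.InheritanceType
        Inherited   = $_.IsInherited
    }
} | Format-Table -AutoSize

# Domain Admins is always RID 512; the old sync account being a DA is the reason
# a dedicated account was created, so verify the new one is not a member.
$da = Get-ADGroupMember -Identity "$($Domain.DomainSID)-512" -Recursive -Server $Domain.DNSRoot
if ($da | Where-Object { $_.SID -eq $Sid }) { Write-Warning "$AccountName is a member of Domain Admins" }
else { Write-Host "$AccountName is not a member of Domain Admins" }
```

Run it once before and once after each Set-ADSync* cmdlet to see exactly which ACEs that cmdlet added.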