cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Set-ADSyncPasswordWritebackPermissions powershell cmdlet execution error (empty searchbase)

Sebastien_SCSL
Copper Contributor

‎Oct 19 2021 02:05 PM - last edited on ‎Jan 14 2022 03:23 PM by

‎Oct 19 2021 02:05 PM - last edited on ‎Jan 14 2022 03:23 PM by

Set-ADSyncPasswordWritebackPermissions powershell cmdlet execution error (empty searchbase)

Hi, 

 

Currently installing a brand new instance of AD Connect (in staging mode) at a client running a very old version. The previously used Azure AD Sync account is a domain admin, which is no longer supported in newer versions of Azure AD Connect. So I created the new Azure AD Sync account, and using the PowerShell cmdlets from AdSyncConfig.psm1 module began granting this brand new account the rights required. 

 

Set-ADSyncMsDsConsistencyGuidPermissions worked well. 

Set-ADSyncPasswordHashSyncPermissions worked well. 

But Set-ADSyncPasswordWritebackPermissions returns an error: 

 

Get-ADObject : An empty SearchBase is only supported while connected to a GlobalCatalog.
At C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1:373 char:15
+ ... $object = Get-ADObject -SearchBase $ADobjectDN -SearchScope 0 -Filt ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Get-ADObject], ArgumentException
+ FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.ArgumentException,Microsoft.ActiveDirectory.Management.Comm
ands.GetADObject

 

I was using this syntax: Set-ADSyncPasswordWritebackPermissions -ADConnectorAccountName "<samAccountName>" -ADConnectorAccountDomain <fqdn domain name>. 

 

I initially installed Azure AD Connect v1.6.14.2. I looked for a newer one, found 1.6.16.0, installed it and got the same error. 

 

I saw in the error a reference to a variable I was not passing ($ADobjectDN). I tried adding a -ADObjectDN parameter pointing to the root of my domain "DC=top,DC=level", but it also failed with another error: 

GrantAcls : user is specified as Inherited Object Type. /I:S must be present. The parameter is incorrect. The
command failed to complete successfully.
At C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1:1666 char:9
+ GrantAcls $targetADObj.DistinguishedName $finalACL $Inheritan ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,GrantAcls

 

 

Am I doing anything incorrectly?

 

Regards, 

 

Sebastien

1,625 Views
0 Likes
0 Replies
Reply
0 Replies