Forum Discussion
Set-ADSyncPasswordWritebackPermissions PowerShell cmdlet execution error (empty SearchBase)
Hi,
Currently installing a brand new instance of AD Connect (in staging mode) at a client running a very old version. The previously used Azure AD Sync account is a domain admin, which is no longer supported in newer versions of Azure AD Connect. So I created the new Azure AD Sync account and, using the PowerShell cmdlets from the AdSyncConfig.psm1 module, began granting this brand new account the rights required.
Set-ADSyncMsDsConsistencyGuidPermissions worked well.
Set-ADSyncPasswordHashSyncPermissions worked well.
But Set-ADSyncPasswordWritebackPermissions returns an error:
Get-ADObject : An empty SearchBase is only supported while connected to a GlobalCatalog.
At C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1:373 char:15
+ ... $object = Get-ADObject -SearchBase $ADobjectDN -SearchScope 0 -Filt ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Get-ADObject], ArgumentException
+ FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.ArgumentException,Microsoft.ActiveDirectory.Management.Comm
ands.GetADObject
I was using this syntax: Set-ADSyncPasswordWritebackPermissions -ADConnectorAccountName "<samAccountName>" -ADConnectorAccountDomain <fqdn domain name>.
I initially installed Azure AD Connect v1.6.14.2. I looked for a newer one, found 1.6.16.0, installed it and got the same error.
I saw in the error a reference to a variable I was not passing ($ADobjectDN). I tried adding a -ADObjectDN parameter pointing to the root of my domain "DC=top,DC=level", but it also failed with another error:
GrantAcls : user is specified as Inherited Object Type. /I:S must be present. The parameter is incorrect. The
command failed to complete successfully.
At C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1:1666 char:9
+ GrantAcls $targetADObj.DistinguishedName $finalACL $Inheritan ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,GrantAcls
Am I doing anything incorrectly?
Regards,
Sebastien