Forum Discussion
mrizzi2
Sep 13, 2022 Copper Contributor
Azure AD Connect V1 post-uninstallation: can we safely remove the old Connector accounts?
Hello experts, hope your week is off to a good start. Please consider a scenario where Azure AD Connect V1 has been migrated successfully to a new Azure AD Connect V2 server using a swing mig...
mrizzi2
Copper Contributor
Hi there Dominik,
thank you for your reply. It is very much appreciated.
I confirm that the new AADConnect server is using different accounts in the on-prem AD as well as in Azure AD.
I have also noticed that the following groups were created by the Azure AD Connect V1 installer: "ADSyncAdmins", "ADSyncBrowse", "ADSyncOperators" and "ADSyncPasswordSet". These groups were created as Active Directory domain groups as the old Azure AD Connect V1 server was previously installed on a domain controller. I believe it is safe to go ahead and remove them manually as the new Azure AD Connect V2 server is installed on a dedicated member server?
Thanks and Regards,
Massimiliano Rizzi
picku
Sep 19, 2022 Copper Contributor
Hello @Massimiliano,
For the groups, I am not so sure that they are not shared with the new infrastructure. To verify that, please add a test account to ADSyncBrowse and try to open the AADConnect console with that account. If there is an error, then the group is not used by AADConnect and you can remove it.
So what you should do:
1. Create a test account.
2. Add the test account to ADSyncAdmins or ADSyncBrowse.
3. Try to log in to the AADConnect server and the AADConnect console with the test account.
4. If that works, the group is still used. If that doesn't work, you should be safe to remove the groups.
5. You can do an additional test as well by removing one of the existing members from ADSyncAdmins (to be 100% sure).
Best,
Dominik
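A read-only inventory that can be run before the test-account procedure above, added here as an example and not part of the original posts. It assumes it is run in Windows PowerShell on the new Azure AD Connect server with the ActiveDirectory (RSAT) module installed; the group names are the four quoted in the thread, and the report property names are chosen for illustration.

```powershell
# Added example: list the ADSync* domain groups named in the thread and check
# whether this server references them. Read-only; nothing is created or deleted.
# Assumptions: ActiveDirectory (RSAT) module present, run on the new sync server.
Import-Module ActiveDirectory

$groupNames = 'ADSyncAdmins', 'ADSyncBrowse', 'ADSyncOperators', 'ADSyncPasswordSet'
$domain     = (Get-ADDomain).NetBIOSName

$report = foreach ($name in $groupNames) {
    # Domain group left by the old installation (returns nothing if already removed).
    $adGroup   = Get-ADGroup -Filter "SamAccountName -eq '$name'" -Properties whenCreated, whenChanged
    $adMembers = @()
    if ($adGroup) {
        $adMembers = @(Get-ADGroupMember -Identity $adGroup -Recursive |
            Select-Object -ExpandProperty SamAccountName)
    }

    # Local group of the same name on this server, if one exists.
    $localGroup   = Get-LocalGroup -Name $name -ErrorAction SilentlyContinue
    $localMembers = @()
    if ($localGroup) {
        $localMembers = @(Get-LocalGroupMember -Group $name |
            Select-Object -ExpandProperty Name)
    }

    [pscustomobject]@{
        Group          = $name
        DomainGroup    = [bool]$adGroup
        Created        = if ($adGroup) { $adGroup.whenCreated } else { $null }
        LastChanged    = if ($adGroup) { $adGroup.whenChanged } else { $null }
        DomainMembers  = $adMembers -join ', '
        LocalGroup     = [bool]$localGroup
        LocalMembers   = $localMembers -join ', '
        # True if the domain group is nested in the local group of the same name,
        # in which case deleting the domain group would change access on this server.
        NestedLocally  = $localMembers -contains "$domain\$name"
    }
}

$report | Format-List
```

A domain group with no members and `NestedLocally` false is consistent with a leftover from the old server; the login test in the steps above remains the functional confirmation.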
mrizzi2
Sep 20, 2022 Copper Contributor
Hi there Dominik,
thank you for your time. It is very much appreciated.