User Profile
Sebastien_SCSL
Copper Contributor
Joined 5 years ago
Recent Discussions
Set-ADSyncPasswordWritebackPermissions powershell cmdlet execution error (empty searchbase)
Hi,

Currently installing a brand new instance of AD Connect (in staging mode) at a client running a very old version. The previously used Azure AD Sync account is a domain admin, which is no longer supported in newer versions of Azure AD Connect.

So I created the new Azure AD Sync account, and using the PowerShell cmdlets from AdSyncConfig.psm1 module began granting this brand new account the rights required.

Set-ADSyncMsDsConsistencyGuidPermissions worked well.
Set-ADSyncPasswordHashSyncPermissions worked well.

But Set-ADSyncPasswordWritebackPermissions returns an error:

    Get-ADObject : An empty SearchBase is only supported while connected to a GlobalCatalog.
    At C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1:373 char:15
    + ... $object = Get-ADObject -SearchBase $ADobjectDN -SearchScope 0 -Filt ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidArgument: (:) [Get-ADObject], ArgumentException
    + FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.ArgumentException,Microsoft.ActiveDirectory.Management.Commands.GetADObject

I was using this syntax:

    Set-ADSyncPasswordWritebackPermissions -ADConnectorAccountName "<samAccountName>" -ADConnectorAccountDomain <fqdn domain name>

I initially installed Azure AD Connect v1.6.14.2. I looked for a newer one, found 1.6.16.0, installed it and got the same error.

I saw in the error a reference to a variable I was not passing ($ADobjectDN). I tried adding a -ADObjectDN parameter pointing to the root of my domain "DC=top,DC=level", but it also failed with another error:

    GrantAcls : user is specified as Inherited Object Type. /I:S must be present. The parameter is incorrect. The command failed to complete successfully.
    At C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1:1666 char:9
    + GrantAcls $targetADObj.DistinguishedName $finalACL $Inheritan ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,GrantAcls

Am I doing anything incorrectly?

Regards,
Sebastien