Wednesday, October 28, 2015

Setting permissions for AADSync and password write-back

I love scripting things to save time, so when I found this article a while back on using PowerShell to configure the AADSync service account permissions, I bookmarked it, retweeted it and used it several times since then.

Today, I implemented Password Writeback, and the article only had two permissions set for it. In testing, I found users received an error, but their password was still being reset correctly.

In the AADSync event log, I noticed there were two failures followed by a success. The error looked like this:

An unexpected error has occurred during a password set operation.
ERR_: MMS(3188): D:\bt\40256\sources\dev\Sync\ma\shared\inc\MAUtils.h(58): Failed getting registry value 'ADMADoNormalization', 0x2
BAIL: MMS(3188): D:\bt\40256\sources\dev\Sync\ma\shared\inc\MAUtils.h(59): 0x80070002 (The system cannot find the file specified.): Win32 API failure: 2
BAIL: MMS(3188): D:\bt\40256\sources\dev\Sync\ma\shared\inc\MAUtils.h(114): 0x80070002 (The system cannot find the file specified.)
ERR_: MMS(3188): D:\bt\40256\sources\dev\Sync\ma\shared\inc\MAUtils.h(58): Failed getting registry value 'ADMARecursiveUserDelete', 0x2
BAIL: MMS(3188): D:\bt\40256\sources\dev\Sync\ma\shared\inc\MAUtils.h(59): 0x80070002 (The system cannot find the file specified.): Win32 API failure: 2
BAIL: MMS(3188): D:\bt\40256\sources\dev\Sync\ma\shared\inc\MAUtils.h(114): 0x80070002 (The system cannot find the file specified.)
ERR_: MMS(3188): D:\bt\40256\sources\dev\Sync\ma\shared\inc\MAUtils.h(58): Failed getting registry value 'ADMARecursiveComputerDelete', 0x2
BAIL: MMS(3188): D:\bt\40256\sources\dev\Sync\ma\shared\inc\MAUtils.h(59): 0x80070002 (The system cannot find the file specified.): Win32 API failure: 2
BAIL: MMS(3188): D:\bt\40256\sources\dev\Sync\ma\shared\inc\MAUtils.h(114): 0x80070002 (The system cannot find the file specified.)
ERR_: MMS(3188): ..\session.cpp(2114): Asynchronous modify result (dn=) failed
WARNING: MMS(3188): ..\session.cpp(2115): Asynchronous modify result (dn=) failed
BAIL: MMS(3188): ..\session.cpp(2121): 0x80070005 (Access is denied.)
ERR_: MMS(3188): admaexport.cpp(4253): The password change operation failed: ERR_: MMS(3188): admaexport.cpp(4259): Insufficient Rights 0x32
BAIL: MMS(3188): admaexport.cpp(3516): 0x80004005 (Unspecified error)
ERR_: MMS(3188): ..\ma.cpp(8322): ExportPasswordSet failed with 0x80004005
Azure AD Sync 1.0.0494.0501


Searching for that error turned up a good TechNet forum post where someone highlighted the exact issue. According to that post, two additional permissions are required. I have documented them below, and have commented on the source article to add them (and added the PowerShell to TechNet), so hopefully more people can find the help they need now.

So for password writeback, the full set of DSACLS invocations is below: the first two (Reset Password and Change Password) are the ones from the original article, and the last two (write to pwdLastSet and lockoutTime) are the two additional permissions:

# Domain root DN and the AADSync service account (replace with your own values)
$DN = "DC=domain,DC=com"
$Account = "domain\aadsync"

# /I:S applies the ACE to sub-objects only; ";user" scopes it to user objects.
# CA = control access right (extended right)
$cmd = "dsacls '$DN' /I:S /G '`"$Account`":CA;`"Reset Password`";user'"
Invoke-Expression $cmd
$cmd = "dsacls '$DN' /I:S /G '`"$Account`":CA;`"Change Password`";user'"
Invoke-Expression $cmd
# WP = write property; both attributes are written during a password reset/unlock
$cmd = "dsacls '$DN' /I:S /G '`"$Account`":WP;pwdLastSet;user'"
Invoke-Expression $cmd
$cmd = "dsacls '$DN' /I:S /G '`"$Account`":WP;lockoutTime;user'"
Invoke-Expression $cmd


To check that the permissions are set:
dsacls "\\dc1.domain.com\DC=domain,DC=com" | findstr serviceaccountname

You should see something similar to this:
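The findstr check only shows that some ACEs for the account exist. The script below is an added example, not part of the original post; it resolves the GUIDs for the two control access rights, the two attributes and the user class from the directory and confirms that each of the four inherit-only ACEs is actually present for the service account. It assumes the RSAT ActiveDirectory module is installed and reuses the post's placeholder DN and account name.

```powershell
# Added example, not from the original post: verify the four ACEs that
# password writeback needs. Assumes the RSAT ActiveDirectory module is
# installed and uses the post's placeholder DN and service account.
Import-Module ActiveDirectory

$DN      = "DC=domain,DC=com"
$Account = "domain\aadsync"

$root     = Get-ADRootDSE
$schemaNC = $root.schemaNamingContext
$rightsNC = "CN=Extended-Rights,$($root.configurationNamingContext)"

# Resolve the GUIDs from the directory instead of hard-coding them.
function Get-SchemaGuid([string]$Class, [string]$LdapName) {
    $o = Get-ADObject -SearchBase $schemaNC -Properties schemaIDGUID `
        -LDAPFilter "(&(objectClass=$Class)(lDAPDisplayName=$LdapName))"
    New-Object System.Guid -ArgumentList (,[byte[]]$o.schemaIDGUID)
}
function Get-RightGuid([string]$DisplayName) {
    $o = Get-ADObject -SearchBase $rightsNC -Properties rightsGuid `
        -LDAPFilter "(&(objectClass=controlAccessRight)(displayName=$DisplayName))"
    [guid]$o.rightsGuid
}

$userClass = Get-SchemaGuid 'classSchema' 'user'
$required  = @(
    @{ Name = 'CA Reset Password';  Right = 'ExtendedRight'; Guid = (Get-RightGuid 'Reset Password') }
    @{ Name = 'CA Change Password'; Right = 'ExtendedRight'; Guid = (Get-RightGuid 'Change Password') }
    @{ Name = 'WP pwdLastSet';  Right = 'WriteProperty'; Guid = (Get-SchemaGuid 'attributeSchema' 'pwdLastSet') }
    @{ Name = 'WP lockoutTime'; Right = 'WriteProperty'; Guid = (Get-SchemaGuid 'attributeSchema' 'lockoutTime') }
)

# Only Allow ACEs granted to the service account are relevant.
$aces = (Get-Acl -Path "AD:\$DN").Access | Where-Object {
    $_.IdentityReference.Value -eq $Account -and $_.AccessControlType -eq 'Allow'
}

# dsacls /I:S writes inherit-only ACEs scoped to the user class, so match
# on the right, the target GUID and the inherited object type.
foreach ($r in $required) {
    $want = [System.DirectoryServices.ActiveDirectoryRights]$r.Right
    $hit  = $aces | Where-Object {
        $_.ObjectType -eq $r.Guid -and
        $_.InheritedObjectType -eq $userClass -and
        ($_.ActiveDirectoryRights -band $want) -eq $want
    }
    $state = if ($hit) { 'OK     ' } else { 'MISSING' }
    "$state $($r.Name) for $Account on user objects under $DN"
}
```

Any line reported as MISSING corresponds to one of the four dsacls commands above that still needs to be run (or that was applied to the wrong DN).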
