Update to Advanced AAD Connect Permissions tool

Since its initial creation, I’ve made a few updates to the Advanced AAD Connect permissions tool. The most recent updates:

  • 2017-10-11 – delegating write permissions to the CN=adminSDHolder,CN=System container
  • 2017-10-05 – delegating write permissions to the ms-DS-ConsistencyGuid property

These two updates should allow for a more complete AAD Connect permissions delegation experience. The script has been updated in the gallery (https://gallery.technet.microsoft.com/AD-Advanced-Permissions-49723f74).

Please be sure to leave any questions or feedback.


Published by Aaron Guilmette

Helping companies conquer inferior technology since 1997. I spend my time developing and implementing technology solutions so people can spend less time with technology. Specialties: Active Directory and Exchange consulting and deployment, Virtualization, Disaster Recovery, Office 365, datacenter migration/consolidation, cheese.

Reader Comments

  1. Hello and thanks for this very nice script.

    I am trying to only delegate writes to ms-ds-consistencyguid.

    .\AADConnectPermissions.ps1 -msDsConsistencyGuid -User ADFSSvc

    This works flawlessly for our users BUT the AdminSDHolder ones weren’t modified.

    I then issued:

    .\AADConnectPermissions.ps1 -msDsConsistencyGuid -User ADFSSvc -UpdateAdminSDHolder
    [2018-03-06 14:09:10] [SUCCESS] :: Elevated PowerShell session detected. Continuing.
    [2018-03-06 14:09:13] [SUCCESS] :: Completed permissions update for msDS-ConsistencyGuid.
    [2018-03-06 14:09:13] [INFO] :: Finished. View 2018-09-06_AADConnectPermissions.txt for more details.

    In theory, my AdminSD protected users would also have an entry in their ACLs for ADFSSvc account (like the rest of the user objects have), but this didn’t happen.

    Any ideas?

    1. So, all that parameter in the script attempts to do is modify the ACL for adminSDHolder. Try checking their permissions again after SDProp has run.
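As an added example, not code from the gallery script, the following PowerShell shows the two delegations the updates above describe (write access to ms-DS-ConsistencyGuid on user objects, and the same right on CN=AdminSDHolder,CN=System) together with a check that explains the comment thread: the AdminSDHolder ACE only reaches protected (adminCount=1) accounts once SDProp has run. It assumes the ActiveDirectory module, an elevated session with rights to edit these ACLs, and a placeholder service account name `ADFSSvc`.

```powershell
# Added example, not the gallery script's code. Assumes the ActiveDirectory
# module, an elevated session that may edit these DACLs, and that $Sam names
# the sync service account ('ADFSSvc' is a placeholder, not a real account).
Import-Module ActiveDirectory
$Sam = 'ADFSSvc'

$rootDse  = Get-ADRootDSE
$domainDn = $rootDse.defaultNamingContext
$adminSdh = "CN=AdminSDHolder,CN=System,$domainDn"

# Resolve schemaIDGUIDs from the schema rather than hard-coding them.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $o = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    return [guid]$o.schemaIDGUID
}
$attrGuid = Get-SchemaGuid 'ms-DS-ConsistencyGuid'
$userGuid = Get-SchemaGuid 'user'
$sid      = (Get-ADUser -Identity $Sam).SID

# Add an Allow WriteProperty ACE, scoped to one attribute, to an object's DACL.
function Add-WritePropertyAce([string]$Dn, [guid]$InheritedObjectType,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance) {
    $acl = Get-Acl -Path "AD:\$Dn"
    $ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $attrGuid, $Inheritance, $InheritedObjectType)
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$Dn" -AclObject $acl
}

# 1. Domain root: the ACE is inherited by descendant user objects only.
Add-WritePropertyAce -Dn $domainDn -InheritedObjectType $userGuid `
    -Inheritance ([System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents)
# 2. AdminSDHolder itself: SDProp copies this DACL onto protected accounts
#    (adminCount=1) on its next pass, so they lag behind ordinary users.
Add-WritePropertyAce -Dn $adminSdh -InheritedObjectType ([guid]::Empty) `
    -Inheritance ([System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

# Verify: does the object's DACL carry a WriteProperty ACE for this attribute and account?
function Test-WritePropertyAce([string]$Dn) {
    $acl = Get-Acl -Path "AD:\$Dn"
    [bool]($acl.Access | Where-Object {
        ($_.IdentityReference -like "*\$Sam") -and ($_.ObjectType -eq $attrGuid) -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) })
}
Test-WritePropertyAce $adminSdh   # True right away: the ACE sits on AdminSDHolder itself
Get-ADUser -Filter 'adminCount -eq 1' | ForEach-Object {
    '{0}: {1}' -f $_.SamAccountName, (Test-WritePropertyAce $_.DistinguishedName)
}   # protected accounts report True only after SDProp has run
```

Re-running the last loop after SDProp's next pass (hourly by default) is the check the author's reply suggests.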
