Update to Advanced AAD Connect Permissions tool


Since its initial creation, I’ve made a few updates to the Advanced AAD Connect permissions tool. The most recent updates:

  • 2017-10-11 – delegating write permissions to the CN=adminSDHolder,CN=System container
  • 2017-10-05 – delegating write permissions to the ms-DS-ConsistencyGuid property

These two updates should allow for a more complete AAD Connect permissions delegation experience. The script has been updated in the gallery (https://gallery.technet.microsoft.com/AD-Advanced-Permissions-49723f74).

Please be sure to leave any questions or feedback.


Reader Comments

  1. Hello and thanks for this very nice script.

    I am trying to only delegate writes to ms-ds-consistencyguid.

    .\AADConnectPermissions.ps1 -msDsConsistencyGuid -User ADFSSvc

    This works flawlessly for our users BUT not for the AdminSDHolder ones, which weren’t modified.

    I then issued:

    .\AADConnectPermissions.ps1 -msDsConsistencyGuid -User ADFSSvc -UpdateAdminSDHolder
    [2018-03-06 14:09:10] [SUCCESS] :: Elevated PowerShell session detected. Continuing.
    [2018-03-06 14:09:13] [SUCCESS] :: Completed permissions update for msDS-ConsistencyGuid.
    [2018-03-06 14:09:13] [INFO] :: Finished. View 2018-09-06_AADConnectPermissions.txt for more details.

    In theory, my AdminSD protected users would also have an entry in their ACLs for the ADFSSvc account (like the rest of the user objects have), but this didn’t happen.

    Any ideas?

    1. So, all that parameter in the script attempts to do is modify the ACL for adminSDHolder. Try checking their permissions again after SDProp has run.
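The following is an added example, not part of the post or of the AADConnectPermissions.ps1 script, showing how to verify the two delegations discussed above: it reports whether a connector account holds a write ACE for ms-DS-ConsistencyGuid on adminSDHolder and on each adminCount=1 (protected) user, which is how you can tell whether SDProp has propagated the adminSDHolder change yet. It assumes the ActiveDirectory module is installed; the account name CONTOSO\ADFSSvc is a placeholder.

```powershell
# Added example (not the AADConnectPermissions.ps1 script itself): report whether a
# service account holds a write ACE for ms-DS-ConsistencyGuid on adminSDHolder and on
# each adminCount=1 (protected) user, to see whether SDProp has propagated it yet.
# Assumes the ActiveDirectory module; the account name below is a placeholder.
Import-Module ActiveDirectory

$ServiceAccount = 'CONTOSO\ADFSSvc'   # placeholder, replace with your connector account

# Look up the attribute's schemaIDGUID instead of hardcoding it.
$rootDse   = Get-ADRootDSE
$schemaObj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=mS-DS-ConsistencyGuid)' -Properties schemaIDGUID
$attrGuid  = [Guid]$schemaObj.schemaIDGUID

function Test-ConsistencyGuidAce {
    param([string]$DistinguishedName)
    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)
    # Match Allow ACEs for the account that grant WriteProperty either on this specific
    # attribute or on all properties (ObjectType of all zeros).
    $hit = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $ServiceAccount -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -ne 0) -and
        ($_.ObjectType -eq $attrGuid -or $_.ObjectType -eq [Guid]::Empty)
    }
    return [bool]$hit
}

# The delegation target the -UpdateAdminSDHolder switch writes to.
$adminSdHolder = "CN=AdminSDHolder," + (Get-ADDomain).SystemsContainer
[PSCustomObject]@{ Object = 'AdminSDHolder'; HasAce = Test-ConsistencyGuidAce $adminSdHolder }

# Protected accounts are stamped adminCount=1; SDProp overwrites their ACLs from
# adminSDHolder on its schedule (every 60 minutes by default), not at delegation time,
# so HasAce may be False here until the next SDProp run.
Get-ADUser -LDAPFilter '(adminCount=1)' | ForEach-Object {
    [PSCustomObject]@{
        Object = $_.SamAccountName
        HasAce = Test-ConsistencyGuidAce $_.DistinguishedName
    }
} | Format-Table -AutoSize
```

Run it once right after the delegation and again after SDProp has run; the AdminSDHolder row should be True immediately, while the protected-user rows flip to True only after propagation.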
