Update: AAD Connect Advanced Permissions Tool


It’s Two-fer Friday.  I don’t know if it was a thing, but it is now.

Based on feedback received, I have updated the AAD Connect Advanced Permissions tool to check for the Active Directory schema version in addition to the Exchange schema.  The msDS-ExternalDirectoryObjectID attribute is added to the schema either by the Exchange 2016 schema update or by updating the schema to Windows Server 2016.

The tl;dr version:

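# $DN (delegation target) and $User (sync account) are expected to be set by the rest of the script
# objectVersion 87 = Windows Server 2016 AD schema
$ADSchema = (Get-ADObject (Get-ADRootDSE).schemaNamingContext -Properties objectVersion).objectVersion
If ($ADSchema -ge 87)
{
    # Grant write-property (WP) on msDS-ExternalDirectoryObjectID, inherited to iNetOrgPerson and user objects
    # The second line appends (+=) so the first dsacls command is not overwritten
    $cmd  = "dsacls '$DN' /I:S /G '`"$User`":WP;msDS-ExternalDirectoryObjectID;iNetOrgPerson'`n"
    $cmd += "dsacls '$DN' /I:S /G '`"$User`":WP;msDS-ExternalDirectoryObjectID;user'`n"
}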

There was also an issue reported where the ADSync module was not importing to finish configuring Password Writeback.  I have updated that as well.

Go get you some new AAD Connect Advanced Permissions tool stat.  Of course, if you ran it after deploying Exchange 2016 in your environment, then you don’t need it for this permissions delegation update. And, if you’re not using Azure AD Password Writeback, you don’t need the other update, since it won’t affect you anyway.
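To confirm what the tl;dr snippet delegates, here is a read-only audit that looks up the attribute in the schema and lists the matching write-property ACEs on the target. It is an added example, not code from the AAD Connect Advanced Permissions tool or this post; the `$DN` and `$User` values are constructed placeholders.

```powershell
# Added example (not part of the tool). Read-only: changes nothing in AD.
Import-Module ActiveDirectory   # provides Get-ADObject and the AD: drive

$DN   = 'OU=Staff,DC=example,DC=com'   # placeholder: delegation target
$User = 'EXAMPLE\svc-aadconnect'       # placeholder: sync service account

$schemaNC = (Get-ADRootDSE).schemaNamingContext
$ADSchema = (Get-ADObject $schemaNC -Properties objectVersion).objectVersion
Write-Output "AD schema objectVersion: $ADSchema (87 = Windows Server 2016)"

# The attribute exists only after one of the two schema updates.
$attr = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=msDS-ExternalDirectoryObjectID)' `
    -Properties schemaIDGUID

if (-not $attr) {
    Write-Warning 'msDS-ExternalDirectoryObjectID is not in the schema; nothing to audit.'
}
else {
    # ACEs reference the attribute by its schemaIDGUID, not by name.
    $attrGuid = [Guid]$attr.schemaIDGUID
    $wp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

    $aces = (Get-Acl -Path "AD:\$DN").Access | Where-Object {
        $_.IdentityReference.Value -eq $User -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $wp) -and
        $_.ObjectType -eq $attrGuid
    }

    if ($aces) {
        # InheritedObjectType is the class the ACE applies to (user, iNetOrgPerson);
        # /I:S in dsacls shows up as InheritanceType 'Descendents'.
        $aces | Select-Object IdentityReference, ActiveDirectoryRights,
            InheritanceType, InheritedObjectType, IsInherited
    }
    else {
        Write-Warning "No WriteProperty ACE for $User on msDS-ExternalDirectoryObjectID at $DN."
    }
}
```

An ACE whose `InheritedObjectType` is the all-zero GUID applies to every descendant class, which is broader than the per-class grants in the snippet.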

Published by Aaron Guilmette

Helping companies conquer inferior technology since 1997. I spend my time developing and implementing technology solutions so people can spend less time with technology. Specialties: Active Directory and Exchange consulting and deployment, Virtualization, Disaster Recovery, Office 365, datacenter migration/consolidation, cheese.
