
It’s Two-fer Friday.  I don’t know if it was a thing, but it is now.

Based on feedback I received, I have updated the AAD Connect Advanced Permissions tool to check the Active Directory schema version in addition to the Exchange schema version.  The msDS-ExternalDirectoryObjectID attribute is added to the schema by either the Exchange 2016 schema update or the Windows Server 2016 schema update, so checking only for Exchange missed environments that got the attribute from the Server 2016 update.

The tl;dr version:

```powershell
# Read the AD schema version; objectVersion 87 is the Windows Server 2016 schema.
# $DN (the container to delegate on) and $User (the AAD Connect service account)
# are set earlier in the tool.
$ADSchema = (Get-ADObject (Get-ADRootDSE).schemaNamingContext -Properties objectVersion).objectVersion
If ($ADSchema -ge 87)
{
    # Grant WriteProperty on msDS-ExternalDirectoryObjectID, inherited onto
    # iNetOrgPerson and user objects under $DN (second command appends, not overwrites)
    $cmd  = "dsacls '$DN' /I:S /G '`"$User`":WP;msDS-ExternalDirectoryObjectID;iNetOrgPerson'`n"
    $cmd += "dsacls '$DN' /I:S /G '`"$User`":WP;msDS-ExternalDirectoryObjectID;user'`n"
}
```
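As an added example (mine, not code from the tool), the same decision carried a step further: instead of comparing two version numbers, the schema is asked directly whether msDS-ExternalDirectoryObjectID exists, the delegation is applied without building a command string, and the resulting ACEs are read back so you can confirm exactly which principal got WriteProperty on that attribute.  It assumes the RSAT ActiveDirectory module and that `$DN`/`$User` are supplied by the caller.

```powershell
Import-Module ActiveDirectory

function Test-ExternalDirectoryObjectIdSchema {
    # Both conditions the post describes: Server 2016 schema (objectVersion 87)
    # or the attribute itself present, which is what the Exchange 2016 update adds.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $adSchema = (Get-ADObject $schemaNC -Properties objectVersion).objectVersion
    $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=msDS-ExternalDirectoryObjectID)'
    [pscustomobject]@{
        ADSchemaVersion  = $adSchema
        AttributePresent = [bool]$attr
        Applies          = ($adSchema -ge 87) -or [bool]$attr
    }
}

function Grant-ExternalDirectoryObjectIdWrite {
    param(
        [Parameter(Mandatory)][string]$DN,    # container the ACE goes on, e.g. 'DC=contoso,DC=com'
        [Parameter(Mandatory)][string]$User,  # AAD Connect service account, e.g. 'CONTOSO\MSOL_svc'
        [switch]$WhatIf
    )
    foreach ($class in 'user', 'iNetOrgPerson') {
        # Same ACE the tool creates: WP on the attribute, inherit-only onto $class objects
        $dsaclsArgs = @($DN, '/I:S', '/G', "${User}:WP;msDS-ExternalDirectoryObjectID;$class")
        if ($WhatIf) { "dsacls $($dsaclsArgs -join ' ')" } else { & dsacls.exe @dsaclsArgs }
    }
}

function Get-ExternalDirectoryObjectIdAces {
    # Read-back check: every ACE on $DN granting WriteProperty on this one attribute
    param([Parameter(Mandatory)][string]$DN)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attrGuid = [guid](Get-ADObject -SearchBase $schemaNC -Properties schemaIDGUID `
        -LDAPFilter '(lDAPDisplayName=msDS-ExternalDirectoryObjectID)').schemaIDGUID
    (Get-Acl "AD:\$DN").Access | Where-Object {
        $_.ObjectType -eq $attrGuid -and $_.ActiveDirectoryRights -match 'WriteProperty'
    } | Select-Object IdentityReference, AccessControlType, InheritedObjectType, IsInherited
}

# Usage: check first, run with -WhatIf to see the commands, then verify the ACEs
if ((Test-ExternalDirectoryObjectIdSchema).Applies) {
    Grant-ExternalDirectoryObjectIdWrite -DN $DN -User $User -WhatIf
    Get-ExternalDirectoryObjectIdAces -DN $DN
}
```

Drop `-WhatIf` once the printed commands look right; the read-back shows the InheritedObjectType GUIDs of the user and iNetOrgPerson classes, which is how you tell the inherit-only ACEs apart from any broader WriteProperty grant already on the container.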

There was also an issue reported where the ADSync module was not being imported, so the tool could not finish configuring Password Writeback.  I have updated that as well.

Go get you some new AAD Connect Advanced Permissions tool, stat.  Of course, if you ran it after deploying Exchange 2016 in your environment, then you don’t need it for this permissions delegation update.  And if you’re not using Azure AD Password Writeback, you don’t need the other update either, since it won’t affect you anyway.