
Create AD DS Connector account

Microsoft Azure Active Directory Connect synchronizes on-premises Active Directory objects to Azure AD. During setup it creates its own AD DS Connector service account, but you may prefer to supply your own account, either at installation time or when changing the account later. In this article, we show how to create that AD DS Connector service account and tighten its permissions so that it holds only the rights the synchronization needs.

Azure AD Connect accounts

Azure AD Connect uses the following three accounts to synchronize data between Active Directory (on-premises) and Azure Active Directory (cloud):

  1. AD DS Connector account: Read/write information to Windows Server Active Directory
  2. ADSync Service account: Run the synchronization service and access the SQL database
  3. Azure AD Connector account: Write information to Azure AD

The one that we will look at is the AD DS Connector account.

Read more: Find Azure AD Connect accounts »

Azure AD DS Connector account

Azure AD Connect setup has two account options to select:

  • Create new AD account: Azure AD Connect will create an AD DS Connector account (MSOL_xxxxxxxxxx) in AD with all the necessary permissions
  • Use existing AD account: Provide an existing account with the required permissions (this article)
Create new or use existing AD account

What if you want to use the second option: Use existing AD Account? How will that work?

Administrators often create a service account in AD and select it as the existing AD account in Azure AD Connect. However, if that account was created with nothing more than the default user rights, Azure AD Connect installs, but the synchronization fails with permission errors, because the account cannot read or write the attributes the connector needs.

You definitely do not want to "fix" this by adding the AD DS Connector service account to the groups:

  • Enterprise Admins
  • Domain Admins
AD DS service account member of the wrong groups

Note: Permission errors during a sync run mean that the AD DS Connector account is missing rights in on-premises Active Directory. Adding the service account to a highly privileged group makes the sync run, but it is not a fix. The account's credentials are stored on the Azure AD Connect server, so anyone who compromises that server (or the account) inherits the account's rights. With the account in Domain Admins, that is full control of the domain instead of the narrow set of rights the sync needs. It's asking for trouble and a danger to your environment!

So how do you grant only the least permissions and make sure the AD DS Connector service account is set up correctly? Use the AdSyncConfig PowerShell module that Microsoft ships with Azure AD Connect.

How to configure AD DS Connector Account Permissions

To configure permissions and tighten the AD DS Connector service account, follow the steps below.

Create AD DS Connector service account

Start Active Directory Users and Computers and create a service account. You will use that account as the AD DS Connector account.

In our example, we will create the service account svc-adds.

Create AD DS Connector account svc-adds
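As an added example (not from the original article), the same service account created from PowerShell with the settings a hardened service account should have. The account name svc-adds and the OU path are taken from the article; the UPN suffix exoip.local is an assumption based on the distinguishedName used later on. The generated password is displayed once so that you can paste it into the Azure AD Connect wizard; store it in your password vault, because Azure AD Connect has to be updated whenever it changes.

```powershell
# Added example, not the article's own code. Assumed: account name svc-adds and the
# OU from the article; the UPN suffix exoip.local is assumed.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

$name   = 'svc-adds'
$ouPath = 'OU=Service Accounts,OU=Company,DC=exoip,DC=local'
$upn    = "$name@exoip.local"

# 32 random bytes from the OS CSPRNG, Base64-encoded: a 44-character password
# that is never typed by a human and therefore never reused anywhere.
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 32
$rng.GetBytes($bytes)
$plain  = [Convert]::ToBase64String($bytes)
$secure = ConvertTo-SecureString -String $plain -AsPlainText -Force

# Splatting keeps the hardening settings readable and lets each one carry a comment.
$params = @{
    Name                   = $name
    SamAccountName         = $name
    UserPrincipalName      = $upn
    Path                   = $ouPath
    AccountPassword        = $secure
    Enabled                = $true
    PasswordNeverExpires   = $true     # rotate by hand, then update the password in Azure AD Connect
    CannotChangePassword   = $true     # only an admin changes it, never the account itself
    AccountNotDelegated    = $true     # "account is sensitive and cannot be delegated"
    KerberosEncryptionType = 'AES128,AES256'   # no RC4 service tickets for this account
    Description            = 'Azure AD Connect AD DS Connector account; do not add to privileged groups'
}
New-ADUser @params

# The DN is what the Set-ADSync* cmdlets take as -ADConnectorAccountDN.
$account = Get-ADUser -Identity $name
"DistinguishedName: $($account.DistinguishedName)"
# Shown once for the Azure AD Connect wizard; clear the console afterwards.
"Password (enter it in the wizard, then store it in your vault): $plain"
```

Denying interactive and Remote Desktop logon for the account is done through Group Policy (User Rights Assignment: Deny log on locally, Deny log on through Remote Desktop Services), not through the account object, so it is not part of this script.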

Let’s check the Access Control Lists (ACL) on the svc-adds account.

Create AD DS Connector account svc-adds acl report before

Install Remote Server Administration Tools

To configure and tighten the AD DS Connector service account in the next steps, the AdSyncConfig module needs the Active Directory PowerShell module, which is part of Remote Server Administration Tools (RSAT).

Run PowerShell as administrator on the Azure AD Connect Server and run the cmdlet below.

PS C:\> Install-WindowsFeature RSAT-AD-Tools

Success Restart Needed Exit Code      Feature Result
------- -------------- ---------      --------------
True    No             Success        {Remote Server Administration Tools, Activ...

Load PowerShell module AdSyncConfig.psm1

The AdSyncConfig.psm1 PowerShell module contains the cmdlets that configure and tighten the permissions for the AD DS Connector account you pass as a parameter.

If you already have Azure AD Connect installed, AdSyncConfig.psm1 is in the Azure AD Connect installation directory. If you don't have Azure AD Connect yet, run the Azure AD Connect installer: it extracts the files, including this module, before the configuration wizard starts, so you can close the wizard without installing anything.

AdSyncConfig.psm1

Run Windows PowerShell as administrator. Run the Import-Module and specify the path to load the module.

PS C:\> Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1"

Run Get-Command for the AdSyncConfig module and check that the cmdlets below are listed.

PS C:\> Get-Command -Module AdSyncConfig

CommandType     Name                                               ModuleName
-----------     ----                                               ----------
Function        Get-ADSyncADConnectorAccount                       AdSyncConfig
Function        Get-ADSyncObjectsWithInheritanceDisabled           AdSyncConfig
Function        Set-ADSyncBasicReadPermissions                     AdSyncConfig
Function        Set-ADSyncExchangeHybridPermissions                AdSyncConfig
Function        Set-ADSyncExchangeMailPublicFolderPermissions      AdSyncConfig
Function        Set-ADSyncMsDsConsistencyGuidPermissions           AdSyncConfig
Function        Set-ADSyncPasswordHashSyncPermissions              AdSyncConfig
Function        Set-ADSyncPasswordWritebackPermissions             AdSyncConfig
Function        Set-ADSyncRestrictedPermissions                    AdSyncConfig
Function        Set-ADSyncUnifiedGroupWritebackPermissions         AdSyncConfig
Function        Show-ADSyncADObjectPermissions                     AdSyncConfig

Find AD DS Connector service account distinguishedName

Right-click the AD DS Connector service account and click Properties. Go to the Attribute Editor tab. Find the attribute distinguishedName in the attributes list. Double-click to open the string and copy the value. You will need it in the next part.

AD user distinguishedname

Permissions for MS-DS-Consistency-Guid

Configure the ms-DS-ConsistencyGuid permissions. This attribute is the default source anchor, so the connector account needs write access to it regardless of which optional features you enable.

PS C:\> Set-ADSyncMsDsConsistencyGuidPermissions -ADConnectorAccountDN "CN=svc-adds,OU=Service Accounts,OU=Company,DC=exoip,DC=local"

Permissions for Password Hash Synchronization

Configure the Password Hash Synchronization permissions. Run this only if you enable password hash synchronization; it grants the account the directory replication rights needed to read password hashes.

PS C:\> Set-ADSyncPasswordHashSyncPermissions -ADConnectorAccountDN "CN=svc-adds,OU=Service Accounts,OU=Company,DC=exoip,DC=local"

Permissions for Password Writeback

Configure the Password Writeback permissions. Run this only if you enable password writeback; it grants the account the right to reset user passwords in the domain, which is a powerful right to hand out.

PS C:\> Set-ADSyncPasswordWritebackPermissions -ADConnectorAccountDN "CN=svc-adds,OU=Service Accounts,OU=Company,DC=exoip,DC=local"

Permissions for Group Writeback

Configure the Group Writeback permissions. Run this only if you enable group writeback.

PS C:\> Set-ADSyncUnifiedGroupWritebackPermissions -ADConnectorAccountDN "CN=svc-adds,OU=Service Accounts,OU=Company,DC=exoip,DC=local"

Permissions for Exchange Hybrid Deployment

Configure the Exchange Hybrid Deployment permissions. Run this only if you run an Exchange hybrid deployment.

PS C:\> Set-ADSyncExchangeHybridPermissions -ADConnectorAccountDN "CN=svc-adds,OU=Service Accounts,OU=Company,DC=exoip,DC=local"

Permissions for Exchange Mail Public Folders

Configure the Exchange Mail Public Folders permissions. Run this only if you synchronize mail-enabled public folders.

PS C:\> Set-ADSyncExchangeMailPublicFolderPermissions -ADConnectorAccountDN "CN=svc-adds,OU=Service Accounts,OU=Company,DC=exoip,DC=local"

Permissions restriction on AD DS Connector Account

Get a credential object and save it in the variable $credential. The credential is used only to rewrite the ACL of the service account object; it is not stored anywhere.

PS C:\> $credential = Get-Credential

A prompt shows up. Fill in the credentials of an administrator who can modify the ACL of the service account object, typically a Domain Admin. Click OK.

Tighten the permissions on the AD DS Connector account object itself. The cmdlet disables inheritance on the account, removes the inherited entries, and leaves only a fixed set of entries for SELF, SYSTEM and the built-in administrative groups. This matters because the account now holds rights such as resetting passwords or reading password hashes: anyone who could reset the service account's password through a delegated right on its OU would inherit those rights.

PS C:\> Set-ADSyncRestrictedPermissions -ADConnectorAccountDN "CN=svc-adds,OU=Service Accounts,OU=Company,DC=exoip,DC=local" -Credential $credential
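The permission steps above as one script, added here as an example that is not the article's own code. It grants rights only for the features you will actually enable in the Azure AD Connect wizard, resolves the distinguishedName from AD instead of copying it from the Attribute Editor, and checks the result. Assumptions: the account is svc-adds, Azure AD Connect is in its default path, RSAT-AD-Tools is installed, and the elevated PowerShell session runs as an account allowed to edit the ACL at the domain root.

```powershell
# Added example, not the article's own code. Assumed: account svc-adds, default
# Azure AD Connect install path, RSAT-AD-Tools present, elevated session run as an
# account that may edit the domain root ACL.
#Requires -RunAsAdministrator
Import-Module ActiveDirectory
Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1'

# Set to $true only for the optional features you select in the wizard. Every
# cmdlet you skip is a right the account (and whoever steals it) never gets.
$features = @{
    PasswordHashSync     = $true
    PasswordWriteback    = $false
    GroupWriteback       = $false
    ExchangeHybrid       = $false
    ExchangePublicFolder = $false
}

# Resolve the DN from AD rather than copying it from the Attribute Editor.
$dn = (Get-ADUser -Identity 'svc-adds').DistinguishedName
"Configuring permissions for $dn"

# ms-DS-ConsistencyGuid is the default source anchor, so this one is always required.
Set-ADSyncMsDsConsistencyGuidPermissions -ADConnectorAccountDN $dn

if ($features.PasswordHashSync)     { Set-ADSyncPasswordHashSyncPermissions         -ADConnectorAccountDN $dn }
if ($features.PasswordWriteback)    { Set-ADSyncPasswordWritebackPermissions        -ADConnectorAccountDN $dn }
if ($features.GroupWriteback)       { Set-ADSyncUnifiedGroupWritebackPermissions    -ADConnectorAccountDN $dn }
if ($features.ExchangeHybrid)       { Set-ADSyncExchangeHybridPermissions           -ADConnectorAccountDN $dn }
if ($features.ExchangePublicFolder) { Set-ADSyncExchangeMailPublicFolderPermissions -ADConnectorAccountDN $dn }

# Last step: lock down the account object itself. The credential is prompted for,
# used for this call only, and never written to disk.
$credential = Get-Credential -Message 'Administrator used to restrict the svc-adds account object'
Set-ADSyncRestrictedPermissions -ADConnectorAccountDN $dn -Credential $credential

# Checks: inheritance on the account object must now be blocked, and the account
# must be a direct member of Domain Users only.
$acl = Get-Acl -Path "AD:\$dn"
if (-not $acl.AreAccessRulesProtected) {
    Write-Warning 'Inheritance is still enabled on the connector account object'
}
$extraGroups = (Get-ADPrincipalGroupMembership -Identity 'svc-adds').Name |
    Where-Object { $_ -ne 'Domain Users' }
if ($extraGroups) {
    Write-Warning "Unexpected group membership: $($extraGroups -join ', ')"
}
```

If only part of the directory is synchronized, the Set-ADSync*Permissions cmdlets also accept -ADobjectDN to place the entries on one OU instead of the domain root; the script above uses the default, which is what the article's step-by-step commands do as well.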

Now that the svc-adds account permissions are configured and hardened, let’s look at the next step.

Compare AD DS Connector account

Let’s compare the AD DS Connector account permissions:

This is how the ACL for MSOL_xxxxxxxxxx account looks like:

AD DS Connector account MSOL_ acl report

Read more: Export AD ACL permissions with PowerShell »

The Member Of shows only Domain Users.

AD DS Connector account MSOL_ member of

This is how the ACL for custom svc-adds account looks like:

AD DS Connector account svc-adds acl report after

The Member Of shows only Domain Users.

AD DS Connector account svc-adds member of

They both have the same permissions, which are the correct ones for the AD DS Connector account.
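The comparison above done in PowerShell, as an added example that is not the article's own code. It compares the entries on the two account objects (what Set-ADSyncRestrictedPermissions changes), the entries granted to each account on the domain root (what the Set-ADSync*Permissions cmdlets add, and the rights an attacker gains by stealing the account), and checks that the custom account is not in any privileged group, including through nested membership. MSOL_xxxxxxxxxx is a placeholder for the wizard-created account name in your domain; svc-adds is from the article.

```powershell
# Added example, not the article's own code. Replace MSOL_xxxxxxxxxx with the
# wizard-created account name in your domain; svc-adds is the article's account.
Import-Module ActiveDirectory

# ACEs on the account object itself.
function Get-AccountObjectAces {
    param([Parameter(Mandatory)][string]$Identity)
    $dn  = (Get-ADUser -Identity $Identity).DistinguishedName
    $acl = Get-Acl -Path "AD:\$dn"
    [pscustomobject]@{
        Account             = $Identity
        InheritanceDisabled = $acl.AreAccessRulesProtected
        Aces                = @($acl.Access | ForEach-Object {
            '{0}|{1}|{2}' -f $_.IdentityReference, $_.ActiveDirectoryRights, $_.AccessControlType
        } | Sort-Object -Unique)
    }
}

# ACEs granted TO the account on the domain root. ObjectType / InheritedObjectType
# are the attribute and class GUIDs the entry is scoped to.
function Get-DomainRootAcesFor {
    param([Parameter(Mandatory)][string]$Identity)
    $domain  = Get-ADDomain
    $trustee = '{0}\{1}' -f $domain.NetBIOSName, (Get-ADUser -Identity $Identity).SamAccountName
    @((Get-Acl -Path "AD:\$($domain.DistinguishedName)").Access |
        Where-Object { $_.IdentityReference.Value -eq $trustee } |
        ForEach-Object {
            '{0}|{1}|obj={2}|inh={3}' -f $_.AccessControlType, $_.ActiveDirectoryRights, $_.ObjectType, $_.InheritedObjectType
        } | Sort-Object -Unique)
}

# The account must not be a member, directly or through nesting, of a privileged group.
# Groups that only exist in the forest root domain are skipped when not found.
function Test-NotPrivileged {
    param([Parameter(Mandatory)][string]$Identity)
    $dn   = (Get-ADUser -Identity $Identity).DistinguishedName
    $hits = foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators') {
        try {
            if (Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
                    Where-Object { $_.DistinguishedName -eq $dn }) { $g }
        } catch { Write-Verbose "Group $g not found in this domain" }
    }
    if ($hits) { Write-Warning ('{0} is a member of: {1}' -f $Identity, ($hits -join ', ')) }
    return (-not [bool]$hits)
}

$msol = Get-AccountObjectAces -Identity 'MSOL_xxxxxxxxxx'
$svc  = Get-AccountObjectAces -Identity 'svc-adds'
'Inheritance disabled: MSOL={0} svc-adds={1}' -f $msol.InheritanceDisabled, $svc.InheritanceDisabled

# No output from Compare-Object means both accounts carry identical entries.
'--- account object ACEs (<= only on MSOL, => only on svc-adds)'
Compare-Object -ReferenceObject $msol.Aces -DifferenceObject $svc.Aces
'--- domain root ACEs granted to each account'
Compare-Object -ReferenceObject (Get-DomainRootAcesFor 'MSOL_xxxxxxxxxx') -DifferenceObject (Get-DomainRootAcesFor 'svc-adds')

Test-NotPrivileged -Identity 'svc-adds'
```

Differences in the domain root section are expected when the wizard-created account was set up for fewer features than you ran cmdlets for; each extra line on the svc-adds side is a right you can remove if the feature is not in use.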

You’re ready to select Use existing AD account in Azure AD Connect installation and provide the svc-adds account credentials.

Do you already have Azure AD Connect installed and configured? Look at how to change AD DS Connector account.

Conclusion

You learned how to create an AD DS Connector account and tighten its permissions. It's essential to go through these steps rather than granting the service account broad group membership.

If you already have Azure AD Connect installed with a custom AD DS Connector service account, ensure that the correct permissions are set. This means that the service account is not a member of Enterprise Admins, Domain Admins, or any other highly privileged group.

Did you enjoy this article? You may also like Upgrade Azure AD Connect. Don’t forget to follow us and share this article.

ALI TAJRAN


ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others. Read more »

This Post Has 9 Comments

  1. Hi Ali,
    I have enjoyed reading and following many of your articles!

    Do you have an article on Azure AD Sync Connect issue with permission error 8344 ?
    I am getting this error in my AD Sync Connector and so far, no luck getting rid of it…

    Please let me know if you have seen this before?
    Thank you,
    Dan

  2. When I ran this Set-ADSyncPasswordWritebackPermissions ADConnectorAccountDN “CN=svc_adconnect,CN=Users,DC=xxxxx,DC=local”

    I got

    Set-ADSyncPasswordWritebackPermissions : Parameter set cannot be resolved using the specified named parameters.
    At line:1 char:1
    + Set-ADSyncPasswordWritebackPermissions ADConnectorAccountDN “CN=svc_a …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidArgument: (:) [Set-ADSyncPasswordWritebackPermissions], ParameterBindingException
    + FullyQualifiedErrorId : AmbiguousParameterSet,Set-ADSyncPasswordWritebackPermissions

    I had to run to get it to work

    Set-ADSyncPasswordWritebackPermissions -ADConnectorAccountName svc_adconnect -ADConnectorAccountDomain impactfs.local

  3. What about the user permissions that are set on the root domain? You only compare the account permissions.

    They seem to differ.

  4. I followed your steps on setting up a service account with locked down permissions, but I do get an error on the Export. I see permission denied when it tries to modify msExchBlockedSenderHash. I currently don't have a hybrid server in place and I can't seem to find a way to allow write access through AD permissions for the new service account. Any chance there is a PowerShell command to add the write access to msExchBlockedSenderHash?

  5. Hi Ali,
    Thank you for that!

    A thing i noticed which I’d like to ask for some clarity on.
    When you assign the needed permissions to the custom service account, I noticed you left out the following 2 of the 8:

    Set-ADSyncBasicReadPermissions
    Set-ADSyncRestrictedPermissions

    Would this not cause some needed permissions to be missed out of assignment?

    1. Hi Vitus,

      You don’t need to run these two cmdlets as you will use the AD DS Connector account for Azure AD Connect features.

      Use these two cmdlets if you want to set basic read-only permissions for the AD DS Connector account when not using any Azure AD Connect features.

  6. Hi Ali,
    Great write up and I appreciate & thank you for all the efforts you’ve put in.

    For the ACL report, how did you generate that?
