Account is not a member of Enterprise Admins group when configuring AD Connect


When attempting to run through the configuration of Microsoft Azure AD Connect to set up directory synchronization from an on-premises Active Directory to Office 365/Azure AD, an administrator was encountering an error stating that the account is not a member of the Enterprise Admins group.

Checking the properties of the user account showed it was a member of the Enterprise Admins group.

However, further investigation found that Enterprise Admins had been set as the Primary Group on the user. As noted in https://support.microsoft.com/en-us/kb/275523, a user's primary group is recorded only in the user's primaryGroupID attribute (as the group's RID), not in the group's member attribute or the user's memberOf attribute, so an LDAP query that checks membership through those attributes does not see it. That is why the AD Connect check reported the account as not being a member even though the account's properties showed the group.

Normally the primary group is Domain Users, so the admin account's primary group was changed back to Domain Users. After that the error no longer occurred and AD Connect configured successfully.
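A way to check for this state and apply the fix, as an added PowerShell example that is not part of the original post: it compares what a memberOf-based LDAP lookup sees with what the primaryGroupID attribute says, then resets the primary group to Domain Users. It assumes the RSAT ActiveDirectory module, an account that lives in the forest root domain (where Enterprise Admins exists), and the placeholder account name svc-aadconnect.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory module,
# a domain-joined host with rights to read and modify the account, and that the account
# lives in the forest root domain. 'svc-aadconnect' is a placeholder account name.
Import-Module ActiveDirectory

$samAccountName = 'svc-aadconnect'

$rootDomain = Get-ADDomain -Identity (Get-ADForest).RootDomain
$domainSid  = $rootDomain.DomainSID.Value
$dc         = $rootDomain.PDCEmulator

# Well-known RIDs: Enterprise Admins = 519, Domain Users = 513
$enterpriseAdmins = Get-ADGroup -Identity "$domainSid-519" -Server $dc
$domainUsers      = Get-ADGroup -Identity "$domainSid-513" -Server $dc

$user = Get-ADUser -Identity $samAccountName -Server $dc -Properties memberOf, primaryGroupID

# Check 1: what a memberOf/member-attribute LDAP lookup sees (the check that failed)
$inMemberOf = $user.memberOf -contains $enterpriseAdmins.DistinguishedName

# Check 2: membership that exists only through the primaryGroupID attribute
$isPrimaryGroup = ($user.primaryGroupID -eq 519)

"memberOf lists Enterprise Admins  : $inMemberOf"
"primaryGroupID is Enterprise Admins: $isPrimaryGroup"

if ($isPrimaryGroup -and -not $inMemberOf) {
    # A primary group can only be set to a group the user is already a member of,
    # so make sure the account is in Domain Users before switching back.
    if ($user.memberOf -notcontains $domainUsers.DistinguishedName) {
        Add-ADGroupMember -Identity $domainUsers -Members $user -Server $dc
    }

    # Restore the default primary group (Domain Users, RID 513)
    Set-ADUser -Identity $user -Replace @{ primaryGroupID = 513 } -Server $dc

    # Re-read and confirm Enterprise Admins is now an ordinary (member-attribute)
    # membership, which is what AD Connect's check can see; re-add it if it is not.
    $user = Get-ADUser -Identity $samAccountName -Server $dc -Properties memberOf
    if ($user.memberOf -notcontains $enterpriseAdmins.DistinguishedName) {
        Add-ADGroupMember -Identity $enterpriseAdmins -Members $user -Server $dc
    }
}
```

Run it against the PDC emulator of the forest root domain, as above, so that the group lookups by well-known RID and the primaryGroupID change hit the same writable directory partition; after it completes, the second check reports the account as a member through memberOf, which is the attribute AD Connect's prerequisite check evaluates.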

Testing recently with version 1.1.189.0 of AD Connect (the latest release as of 8/24/2016), I was unable to reproduce the problem. However, I wanted to go ahead and post this should anyone else find themselves in this interesting state.

