Account is not a member of Enterprise Admins group when configuring AD Connect

While configuring Microsoft Azure AD Connect to set up directory synchronization from on-premises Active Directory to Office 365/Azure AD, an error was encountered indicating that the account is not a member of the Enterprise Admins group.

Checking the properties of the user account showed it was a member of the Enterprise Admins group.

However, further investigation found that Enterprise Admins had been set as the Primary Group on the user. As noted in, having a group set as the Primary Group excludes the user from that group's membership when it is checked via LDAP: primary group membership is recorded only in the user's primaryGroupID attribute, not in the group's member attribute or the user's memberOf attribute, so a membership check that reads those attributes does not see it.

Normally the Primary Group is set to Domain Users, so the admin account's Primary Group was set back to Domain Users. After that the error was resolved and AD Connect configured successfully.
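As an added illustration, not code from the original post, the following Python models the two ways of reading membership and the fix described above. The directory objects, domain SID, DNs and user name are constructed sample data; the well-known RIDs 513 (Domain Users) and 519 (Enterprise Admins) are the real values.

```python
RID_DOMAIN_USERS = 513        # well-known RID of Domain Users
RID_ENTERPRISE_ADMINS = 519   # well-known RID of Enterprise Admins
DOMAIN_SID = "S-1-5-21-1111-2222-3333"   # constructed sample domain SID
EA_DN = "CN=Enterprise Admins,CN=Users,DC=corp,DC=example"
DU_DN = "CN=Domain Users,CN=Users,DC=corp,DC=example"
USER_DN = "CN=aadsync,CN=Users,DC=corp,DC=example"

def make_directory():
    """Constructed state from the post: Enterprise Admins is the primary group, so
    the user appears neither in its member list nor in the user's own memberOf."""
    groups = {
        EA_DN: {"objectSid": f"{DOMAIN_SID}-{RID_ENTERPRISE_ADMINS}", "member": []},
        DU_DN: {"objectSid": f"{DOMAIN_SID}-{RID_DOMAIN_USERS}", "member": []},
    }
    user = {"dn": USER_DN, "memberOf": [], "primaryGroupID": RID_ENTERPRISE_ADMINS}
    return groups, user

def rid(sid):
    # Relative identifier: the last dash-separated component of a SID.
    return int(sid.rsplit("-", 1)[1])

def naive_is_member(user, group_dn):
    """What a check that only reads memberOf (or the group's member list) sees."""
    return group_dn in user["memberOf"]

def effective_is_member(groups, user, group_dn):
    """memberOf plus the implicit membership recorded in primaryGroupID."""
    implicit = rid(groups[group_dn]["objectSid"]) == user["primaryGroupID"]
    return implicit or group_dn in user["memberOf"]

def add_member(groups, user, group_dn):
    groups[group_dn]["member"].append(user["dn"])
    user["memberOf"].append(group_dn)

def set_primary_group(groups, user, new_dn):
    """AD's rule: the user must already be an explicit member of the new primary
    group; AD then drops that entry and adds one for the old primary group."""
    if user["dn"] not in groups[new_dn]["member"]:
        raise ValueError(f"user must be a member of {new_dn} before it can be primary")
    old_dn = next(dn for dn, g in groups.items()
                  if rid(g["objectSid"]) == user["primaryGroupID"])
    groups[new_dn]["member"].remove(user["dn"])
    user["memberOf"].remove(new_dn)
    add_member(groups, user, old_dn)
    user["primaryGroupID"] = rid(groups[new_dn]["objectSid"])

def repro_and_fix():
    groups, user = make_directory()
    before = (naive_is_member(user, EA_DN), effective_is_member(groups, user, EA_DN))
    add_member(groups, user, DU_DN)          # step 1: explicit Domain Users membership
    set_primary_group(groups, user, DU_DN)   # step 2: Domain Users is primary again
    after = (naive_is_member(user, EA_DN), effective_is_member(groups, user, EA_DN))
    return before, after                     # ((False, True), (True, True))
```

Before the fix the memberOf-only check reports the account as not an Enterprise Admin even though it effectively is one; after Domain Users is made primary again, Enterprise Admins becomes an explicit entry and both views agree.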

Testing recently with version of AD Connect (the latest release as of 8/24/2016), I was unable to reproduce the problem. However, I wanted to go ahead and post this should anyone else find themselves in this interesting state.

Comments (1)

Matty-B says:

This hung me up today. After setting the primary group back to Domain Users, the install proceeded. I’m using the latest Azure AD release from May 2017. (1.1.524.0)
