Update to Advanced AAD Connect Permissions tool


Since its initial creation, I've made a few updates to the Advanced AAD Connect permissions tool. The most recent updates:

  • 2017-10-11 - delegating write permissions on the CN=AdminSDHolder,CN=System container (so that SDProp stamps the same permission onto protected accounts, which do not inherit it from the domain head)
  • 2017-10-05 - delegating write permissions on the ms-DS-ConsistencyGuid attribute

These two updates should allow for a more complete AAD Connect permissions delegation experience.  The script has been updated in the gallery (https://gallery.technet.microsoft.com/AD-Advanced-Permissions-49723f74).
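As an added example (this is not the AADConnectPermissions.ps1 tool's own code), the following PowerShell grants the two delegations described above with the ActiveDirectory module and then checks whether a given account actually carries the entry. It assumes RSAT, a Domain Admin session, and a placeholder sync account name `MSOL_example`; the schemaIDGUIDs are read from the schema rather than hard-coded.

```powershell
# Added example, not the original AADConnectPermissions.ps1 tool: delegate
# WriteProperty on ms-DS-ConsistencyGuid to an AAD Connect AD DS connector
# account on the domain head (inherited to all user objects) and on
# CN=AdminSDHolder,CN=System (copied onto protected accounts by SDProp), then
# check an account after SDProp has run.
# Assumes the RSAT ActiveDirectory module, a Domain Admin session, and the
# placeholder account name 'MSOL_example' (replace with your own sync account).
Import-Module ActiveDirectory

$SyncAccount = 'MSOL_example'   # assumed placeholder

$rootDse         = Get-ADRootDSE
$domainDn        = $rootDse.defaultNamingContext
$schemaDn        = $rootDse.schemaNamingContext
$adminSdHolderDn = "CN=AdminSDHolder,CN=System,$domainDn"

# Look schemaIDGUIDs up in the schema instead of hard-coding them.
function Get-SchemaGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $obj = Get-ADObject -SearchBase $schemaDn -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    [guid]$obj.schemaIDGUID
}
$attrGuid = Get-SchemaGuid 'ms-DS-ConsistencyGuid'
$userGuid = Get-SchemaGuid 'user'
$sid      = (Get-ADUser -Identity $SyncAccount).SID

# Domain head: inherit-only ACE scoped to descendant user objects.
$domainAce = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $attrGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userGuid)

# AdminSDHolder: SDProp copies its DACL onto protected objects and disables
# inheritance there, so the ACE must apply to the object itself (no
# inheritance); an inherit-only entry would never become effective.
$holderAce = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $attrGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

function Add-AceToObject {
    param([Parameter(Mandatory)][string]$DistinguishedName,
          [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryAccessRule]$Ace)
    $path = "AD:\$DistinguishedName"
    $acl  = Get-Acl -Path $path
    $acl.AddAccessRule($Ace)
    Set-Acl -Path $path -AclObject $acl
}

Add-AceToObject -DistinguishedName $domainDn        -Ace $domainAce
Add-AceToObject -DistinguishedName $adminSdHolderDn -Ace $holderAce

# Optional: ask the PDC emulator to run SDProp now rather than waiting for the
# default 60-minute cycle (Windows Server 2008 R2 and later).
$pdc        = (Get-ADDomain).PDCEmulator
$pdcRootDse = [ADSI]"LDAP://$pdc/RootDSE"
$pdcRootDse.Put('runProtectAdminGroupsTask', '1')
$pdcRootDse.SetInfo()

# Reports whether the account has an Allow WriteProperty ACE on
# ms-DS-ConsistencyGuid for the sync account, and whether it is inherited
# (ordinary users) or explicit (protected accounts, adminCount=1, where the
# entry only appears once SDProp has stamped the AdminSDHolder DACL on them).
function Test-ConsistencyGuidWrite {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName -Properties adminCount
    $acl  = Get-Acl -Path "AD:\$($user.DistinguishedName)"
    $hits = @($acl.Access | Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid -and
        $_.ObjectType -eq $attrGuid -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -ne 0)
    })
    $source = if ($hits.Count -eq 0) { 'None' }
              elseif ($hits | Where-Object { -not $_.IsInherited }) { 'Explicit' }
              else { 'Inherited' }
    [pscustomobject]@{
        SamAccountName = $SamAccountName
        Protected      = ($user.adminCount -eq 1)
        HasWrite       = ($hits.Count -gt 0)
        Source         = $source
    }
}

Test-ConsistencyGuidWrite -SamAccountName 'Administrator'
```

For a protected account the expected result is `Source = Explicit`; if it still reads `None` right after the grant, SDProp has simply not run yet, which is the behaviour discussed in the comments below.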

Please be sure to leave any questions or feedback.

Thanks!

Comments (3)

  1. Naytaris says:

    You don't stop, do you! Thanks 🙂

  2. Alexander Kanakaris says:

    Hello and thanks for this very nice script.

    I am trying to only delegate writes to ms-ds-consistencyguid.

    .\AADConnectPermissions.ps1 -msDsConsistencyGuid -User ADFSSvc

    This works flawlessly for our users, BUT the AdminSDHolder ones weren't modified.

    I then issued:

    .\AADConnectPermissions.ps1 -msDsConsistencyGuid -User ADFSSvc -UpdateAdminSDHolder
    [2018-03-06 14:09:10] [SUCCESS] :: Elevated PowerShell session detected. Continuing.
    [2018-03-06 14:09:13] [SUCCESS] :: Completed permissions update for msDS-ConsistencyGuid.
    [2018-03-06 14:09:13] [INFO] :: Finished. View 2018-09-06_AADConnectPermissions.txt for more details.

    In theory, my AdminSD protected users would also have an entry in their ACLs for ADFSSvc account (like the rest of the user objects have), but this didn’t happen.

    Any ideas?

    1. So, all that parameter in the script attempts to do is modify the ACL for adminSDHolder. Try checking their permissions again after SDProp has run.
