Update to Advanced AAD Connect Permissions tool

Since its initial creation, I've made a few updates to the Advanced AAD Connect permissions tool.  The most recent updates:

  • 2017-10-11 - delegating write permissions to the CN=adminSDHolder,CN=System container
  • 2017-10-05 - delegating write permissions to the ms-DS-ConsistencyGuid property

These two updates should allow for a more complete AAD Connect permissions delegation experience.  The script has been updated in the gallery (https://gallery.technet.microsoft.com/AD-Advanced-Permissions-49723f74).

Please be sure to leave any questions or feedback.

Thanks!

Comments

  • Anonymous
    October 13, 2017
    You don't stop, do you! Thanks :)
  • Anonymous
    March 06, 2018
    Hello and thanks for this very nice script. I am trying to only delegate writes to ms-ds-consistencyguid.

        .\AADConnectPermissions.ps1 -msDsConsistencyGuid -User ADFSSvc

    This works flawlessly for our users BUT the AdminSDHolder ones that weren't modified. I then issued:

        .\AADConnectPermissions.ps1 -msDsConsistencyGuid -User ADFSSvc -UpdateAdminSDHolder
        [2018-03-06 14:09:10] [SUCCESS] :: Elevated PowerShell session detected. Continuing.
        [2018-03-06 14:09:13] [SUCCESS] :: Completed permissions update for msDS-ConsistencyGuid.
        [2018-03-06 14:09:13] [INFO] :: Finished. View 2018-09-06_AADConnectPermissions.txt for more details.

    In theory, my AdminSD protected users would also have an entry in their ACLs for ADFSSvc account (like the rest of the user objects have), but this didn't happen. Any ideas?
    • Anonymous
      March 06, 2018
      So, all that parameter in the script attempts to do is modify the ACL for adminSDHolder. Try checking their permissions again after SDProp has run.
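
The check suggested in the reply above can be scripted. The following is an added example, not part of the original post, its comments, or the AADConnectPermissions.ps1 script. It assumes the ActiveDirectory PowerShell module, a domain-joined session, and the account name ADFSSvc from the comment; the function name Test-ConsistencyGuidWrite is made up for this example.

```powershell
# Added example: verify the ms-DS-ConsistencyGuid write ACE on adminSDHolder
# and on protected accounts. Read-only; it changes nothing in the directory.
Import-Module ActiveDirectory

$Account = 'ADFSSvc'   # account name from the comment; replace with your own

# Resolve the attribute's schemaIDGUID from the schema rather than hard-coding it.
$root     = Get-ADRootDSE
$attr     = Get-ADObject -SearchBase $root.schemaNamingContext `
                -LDAPFilter '(lDAPDisplayName=mS-DS-ConsistencyGuid)' `
                -Properties schemaIDGUID
$attrGuid = [guid]$attr.schemaIDGUID

function Test-ConsistencyGuidWrite {
    # Returns $true if the object's DACL holds an Allow/WriteProperty ACE for
    # $Account scoped to ms-DS-ConsistencyGuid. Broader grants (all properties,
    # GenericAll) are deliberately not counted; this looks for the specific ACE.
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)
    [bool]($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -like "*\$Account" -and
        ($_.ActiveDirectoryRights -band
            [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and
        $_.ObjectType -eq $attrGuid
    })
}

# 1. The template object that -UpdateAdminSDHolder modifies.
$sdHolder = "CN=AdminSDHolder,CN=System,$($root.defaultNamingContext)"
[pscustomobject]@{
    Object = $sdHolder
    HasAce = Test-ConsistencyGuidWrite -DistinguishedName $sdHolder
}

# 2. Accounts flagged adminCount=1. SDProp copies the adminSDHolder ACL to the
#    currently protected ones, so they show the ACE only after it has run.
#    adminCount can remain set on accounts that are no longer protected.
Get-ADUser -LDAPFilter '(adminCount=1)' | ForEach-Object {
    [pscustomobject]@{
        Object = $_.DistinguishedName
        HasAce = Test-ConsistencyGuidWrite -DistinguishedName $_.DistinguishedName
    }
}
```

If adminSDHolder reports True while protected users still report False, SDProp has not yet run since the change; by default it runs every 60 minutes on the PDC emulator.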