Update to Advanced AAD Connect Permissions tool
Since its initial creation, I've made a few updates to the Advanced AAD Connect permissions tool. The most recent updates:
- 2017-10-11 - delegating write permissions to the CN=adminSDHolder,CN=System container
- 2017-10-05 - delegating write permissions to the ms-DS-ConsistencyGuid property
These two updates should allow for a more complete AAD Connect permissions delegation experience. The script has been updated in the gallery (https://gallery.technet.microsoft.com/AD-Advanced-Permissions-49723f74).
Please be sure to leave any questions or feedback.
Thanks!
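As an added illustration of the two delegations the update list describes (this is example code written for this page, not the gallery script), the following PowerShell grants one account write access to ms-DS-ConsistencyGuid on user objects under the domain root and places the matching ACE on CN=AdminSDHolder,CN=System so that SDProp copies it onto protected accounts. It assumes the ActiveDirectory module, an elevated session with rights to change these DACLs, and a placeholder account name in $ServiceAccount that you replace with the real AAD Connect account.

```powershell
# Added example, not the script from the post. $ServiceAccount is a constructed
# placeholder sAMAccountName; replace it before running. Requires the
# ActiveDirectory module (RSAT or a domain controller) and a Domain Admin session.
Import-Module ActiveDirectory

$ServiceAccount = 'MSOL_placeholder'

$rootDse  = Get-ADRootDSE
$domainDn = $rootDse.defaultNamingContext
$schemaDn = $rootDse.schemaNamingContext

# Resolve schemaIDGUIDs from the schema instead of hard-coding them.
function Get-SchemaGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $obj = Get-ADObject -SearchBase $schemaDn -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    return [guid]$obj.schemaIDGUID
}

$attrGuid      = Get-SchemaGuid 'ms-DS-ConsistencyGuid'   # the single attribute being delegated
$userClassGuid = Get-SchemaGuid 'user'                     # limit inheritance to user objects

$sid = (Get-ADUser -Identity $ServiceAccount).SID

# Read plus write on this one attribute only; nothing else on the object.
$rights = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
          [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

# ACE for the domain root: inherited by descendant user objects only.
$inheritedAce = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $rights, [System.Security.AccessControl.AccessControlType]::Allow,
    $attrGuid, [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents, $userClassGuid)

# ACE for AdminSDHolder: applies to that object itself. Protected accounts
# (adminCount=1) do not inherit from the domain root; SDProp stamps the
# AdminSDHolder DACL onto them, which is how they receive the same delegation.
$templateAce = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $rights, [System.Security.AccessControl.AccessControlType]::Allow, $attrGuid)

function Add-AceToObject {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryAccessRule]$Ace
    )
    $path = "AD:\$DistinguishedName"          # AD: drive is provided by the ActiveDirectory module
    $acl  = Get-Acl -Path $path
    $acl.AddAccessRule($Ace)
    Set-Acl -Path $path -AclObject $acl
    Write-Host "Updated DACL on $DistinguishedName"
}

Add-AceToObject -DistinguishedName $domainDn -Ace $inheritedAce
Add-AceToObject -DistinguishedName "CN=AdminSDHolder,CN=System,$domainDn" -Ace $templateAce
```

Looking the attribute and class GUIDs up from the schema keeps the ACE scoped to exactly one property on exactly one object class, which is the least-privilege shape you want to see when reviewing what an AAD Connect account can write.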
Comments
- Anonymous
October 13, 2017
You don't stop do you! Thanks :)
- Anonymous
March 06, 2018
Hello and thanks for this very nice script. I am trying to only delegate writes to ms-ds-consistencyguid.

.\AADConnectPermissions.ps1 -msDsConsistencyGuid -User ADFSSvc

This works flawlessly for our users BUT the AdminSDHolder ones that weren't modified. I then issued:

.\AADConnectPermissions.ps1 -msDsConsistencyGuid -User ADFSSvc -UpdateAdminSDHolder

[2018-03-06 14:09:10] [SUCCESS] :: Elevated PowerShell session detected. Continuing.
[2018-03-06 14:09:13] [SUCCESS] :: Completed permissions update for msDS-ConsistencyGuid.
[2018-03-06 14:09:13] [INFO] :: Finished. View 2018-09-06_AADConnectPermissions.txt for more details.

In theory, my AdminSD protected users would also have an entry in their ACLs for ADFSSvc account (like the rest of the user objects have), but this didn't happen. Any ideas?
- Anonymous
March 06, 2018
So, all that parameter in the script attempts to do is modify the ACL for adminSDHolder. Try checking their permissions again after SDProp has run.
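To make the "check again after SDProp has run" advice concrete, here is an added PowerShell check (example code for this page, not the gallery script) that reports, for each protected account, whether the ms-DS-ConsistencyGuid write ACE present on AdminSDHolder has been propagated yet. It assumes the ActiveDirectory module and takes the ADFSSvc name from the comment above as a sAMAccountName.

```powershell
# Added example, not the script from the post. Reports whether the delegation on
# AdminSDHolder has already been copied by SDProp to each adminCount=1 user.
# Assumes the ActiveDirectory module; 'ADFSSvc' is the account named in the
# comment and is assumed to be its sAMAccountName.
Import-Module ActiveDirectory

$ServiceAccount = 'ADFSSvc'
$rootDse  = Get-ADRootDSE
$domainDn = $rootDse.defaultNamingContext
$schemaDn = $rootDse.schemaNamingContext

$attrObj  = Get-ADObject -SearchBase $schemaDn -LDAPFilter '(lDAPDisplayName=ms-DS-ConsistencyGuid)' -Properties schemaIDGUID
$attrGuid = [guid]$attrObj.schemaIDGUID
$sid      = (Get-ADUser -Identity $ServiceAccount).SID.Value

# True if the object carries an explicit (non-inherited) Allow ACE for the SID
# that grants WriteProperty scoped to the given attribute GUID.
function Test-WriteAce {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][string]$IdentitySid,
        [Parameter(Mandatory)][guid]$ObjectType
    )
    $acl   = Get-Acl -Path "AD:\$DistinguishedName"
    # explicit ACEs only, identities returned as SIDs so the comparison is exact
    $rules = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    $hits  = @($rules | Where-Object {
        $_.IdentityReference.Value -eq $IdentitySid -and
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType -eq $ObjectType -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty)
    })
    return ($hits.Count -gt 0)
}

$adminSdHolderDn = "CN=AdminSDHolder,CN=System,$domainDn"
$templateHasAce  = Test-WriteAce -DistinguishedName $adminSdHolderDn -IdentitySid $sid -ObjectType $attrGuid
Write-Host "AdminSDHolder carries the ACE: $templateHasAce"

# Protected accounts are stamped adminCount=1; SDProp overwrites their DACLs
# from AdminSDHolder on its next run (every 60 minutes by default, on the PDC emulator).
Get-ADUser -LDAPFilter '(adminCount=1)' | ForEach-Object {
    $has = Test-WriteAce -DistinguishedName $_.DistinguishedName -IdentitySid $sid -ObjectType $attrGuid
    [pscustomobject]@{
        User           = $_.SamAccountName
        HasAce         = $has
        AwaitingSDProp = ($templateHasAce -and -not $has)
    }
} | Format-Table -AutoSize
```

A row with AwaitingSDProp set to True is the situation the commenter describes: the template has been updated, but the protected object's DACL has not yet been rewritten. If AdminSDHolder itself reports False, the problem is with the delegation step rather than with propagation.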
- Anonymous