GALSync Troubleshooting: Permission-Issue - Insufficient access rights to perform the operation
PROBLEM STATEMENT / EXPLANATION OF ERROR MESSAGE
A very common issue that we see on initial GalSync setups is when exporting objects we receive some export errors with the text “permission-issue”.
If you review the properties of the “permission issue” text, you will see the following text “Insufficient access rights to perform the operation”.
The error message is an error message that is bubbled up from Active Directory to the Synchronization Service Engine indicating the GalSync User account does not have permission to write to this object.
*NOTE* Permission issues could be at the Object Level, the Organizational Unit Level or higher in the directory structure.
For GalSync related issues, I would recommend reviewing the Permissions for the GalSync User wiki on Microsoft TechNet.
UNDERSTANDING GALSYNC PERMISSION ISSUES
Understanding where the permission problem is occurring, review the distinguishedName information at the top of the Object Properties window, and the object type.
If the object throwing the permission issue is a User object then GalSync is writing an X500 address back to the user object in the proxyAddresses attribute for reply-ability purposes.
We find that in most cases, permission to the Organizational Unit holding the Source User Objects has not been granted to the GalSync User Account. The main reason for this is that companies do not want to write back to the Source User Object.
The GalSync User Account needs permission to be able to write the information back to the user object. If you are concerned about what is being updated on the user object during an export there is an easy way to check and confirm this information.
- In the Synchronization Service Manager Console, select Management Agents
- Select the Management Agent in question (The one that is throwing the Permission-Issue error message.)
- From the Actions menu, select Properties
- Select Configure Attribute Flow
- Expand User to Person
The first item should be proxyAddresses <- LegacyExchangeDN. This is an Export Attribute Flow item. By default, this is the only Export Attribute Flow for information going from the Person object in the Metaverse to the proxyAddresses attribute on the User Object in Active Directory.
RESOLUTION
You can resolve this issue by providing the GalSync User Account with permission to write back to the source user object.
If this is a mail-enabled contact object, then you need to ensure that the GalSync User Account has permission to read and write to the mail-enabled contact object.
The best thing to do is to refer to the GalSync User Permissions Wiki on Microsoft TechNet.