FOCUSED PRODUCT
- Azure AD Connect 1.1.443.0
Hello. The purpose of this blog is to discuss the Security Groups that are created when you install Azure AD Connect. If you have been using versions of the Synchronization Service engine for a while, you may already be familiar with these Security Groups.
These four (4) Security Groups are created by default when you run the Azure AD Connect installation. If you use the Express Settings, they are created locally on the Azure AD Connect server. You will find them in Local Users and Groups.
Group Name | Description |
ADSyncAdmins | |
ADSyncBrowse | |
ADSyncOperators | |
ADSyncPasswordSet | |
It is possible to make these Domain groups. To do so, run a custom install and select “Specify Custom Sync Groups”. The Security Groups must be created in the directory prior to executing the installation. In the “Specify Custom Sync Groups” section, specify the groups by Domain\Group Name.
If the Security Groups are not created ahead of time, the installation wizard returns an error.
ERROR MESSAGE |
Unable to install the Synchronization Service. Please see the event log for details. |
Review the Application Event Log and note the specific group that the install wizard was not able to locate. In this test scenario, it was Domain\ADSyncOperators.
APPLICATION EVENT LOG |
Log Name: Application
Source: AzureActiveDirectorySyncEngine
Date: 3/21/2017 1:48:09 PM
Event ID: 906
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Description: Group ‘DOMAIN\ADSyncOperators’ was not found. |
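The pre-flight check below is an added example, not part of the original post or of Azure AD Connect itself. It confirms that the four groups exist in the directory as security groups before you reach “Specify Custom Sync Groups”, and after a failed install it pulls Event ID 906 to show which group was not found. It assumes the RSAT ActiveDirectory module is available, that the domain groups reuse the four default names, and that CONTOSO is a placeholder for your domain's NetBIOS name.

```powershell
# Added example: pre-flight check for "Specify Custom Sync Groups".
# Assumptions: ActiveDirectory module installed; domain groups reuse the four
# default names; 'CONTOSO' is a placeholder NetBIOS domain name.
Import-Module ActiveDirectory

$Domain     = 'CONTOSO'   # placeholder, replace with your domain
$SyncGroups = 'ADSyncAdmins', 'ADSyncBrowse', 'ADSyncOperators', 'ADSyncPasswordSet'

$results = foreach ($name in $SyncGroups) {
    # -Filter returns nothing (instead of throwing) when the group is absent
    $group = Get-ADGroup -Filter "SamAccountName -eq '$name'"
    [pscustomobject]@{
        WizardValue = "$Domain\$name"          # value to enter in the wizard
        Exists      = [bool]$group
        IsSecurity  = $group.GroupCategory -eq 'Security'
        Scope       = $group.GroupScope
    }
}
$results | Format-Table -AutoSize

# Anything missing, or present as a distribution group, needs fixing first.
$notReady = $results | Where-Object { -not $_.Exists -or -not $_.IsSecurity }
if ($notReady) {
    Write-Warning ("Create these security groups before running the installer: " +
        ($notReady.WizardValue -join ', '))
}

# After a failed install: list the "Group ... was not found" errors (Event ID 906).
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'AzureActiveDirectorySyncEngine'
    Id           = 906
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```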
ADDITIONAL RESOURCES
- Forefront Identity Manager 2010 R2: Using Security Groups: https://technet.microsoft.com/en-us/library/jj590183(v=ws.10).aspx
- Azure AD Connect Sync: Accounts and Permissions: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-accounts-permissions