Create AD DS Connector account

Ronda Mcanne December 14, 2021 8 min read

Microsoft Azure allows you to create an AD DS Connector account, which is a resource for connecting your on-premises Active Directory server with Microsoft’s cloud services. This article explains what the connector does and why it might be useful to use one in your environment.

The AD DS Connector account is the account that lets Azure AD Connect connect your on-premises AD DS environment with Azure AD. You can then use Azure AD Connect to manage your on-premises and cloud environments with one tool.

Microsoft Azure Active Directory Connect is an excellent solution for synchronizing on-premises objects with the cloud. But what if you want to install Azure AD Connect with a different service account than the one it generates during installation, or change the service account in an existing Azure AD Connect installation? This post shows how to set up and secure the AD DS Connector service account.

Accounts for Azure AD Connect

To synchronize data between Active Directory (on-premises) and Azure Active Directory (cloud), Azure AD Connect needs the following three accounts:

  1. AD DS Connector account: Read/write information to Windows Server Active Directory.
  2. ADSync service account: Run the synchronization service and access the SQL database.
  3. Azure AD Connector account: Write data to Azure Active Directory.

The AD DS Connector account is the one we’ll look at.

Account for Azure AD DS Connector

There are two account options to choose from when setting up Azure AD Connect:

  • Create a new AD account: Azure AD Connect creates an AD DS Connector account in AD called MSOL_xxxxxxxxxx
  • Use an existing AD account: Assign the needed permissions to an existing account (this article)


What if you want to use the second option, an existing Active Directory account? How does that work?

Administrators often create an AD DS Connector service account in AD and supply it to Azure AD Connect as an existing AD account. However, after Azure AD Connect is installed, they run into sync permission errors, and sync does not work.

You should not add the AD DS Connector service account to the following groups:

  • Enterprise Admins
  • Domain Admins

Permission errors are common when Azure AD Connect syncs with Azure AD. They indicate that the service account does not have the necessary rights. Adding the service account to a high-privilege group to make sync work is not a fix. It is asking for problems and puts your environment at risk!

So, how do you grant the fewest rights while still making sure the AD DS Connector service account is configured correctly? The solution is to use the PowerShell script provided by Microsoft.

Configure and tighten AD DS Connector account permissions

Follow the steps below to configure and tighten the permissions of the AD DS Connector service account.

Create a service account for AD DS Connector.

Create a service account in Active Directory Users and Computers. That account will be used as the AD DS Connector account.

In this example, we’ll create the svc-adds service account.

Let’s look at the svc-adds account’s Access Control List (ACL).

[Screenshot: ACL of the svc-adds account]

Install Remote Server Administration Tools

Remote Server Administration Tools must be installed before you can configure and tighten the Azure AD Connect service account in the following steps.

On the Azure AD Connect server, start PowerShell as an administrator and run the cmdlet below.

PS C:\> Install-WindowsFeature RSAT-AD-Tools

Success Restart Needed Exit Code      Feature Result
------- -------------- ---------      --------------
True    No             Success        {Remote Server Administration Tools, Activ...

Load the AdSyncConfig.psm1 PowerShell module.

The PowerShell script AdSyncConfig.psm1 configures and tightens permissions for the AD DS Connector account specified as a parameter.

If you already have Azure AD Connect installed, the AdSyncConfig.psm1 file is located in the Azure AD Connect directory. If you don’t have it installed yet, start the Azure AD Connect installer. It will place the files on disk rather than install Azure AD Connect.

Run Windows PowerShell as an administrator, then run Import-Module with the path to the module.

PS C:\> Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1"

Run Get-Command for the AdSyncConfig module and verify that all of its cmdlets are listed.

PS C:\> Get-Command -Module AdSyncConfig

CommandType     Name                                               ModuleName
-----------     ----                                               ----------
Function        Get-ADSyncADConnectorAccount                       AdSyncConfig
Function        Get-ADSyncObjectsWithInheritanceDisabled           AdSyncConfig
Function        Set-ADSyncBasicReadPermissions                     AdSyncConfig
Function        Set-ADSyncExchangeHybridPermissions                AdSyncConfig
Function        Set-ADSyncExchangeMailPublicFolderPermissions      AdSyncConfig
Function        Set-ADSyncMsDsConsistencyGuidPermissions           AdSyncConfig
Function        Set-ADSyncPasswordHashSyncPermissions              AdSyncConfig
Function        Set-ADSyncPasswordWritebackPermissions             AdSyncConfig
Function        Set-ADSyncRestrictedPermissions                    AdSyncConfig
Function        Set-ADSyncUnifiedGroupWritebackPermissions         AdSyncConfig
Function        Show-ADSyncADObjectPermissions                     AdSyncConfig

Find the distinguishedName of the AD DS Connector service account.

Right-click the AD DS Connector service account and choose Properties from the context menu. Go to the Attribute Editor tab. In the attributes list, look for the distinguishedName attribute. Double-click it to open the string and copy the value. You will need it in the next sections.

MS-DS-Consistency-Guid Permissions

Configure the permissions for MS-DS-Consistency-Guid.

PS C:\> Set-ADSyncMsDsConsistencyGuidPermissions -ADConnectorAccountDN "CN=svc-adds,OU=Service Accounts,OU=Company,DC=exoip,DC=local"

Password Hash Synchronization Permissions

Configure the permissions for password hash synchronization.

PS C:\> Set-ADSyncPasswordHashSyncPermissions -ADConnectorAccountDN "CN=svc-adds,OU=Service Accounts,OU=Company,DC=exoip,DC=local"

Password Writeback Permissions

Configure the permissions for password writeback.

PS C:\> Set-ADSyncPasswordWritebackPermissions -ADConnectorAccountDN "CN=svc-adds,OU=Service Accounts,OU=Company,DC=exoip,DC=local"

Group Writeback Permissions

Configure the permissions for Group Writeback.

PS C:\> Set-ADSyncUnifiedGroupWritebackPermissions -ADConnectorAccountDN "CN=svc-adds,OU=Service Accounts,OU=Company,DC=exoip,DC=local"

Exchange Hybrid Deployment Permissions

Configure the permissions for Exchange Hybrid Deployment.

PS C:\> Set-ADSyncExchangeHybridPermissions -ADConnectorAccountDN "CN=svc-adds,OU=Service Accounts,OU=Company,DC=exoip,DC=local"

Exchange Mail Public Folder Permissions

Configure the permissions for Exchange Mail Public Folders.

PS C:\> Set-ADSyncExchangeMailPublicFolderPermissions -ADConnectorAccountDN "CN=svc-adds,OU=Service Accounts,OU=Company,DC=exoip,DC=local"

Restrict Permissions on the AD DS Connector Account

Restrict the permissions on the AD DS Connector account.

PS C:\> $credential = Get-Credential
PS C:\> Set-ADSyncRestrictedPermissions -ADConnectorAccountDN "CN=svc-adds,OU=Service Accounts,OU=Company,DC=exoip,DC=local" -Credential $credential

Now that the svc-adds account permissions have been set and tightened, let’s move on to the next step.
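The steps above, consolidated into one script with a pre-flight check that the account is not in a high-privilege group. This is an added example, not part of the original article or of Microsoft's module; it assumes a single-domain forest (as in the exoip.local example), the ActiveDirectory module from RSAT, and that the list of privileged SIDs and of features to delegate is adjusted to your environment.

```powershell
# Added example. Run in an elevated session on the Azure AD Connect server.
Import-Module ActiveDirectory   # provided by RSAT-AD-Tools, installed earlier
Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1'

$samAccountName = 'svc-adds'    # service account created in this article

# Assumption: trim this list to the sync features you actually use, so the
# account is not delegated rights it never needs.
$permissionCmdlets = @(
    'Set-ADSyncMsDsConsistencyGuidPermissions'
    'Set-ADSyncPasswordHashSyncPermissions'
    'Set-ADSyncPasswordWritebackPermissions'
    'Set-ADSyncUnifiedGroupWritebackPermissions'
    'Set-ADSyncExchangeHybridPermissions'
    'Set-ADSyncExchangeMailPublicFolderPermissions'
)

# Resolve the distinguishedName instead of copying it from the Attribute Editor.
$account = Get-ADUser -Identity $samAccountName -Properties primaryGroupID
$dn = $account.DistinguishedName

# Pre-flight: find every group the account belongs to, directly or through
# nesting. 1.2.840.113556.1.4.1941 is the LDAP_MATCHING_RULE_IN_CHAIN OID.
# Assumption: the DN has no characters that need LDAP filter escaping, and all
# relevant groups live in the current domain.
$groups = @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)")

# Match on well-known SIDs so renamed or localized groups are still caught:
# -512 Domain Admins, -518 Schema Admins, -519 Enterprise Admins,
# S-1-5-32-544 built-in Administrators.
$privileged = @($groups | Where-Object {
    $_.SID.Value -match '-(512|518|519)$' -or $_.SID.Value -eq 'S-1-5-32-544'
})
# The primary group is not stored in the group's member attribute; check it too.
$primaryIsPrivileged = $account.primaryGroupID -in 512, 518, 519

if ($privileged.Count -gt 0 -or $primaryIsPrivileged) {
    $names = $privileged.Name -join ', '
    throw "$samAccountName is in a high-privilege group ($names). Remove it before delegating."
}

# Delegate only the selected feature permissions to the connector account.
foreach ($cmdlet in $permissionCmdlets) {
    & $cmdlet -ADConnectorAccountDN $dn
}

# Tighten the ACL on the connector account object itself. The credential is
# for an administrator allowed to change that ACL, not for svc-adds.
$credential = Get-Credential
Set-ADSyncRestrictedPermissions -ADConnectorAccountDN $dn -Credential $credential

# Review the resulting ACL on the account object.
Show-ADSyncADObjectPermissions -ADobjectDN $dn
```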

AD DS Connector account comparison

Let’s look at the permissions of the AD DS Connector account:

The MSOL_xxxxxxxxxx account looks like this:

[Screenshot: permissions of the MSOL_xxxxxxxxxx account]

The custom svc-adds account looks like this:

[Screenshot: permissions of the svc-adds account]

Both accounts have the same, correct permissions for the AD DS Connector account.

You can now choose your option. In the Azure AD Connect installation, select Use an existing AD account and supply the svc-adds account credentials.

Next time, we’ll look at how to change the AD DS Connector account.

Conclusion

You learned how to create an AD DS Connector account. Follow these steps to tighten the AD DS Connector service account. If you already have Azure AD Connect installed with a custom AD DS Connector service account, make sure the necessary permissions are set. That means the service account is not a member of Enterprise Admins, Domain Admins, or other high-privilege groups.


The “azure ad connect sync account” is a tool that can be used to create an Azure AD Connect account.


Frequently Asked Questions

How do I create a DS connector account?

A: In order to create a DS Connect account, you must first set up your device. Then, go into your settings and navigate to Developer Options. Once there, tap the box that says USB Debugging and select Yes on the next screen (if this option is not already selected). If you have any problems setting it up, please reach out to us via Support@dsconnectapp.com

What is AD DS connector account?

A: AD DS Connector is a special account that can access resources on the Windows Azure cloud. It’s often used for staging environments and other solutions where it might be difficult to have an on-site server administrator but there still needs to be some type of centralized management of the environment. The connector has limited permissions, so while it could theoretically get into any resource in your subscription, most resources are locked down from it with additional passwords or tokens that are only available within certain roles.

What account is Azure AD connect using?

A: The Azure AD Connect account is using the user’s Microsoft email address.
