Create AD DS Connector account

Microsoft Azure allows you to create an AD DS Connector account, which is a resource for connecting your on-premises Active Directory server with Microsoft’s cloud services. This article explains what the connector does and why it might be useful to use one in your environment.

The “ad ds connector account permissions” is a feature that allows you to create an Azure Active Directory (AD) Connector account. This account lets you connect your on-premises AD DS environment with Azure AD. You can then use the Azure Active Directory Connector tool to manage your on-premises and cloud environments using one tool.

Microsoft Azure Active Directory Connect is an excellent solution for synchronizing on-premises items with the cloud. What if you wish to install Azure AD Connect and use a different service account than the one that was generated when you installed it, or if you want to alter the service account in Azure AD Connect? We’ll teach you how to setup and secure the AD DS Connector service account in this post.

Accounts for Azure AD Connect

To synchronize data between Active Directory (on-premises) and Azure Active Directory (cloud), Azure AD Connect needs the following three accounts:

  1. Read/write information to Windows Server Active Directory using the AD DS Connector account.
  2. Account for the ADSync Service: Access the SQL database and run the synchronization service.
  3. Account for Azure AD Connector: Write data to Azure Active Directory

The AD DS Connector account is the one we’ll look at.

Account for Azure AD DS Connector

There are two account choices to choose from when setting up Azure AD Connect:

  • Create a new AD account: Azure AD Connect will create an AD DS Connector account in AD called MSOL xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  • Make use of an existing AD account: Assign the needed permissions to an existing account (this article)

1637376432_814_Create-AD-DS-Connector-account

What if you wish to utilize the second option, which is to use an existing Active Directory account? How is it going to work?

Administrators often establish an AD DS Connector service account in AD and utilize it in Azure AD Connect as an existing AD account. However, after Azure AD Connect is installed, there are difficulties with sync permissions, and sync will not operate.

You should not add the AD DS Connector service account to the following groups:

  • Admins in the corporate world
  • Domain Administrators

1637376436_348_Create-AD-DS-Connector-account

When Azure AD Connect syncs with Azure AD, authorization concerns are common. It indicates that the Azure AD account does not have the necessary rights. It is not a fix to add the service account to the high privileges account and make it sync. It’s begging for problems and putting your environment in jeopardy!

So, how do you grant the fewest rights while still making sure the AD DS Connector service account is configured correctly? The solution is to utilize the PowerShell script provided by Microsoft.

Permissions for AD DS Connector Accounts and how to setup them

Follow the procedures below to adjust permissions and tighten the AD DS Connector service account.

Create a service account for AD DS Connector.

Create a service account in Active Directory Users and Computers. That account will be used as the AD DS Connector account.

In this example, we’ll create the svc-adds service account.

1637376439_916_Create-AD-DS-Connector-account

Let’s look at the svc-adds account’s Access Control Lists (ACL).

1637376441_233_Create-AD-DS-Connector-account

Setup Remote Server Administration Software

Remote Server Administration Tools must be installed before you can setup and tighten the Azure AD Connect service account in the following stages.

On the Azure AD Connect Server, start PowerShell as an administrator and perform the cmdlet below.

Install-WindowsFeature PS C:> RSAT-AD-Tools Restart Required Exit Code Feature Result RSAT-AD-Tools Restart Required Exit Code Feature Result RSAT-AD-Tools Restart Required Exit Code ——————————————————————————————————————————————————————————————— True No Success Activate Remote Server Administration Tools

Load the AdSyncConfig.psm1 PowerShell module.

The PowerShell script AdSyncConfig.psm1 configures and tightens permissions for the AD DS Connector account specified as a parameter.

The AdSyncConfig.psm1 file is located in the Azure AD Connect directory if you already have Azure AD Connect installed. You may use the Azure AD Connect installer if you don’t already have it. It will load the files rather than install Azure AD Connect.

1637376443_996_Create-AD-DS-Connector-account

As an administrator, run Windows PowerShell. Import-Module should be run with the path to the module specified.

PS C:> Import-Module “C:Program FilesMicrosoft Azure Active Directory ConnectAdSyncConfigAdSyncConfig.psm1” PS C:> Import-Module “C:Program FilesMicrosoft Azure Active Directory ConnectAdSyncConfigAdSyncConfig.psm1”

Run Get-Command using AdSyncConfig as the module. Verify that this module has all of the cmdlets.

PS C:> Get-Command -Module AdSyncConfig CommandType Name ModuleName Get-Command -Module AdSyncConfig CommandType Name ModuleName Get-Command -Module AdSync —————————————————————————————————————————————— Get-ADSync is a function. Get-ADSyncObjectsWithInheritanceDisabled ADConnectorAccount AdSyncConfig Function AdSyncConfig Function Set-ADSyncBasicReadPermissions AdSyncConfig Function Set-ADSyncExchangeHybridPermissions AdSyncConfig Function Set-ADSyncExchangeMailPublicFolderPermissions AdSyncConfig Function Set-ADSyncMsDsConsistencyGuidPermissions AdSyncConfig Function Set-ADSyncPasswordAdSyncConfig Function Set-ADSyncPasswordAdSyncConfig Function Set-ADSyncPasswordAdSync HashSync Permissions AdSyncConfig Function Set-ADSyncPasswordWritebackPermissions AdSyncConfig Function Set-ADSyncRestrictedPermissions AdSyncConfig Function Set-ADSyncUnifiedGroupWritebackPermissions AdSyncConfig Function Show-ADSyncADObjectPermissions AdSyncConfig Function Show-ADSyncADObjectPermissions AdSyncConfig Function Show-ADSyncADObjectPermissions AdSyncConfig Function Show-ADSyncADObjectPermissions AdSyncCon

Find the distinguishedName of the AD DS Connector service account.

Right-click the AD DS Connector service account and choose Properties from the context menu. To use the attribute editor, go to the Attribute Editor tab. In the attributes list, look for the property distuingedName. To open the string and copy the value, double-click it. It will be required in the next section.

1637376446_52_Create-AD-DS-Connector-account

MS-DS-Consistency-Guid Permissions

Permissions for MS-DS-Consistency-GUID must be configured.

Set-ADSyncMsDsConsistencyGuidPermissions -ADConnectorAccountDN “CN=svc-adds,OU=Service Accounts,OU=Company,DC=exoip,DC=local” PS C:> Set-ADSyncMsDsConsistencyGuidPermissions -ADConnectorAccountDN “CN=svc-adds,OU=Service Accounts,OU=Company,DC=exo

Synchronization of Password Hashes Permissions

Configure the permissions for password hash synchronization.

Set-ADSyncPasswordHashSyncPermissions -ADConnectorAccountDN “CN=svc-adds,OU=Service Accounts,OU=Company,DC=exoip,DC=local” PS C:> Set-ADSyncPasswordHashSyncPermissions -ADConnectorAccountDN “CN=svc-adds,OU=Service Accounts,OU=Company,DC=exoip,DC=local”

Password Access Permissions Writeback

Password Configuration Permissions for writeback

Set-ADSyncPasswordWritebackPermissions –ADConnectorAccountDN “CN=svc-adds,OU=Service Accounts,OU=Company,DC=exoip,DC=local” PS C:> Set-ADSyncPasswordWritebackPermissions –ADConnectorAccountDN “CN=svc-adds,OU=Service Accounts,OU=Company,DC=exoip,DC=local”

Group Writeback Permissions

Set the permissions for Group Writeback.

PS C:> Set-ADSyncUnifiedGroupWritebackPermissions -ADConnectorAccountDN “CN=svc-adds,OU=Service Accounts,OU=Company,DC=exoip,DC=local” PS C:> Set-ADSyncUnifiedGroupWritebackPermissions -ADConnectorAccountDN “CN=svc-adds,OU=Service Accounts,OU=Company,DC=exoip,DC=local

Exchange Hybrid Deployment Permissions

Permissions for Exchange Hybrid Deployment must be configured.

PS C:> Set-ADSyncExchangeHybridPermissions -ADConnectorAccountDN “CN=svc-adds,OU=Service Accounts,OU=Company,DC=exoip,DC=local” PS C:> Set-ADSyncExchangeHybridPermissions -ADConnectorAccountDN “CN=svc-adds,OU=Service Accounts,OU=Company,DC=exoip,DC=local

Exchange Mail Public Folder Permissions

Permissions for Exchange Mail Public Folders may be configured.

PS C:> Set-ADSyncExchangeMailPublicFolderPermissions -ADConnectorAccountDN “CN=svc-adds,OU=Service Accounts,OU=Company,DC=exoip,DC=local” PS C:> Set-ADSyncExchangeMailPublicFolderPermissions -ADConnectorAccountDN “CN=svc-adds,OU=Service Accounts,OU=Company,DC=exoip,DC

AD DS Connector Account Permissions Restrictions

Adjust the AD DS Connector Account’s permissions.

$credential = Get-Credential PS C:> PS C:> Set-ADSyncRestrictedPermissions -ADConnectorAccountDN “CN=svc-adds,OU=Service Accounts,OU=Company,DC=exoip,DC=local” -Credential “CN=svc-adds,OU=Service Accounts,OU=Company,DC=exoip,DC=local” $credential

Let’s move on to the next stage now that the svc-adds account permissions have been specified and toughened.

Account comparison for AD DS Connector

Let’s look at the permissions of the AD DS Connector account:

The MSOL xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

1637376449_53_Create-AD-DS-Connector-account

The custom svc-adds account looks like this:

1637376451_6_Create-AD-DS-Connector-account

They both have the same permissions for the AD DS Connector account, which are correct.

You may now choose your choice. In the Azure AD Connect installation, use an existing AD account and supply the svc-adds account credentials.

We’ll look at how to update the AD DS Connector account the following time.

Conclusion

You learnt how to establish a Microsoft Active Directory DS Connector account. These actions must be followed in order to tighten the AD DS Connector service account. Make sure the necessary permissions are specified if you already have Azure AD Connect installed with a custom AD DS Connector service account. This indicates the service account isn’t part of the Enterprise Admin, Domain Admin, or other high-privilege groups.

Did you find this article to be interesting? Upgrade Azure AD Connect is another option. Don’t forget to subscribe to our newsletter and share this content.

Watch This Video-

The “azure ad connect sync account” is a tool that can be used to create an Azure AD Connect account.

{“@context”:”https://schema.org”,”@type”:”FAQPage”,”mainEntity”:[{“@type”:”Question”,”name”:”How do I create a DS connector account?”,”acceptedAnswer”:{“@type”:”Answer”,”text”:”A: In order to create a DS Connect account, you must first set up your device. Then, go into your settings and navigate to Developer Options. Once there, tap the box that says USB Debugging and select Yes on the next screen (if this option is not already selected). If you have any problems setting it up, please reach out to us via Support@dsconnectapp.com”}},{“@type”:”Question”,”name”:”What is AD DS connector account?”,”acceptedAnswer”:{“@type”:”Answer”,”text”:”A: AD DS Connector is a special account that can access resources on the Windows Azure cloud. Its often used for staging environments and other solutions where it might be difficult to have an on-site server administrator but there still needs to be some type of centralized management of the environment. The connector has limited permissions, so while they could theoretically get into any resource in your subscription, most resources are locked down from them with additional passwords or tokens that are only available within certain roles.”}},{“@type”:”Question”,”name”:”What account is Azure AD connect using?”,”acceptedAnswer”:{“@type”:”Answer”,”text”:”A: The Azure AD Connect account is using the users Microsoft email address.”}}]}

Frequently Asked Questions

How do I create a DS connector account?

A: In order to create a DS Connect account, you must first set up your device. Then, go into your settings and navigate to Developer Options. Once there, tap the box that says USB Debugging and select Yes on the next screen (if this option is not already selected). If you have any problems setting it up, please reach out to us via Support@dsconnectapp.com

What is AD DS connector account?

A: AD DS Connector is a special account that can access resources on the Windows Azure cloud. Its often used for staging environments and other solutions where it might be difficult to have an on-site server administrator but there still needs to be some type of centralized management of the environment. The connector has limited permissions, so while they could theoretically get into any resource in your subscription, most resources are locked down from them with additional passwords or tokens that are only available within certain roles.

What account is Azure AD connect using?

A: The Azure AD Connect account is using the users Microsoft email address.

Related Tags

  • change ad ds connector account
  • azure ad connector account permissions
  • creating the azure active directory synchronization account
  • your enterprise administrator must grant the required permissions to your synchronization account
  • set-adsyncmsdsconsistencyguidpermissions
You May Also Like