memory: AAD Connect AdminSDHolder writeback-permission pattern

Reference memory + index entry: diagnosing/fixing AAD Connect "completed-export-errors"
(8344 INSUFF_ACCESS_RIGHTS) where AdminSDHolder strips the connector account's write
permission on a protected admin object. Covers msDS-KeyCredentialLink (Russo) and
msExchSafeSendersHash (Glaztech); csexport /f:x diagnosis + dsacls AdminSDHolder grant.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

.claude/memory/MEMORY.md

@@ -28,6 +28,7 @@
 - [Trebesch DESKTOP-QNP3ON5 shell replacement](reference_trebesch_qnp3on5.md) — AT Trebesch box runs an Explorer shell replacement; explorer.exe owner check returns blank — use Win32_ComputerSystem.UserName. GuruRMM SWIFT-LION-2892.
 - [reference_backblaze_storage_rate](reference_backblaze_storage_rate.md) -- ACG's Backblaze B2 storage cost rate ($0.00695/GB) for the GuruRMM mspbackups storage-cost calculation
 - [Unraid VM no-IP causes](unraid-windows-vm-virtio-no-ip.md) — PRIMARY (general "new VMs stopped getting IPs lately"): Docker sets bridge-nf-call-iptables=1, so br0 VM DHCP OFFERs hit DOCKER-FORWARD (no br0 ACCEPT) and get dropped; new VMs can't complete DORA (existing renew via ESTABLISHED). Fix `=0` runtime (needs persistent post-Docker hook; not yet persisted on Jupiter). SECONDARY (Windows VM): virtio-net has no in-box driver -> use e1000 or virtio-win. Diagnose: tcpdump DHCP on pfSense; /sys vnetN rx_packets.
+- [AAD Connect msDS-KeyCredentialLink writeback](reference_aadconnect_keycredlink_writeback.md) — "completed-export-errors" + 8344 INSUFF_ACCESS_RIGHTS on a protected admin account = WHfB key writeback blocked by AdminSDHolder. Diagnose with csexport /f:x; fix with dsacls WP;msDS-KeyCredentialLink on AdminSDHolder + SDProp.
 - [reference_sqlx_migrations_immutable](reference_sqlx_migrations_immutable.md) -- NEVER edit an already-applied sqlx migration file — even a comment. sqlx::migrate! checksums each file at compile time and validates against _sqlx_migrations at startup; a changed checksum crash-loops the server with "migration N was previously applied but has been modified". Code review MUST flag any edit to an applied migration.
 
 ## Users

.claude/memory/reference_aadconnect_keycredlink_writeback.md

@@ -0,0 +1,49 @@
+---
+name: reference_aadconnect_keycredlink_writeback
+description: Diagnose/fix AAD Connect "completed-export-errors" — msDS-KeyCredentialLink writeback (8344 INSUFF_ACCESS_RIGHTS) blocked by AdminSDHolder on protected accounts
+metadata:
+  type: reference
+---
+
+AAD/Entra Connect AD-connector Export shows **completed-export-errors** every cycle while
+AAD export + imports + sync all succeed, and one privileged account (Domain/Enterprise/Schema
+Admins, `adminCount=1`) won't update in the cloud → it's almost always the **msDS-KeyCredentialLink
+writeback** (Windows Hello for Business / passwordless key) being **denied by AdminSDHolder**.
+The connector account (`MSOL_xxxx`) has key-writeback rights inherited on the OU, but SDProp
+strips inheritance on protected objects → LDAP error **8344 / problem 4003 INSUFF_ACCESS_RIGHTS
+{ msDS-KeyCredentialLink }**.
+
+**Diagnose (all read-only, run on the Connect server; it's often the DC):**
+- `Get-ADSyncScheduler` (rule out StagingModeEnabled), `Get-Service ADSync`
+- `Get-ADSyncRunProfileResult -ConnectorId <id> -NumberRequested 8 | select RunProfileName,Result,StartDate`
+  — note WHICH connector errors (AD = writeback, not the AAD/cloud direction). NOTE: `-RunProfileName`
+  param and `.RunStepResults` detail are NOT available on older builds; event log id 6100 only gives counts.
+- Real error detail comes from **csexport errors-only**:
+  `& "$env:ProgramFiles\Microsoft Azure AD Sync\Bin\csexport.exe" "<AD-connector-name>" out.xml /f:x`
+  then read `//cs-object` → `export-errordetail/@error-type` + `cd-error/error-literal` + the failing attr.
+
+**Fix (grant the one attribute on AdminSDHolder so SDProp propagates to all protected accounts):**
+```
+dsacls "CN=AdminSDHolder,CN=System,DC=<dom>,DC=com" /G "<NETBIOS>\MSOL_xxxx:WP;msDS-KeyCredentialLink"
+# force SDProp now: rootDSE RunProtectAdminGroupsTask=1 ; then Start-ADSyncSyncCycle -PolicyType Delta
+```
+`dsacls /G` is additive (one attribute-scoped ACE, removes nothing). Verify ACE landed:
+`dsacls "<protected-user-DN>"` shows `Allow <dom>\MSOL_xxxx SPECIAL ACCESS for msDS-KeyCredentialLink`,
+then csexport `/f:x` returns **0 errored cs-objects** and the next AD Export = success.
+
+Same fault hits OTHER writeback attributes the same way — any attribute AAD Connect writes back to
+a protected on-prem object. Confirmed attributes: **msDS-KeyCredentialLink** (WHfB/passwordless key)
+and **msExchSafeSendersHash** (Exchange hybrid safe-senders writeback). Fix is identical; just swap
+the attribute name in the dsacls grant. A persistent single-object `completed-export-errors` on the
+AD connector with `permission-issue`/8344 on a Domain/Enterprise/Schema-Admin account = this pattern.
+
+Instances fixed (all via /rmm as SYSTEM on the client DC — RMM agent on the Entra Connect box):
+- 2026-06-16 **RUSSO-SRV** (Russo Law, rrs-law.com) — `guru@rrs-law.com`, msDS-KeyCredentialLink,
+  since 2025-05-07 (17.7k retries). The Microsoft "sync error" email = Entra Connect Health flagging it.
+- 2026-06-16 **GTI-INV-DC** (Glaztech, glaztech.com — Connect is on GTI-INV-DC not DC1) — `seastman`
+  (Steve Eastman, their IT lead), msExchSafeSendersHash, since 2025-08-28 (13.9k retries).
+
+NOT this pattern (different fix): a cloud-side `onPremisesProvisioningErrors` PropertyConflict
+(duplicate UPN/proxyAddress) — that's a directory data collision needing a who-owns-the-address
+decision, not a permission grant. (Glaztech also had one: CAS@glaztech.com on both the `CAS` user's
+UPN and an alias on `alex` → CAS1944 parked on onmicrosoft UPN.) Related: [[reference_gururmm]].