---
name: reference_aadconnect_keycredlink_writeback
description: Diagnose/fix AAD Connect "completed-export-errors" — msDS-KeyCredentialLink writeback (8344 INSUFF_ACCESS_RIGHTS) blocked by AdminSDHolder on protected accounts
metadata:
  type: reference
---

AAD/Entra Connect AD-connector Export shows **completed-export-errors** every cycle while AAD export + imports + sync all succeed, and one privileged account (Domain/Enterprise/Schema Admins, `adminCount=1`) won't update in the cloud → it's almost always the **msDS-KeyCredentialLink writeback** (Windows Hello for Business / passwordless key) being **denied by AdminSDHolder**. The connector account (`MSOL_xxxx`) has key-writeback rights inherited on the OU, but SDProp strips inheritance on protected objects → LDAP error **8344 / problem 4003 INSUFF_ACCESS_RIGHTS { msDS-KeyCredentialLink }**.

**Diagnose (all read-only, run on the Connect server; it's often the DC):**

- `Get-ADSyncScheduler` (rule out StagingModeEnabled), `Get-Service ADSync`
- `Get-ADSyncRunProfileResult -ConnectorId -NumberRequested 8 | select RunProfileName,Result,StartDate` — note WHICH connector errors (AD = writeback, not the AAD/cloud direction). NOTE: `-RunProfileName` param and `.RunStepResults` detail are NOT available on older builds; event log id 6100 only gives counts.
- Real error detail comes from **csexport errors-only**: `& "$env:ProgramFiles\Microsoft Azure AD Sync\Bin\csexport.exe" "" out.xml /f:x` then read `//cs-object` → `export-errordetail/@error-type` + `cd-error/error-literal` + the failing attr.

**Fix (grant the one attribute on AdminSDHolder so SDProp propagates to all protected accounts):**

```
dsacls "CN=AdminSDHolder,CN=System,DC=,DC=com" /G "\MSOL_xxxx:WP;msDS-KeyCredentialLink"
# force SDProp now: rootDSE RunProtectAdminGroupsTask=1 ; then Start-ADSyncSyncCycle -PolicyType Delta
```

`dsacls /G` is additive (one attribute-scoped ACE, removes nothing).
Verify ACE landed: `dsacls ""` shows `Allow \MSOL_xxxx SPECIAL ACCESS for msDS-KeyCredentialLink`, then csexport `/f:x` returns **0 errored cs-objects** and the next AD Export = success.

Same fault hits OTHER writeback attributes the same way — any attribute AAD Connect writes back to a protected on-prem object. Confirmed attributes: **msDS-KeyCredentialLink** (WHfB/passwordless key) and **msExchSafeSendersHash** (Exchange hybrid safe-senders writeback). Fix is identical; just swap the attribute name in the dsacls grant. A persistent single-object `completed-export-errors` on the AD connector with `permission-issue`/8344 on a Domain/Enterprise/Schema-Admin account = this pattern.

Instances fixed (all via /rmm as SYSTEM on the client DC — RMM agent on the Entra Connect box):

- 2026-06-16 **RUSSO-SRV** (Russo Law, rrs-law.com) — `guru@rrs-law.com`, msDS-KeyCredentialLink, since 2025-05-07 (17.7k retries). The Microsoft "sync error" email = Entra Connect Health flagging it.
- 2026-06-16 **GTI-INV-DC** (Glaztech, glaztech.com — Connect is on GTI-INV-DC not DC1) — `seastman` (Steve Eastman, their IT lead), msExchSafeSendersHash, since 2025-08-28 (13.9k retries).

NOT this pattern (different fix): a cloud-side `onPremisesProvisioningErrors` PropertyConflict (duplicate UPN/proxyAddress) — that's a directory data collision needing a who-owns-the-address decision, not a permission grant. (Glaztech also had one: CAS@glaztech.com on both the `CAS` user's UPN and an alias on `alex` → CAS1944 parked on onmicrosoft UPN.)

Related: [[reference_gururmm]].
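Added example (mine, not from the original note or Microsoft's tooling) covering both the csexport diagnose step and the post-fix "0 errored cs-objects" check: it runs the errors-only dump and parses each `cs-object` into an object, flagging the AdminSDHolder pattern (`permission-issue` + 8344/INSUFF_ACCESS_RIGHTS). Assumed names not confirmed by the note: the `cs-dn` and `retry-count` attributes and the `cd-error/server-error-detail` element.

```powershell
# Added example, not part of the original note. Wraps csexport /f:x (errors only)
# and parses the XML. ConnectorName '' = all connectors, matching the "" in the note.
# Assumed (not confirmed by the note): 'cs-dn', 'retry-count', 'server-error-detail'.
function Get-ADSyncExportErrors {
    param(
        [string]$ConnectorName = '',
        [string]$OutFile = (Join-Path $env:TEMP 'csexport-errors.xml')
    )
    $csexport = Join-Path $env:ProgramFiles 'Microsoft Azure AD Sync\Bin\csexport.exe'
    & $csexport $ConnectorName $OutFile /f:x | Out-Null
    if (-not (Test-Path -LiteralPath $OutFile)) { throw "csexport produced no output at $OutFile" }

    [xml]$doc = Get-Content -LiteralPath $OutFile -Raw
    # GetElementsByTagName ignores namespaces; property-style access below does too.
    foreach ($obj in $doc.GetElementsByTagName('cs-object')) {
        $detail = $obj.'export-errordetail'
        if ($null -eq $detail) { continue }          # not an errored object

        $literal = $detail.'cd-error'.'error-literal'
        $server  = $detail.'cd-error'.'server-error-detail'   # assumed element
        $text    = "$literal $server"
        # The denied attribute shows up in braces in the LDAP text, e.g. "{ msDS-KeyCredentialLink }"
        $attr = if ($text -match '\{\s*([\w-]+)\s*\}') { $Matches[1] } else { '' }

        [pscustomobject]@{
            DN         = $obj.'cs-dn'                 # assumed attribute name
            ErrorType  = $detail.'error-type'
            RetryCount = $detail.'retry-count'        # assumed attribute name
            Attribute  = $attr
            Literal    = $literal
            # AdminSDHolder pattern from the note: permission-issue + 8344 / INSUFF_ACCESS_RIGHTS
            AdminSDHolderPattern = ($detail.'error-type' -eq 'permission-issue') -and
                                   ($text -match '8344|INSUFF_ACCESS_RIGHTS')
        }
    }
}

# Before the fix: lists the stuck protected account(s) and the denied attribute.
# After dsacls + SDProp + delta sync: an empty result is the "0 errored cs-objects" check.
$errors = @(Get-ADSyncExportErrors)
$errors | Format-Table DN, ErrorType, Attribute, RetryCount, AdminSDHolderPattern -AutoSize
"Errored cs-objects: $($errors.Count)"
```

Pass the AD connector's name as `-ConnectorName` to confirm the errors are on the writeback direction rather than the AAD connector.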