Files
claudetools/.claude/memory/reference_aadconnect_keycredlink_writeback.md
Mike Swanson 5f347dcf79 memory: AAD Connect AdminSDHolder writeback-permission pattern
Reference memory + index entry: diagnosing/fixing AAD Connect "completed-export-errors"
(8344 INSUFF_ACCESS_RIGHTS) where AdminSDHolder strips the connector account's write
permission on a protected admin object. Covers msDS-KeyCredentialLink (Russo) and
msExchSafeSendersHash (Glaztech); csexport /f:x diagnosis + dsacls AdminSDHolder grant.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-16 07:45:32 -07:00

3.5 KiB

| name | description | metadata |
| --- | --- | --- |
| reference_aadconnect_keycredlink_writeback | Diagnose/fix AAD Connect "completed-export-errors" — msDS-KeyCredentialLink writeback (8344 INSUFF_ACCESS_RIGHTS) blocked by AdminSDHolder on protected accounts | type: reference |

AAD/Entra Connect AD-connector Export shows completed-export-errors every cycle while AAD export + imports + sync all succeed, and one privileged account (Domain/Enterprise/Schema Admins, adminCount=1) won't update in the cloud → it's almost always the msDS-KeyCredentialLink writeback (Windows Hello for Business / passwordless key) being denied by AdminSDHolder. The connector account (MSOL_xxxx) has key-writeback rights inherited on the OU, but SDProp strips inheritance on protected objects → LDAP error 8344 / problem 4003 INSUFF_ACCESS_RIGHTS { msDS-KeyCredentialLink }.

Diagnose (all read-only, run on the Connect server; it's often the DC):

  • Get-ADSyncScheduler (rule out StagingModeEnabled), Get-Service ADSync
  • Get-ADSyncRunProfileResult -ConnectorId <id> -NumberRequested 8 | select RunProfileName,Result,StartDate — note WHICH connector errors (AD = writeback, not the AAD/cloud direction). NOTE: -RunProfileName param and .RunStepResults detail are NOT available on older builds; event log id 6100 only gives counts.
  • Real error detail comes from csexport errors-only: & "$env:ProgramFiles\Microsoft Azure AD Sync\Bin\csexport.exe" "<AD-connector-name>" out.xml /f:x then read //cs-objectexport-errordetail/@error-type + cd-error/error-literal + the failing attr.
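The csexport step above, as an added example (not part of the original note): it runs csexport errors-only against the AD connector, reads the resulting XML and prints one row per failed object with the error type, LDAP error code, error literal, the failing attribute and whether the on-prem object is adminCount=1. The element and attribute names (`cs-object`, `cs-dn`, `error-type`, `error-code`, `error-literal`, `attr/@name`) follow the XPath in the note and are assumptions about the csexport schema; the script matches any element whose name ends in `errordetail` so it tolerates the attribute being on `cs-objectexport-errordetail` or a nested `export-errordetail`. `$ConnectorName` is a placeholder for the AD connector's display name.

```powershell
# Added example: summarise AD-connector export errors from csexport /f:x output.
# Element/attribute names are assumptions based on the note's XPath.
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $ConnectorName,                               # e.g. 'contoso.com' (AD connector display name)
    [string] $OutFile = (Join-Path $env:TEMP 'ad-export-errors.xml')
)

$csexport = Join-Path $env:ProgramFiles 'Microsoft Azure AD Sync\Bin\csexport.exe'
if (-not (Test-Path -LiteralPath $csexport)) { throw "csexport.exe not found at $csexport" }

# /f:x = only connector-space objects that currently carry an export error (read-only)
& $csexport $ConnectorName $OutFile /f:x | Out-Null
if ($LASTEXITCODE -ne 0) { throw "csexport exited with code $LASTEXITCODE" }

[xml] $cs = Get-Content -LiteralPath $OutFile -Raw

# Match any element whose local name ends in 'errordetail' (11 chars), so both the
# note's //cs-objectexport-errordetail and a nested <export-errordetail> are found.
$xpath   = "//*[substring(local-name(), string-length(local-name()) - 10) = 'errordetail']"
$details = $cs.SelectNodes($xpath)

$results = foreach ($d in $details) {
    # Walk up to the enclosing <cs-object> (if any) to get the connector-space DN
    $obj = $d
    while ($obj -and $obj.LocalName -ne 'cs-object' -and $obj.ParentNode) { $obj = $obj.ParentNode }
    $dn = if ($obj -and $obj.LocalName -eq 'cs-object') { $obj.GetAttribute('cs-dn') } else { '(unknown)' }

    # error-type: attribute first (per the note), else a child element of the same name
    $errType = $d.GetAttribute('error-type')
    if (-not $errType) { $errType = $d.SelectSingleNode('error-type') | ForEach-Object InnerText }
    $code    = $d.SelectSingleNode('.//error-code')    | ForEach-Object InnerText
    $literal = $d.SelectSingleNode('.//error-literal') | ForEach-Object InnerText

    # Failing attribute: the literal normally ends in "{ <attr> }",
    # e.g. "INSUFF_ACCESS_RIGHTS { msDS-KeyCredentialLink }"; fall back to the
    # attr names listed in the unapplied export for that object.
    $attr = if ($literal -match '\{\s*([^}]+?)\s*\}') { $Matches[1] } else { $null }
    if (-not $attr -and $obj.LocalName -eq 'cs-object') {
        $attr = ($obj.SelectNodes('.//attr/@name') | ForEach-Object Value) -join ','
    }

    # Is the on-prem object protected by AdminSDHolder? (needs the ActiveDirectory module;
    # degrades to 'n/a' when it is not available or the DN is not an AD DN)
    $adminCount = try { (Get-ADObject -Identity $dn -Properties adminCount -ErrorAction Stop).adminCount } catch { 'n/a' }

    [pscustomobject]@{
        CsDn        = $dn
        ErrorType   = $errType
        LdapCode    = $code
        Attribute   = $attr
        AdminCount  = $adminCount
        # 8344 / INSUFF_ACCESS_RIGHTS on an adminCount=1 object is the AdminSDHolder pattern
        SdHolderHit = ($code -eq '8344' -or $literal -match 'INSUFF_ACCESS_RIGHTS') -and ($adminCount -eq 1)
        Literal     = $literal
    }
}

$results | Format-Table -AutoSize CsDn, ErrorType, LdapCode, Attribute, AdminCount, SdHolderHit
Write-Host ("{0} errored cs-object(s); {1} match the AdminSDHolder writeback pattern" -f `
    @($results).Count, @($results | Where-Object SdHolderHit).Count)
```

Run it from an elevated PowerShell on the Connect server. A row with `SdHolderHit = True` is the case the rest of this note describes; a row with a different error type (for example a cloud-side PropertyConflict) is not, and needs the data fix mentioned at the end of the note instead.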

Fix (grant the one attribute on AdminSDHolder so SDProp propagates to all protected accounts):

dsacls "CN=AdminSDHolder,CN=System,DC=<dom>,DC=com" /G "<NETBIOS>\MSOL_xxxx:WP;msDS-KeyCredentialLink"
# force SDProp now: rootDSE RunProtectAdminGroupsTask=1 ; then Start-ADSyncSyncCycle -PolicyType Delta

dsacls /G is additive (one attribute-scoped ACE, removes nothing). Verify ACE landed: dsacls "<protected-user-DN>" shows Allow <dom>\MSOL_xxxx SPECIAL ACCESS for msDS-KeyCredentialLink, then csexport /f:x returns 0 errored cs-objects and the next AD Export = success.

Same fault hits OTHER writeback attributes the same way — any attribute AAD Connect writes back to a protected on-prem object. Confirmed attributes: msDS-KeyCredentialLink (WHfB/passwordless key) and msExchSafeSendersHash (Exchange hybrid safe-senders writeback). Fix is identical; just swap the attribute name in the dsacls grant. A persistent single-object completed-export-errors on the AD connector with permission-issue/8344 on a Domain/Enterprise/Schema-Admin account = this pattern.
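The fix, SDProp kick, ACE verification and delta sync described above, as one added example (not the note's own code) that also covers the "swap the attribute name" case: `$Attribute` defaults to msDS-KeyCredentialLink and can be set to msExchSafeSendersHash or any other attribute the AD connector writes back. It assumes the ActiveDirectory and ADSync modules are present on the Connect server; `$ConnectorAccount` and `$ProtectedUserDN` are placeholders. The ACE check does not grep dsacls output but resolves the attribute's schemaIDGUID and looks for an Allow/WriteProperty rule with that ObjectType for the connector account, which is what "SPECIAL ACCESS for <attr>" in dsacls output corresponds to.

```powershell
# Added example: attribute-scoped WP grant on AdminSDHolder + SDProp + verify + delta sync.
# Parameter values are placeholders; module/cmdlet availability is assumed.
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string] $ConnectorAccount,          # 'CONTOSO\MSOL_xxxx' (NETBIOS\sAMAccountName)
    [Parameter(Mandatory)] [string] $ProtectedUserDN,           # DN of the adminCount=1 account that fails to export
    [string] $Attribute = 'msDS-KeyCredentialLink'              # or 'msExchSafeSendersHash', etc.
)

$domain        = Get-ADDomain
$adminSdHolder = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"

function Test-AttributeWriteAce {
    # True when $Identity holds an Allow WriteProperty ACE scoped to exactly $AttributeName on $ObjectDN
    param([string] $ObjectDN, [string] $Identity, [string] $AttributeName)
    $schema = Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext `
                           -LDAPFilter "(lDAPDisplayName=$AttributeName)" -Properties schemaIDGUID
    if (-not $schema) { throw "attribute '$AttributeName' not found in schema" }
    $guid = [guid] $schema.schemaIDGUID                       # attribute-scoped ACEs carry this in ObjectType
    $acl  = Get-Acl -Path "AD:\$ObjectDN"
    [bool] ($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $Identity -and
        $_.ObjectType -eq $guid -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty)
    })
}

function Invoke-SDPropNow {
    # SDProp runs on the PDC emulator; writing RunProtectAdminGroupsTask=1 to its rootDSE
    # triggers a run immediately instead of waiting for the default 60-minute cycle.
    $rootDse = [ADSI] "LDAP://$($domain.PDCEmulator)/RootDSE"
    $rootDse.Put('RunProtectAdminGroupsTask', 1)
    $rootDse.SetInfo()
}

if (Test-AttributeWriteAce -ObjectDN $ProtectedUserDN -Identity $ConnectorAccount -AttributeName $Attribute) {
    Write-Host "$ConnectorAccount already has WP on $Attribute for $ProtectedUserDN; nothing to grant"
    return
}

if ($PSCmdlet.ShouldProcess($adminSdHolder, "grant $ConnectorAccount WP on $Attribute")) {
    # dsacls /G is additive: one attribute-scoped ACE, nothing removed
    & dsacls.exe $adminSdHolder /G "${ConnectorAccount}:WP;$Attribute" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed with code $LASTEXITCODE" }

    Invoke-SDPropNow
    Start-Sleep -Seconds 30                                   # let SDProp restamp protected objects

    if (-not (Test-AttributeWriteAce -ObjectDN $ProtectedUserDN -Identity $ConnectorAccount -AttributeName $Attribute)) {
        throw "ACE not yet present on $ProtectedUserDN; re-run the check after SDProp finishes"
    }
    Write-Host "ACE verified on $ProtectedUserDN; starting delta sync"
    Import-Module ADSync
    Start-ADSyncSyncCycle -PolicyType Delta
}
```

Run with `-WhatIf` first to see the exact dsacls command without changing anything. The grant is kept to a single attribute on purpose: AdminSDHolder is the template for every protected account, so anything wider than one attribute for the connector account would be stamped onto all of them. After the delta sync, a second `csexport ... /f:x` run should return no errored cs-objects and the next AD Export should report success.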

Instances fixed (all via /rmm as SYSTEM on the client DC — RMM agent on the Entra Connect box):

  • 2026-06-16 RUSSO-SRV (Russo Law, rrs-law.com) — guru@rrs-law.com, msDS-KeyCredentialLink, since 2025-05-07 (17.7k retries). The Microsoft "sync error" email = Entra Connect Health flagging it.
  • 2026-06-16 GTI-INV-DC (Glaztech, glaztech.com — Connect is on GTI-INV-DC not DC1) — seastman (Steve Eastman, their IT lead), msExchSafeSendersHash, since 2025-08-28 (13.9k retries).

NOT this pattern (different fix): a cloud-side onPremisesProvisioningErrors PropertyConflict (duplicate UPN/proxyAddress) — that's a directory data collision needing a who-owns-the-address decision, not a permission grant. (Glaztech also had one: CAS@glaztech.com on both the CAS user's UPN and an alias on alex → CAS1944 parked on onmicrosoft UPN.) Related: reference_gururmm.