While configuring Azure AD Connect I needed to create an AD DS Connector account with sufficient permissions. I needed to give the new account permissions for password synchronization and I found the following command:
Set-ADSyncPasswordHashSyncPermissions -ADConnectorAccountName <ADAccountName> -ADConnectorAccountDomain <ADDomainName>
After running the command and reviewing the output I am worried that I did something incorrect. I expected to see the password hash synchronization permissions granted only to the new AD DS Connector account, but instead it appears to have been applied to the entire domain (sample output shown below).
Grant permissions on all Domains: AD Domain 'DC=XXX,DC=XXX'...
Owner: BUILTIN\Administrators
Group: BUILTIN\Administrators
Access list:
Deny Everyone SPECIAL ACCESS
DELETE CHILD
Allow XXX\Exchange Windows Permissions
SPECIAL ACCESS
DELETE TREE
Allow XXX\Exchange Windows Permissions
SPECIAL ACCESS
DELETE TREE
Allow XXX\Domain Admins SPECIAL ACCESS
READ PERMISSONS
WRITE PERMISSIONS
CHANGE OWNERSHIP
CREATE CHILD
LIST CONTENTS
WRITE SELF
WRITE PROPERTY
READ PROPERTY
LIST OBJECT
CONTROL ACCESS
Allow XXX\Organization Management SPECIAL ACCESS
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Allow XXX\Exchange Recipient Administrators
SPECIAL ACCESS
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Allow XXX\Exchange Trusted Subsystem SPECIAL ACCESS
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Allow XXX\Enterprise Admins FULL CONTROL
Allow BUILTIN\Pre-Windows 2000 Compatible Access
SPECIAL ACCESS
READ PERMISSONS
READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access
SPECIAL ACCESS
LIST CONTENTS
Allow BUILTIN\Administrators SPECIAL ACCESS
DELETE
READ PERMISSONS
WRITE PERMISSIONS
CHANGE OWNERSHIP
CREATE CHILD
LIST CONTENTS
WRITE SELF
WRITE PROPERTY
READ PROPERTY
LIST OBJECT
CONTROL ACCESS
Allow Everyone SPECIAL ACCESS
READ PROPERTY
...
I was unable to find much information about this online and need to know whether there is any way to undo this permissions change. Any assistance would be greatly appreciated.
I also want to apologize for any issues with my post as this is my first time posting on here. Any feedback for future posts would be helpful. Thanks.
CodePudding user response:
To resolve this issue, follow these steps:
Run Azure AD Connect, and then select View current configuration. In the details pane, check whether Password synchronization is enabled on your tenant.
Disable the Password synchronization feature. To do this, follow these steps:
- Run Azure AD Connect, and then select Configure.
- Select the Customize synchronization options task.
- On the Optional features page, clear the Password synchronization feature check box.
- Complete the wizard.
Optionally, if you want to clear password hashes that are already synchronized to Azure AD, follow these steps:
Make sure that the Password writeback feature is disabled on your tenant. To do that, follow these steps:
- Run Azure AD Connect, and then select Configure.
- Select the Customize synchronization options task.
- On the Optional features page, clear the Password writeback feature check box.
- Complete the wizard.
Use the Set-MsolUserPassword cmdlet to set random passwords on all affected users. You have to run this cmdlet five times for each user because Azure AD stores the last four password hashes in the password hash history.
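Before or after disabling the feature in the wizard, it is worth checking what the cmdlet actually changed on the domain root ACL. The following PowerShell is an added example, not code from the original question, the answer above, or Microsoft's Azure AD Connect module. It assumes the ActiveDirectory RSAT module is installed and that `CONTOSO\MSOL_connector` is a placeholder for your own AD DS Connector account. It lists the explicit (non-inherited) ACEs on the domain naming context that name that account, labels the two replication extended rights that password hash synchronization depends on (their GUIDs are the well-known Active Directory values), and, only when `-Remove` is passed, strips those ACEs and writes the ACL back.

```powershell
# Added example: audit (and optionally roll back) ACEs granted to an
# AD DS Connector account on the domain root. Not from the original post
# or from the Azure AD Connect module. Account name is a placeholder.
Import-Module ActiveDirectory

function Get-ConnectorAccountAce {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Placeholder; replace with your AD DS Connector account (DOMAIN\name).
        [string]$ConnectorAccount = 'CONTOSO\MSOL_connector',
        # When set, remove the matching ACEs and write the ACL back.
        [switch]$Remove
    )

    $domainDN = (Get-ADDomain).DistinguishedName
    $aclPath  = "AD:\$domainDN"
    $acl      = Get-Acl -Path $aclPath

    # Well-known extended-right GUIDs that password hash sync relies on.
    $replRights = @{
        '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
        '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
    }

    # Only explicit ACEs naming the connector account; inherited ones were
    # not created by the permissions cmdlet and are left alone.
    $aces = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $ConnectorAccount -and -not $_.IsInherited
    })

    if ($aces.Count -eq 0) {
        Write-Output "No explicit ACEs for $ConnectorAccount on $domainDN"
        return
    }

    foreach ($ace in $aces) {
        $label = $replRights[$ace.ObjectType.ToString()]
        if (-not $label) { $label = $ace.ActiveDirectoryRights.ToString() }
        Write-Output ('{0,-5} {1} -> {2}' -f $ace.AccessControlType,
                                            $ace.IdentityReference, $label)
    }

    if ($Remove -and $PSCmdlet.ShouldProcess($domainDN, "Remove $($aces.Count) ACE(s) for $ConnectorAccount")) {
        foreach ($ace in $aces) { [void]$acl.RemoveAccessRule($ace) }
        Set-Acl -Path $aclPath -AclObject $acl
        Write-Output "Removed $($aces.Count) ACE(s) for $ConnectorAccount"
    }
}

# Report only (safe): what does the connector account hold on the domain root?
Get-ConnectorAccountAce -ConnectorAccount 'CONTOSO\MSOL_connector'

# Roll back with a dry run first, then for real:
# Get-ConnectorAccountAce -ConnectorAccount 'CONTOSO\MSOL_connector' -Remove -WhatIf
# Get-ConnectorAccountAce -ConnectorAccount 'CONTOSO\MSOL_connector' -Remove
```

Run the report form first from a domain-joined admin host; the ACL dump printed by the permissions cmdlet covers every trustee on the domain root, so filtering by the connector account's identity is the quickest way to see which entries it added. Only remove the ACEs if you are also turning off password hash synchronization in the wizard, since the connector account needs both replication rights while the feature is enabled.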