Removing Permissions for Password Hash Synchronization

Time:04-21

While configuring Azure AD Connect I needed to create an AD DS Connector account with sufficient permissions. I needed to give the new account permissions for password synchronization and I found the following command:

Set-ADSyncPasswordHashSyncPermissions -ADConnectorAccountName <ADAccountName> -ADConnectorAccountDomain <ADDomainName>

After running the command and reviewing the output I am worried that I did something incorrect. I expected to see the password hash synchronization permissions granted only to the new AD DS Connector account, but instead it appears to have been applied to the entire domain (sample output shown below).

Grant permissions on all Domains: AD Domain 'DC=XXX,DC=XXX'...
Owner: BUILTIN\Administrators
Group: BUILTIN\Administrators

Access list:
Deny  Everyone                        SPECIAL ACCESS
                                      DELETE CHILD
Allow XXX\Exchange Windows Permissions
                                      SPECIAL ACCESS
                                      DELETE TREE
Allow XXX\Exchange Windows Permissions
                                      SPECIAL ACCESS
                                      DELETE TREE
Allow XXX\Domain Admins               SPECIAL ACCESS
                                      READ PERMISSONS
                                      WRITE PERMISSIONS
                                      CHANGE OWNERSHIP
                                      CREATE CHILD
                                      LIST CONTENTS
                                      WRITE SELF
                                      WRITE PROPERTY
                                      READ PROPERTY
                                      LIST OBJECT
                                      CONTROL ACCESS
Allow XXX\Organization Management     SPECIAL ACCESS
                                      READ PERMISSONS
                                      LIST CONTENTS
                                      READ PROPERTY
                                      LIST OBJECT
Allow XXX\Exchange Recipient Administrators
                                      SPECIAL ACCESS
                                      READ PERMISSONS
                                      LIST CONTENTS
                                      READ PROPERTY
                                      LIST OBJECT
Allow XXX\Exchange Trusted Subsystem  SPECIAL ACCESS
                                      READ PERMISSONS
                                      LIST CONTENTS
                                      READ PROPERTY
                                      LIST OBJECT
Allow XXX\Enterprise Admins           FULL CONTROL
Allow BUILTIN\Pre-Windows 2000 Compatible Access
                                      SPECIAL ACCESS
                                      READ PERMISSONS
                                      READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access
                                      SPECIAL ACCESS
                                      LIST CONTENTS
Allow BUILTIN\Administrators          SPECIAL ACCESS
                                      DELETE
                                      READ PERMISSONS
                                      WRITE PERMISSIONS
                                      CHANGE OWNERSHIP
                                      CREATE CHILD
                                      LIST CONTENTS
                                      WRITE SELF
                                      WRITE PROPERTY
                                      READ PROPERTY
                                      LIST OBJECT
                                      CONTROL ACCESS
Allow Everyone                        SPECIAL ACCESS
                                      READ PROPERTY
...

I was unable to find much information about this online and need to know if there is any way to undo this permissions change. Any assistance would be greatly appreciated.

I also want to apologize for any issues with my post as this is my first time posting on here. Any feedback for future posts would be helpful. Thanks.
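As an added example (not from the post or the ADSyncConfig module), the following PowerShell audits which principals hold the two replication control-access rights that password hash sync needs on the domain root, and removes only a named account's explicit entries after a -WhatIf review; it assumes the RSAT ActiveDirectory module, Domain Admin rights, and a placeholder connector account name.

```powershell
# Added example, not code from the original post or from Azure AD Connect.
# Assumes the RSAT ActiveDirectory module and the AD: drive it creates.
Import-Module ActiveDirectory

# Well-known control-access-right GUIDs granted for password hash sync.
$ReplRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
}

function Get-ReplicationAces {
    # List every ACE on the domain root that carries one of the two rights.
    param([string]$DomainDN = (Get-ADDomain).DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DomainDN"
    foreach ($ace in $acl.Access) {
        $guid = $ace.ObjectType.ToString()
        $isExtended = $ace.ActiveDirectoryRights.HasFlag(
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
        if ($isExtended -and $ReplRights.ContainsKey($guid)) {
            [pscustomobject]@{
                Identity  = $ace.IdentityReference.Value
                Right     = $ReplRights[$guid]
                Type      = $ace.AccessControlType
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Remove-ReplicationAces {
    # Undo: strip the explicit replication ACEs for one identity only.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Identity,
          [string]$DomainDN = (Get-ADDomain).DistinguishedName)
    $path = "AD:\$DomainDN"
    $acl = Get-Acl -Path $path
    $targets = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and -not $_.IsInherited -and
        $ReplRights.ContainsKey($_.ObjectType.ToString())
    })
    $removed = 0
    foreach ($ace in $targets) {
        $name = $ReplRights[$ace.ObjectType.ToString()]
        if ($PSCmdlet.ShouldProcess("$Identity on $DomainDN", "Remove $name")) {
            [void]$acl.RemoveAccessRule($ace); $removed++
        }
    }
    if ($removed -gt 0) { Set-Acl -Path $path -AclObject $acl }
    return $removed
}

# Review first; 'XXX\MSOL_placeholder' is a constructed account name.
Get-ReplicationAces | Format-Table -AutoSize
Remove-ReplicationAces -Identity 'XXX\MSOL_placeholder' -WhatIf
```

Run the removal without -WhatIf only after the listing confirms the account's entries are the explicit ones you intend to drop; inherited and built-in entries (Domain Admins, Enterprise Admins) are left untouched.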

CodePudding user response:

To resolve this issue, follow these steps:

  1. Run Azure AD Connect, and then select View current configuration. In the details pane, check whether Password synchronization is enabled on your tenant.

  2. Disable the Password synchronization feature. To do this, follow these steps:

    1. Run Azure AD Connect, and then select Configure.
    2. Select the Customize synchronization options task.
    3. On the Optional features page, clear the Password synchronization feature check box.
    4. Complete the wizard.

Optionally, if you want to clear password hashes that are already synchronized to Azure AD, follow these steps:

  1. Make sure that the Password writeback feature is disabled on your tenant. To do that, follow these steps:

    1. Run Azure AD Connect, and then select Configure.
    2. Select the Customize synchronization options task.
    3. On the Optional features page, clear the Password writeback feature check box.
    4. Complete the wizard.
  2. Use the Set-MsolUserPassword cmdlet to set random passwords on all affected users. You have to run this cmdlet five times for each user because Azure AD stores the last four password hashes in the password hash history.

For further reference, see ref1, ref2, ref3.
