Testing AAD Connect Write-Back permissions on an OU

When installing and configuring AAD Connect with Exchange Hybrid and any of the other special features (Group Writeback, Password Writeback, Device Writeback), it’s necessary to delegate service account permissions in Active Directory to allow the features to work properly.

Those permissions apply to features such as Exchange Hybrid Write-back, Password Write-back, Group Write-back and Device Write-back, and they cover a list of Active Directory attributes that must be properly set up.

The great news is that Aaron Guilmette has created a PowerShell script to enable those permissions, make sure that you go check out his script here – it’s a great tool to have!

Now, assuming that you’ve used Aaron’s script, or you’ve delegated permissions yourself, and you want to confirm the permissions are properly configured, you can use this script to do that.

Simply run the PowerShell script with the -OU parameter and provide the OU that you want to check.

The script will return a list of all users / groups delegated rights on the OU, along with the attribute and the scope (AppliedTo) of the permission (i.e. User, Group, Contact, etc.).

If there are a large number of delegated permissions, you can also provide the -Identity parameter to specify a user / group by its UserPrincipalName, ObjectSID, ObjectGUID or SamAccountName, and the report will only display that object's rights.
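As an added illustration of what such a check does under the hood (this is example code written for this page, not the author's permission tester and not Aaron Guilmette's delegation script), the function below reads the ACL of an OU through the AD: drive, resolves the attribute and object-class GUIDs in each ACE to readable names using the schema and the Extended-Rights container, and optionally narrows the output to one principal. The function name Get-OUDelegation and its parameters are assumptions; it requires the RSAT ActiveDirectory module.

```powershell
# Added example, not the post's own script: report delegated rights on an OU,
# showing the attribute (ObjectType) and the object class the ACE applies to
# (InheritedObjectType), the two values the post calls Attribute and AppliedTo.
Import-Module ActiveDirectory

function Get-OUDelegation {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $OU,   # distinguishedName of the OU to inspect
        [string] $Identity                     # optional: sAMAccountName, UPN, SID or GUID
    )

    $rootDse = Get-ADRootDSE

    # Build one GUID -> name lookup: attributes and classes from the schema
    # (schemaIDGUID), plus control access rights such as "Reset Password"
    # from the Extended-Rights container (rightsGuid).
    $guidMap = @{}
    Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
        -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
    Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
        ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.displayName }

    # Resolve -Identity to a DOMAIN\name account so it can be compared with
    # the IdentityReference stored on each ACE.
    $filterAccount = $null
    if ($Identity) {
        $adObj = Get-ADObject -Filter { sAMAccountName -eq $Identity -or userPrincipalName -eq $Identity } -Properties objectSid
        if (-not $adObj) {
            # Fall back to SID / GUID / DN lookups, which -Identity accepts directly.
            $adObj = Get-ADObject -Identity $Identity -Properties objectSid -ErrorAction Stop
        }
        $filterAccount = ([System.Security.Principal.SecurityIdentifier]$adObj.objectSid).Translate(
            [System.Security.Principal.NTAccount]).Value
    }

    $acl = Get-Acl -Path "AD:\$OU"
    foreach ($ace in $acl.Access) {
        if ($filterAccount -and $ace.IdentityReference.Value -ne $filterAccount) { continue }

        # The empty GUID means "all attributes" / "all object classes" respectively.
        $attribute = if ($ace.ObjectType -eq [guid]::Empty) { 'All' } else { $guidMap[$ace.ObjectType] }
        $appliedTo = if ($ace.InheritedObjectType -eq [guid]::Empty) { 'All' } else { $guidMap[$ace.InheritedObjectType] }

        [pscustomobject]@{
            Identity    = $ace.IdentityReference.Value
            Rights      = $ace.ActiveDirectoryRights
            Type        = $ace.AccessControlType
            Attribute   = if ($attribute) { $attribute } else { $ace.ObjectType.ToString() }
            AppliedTo   = if ($appliedTo) { $appliedTo } else { $ace.InheritedObjectType.ToString() }
            Inheritance = $ace.InheritanceType
            Inherited   = $ace.IsInherited
        }
    }
}

# Usage (placeholder OU and account names):
# Get-OUDelegation -OU 'OU=Users,DC=contoso,DC=local' | Format-Table -AutoSize
# Get-OUDelegation -OU 'OU=Users,DC=contoso,DC=local' -Identity 'svc-aadconnect' |
#     Where-Object { $_.Rights -match 'WriteProperty' } | Format-Table -AutoSize
```

Filtering the output on `WriteProperty` and `ExtendedRight` entries for the connector account is the quickest way to see whether a write-back attribute is missing from the delegation; an entry whose Attribute column still shows a raw GUID means the lookup tables did not contain it, which is worth investigating rather than ignoring.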

I find that permission delegation is one of the most cumbersome readiness tasks when setting up your environment for Office 365 and synchronization with AAD Connect. I hope that having access to Aaron's script, and my permission tester, will help make this particular milestone a bit less challenging.