28 February 2022

Azure ADConnect Access is Denied error code 5 - Azure ADConnect not syncing password hashes anymore

After receiving a warning from Azure that the password sync has not run for 1 hour, I started checking where this could come from.

The first place is to check the Office365 portal "Directory sync status" page under "Health":

https://admin.microsoft.com/Adminportal/Home?#/dirsyncmanagement

The second place is to check the "Azure AD Connect" page in the Azure portal:

https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/AzureADConnect

Now that you know there is a problem, the next step is to check the Azure ADConnect server itself.
After opening the Synchronization Service Manager you are greeted with this error, well, in my case anyway:

The thing to check is the account that is being used to sync with:

Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1"
Get-ADSyncADConnectorAccount

Copy the "ADConnectorAccountName"

Run the following cmdlets with your ADConnectorAccountName value:
Set-ADSyncMsDsConsistencyGuidPermissions -ADConnectorAccountName "MSOL_1234abcd1234" -ADConnectorAccountDomain domain.ads

Set-ADSyncPasswordHashSyncPermissions -ADConnectorAccountName "MSOL_1234abcd1234" -ADConnectorAccountDomain domain.ads

Set-ADSyncPasswordWritebackPermissions -ADConnectorAccountName "MSOL_1234abcd1234" -ADConnectorAccountDomain domain.ads

Set-ADSyncUnifiedGroupWritebackPermissions -ADConnectorAccountName "MSOL_1234abcd1234" -ADConnectorAccountDomain domain.ads

And now run a full sync:

Start-ADSyncSyncCycle -PolicyType Initial -Verbose
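To confirm that the permission cmdlets above took effect, the domain root ACL can be read back directly. This is an added example, not part of the original post: it assumes the RSAT ActiveDirectory module, a session in the same domain as the connector account, and the post's placeholder account and domain names. It checks the two replication rights that password hash sync depends on and lists every other principal holding them.

```powershell
# Added example: audit the replication rights used by password hash sync.
# Assumption: run from a domain-joined machine with the ActiveDirectory module installed.
Import-Module ActiveDirectory

$ConnectorAccount = 'MSOL_1234abcd1234'   # placeholder value from the post
$DomainFqdn       = 'domain.ads'          # placeholder value from the post

# Control access right GUIDs for the two replication rights
$RequiredRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
}

# Read the ACL on the domain root (the domain naming context head)
$domain = Get-ADDomain -Identity $DomainFqdn
$acl    = Get-Acl -Path ("AD:\" + $domain.DistinguishedName)

# Keep only explicit Allow ACEs for the two extended rights.
# ACEs granting GenericAll or all extended rights are not covered by this check.
$extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$aces = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band $extended) -and
    $RequiredRights.ContainsKey($_.ObjectType.ToString())
}

# 1) Does the connector account hold each required right?
foreach ($guid in $RequiredRights.Keys) {
    $held = $aces | Where-Object {
        $_.ObjectType.ToString() -eq $guid -and
        $_.IdentityReference.Value -like "*\$ConnectorAccount"
    }
    [pscustomobject]@{
        Account = $ConnectorAccount
        Right   = $RequiredRights[$guid]
        Granted = [bool]$held
    }
}

# 2) These rights allow reading password hashes from AD, so review every other holder
$aces |
    Where-Object { $_.IdentityReference.Value -notlike "*\$ConnectorAccount" } |
    Select-Object IdentityReference,
        @{ Name = 'Right'; Expression = { $RequiredRights[$_.ObjectType.ToString()] } },
        IsInherited |
    Sort-Object IdentityReference, Right
```

If either row shows Granted as False after running the Set-ADSync* cmdlets, the "Access is Denied" error is likely to persist on the next sync cycle.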

17 February 2022

Reset the Teamsmeetingpolicy to "Global" for all users

Some users reported that they couldn't use certain features, such as "transcription".

When comparing myself with the affected user I noticed that my Teamsmeetingpolicy had no policy set.
I would have expected it to show "Global". Turns out the "Global policy" isn't a user policy and therefore doesn't show up with a name.

The affected user did have a policy set: "RestrictedAnonymousAccess".

Now I had to give those users the "Global" Teamsmeetingpolicy and came up with this:

# Fetch every user in the tenant
$users = Get-CsOnlineUser -ResultSize unlimited
foreach ($User in $Users)
{
    $userId = $User.UserPrincipalName
    Write-Host $userId
    # Passing $Null as the policy name removes the per-user assignment, so "Global" applies
    Grant-CsTeamsMeetingPolicy -Identity $userId -PolicyName $Null -ErrorAction SilentlyContinue
}

This resets all users to no policy and thus the "Global" policy.

This may be a bit much for large environments, as it takes quite a long time to run.
With some filtering this could be done quicker:

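# Fetch only the users that have a per-user meeting policy assigned
$users = Get-CsOnlineUser -ResultSize unlimited -Filter {Teamsmeetingpolicy -ne $null}
foreach ($User in $Users)
{
    $userId = $User.UserPrincipalName
    Write-Host $userId
    # Passing $Null as the policy name removes the per-user assignment, so "Global" applies
    Grant-CsTeamsMeetingPolicy -Identity $userId -PolicyName $Null -ErrorAction SilentlyContinue
}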