Insufficient access rights to perform the operation - error 8344

NeverKnow 31 Reputation points
2020-07-09T05:38:31.793+00:00

I am running into the common 8344 "Insufficient access rights to perform the operation" error.

I went through various tips/blogs and tried the following:

• In AD, ensured that the user account performing the operations has inheritance enabled
• Tried the following PowerShell command:

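# Domain root and the account that should receive the permission
$DN = "DC=domain,DC=local"
$accountName = "domain.LOCAL\AccountName"
# Grant read/write property (RPWP) on mS-DS-ConsistencyGuid, inherited by user objects
$cmd = "dsacls '$DN' /I:S /G '`"$accountName`":RPWP;mS-DS-ConsistencyGuid;user'"
Invoke-Expression $cmd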

It is trying to write back to the mS-DS-ConsistencyGuid but failing there.
Password writeback seems to be ok.

I am not sure what else to try other than what I have done.

Microsoft Entra ID

1 answer

  1. AmanpreetSingh-MSFT 56,311 Reputation points
    2020-07-09T08:39:03.537+00:00

    Hi @NeverKnow-2832

    Here is a PowerShell script: https://gallery.technet.microsoft.com/office/AD-Advanced-Permissions-49723f74 that you can use to configure required permissions for the following features:

    • Device WriteBack
    • Exchange Hybrid WriteBack
    • Office 365 Group WriteBack
    • Password Hash Sync (Replicating Directory Changes / Replicating Directory Changes All)
    • Password WriteBack
    • ms-DS-ConsistencyGuid permission
    • adminSDHolder

    Please do not forget to "Accept the answer" wherever the information provided helps you. This will help others in the community as well.

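A read-only check for the situation discussed in this thread, added here as an example and not taken from the question, the answer or the linked script: it reports whether an object that fails with error 8344 still inherits permissions, whether it carries adminCount (adminSDHolder protection), and whether the sync account holds a write ACE for mS-DS-ConsistencyGuid. It assumes the ActiveDirectory module (RSAT) is installed; `$ObjectDN` and `$SyncAccount` are placeholder values.

```powershell
# Added example: diagnostic only, makes no changes to the directory.
Import-Module ActiveDirectory

$ObjectDN    = "CN=Some User,OU=Staff,DC=domain,DC=local"  # placeholder: object failing with 8344
$SyncAccount = "DOMAIN\AccountName"                        # placeholder: connector account, NetBIOS form

# Resolve the attribute's schemaIDGUID from the schema rather than hard-coding it.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr     = Get-ADObject -SearchBase $schemaNC `
                -LDAPFilter "(lDAPDisplayName=mS-DS-ConsistencyGuid)" `
                -Properties schemaIDGUID
$attrGuid = [guid]$attr.schemaIDGUID

$obj = Get-ADObject -Identity $ObjectDN -Properties adminCount
$acl = Get-Acl -Path "AD:\$ObjectDN"

# Allow ACEs for the account that grant WriteProperty either on this attribute
# or on all properties (empty ObjectType). ACEs granted through a group the
# account belongs to are not matched by this simple comparison.
$writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$matching  = @($acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $SyncAccount -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band $writeProp) -and
    ($_.ObjectType -eq $attrGuid -or $_.ObjectType -eq [guid]::Empty)
})

[pscustomobject]@{
    Object              = $ObjectDN
    InheritanceDisabled = $acl.AreAccessRulesProtected
    AdminCount          = $obj.adminCount
    WriteAceFound       = ($matching.Count -gt 0)
    AceInherited        = ($matching | ForEach-Object { $_.IsInherited }) -join ','
}
```

If `InheritanceDisabled` is `True` or `AdminCount` is `1`, a permission granted at the domain root with `/I:S` does not reach that object, which matches the inheritance and adminSDHolder points raised in the thread.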