question

NikolasStylianides-6172 asked
0 Votes

Azure AD DS access rights

I cannot modify entries using the Apache Directory Studio. I am owner and Global Administrator in my Tenant. I can read but I cannot write. Error: LDAP: error code 50 - 00002098: SecErr: DSID-03150E49, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

azure-ad-domain-services

gurmukhsingh0505 answered
0 Votes

Right-click on the application and select Run as Administrator.

When you are a member of one of the special restricted groups such as Domain Admins, Enterprise Admins, or Administrators, those group memberships are blocked from your normal process token. To use these group memberships, you need to elevate by using Run as Administrator.

You can verify that the groups are blocked by running SysInternals' Process Explorer, right-click on the application, select Properties, and on the Security tab, the groups will have a Deny in the Flags column.


NikolasStylianides-6172 answered
0 Votes

Thank you for your answer. I tried the solution, running the Apache Directory Studio application as Administrator, but the experience is the same. I have also noticed that I get no information about the Schema.


ads.png (33.9 KiB)

SamCogan answered
1 Vote

The rights you are granted on the domain in AAD DS are limited; you are not a Domain Admin, which I would imagine this tool believes you are. You are granted only specific rights to undertake operations that are allowed in AAD DS. This includes managing users and groups, GPOs, OUs, DNS and a few other things.

You have no rights to access or modify the schema.

If you need more rights than this then you would need to look at using IaaS domain controllers and not AAD DS.


Thank you @SamCogan. But even modifying users and groups is restricted with my current configuration. I can read the directory but I cannot add/delete/modify any user or group. I have tried with Apache Directory Studio and even the PHP ldap library. Is there a "trick" I am missing?

0 Votes

SamCogan replied to NikolasStylianides-6172:

Which OU are the users/groups you are trying to edit located in? As @KAREDD-MSFT mentioned, the users created in your Azure AD tenant directly are not available for editing in AAD DS, you can only edit users and groups you created directly in AAD DS.

0 Votes

Hi @SamCogan again. Is there a possibility that the issue is with my certificate, which is self-signed? Is there a policy in Azure AD DS that restricts access to read-only in the case of self-signed certificates?

0 Votes

KAREDD-MSFT answered
0 Votes

Hi @NikolasStylianides-6172,

You cannot add/delete/modify any user or group that is being synchronized from Azure AD to a managed domain (Azure AD DS).

You can create OUs which are local to Azure AD DS, and in those OUs you can modify the properties as needed.

This is documented in the FAQ: https://docs.microsoft.com/en-us/azure/active-directory-domain-services/faqs#can-i-modify-group-memberships-using-ldap-or-other-ad-administrative-tools-on-managed-domains

This is by design, and if you need to perform these actions, then you should look at using IaaS domain controllers as suggested by @SamCogan.

This article does a great job of comparing on-premises AD, Azure AD and Azure AD DS.


NikolasStylianides-6172 answered
0 Votes

Dear @KAREDD-MSFT , thank you for the input.

So, based on what you said and what I read Azure AD DS is only for reading. I cannot even create an OU under OU=AADDC User. To achieve that I have to connect my on-premise AD with AD Connect with Azure AD DS and then work on my on-premise AD.

If that is the case, I am wondering what Azure AD DS is good for, since I can also connect my on-premise AD to Azure AD and be done with it. The only benefit I see is redundancy.

Except if I am wrong.


You cannot edit anything in the AADDC OU, including adding new OUs under it.

You can create new OUs under the root of the domain, and create users and groups that are local to AAD DS only, which you can manage. You can also edit the GPO applied to the AADDC OU.

For users created in AAD, AAD must remain the source of truth. These are the limitations of AAD DS. It was designed as a tool to assist with the lift and shift of applications that require LDAP into Azure, providing a local LDAP source for these applications. It is not intended to be a replacement for your on-premises AD.

0 Votes
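A small pre-flight check for the situation described in KAREDD-MSFT's answer and SamCogan's comment above: before issuing an LDAP write to a managed domain, classify the target DN (synced AADDC containers and the schema partition are read-only; custom OUs under the domain root are where AAD DS lets you manage objects), and decode the AD extended-error string from the original question. This is an added example, not code from the thread or from Microsoft. It uses only the Python standard library; the domain `corp.example.com` and every DN below are constructed for illustration.

```python
"""Pre-flight classifier for LDAP writes against an Azure AD DS managed domain.

Added example (not from the thread). Standard library only; the DNs under
corp.example.com are constructed, not taken from any real tenant.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# AD appends an extended error to LDAP failures, e.g. the one in the question:
#   "00002098: SecErr: DSID-03150E49, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0"
_AD_EXT_ERR = re.compile(
    r"(?P<win32>[0-9A-Fa-f]{8}): (?P<cls>\w+): DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"problem (?P<problem>\d+) \((?P<name>[A-Z_]+)\), data (?P<data>\d+)"
)

# Win32 0x2098 (8344) is ERROR_DS_INSUFF_ACCESS_RIGHTS; LDAP result code 50 is
# insufficientAccessRights. Both mean the bound identity has no write ACE on the
# target, which is exactly what a managed domain enforces on synced objects.
WIN32_NAMES: Dict[int, str] = {0x2098: "ERROR_DS_INSUFF_ACCESS_RIGHTS"}

# Containers populated from Azure AD by the managed domain (read-only over LDAP).
SYNCED_OUS = {"aaddc users", "aaddc computers"}


@dataclass(frozen=True)
class Diagnosis:
    writable: Optional[bool]   # None = outside the cases this check knows about
    reason: str


def parse_ad_error(text: str) -> Dict[str, object]:
    """Split the AD extended-error suffix of an LDAP error message into fields."""
    m = _AD_EXT_ERR.search(text)
    if not m:
        raise ValueError("not an AD extended error string")
    code = int(m.group("win32"), 16)
    return {
        "win32": code,
        "win32_name": WIN32_NAMES.get(code, "unknown"),
        "dsid": m.group("dsid"),
        "problem": int(m.group("problem")),
        "problem_name": m.group("name"),
        "data": int(m.group("data")),
    }


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (type, value) RDNs, honouring backslash-escaped commas."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        typ, _, val = part.strip().partition("=")
        rdns.append((typ.strip().lower(), val.strip().replace("\\,", ",")))
    return rdns


def diagnose_write(target_dn: str) -> Diagnosis:
    """Say whether an LDAP add/modify/delete on target_dn can succeed in AAD DS."""
    rdns = split_dn(target_dn)
    ancestors = rdns[1:]                      # containers above the object itself
    names = {(t, v.lower()) for t, v in ancestors}

    if ("cn", "schema") in names and ("cn", "configuration") in names:
        return Diagnosis(False, "schema partition is read-only in Azure AD DS")
    for t, v in ancestors:
        if t == "ou" and v.lower() in SYNCED_OUS:
            return Diagnosis(False, f"'{v}' is populated from Azure AD; change the "
                                    "object in Azure AD, the source of truth")
    if rdns and rdns[0][0] == "ou" and all(t == "dc" for t, _ in ancestors):
        return Diagnosis(True, "new custom OU directly under the domain root")
    if any(t == "ou" for t, _ in ancestors):
        return Diagnosis(True, "object inside a custom OU local to Azure AD DS")
    return Diagnosis(None, "outside the synced containers and any custom OU; "
                           "check the ACL before writing")


if __name__ == "__main__":
    err = ("LDAP: error code 50 - 00002098: SecErr: DSID-03150E49, "
           "problem 4003 (INSUFF_ACCESS_RIGHTS), data 0")
    print(parse_ad_error(err))
    for dn in [  # constructed DNs for a hypothetical managed domain
        "CN=Jane Doe,OU=AADDC Users,DC=corp,DC=example,DC=com",
        "OU=Apps,OU=AADDC Users,DC=corp,DC=example,DC=com",
        "OU=Apps,DC=corp,DC=example,DC=com",
        "CN=svc-ldap,OU=Apps,DC=corp,DC=example,DC=com",
    ]:
        print(dn, "->", diagnose_write(dn))
```

The classifier only encodes what the answers above state (synced AADDC containers and the schema are read-only; custom OUs under the root are manageable); anything else gets `writable=None` rather than a guess, so the script never claims a write will succeed where the page gives no basis for it.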
NikolasStylianides-6172 answered
0 Votes

Great answers @SamCogan, super clear. And my last question: is sync from Azure AD to my on-premises AD possible? I know that if I use Azure AD Connect, on-premises AD will sync to Azure AD. But does it work the other way around? For example, add a user in Azure AD and have this user get synced to my on-premises AD?

Thank you in advance.


No, it's not currently possible to sync the other way; sync always goes from AD to AAD. The request to go the other way has been around for a long time, but has not been implemented so far.

0 Votes