Insufficient access rights to perform the operation - error 8344

Question

question

NeverKnow-2832 asked Jul 9, '20 JohanvanHaarlem-5870 commented Oct 12, '20

Insufficient access rights to perform the operation - error 8344

I am running into the common 8344 "Insufficient access rights to perform the operation"

I went through various tips/blogs and tried the following:

In AD, ensure that the user account performing the operations has inheritance enabled
Tried the following powershell command:

$DN = "DC=domain,DC=local"
$Account = "domain.LOCAL\AccountName"
$cmd = "dsacls $DN /I:S /G '`"$accountName`":RPWP;mS-DS-ConsistencyGuid;user'"
Invoke-Expression $cmd

It is trying to write back to the mS-DS-ConsistencyGuid but failing there.
Password writeback seems to be ok.

I am not sure what else to try other than what I have done

azure-ad-connect

· 1

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

JohanvanHaarlem-5870 · Oct 12, 2020 at 12:33 PM

I had the same issue, i fixed it by enabeling inherritance on my user-object.

Regards,

0 ·

Answer 1 · 2020-07-09T08:39:03.537Z

amanpreetsingh-msft answered Jul 9, '20

Hi @NeverKnow-2832

Here is a PowerShell script: https://gallery.technet.microsoft.com/office/AD-Advanced-Permissions-49723f74 that you can use to configure required permissions for the following features:

Device WriteBack

Exchange Hybrid WriteBack

Office 365 Group WriteBack

Password Hash Sync (Replicating Directory Changes / Replicating Directory Changes All)

Password WriteBack

ms-DS-ConsistencyGuid permission

adminSDHolder

Please do not forget to "Accept the answer" wherever the information provided helps you. This will help others in the community as well.

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

question