Jarrod Woerner

Personal blog about tech, classic arcades, gaming, and more

Azure AD Sync “Permission-Issue” – Error Code-8344

I had been troubleshooting our Azure AD Sync after realizing we hadn't had a successful sync in about a week. The only reason I noticed was that we had made some changes in AD and they were not showing up in Azure; the sync process was reporting success in the portal, even though that was not the case. I figured it would be good to write it up here, in case I need the info again, and to help others who run into the same issue.

AAD Sync Export Errors

Azure AD Sync was in fact running against Office 365, but the export step was logging a lot of errors.

I verified that the on-premises sync account, as well as the account online, had the required permissions for syncing. Once I had ruled that out, I hoped that clicking on the error would provide more details to help solve the issue.

Not very helpful, other than the connected data source error code of 8344. That code is the directory's ERROR_DS_INSUFF_ACCESS_RIGHTS ("Insufficient access rights to perform the operation"): the sync account's rights are delegated at the domain or OU level and reach each user object only through ACL inheritance, so a user whose inheritance is turned off is a user the sync account cannot write to. After some digging, I was able to resolve the issue with the following:

Run the Active Directory Inheritance PowerShell script (originally posted on the TechNet Gallery; a faster version is in the comment below) to generate a CSV list of users that are not inheriting permissions.

For each user on that list, open the user in Active Directory Users and Computers (with View > Advanced Features turned on, otherwise the Security tab is hidden) and go to Properties > Security > Advanced. For these users the button reads 'Enable Inheritance'. Click it; the button text changes to 'Disable Inheritance'. Click Apply, close that user, and move on to the next one. One caveat: if the user is still a member of a protected group such as Domain Admins, the AdminSDHolder process (SDProp) will turn inheritance back off within about an hour, so this fix only sticks for accounts that have since been removed from those groups.

Once I had verified all users were inheriting permissions, I ran a manual sync, and all changes were successful.
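The three steps above can be done in one pass. The script below is an added example, not the post's script or the TechNet Gallery one: it finds enabled users whose ACL inheritance is blocked, reports them to CSV, and with a `-Fix` switch re-enables inheritance and clears the leftover `adminCount` only on accounts that are no longer members of an AdminSDHolder-protected group (current members would be re-protected by SDProp within the hour, so those are reported but skipped). It assumes the RSAT ActiveDirectory module, an account allowed to change ACLs on the affected users, and an output path of `.\InheritanceBroken.csv`; the `-Fix` switch and the `-ReportPath` parameter are this example's own.

```powershell
<#
  Added example (not the post's or the TechNet Gallery script).
  Reports enabled users with ACL inheritance disabled, the usual cause of
  export error 8344 for the Azure AD Connect sync account, and with -Fix
  re-enables inheritance on those no longer in a protected group.
  Assumes: RSAT ActiveDirectory module, rights to modify the users' ACLs.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$ReportPath = '.\InheritanceBroken.csv',   # assumed output location
    [switch]$Fix                                       # report only unless set
)

Import-Module ActiveDirectory

# SDProp re-stamps current members of these groups roughly every hour and
# turns inheritance back off, so enabling it on them would be undone.
$protectedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Administrators', 'Account Operators', 'Server Operators',
    'Print Operators', 'Backup Operators', 'Replicator'

$protectedSids = [System.Collections.Generic.HashSet[string]]::new()
foreach ($g in $protectedGroups) {
    try {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
            ForEach-Object { [void]$protectedSids.Add($_.SID.Value) }
    } catch {
        # Enterprise/Schema Admins exist only in the forest root domain, and
        # members from trusted domains can make -Recursive fail. Warn and go on.
        Write-Warning "Could not enumerate '$g': $($_.Exception.Message)"
    }
}

# Only enabled users matter for sync. nTSecurityDescriptor must be requested
# explicitly; AreAccessRulesProtected is the "inheritance disabled" flag.
$broken = Get-ADUser -Filter 'Enabled -eq $true' -Properties nTSecurityDescriptor, adminCount |
    Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected }

$report = foreach ($u in $broken) {
    $stillProtected = $protectedSids.Contains($u.SID.Value)
    $action = 'None'

    if ($stillProtected) {
        $action = 'SkippedProtectedMember'
    }
    elseif ($Fix) {
        $adPath = "AD:\$($u.DistinguishedName)"
        if ($PSCmdlet.ShouldProcess($u.DistinguishedName, 'Enable inheritance and clear adminCount')) {
            # SetAccessRuleProtection($false, ...) re-enables inheritance;
            # the second argument is ignored when unprotecting.
            $acl = Get-Acl -Path $adPath
            $acl.SetAccessRuleProtection($false, $true)
            Set-Acl -Path $adPath -AclObject $acl

            # An orphaned adminCount=1 is what marks an ex-admin; clear it so
            # the account is treated as an ordinary user from here on.
            if ($u.adminCount -eq 1) { Set-ADUser -Identity $u -Clear adminCount }

            # Re-read the ACL to confirm the change actually took.
            $action = if ((Get-Acl -Path $adPath).AreAccessRulesProtected) { 'FixFailed' } else { 'Fixed' }
        }
    }

    [pscustomobject]@{
        SamAccountName    = $u.SamAccountName
        DistinguishedName = $u.DistinguishedName
        AdminCount        = $u.adminCount
        StillProtected    = $stillProtected
        Action            = $action
    }
}

$report | Export-Csv -Path $ReportPath -NoTypeInformation
$report | Format-Table SamAccountName, StillProtected, Action -AutoSize
```

Run it once without `-Fix` to get the report, then with `-Fix -WhatIf` to see which accounts would be changed, then with `-Fix`. Afterwards, on the Azure AD Connect server, `Start-ADSyncSyncCycle -PolicyType Delta` kicks off the manual sync so you can confirm the export errors are gone.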

I hope this will help anyone else receiving this error and having Azure AD Sync issues.

1 Comment

  1. Thanks for sharing the script! I started running it in my environment and it was taking an extremely long time. I’ve edited the script to run much faster. Prior to making changes it took 710 seconds. It is now down to 106 seconds!

    I converted the arrays to arraylists, removed the wildcard property on the query, and added the Enabled -eq $True to the filter on the Get-ADUser. The arraylists were certainly not necessary in this scenario since the arrays we are dealing with aren’t large at all. The vast majority of the performance gains were by removing the -Property * on the queries and adding the filter Enabled -eq $True on the Get-ADUser query.

    I would post this on the TechNet Gallery where you listed the original script, but it looks like we can't comment on that post. Thanks again for sharing the initial script.

    # Creating ArrayLists (plain arrays would do here; the speed-up comes from the queries below)
    $AllContainers = New-Object System.Collections.ArrayList
    $UserStatuses = New-Object System.Collections.ArrayList

    Write-Host "Getting all OUs"
    $OUs = Get-ADOrganizationalUnit -Filter * -Properties distinguishedname, canonicalname |
        Select-Object distinguishedname, canonicalname

    Write-Host "Getting all containers"
    $Containers = Get-ADObject -SearchBase (Get-ADDomain).distinguishedname -SearchScope OneLevel -LDAPFilter '(objectClass=container)' -Properties distinguishedname, canonicalname |
        Select-Object distinguishedname, canonicalname

    # Adding containers and OUs to a common variable
    # (@() guards against a single result, which AddRange would otherwise reject)
    $AllContainers.AddRange(@($OUs))
    $AllContainers.AddRange(@($Containers))

    # Looping through each OU/Container
    foreach ($Cntr in $AllContainers) {

        Write-Host ("Evaluating - " + $Cntr.distinguishedname)

        # Only enabled users and only the attributes needed; nTSecurityDescriptor
        # carries the "inheritance disabled" flag (AreAccessRulesProtected)
        $Entry = Get-ADUser -Filter {enabled -eq $true} -SearchBase $Cntr.distinguishedname -SearchScope OneLevel -Properties nTSecurityDescriptor, Enabled, displayname, userprincipalname, samAccountName |
            Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected -eq $true } |
            Select-Object @{n='OU';e={$Cntr.distinguishedname}}, displayname, userprincipalname, samAccountName, @{n='InheritanceBroken';e={$_.nTSecurityDescriptor.AreAccessRulesProtected}}

        # If we found something
        If ($Entry) {

            # You have to use .Add when adding a single value to an ArrayList
            If ($Entry -isnot [array]) {
                [void]$UserStatuses.Add($Entry)
            }
            # You have to use .AddRange when adding a collection of objects to an ArrayList
            Else {
                [void]$UserStatuses.AddRange($Entry)
            }
        }
    }

    # Write the results out as CSV (added here: the excerpt ended without
    # outputting $UserStatuses; the path is just an example)
    $UserStatuses | Export-Csv -Path .\UsersNotInheriting.csv -NoTypeInformation


© 2019 Jarrod Woerner

Theme by Anders Norén