Resolving DirSync user permission errors (another cool script)

Let’s start with this image. DirSync is unable to perform the appropriate reads and write backs to these users.


This is because “Inheritance is blocked” on these users. This is normal for users that belong to Domain Admins: in the event that someone does something stupid and applies the wrong permissions to the domain or an OU, they won’t apply to members of Domain Admins. For example, what if we applied Deny all rights to the Everyone group at the domain level? It would basically break all access to Active Directory. So there is a built-in service on domain controllers that un-checks this box on users that are members of the Domain Admins group and keeps them from being completely locked out… but I’m getting off topic…

What we need to do to fix these DirSync issues is hunt down each of these users in Active Directory Users and Computers and perform a series of steps.

I labeled each of these steps with a number.

  1. Find the user, check the box to enable inheritance
  2. Click apply
  3. Un-check the box
  4. Choose Add, this will add the DirSync permissions onto the user
  5. Take a sip of coffee
  6. Click Apply
  7. Click Yes
  8. Click Ok






Wow, that’s a lot of clicking.

Here is a script to make it easy.

Step 1) Right click on the error in DirSync and click Save to file…
It will be in XML format… call it whatever you want, like DirSyncErrors.xml


The XML file will look like this


Step 2) Run these two PowerShell commands from the directory where the XML file is located. This will extract the users’ distinguished names.

$xmlFile = [xml] (Get-Content ./DirSyncErrors.xml)
$xmlFile.SelectNodes('//export-error')|select -expand dn > UsersToFix.txt

The output will look like this text file. I called mine UsersToFix.txt


Now download the Quest ActiveRoles Management Shell tools from here:

Step 3) Create a script, I called it FixInheritance.ps1 that has the following code. Start the Quest ActiveRoles Shell and run this script in the shell.

$File = Get-Content './UsersToFix.txt'
Foreach ($user in $File) {
    # Enable inheritance (GUI steps 1-2), then block it again (GUI steps 3-8)
    Set-QADObjectSecurity $user -UnlockInheritance
    Set-QADObjectSecurity $user -LockInheritance
}

This will perform the same 8 steps shown above with a whole lot less clicking. Keep these scripts in your toolbox folder for future Office 365 deployments.
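The same unlock-and-relock pass using the built-in ActiveDirectory module's AD: drive instead of the Quest cmdlets, as an added example rather than the author's script; it assumes the ActiveDirectory module is installed, that UsersToFix.txt holds one DN per line, and it reports each object's explicit-entry count so you can confirm the inherited DirSync entries were copied onto the user.

```powershell
# Added example (not the author's script): native ActiveDirectory module equivalent
# of Set-QADObjectSecurity -UnlockInheritance / -LockInheritance.
# Assumes UsersToFix.txt is in the current directory with one DN per line.
Import-Module ActiveDirectory

function Reset-InheritanceWithCopy {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $path = "AD:\$DistinguishedName"

    # GUI steps 1-2: enable inheritance and apply, so the DirSync ACEs flow down
    # from the OU/domain onto the user object.
    $acl = Get-Acl -Path $path
    $before = @($acl.Access | Where-Object { -not $_.IsInherited }).Count
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path $path -AclObject $acl

    # GUI steps 3-4: block inheritance again and choose "Add", i.e. keep the
    # inherited entries as explicit ones (preserveInheritance = $true).
    $acl = Get-Acl -Path $path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $path -AclObject $acl

    # GUI steps 6-8 are just confirmations; verify the result instead of clicking.
    $after = Get-Acl -Path $path
    [pscustomobject]@{
        DistinguishedName     = $DistinguishedName
        InheritanceBlocked    = $after.AreAccessRulesProtected
        ExplicitEntriesBefore = $before
        ExplicitEntriesAfter  = @($after.Access | Where-Object { -not $_.IsInherited }).Count
    }
}

Get-Content './UsersToFix.txt' |
    Where-Object { $_.Trim() } |
    ForEach-Object { Reset-InheritanceWithCopy -DistinguishedName $_.Trim() } |
    Format-Table -AutoSize
```

ExplicitEntriesAfter should be higher than ExplicitEntriesBefore for each user once the copied entries are in place; a row where InheritanceBlocked is False means the second Set-Acl did not take and the user should be rechecked.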


About Mike

owner of blog
This entry was posted in Migration, Office 365, PowerShell. Bookmark the permalink.
