Modifying a user’s group membership may impact Exchange hybrid

Many organizations run an Exchange Hybrid deployment between their on-premises Exchange and Exchange Online in Office 365. In this scenario, as part of the AD synchronization configuration, the synchronization account is granted write permissions on user objects so that Exchange Online can write certain attributes back to the on-premises AD. Users who are members of the protected AD security groups listed below do not keep those permissions: the SDProp process periodically replaces the security descriptor of every protected account with the one on the AdminSDHolder object, which strips the write-back permissions the hybrid configuration added. Write-back for those users fails, and they will not have access to the features that depend on it until the procedure documented below is executed.

The affected security groups are:

    • Schema Admins;
    • Enterprise Admins;
    • Cert Publishers;
    • Domain Admins;
    • Account Operators;
    • Print Operators;
    • Administrators (domain local);
    • Server Operators;
    • Backup Operators.

Members of nested groups are affected as well, because SDProp evaluates transitive membership. To resolve this issue, use the dsacls tool to grant the MSOL_AD_Sync_RichCoexistence account write permissions on the AdminSDHolder object in your on-premises Active Directory forest; SDProp then copies that ACL to every protected account, so the write-back permissions survive the next reset instead of being stripped by it.

To modify the AdminSDHolder container you need dsacls.exe. On Windows Server 2008 and later it is installed with the AD DS tools (Remote Server Administration Tools); on Windows Server 2003 it is part of the Windows Server 2003 Service Pack 1 (SP1) Support Tools, which must be downloaded and installed separately. Run the following commands as a Domain Admin, replacing DC=<mydomain>,DC=com with the distinguished name of your domain:

dsacls CN=AdminSDHolder,CN=System,DC=<mydomain>,DC=com /G MSOL_AD_SYNC_RICHCOEXISTENCE:WP;"MSExchArchiveStatus"

dsacls CN=AdminSDHolder,CN=System,DC=<mydomain>,DC=com /G MSOL_AD_SYNC_RICHCOEXISTENCE:WP;"MSExchBlockedSendersHash"

dsacls CN=AdminSDHolder,CN=System,DC=<mydomain>,DC=com /G MSOL_AD_SYNC_RICHCOEXISTENCE:WP;"MSExchSafeRecipientsHash"

dsacls CN=AdminSDHolder,CN=System,DC=<mydomain>,DC=com /G MSOL_AD_SYNC_RICHCOEXISTENCE:WP;"MSExchSafeSendersHash"

dsacls CN=AdminSDHolder,CN=System,DC=<mydomain>,DC=com /G MSOL_AD_SYNC_RICHCOEXISTENCE:WP;"MSExchUCVoiceMailSettings"

dsacls CN=AdminSDHolder,CN=System,DC=<mydomain>,DC=com /G MSOL_AD_SYNC_RICHCOEXISTENCE:WP;"ProxyAddresses"

Running dsacls against the AdminSDHolder distinguished name with no further arguments lists the resulting DACL, so you can confirm that each of the six Write Property entries is present. The new permissions reach the protected accounts only when SDProp next runs on the PDC emulator, every 60 minutes by default; on Windows Server 2008 and later you can trigger a run immediately by writing the runProtectAdminGroupsTask operational attribute on the PDC emulator's rootDSE (fixupInheritance on Windows Server 2003), otherwise wait for the scheduled run before testing write-back for an affected user.
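The whole procedure as one PowerShell script, added here as a worked example that is not part of the original article: it applies the same six dsacls grants in a loop, verifies them by reading the AdminSDHolder DACL back and matching each attribute's schemaIDGUID against the ACEs held by the sync account, forces an SDProp run so protected accounts receive the new ACL immediately, and lists the accounts currently flagged adminCount=1. It assumes the ActiveDirectory PowerShell module and dsacls.exe are installed, that it runs elevated as a Domain Admin, and that the sync account is DOMAIN\MSOL_AD_Sync_RichCoexistence; the NetBIOS domain prefix and the variable names are assumptions of the example, not something the original commands use.

```powershell
# Added example, not from the original article: grant the Exchange hybrid
# write-back permissions on AdminSDHolder, verify they are present, and
# trigger SDProp so protected accounts pick the ACL up now rather than at
# the next scheduled run.
# Assumptions: elevated Domain Admin session on a machine with the
# ActiveDirectory module (RSAT-AD-PowerShell) and dsacls.exe; the sync
# account is DOMAIN\MSOL_AD_Sync_RichCoexistence (adjust if yours differs).

Import-Module ActiveDirectory

$Domain        = Get-ADDomain
$SyncAccount   = "$($Domain.NetBIOSName)\MSOL_AD_Sync_RichCoexistence"
$AdminSDHolder = "CN=AdminSDHolder,CN=System,$($Domain.DistinguishedName)"

# The attributes Exchange Online writes back to on-premises AD in a hybrid deployment.
$Attributes = @(
    'msExchArchiveStatus',
    'msExchBlockedSendersHash',
    'msExchSafeRecipientsHash',
    'msExchSafeSendersHash',
    'msExchUCVoiceMailSettings',
    'proxyAddresses'
)

# 1. Grant Write Property (WP) on each attribute to the sync account, the same
#    grant the six dsacls commands above make, in one loop. Braces around the
#    variable name keep PowerShell from parsing "$SyncAccount:" as a scope qualifier.
foreach ($attr in $Attributes) {
    & dsacls.exe $AdminSDHolder /G "${SyncAccount}:WP;$attr"
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed to grant WP on $attr" }
}

# 2. Verify by reading the DACL back. Attribute-scoped ACEs carry the attribute's
#    schemaIDGUID in ObjectType, so resolve each GUID from the schema partition and
#    look for an Allow ACE with WriteProperty for the sync account.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$acl      = Get-Acl -Path "AD:\$AdminSDHolder"
$missing  = @()
foreach ($attr in $Attributes) {
    $schemaObj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$attr)" -Properties schemaIDGUID
    $guid = [guid]$schemaObj.schemaIDGUID
    $ace = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType -eq $guid -and
        $_.IdentityReference.Value -eq $SyncAccount -and
        (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -ne 0)
    }
    if (-not $ace) { $missing += $attr }
}
if ($missing) { throw "WP still missing on AdminSDHolder for: $($missing -join ', ')" }
Write-Host "All $($Attributes.Count) write-back ACEs are present on AdminSDHolder for $SyncAccount"

# 3. SDProp runs on the PDC emulator every 60 minutes by default. Writing
#    runProtectAdminGroupsTask to the PDC's rootDSE (Windows Server 2008 and later;
#    fixupInheritance on Windows Server 2003) runs it immediately.
$pdc     = $Domain.PDCEmulator
$rootDse = [ADSI]"LDAP://$pdc/RootDSE"
$rootDse.Put('runProtectAdminGroupsTask', '1')
$rootDse.SetInfo()
Write-Host "SDProp triggered on $pdc"

# 4. Show which user accounts are currently protected (adminCount=1) and will
#    therefore receive the AdminSDHolder ACL, including nested group members.
Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount |
    Select-Object SamAccountName, DistinguishedName |
    Format-Table -AutoSize
```

Run it once per domain in the forest that holds protected accounts with hybrid mailboxes. After the SDProp run, re-check an affected user with Get-Acl on its AD:\ path the same way step 2 checks AdminSDHolder; the same six ACEs should now appear on the user object, and the next synchronization cycle will be able to write the attributes back.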
