This is quite a common issue when setting up Azure AD Connect to sync user accounts with Azure AD. Once you have set up sync, you will see the following errors in Event Viewer. (This can also happen when changing which attribute is used to sync accounts, such as changing from objectGUID to mS-DS-ConsistencyGuid.)
Insufficient access means that your AAD account doesn't have the correct write-back permissions on the user object. The resolution is quite simple: there are a ton of scripts out there that change the permissions, but the manual method is safer if you are not a code monkey.
Time needed: 30 minutes.
Add permission inheritance to user objects in AD
- In Active Directory Users and Computers, open the user's properties. Go to the Security tab and click Advanced.
Here we enable permission inheritance on the user in question. This will need doing for every user that generates the error in AD Connect.
- Enable Inheritance
Here we allow the user object to inherit permissions. Select "Enable Inheritance".
Allow the AAD sync to run again and you should see that the error no longer occurs for users with the above permissions.
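If you would rather find every affected user at once than click through each one, the following PowerShell does the same "Enable Inheritance" step from the command line. It is an added example, not a script from this post; it assumes the RSAT ActiveDirectory module is installed and that the account running it may change security descriptors on user objects.

```powershell
# Added example, not the post's own script. Assumes the RSAT ActiveDirectory
# module and an account allowed to change security descriptors on user objects.
Import-Module ActiveDirectory

function Get-UsersWithBlockedInheritance {
    # Users whose security descriptor has inheritance disabled (the state that
    # produces the "Insufficient access" write-back error in AD Connect).
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    Get-ADUser -Filter * -SearchBase $SearchBase -Properties adminCount |
        ForEach-Object {
            $acl = Get-Acl -Path ("AD:\" + $_.DistinguishedName)
            if ($acl.AreAccessRulesProtected) {
                [pscustomobject]@{
                    SamAccountName    = $_.SamAccountName
                    DistinguishedName = $_.DistinguishedName
                    AdminCount        = $_.adminCount   # 1 = protected by AdminSDHolder
                }
            }
        }
}

function Enable-UserInheritance {
    # Same action as "Enable Inheritance" in the Advanced Security dialog.
    # Run with -WhatIf first; the change is only applied without it.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$DistinguishedName)

    process {
        $path = "AD:\" + $DistinguishedName
        $acl  = Get-Acl -Path $path
        if (-not $acl.AreAccessRulesProtected) { return }   # already inherits
        if ($PSCmdlet.ShouldProcess($DistinguishedName, "Enable permission inheritance")) {
            # $false = stop protecting (enable inheritance); $true = keep the
            # explicit ACEs already on the object, as the GUI does.
            $acl.SetAccessRuleProtection($false, $true)
            Set-Acl -Path $path -AclObject $acl
        }
    }
}

# Preview, then apply. Accounts with adminCount = 1 (members of protected groups
# such as Domain Admins) will have inheritance switched off again by the
# AdminSDHolder process, so for those the fix is group membership, not this step.
Get-UsersWithBlockedInheritance | Format-Table SamAccountName, AdminCount
Get-UsersWithBlockedInheritance | Enable-UserInheritance -WhatIf
```

Drop the -WhatIf on the last line once the preview shows only the users you expect, then run a sync cycle as described above to confirm the error is gone.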
Tags: AD Connect