Azure ADConnect Export Failed with Permission-issue error (Insufficient access rights to perform this operation)

Hello Guys,

While I was working on one of the ADConnect deployments, we faced an issue in the export operation with the error “Permission-Issue” for some users, as shown in the snapshot below:

In the console above, when we clicked one of the affected users to expand the error, we got the error “Insufficient access rights to perform this operation”, as shown below:

When we went to AD Users and Computers, we noticed that all affected users had permission inheritance disabled, as shown below (since the “Enable inheritance” button appears, this means inheritance is disabled):

Simply enabling inheritance solved the issue, and ADConnect was able to export these identities.

Now, the important question is: why enable inheritance?

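The answer is very simple: disabled inheritance means that the account no longer inherits permissions from a parent object (i.e. an OU), so permissions delegated to the ADConnect account on the parent do not reach that account and the export fails with insufficient access rights. In most cases this happens when the object was added to a privileged group such as the Domain Admins group.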
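To find every affected account at once instead of opening each one in AD Users and Computers, the check can be scripted. This is an added example, not part of the original post: it assumes the ActiveDirectory RSAT module, a placeholder search base (`OU=Users,DC=example,DC=com`) and two hypothetical helper functions. Accounts with `adminCount` set to 1 are reported but left alone, since these are typically the privileged accounts on which AD turns inheritance off again.

```powershell
# Added example: audit user objects whose ACL does not inherit from the parent.
Import-Module ActiveDirectory

# Assumption: placeholder search base; replace with the OU that ADConnect syncs.
$SearchBase = 'OU=Users,DC=example,DC=com'

# Hypothetical helper: list users with inheritance disabled (read-only).
function Get-InheritanceDisabledUser {
    param([Parameter(Mandatory)][string]$SearchBase)

    Get-ADUser -SearchBase $SearchBase -Filter * -Properties nTSecurityDescriptor, adminCount |
        # AreAccessRulesProtected is $true when inheritance is disabled on the object
        Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected } |
        Select-Object SamAccountName, DistinguishedName,
            @{ Name = 'AdminCount'; Expression = { $_.adminCount } }
}

# Hypothetical helper: re-enable inheritance on one object; honours -WhatIf.
function Enable-UserInheritance {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$DistinguishedName)

    process {
        $path = "AD:\$DistinguishedName"
        $acl  = Get-Acl -Path $path
        # isProtected = $false turns inheritance back on; the second argument
        # is ignored when isProtected is $false.
        $acl.SetAccessRuleProtection($false, $true)
        if ($PSCmdlet.ShouldProcess($DistinguishedName, 'Enable ACL inheritance')) {
            Set-Acl -Path $path -AclObject $acl
        }
    }
}

$affected = Get-InheritanceDisabledUser -SearchBase $SearchBase
$affected | Format-Table -AutoSize

# Dry run on accounts that are not flagged adminCount = 1.
# Remove -WhatIf only after reviewing the list above.
$affected | Where-Object { $_.AdminCount -ne 1 } | Enable-UserInheritance -WhatIf
```

Run it from a session with rights to read and modify the objects' security descriptors; the final line changes nothing until `-WhatIf` is removed.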

Ahmad Yasin (MCSA Office 365, MCSE: Messaging, Azure Certified)

Ahmad Yasin is a Microsoft Cloud Engineer and the owner and publisher of the AzureDummies blog. He also holds many certificates in Office 365 and Windows Azure, including Developing Microsoft Azure Solutions, Implementing Microsoft Azure Infrastructure Solutions and MCSA Office 365.





  1. Hello,

    I have recently begun seeing this error myself, however the accounts I have checked do have inheritance enabled.

    “Disable inheritance” is the button that shows for me, any thoughts on that?

    • Did you find any solution yet? We encounter the same “permissions-issue” with error 8344. Unfortunately I don’t remember when it started.
      Inheritance is enabled, we have no Exchange hybrid installation, only on-premise. I have no idea where the error comes from.

  2. Hi,

    Do you know what exactly the “Export” operation does in the Synchronization Service Manager?
    – What are the different operations done during “Export”?
    – Is it useful as an operation?


  3. Thank you so much! I just upgraded our AD connect from an older version and started getting this error on 3 accounts. No idea why these three had the inheritance disabled as I’m one of two admins that have been administering accounts for 22 years and neither of us would have done that purposely. Very glad to have a quick fix!!

  4. I assume this works for about an hour until this setting is reset by a process called SDPROP,
    this behavior is expected when the user is a member of admin groups flagged with admincount=1 to prevent changes on administrative accounts in containers where delegation is set

  5. Hello,

    As Office 365 Cloud delivers more and more features, additional permissions are needed by the Azure AD Connect service account to be able to update all needed on-premises attributes to support all new features.

    For that purpose, a script found on MS Gallery called AAD Connect Advanced Permissions can help you
    to set all the proper permissions required by the Azure AD Connect service account:

    Kind regards
