While working on an ADConnect deployment, we faced an issue in the export operation: some users failed with the error “Permission-Issue”, as shown in the snapshot below:
In the console above, when we clicked one of the affected users to expand the error, we got the error “Insufficient access rights to perform this operation”, as shown below:
When we opened Active Directory Users and Computers, we noticed that all affected users had permission inheritance disabled, as shown below (the button reads “Enable inheritance”, which means inheritance is currently disabled):
Simply enabling inheritance solved the issue, and ADConnect was able to export these identities.
Now, the important question is: why enable inheritance?
The answer is very simple: with inheritance disabled, the account no longer inherits permissions from a parent object (i.e. an OU), so permissions granted on the parent, including the ones ADConnect relies on for export, do not reach it. In most cases this happens when the object was added to a privileged group such as the Domain Admins group.
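To find every affected account before the export fails, the check can be scripted instead of opening each user in the console. The following read-only audit is an added example, not part of the original post; the search base `OU=Staff,DC=example,DC=com` is a placeholder, and the group name assumes an English-language domain.

```powershell
# Read-only audit; needs the ActiveDirectory module (RSAT). Nothing is modified.
Import-Module ActiveDirectory

# Assumption: placeholder OU. Replace with the OU that ADConnect synchronizes.
$SearchBase = 'OU=Staff,DC=example,DC=com'

# Current members of the privileged group named in the post (nested groups included).
$privileged = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty distinguishedName

# AreAccessRulesProtected is $true when inheritance is disabled on the object's ACL.
# adminCount = 1 is set by AD on accounts that are, or once were, in a protected group.
$report = Get-ADUser -SearchBase $SearchBase -Filter * -Properties nTSecurityDescriptor, adminCount |
    Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected } |
    ForEach-Object {
        [pscustomobject]@{
            SamAccountName    = $_.SamAccountName
            Enabled           = $_.Enabled
            AdminCount        = $_.adminCount
            InDomainAdmins    = $privileged -contains $_.DistinguishedName
            DistinguishedName = $_.DistinguishedName
        }
    }

# Accounts no longer in the privileged group sort first.
$report | Sort-Object InDomainAdmins, SamAccountName | Format-Table -AutoSize
```

Rows with `InDomainAdmins` set to `True` are accounts that are still in the privileged group, so review them separately before changing their ACLs.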
Ahmad Yasin is a Microsoft Cloud Engineer and the owner and publisher of the AzureDummies blog. He also holds many certificates in Office 365 and Windows Azure, including Developing Microsoft Azure Solutions, Implementing Microsoft Azure Infrastructure Solutions and MCSA Office 365.