Drawing attention to -ADObjectDN parameter. #67509
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
I noticed in AdSyncConfig.psm1, the comment-based help for the `Set-ADSyncUnifiedGroupWritebackpermissions` function doesn't include a .Parameter keyword for `-ADObjectDN` parameter, however, the parameter is there:
```powershell
# DistinguishedName of the target AD object to set permissions (optional)
[string] $ADobjectDN = $null,
```
And the description also covers it:
```powershell
.DESCRIPTION
The Set-ADSyncUnifiedGroupWritebackPermissions Function will give required permissions to the AD synchronization account, which include the following:
1. Generic Read/Write, Delete, Delete Tree and Create\Delete Child for Group Object types and SubObjects
These permissions are applied to all domains in the forest.
Optionally you can provide a DistinguishedName in ADobjectDN parameter to set these permissions on that AD Object only (including inheritance to sub objects).
In this case, ADobjectDN will be the Distinguished Name of the Container that you desire to link with the GroupWriteback feature.
```
...and also one of the examples covers it:
```powershell
.EXAMPLE
Set-ADSyncUnifiedGroupWritebackPermissions -ADConnectorAccountName 'ADConnector' -ADConnectorAccountDomain 'Contoso.com' -ADobjectDN 'OU=AzureAD,DC=Contoso,DC=com'
```
It is a good idea to use it, vs granting permissions all through the entire forest which won't be necessary (only the chosen OU needs the permissions set).
|
@JeremyTBradshaw : Thanks for your contribution! The author(s) have been notified to review your proposed change. |
billmath
approved these changes
Jan 15, 2021
|
#sign-off |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
I noticed in AdSyncConfig.psm1, the comment-based help for the
Set-ADSyncUnifiedGroupWritebackpermissionsfunction doesn't include a .Parameter keyword for-ADObjectDNparameter, however, the parameter is there:And the description also covers it:
.DESCRIPTION The Set-ADSyncUnifiedGroupWritebackPermissions Function will give required permissions to the AD synchronization account, which include the following: 1. Generic Read/Write, Delete, Delete Tree and Create\Delete Child for Group Object types and SubObjects These permissions are applied to all domains in the forest. Optionally you can provide a DistinguishedName in ADobjectDN parameter to set these permissions on that AD Object only (including inheritance to sub objects). In this case, ADobjectDN will be the Distinguished Name of the Container that you desire to link with the GroupWriteback feature....and also one of the examples covers it:
.EXAMPLE Set-ADSyncUnifiedGroupWritebackPermissions -ADConnectorAccountName 'ADConnector' -ADConnectorAccountDomain 'Contoso.com' -ADobjectDN 'OU=AzureAD,DC=Contoso,DC=com'It is a good idea to use it, vs granting permissions all through the entire forest which won't be necessary (only the chosen OU needs the permissions set).