Azure AD Setup – Sync Service Account – Login Failure


When setting up Azure AD synchronization tools such as Azure AD Connect, there is the option to specify an on-premises AD user/service account to be used for the local sync authentication. During the setup wizard, you may encounter the error “Logon failure: the user has not been granted the required logon type at this computer” (image below).

[image: azuresynclogon0]

This error may occur if you are installing the Azure AD sync tools on a domain controller (DC) and the service account cannot log on to the DC. In most cases, logon rights on DCs are limited to domain administrators, and if you are following the best practices for Azure AD sync, the service account is a low-rights domain user, not an administrator.

Fortunately, the fix is quite simple. To grant the logon right, add the service account to the Default Domain Controllers Policy GPO: under Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment, add the account to the “Allow log on locally” policy.

[image: azuresynclogon1]

After running gpupdate on the domain controller, you'll be able to click the install button and get on your way!

[image: azuresynclogon2]
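Before and after the GPO change it is worth confirming what the DC actually enforces rather than what the GPO editor shows. The script below is an added example, not code from the original post; it assumes an elevated PowerShell session on the domain controller, the ActiveDirectory module (present on DCs), and a placeholder account name CONTOSO\svc-aadsync.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell on the
# domain controller, before and after the GPO change + gpupdate, to confirm the sync
# service account actually holds "Allow log on locally" (SeInteractiveLogonRight).
# Needs the ActiveDirectory module (present on DCs). $Account is a placeholder name.
param(
    [string]$Account = 'CONTOSO\svc-aadsync'   # placeholder sync service account
)
Import-Module ActiveDirectory

# Export the effective user-rights assignments; secedit is built into Windows.
$inf = Join-Path $env:TEMP 'userrights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
# Line format: SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-549,...
$line = Get-Content $inf | Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' }
Remove-Item $inf -Force
if (-not $line) { throw 'SeInteractiveLogonRight not found in exported policy' }
$policySids = ($line -split '=', 2)[1].Trim() -split ',' |
              ForEach-Object { $_.Trim().TrimStart('*') }

# Resolve the service account to its SID, then collect its nested group SIDs with the
# LDAP_MATCHING_RULE_IN_CHAIN filter (covers group nesting, not the primary group).
$sid  = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
$user = Get-ADUser -Identity ($Account -split '\\')[-1]
$groupSids = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))" |
             ForEach-Object { $_.SID.Value }

$direct   = $policySids -contains $sid
$viaGroup = $policySids | Where-Object { $groupSids -contains $_ }

# Show the full list so you can confirm only the intended principal was added:
# the right should be widened on a DC for this one account, not for a broad group.
$names = foreach ($s in $policySids) {
    try { (New-Object System.Security.Principal.SecurityIdentifier($s)).Translate(
              [System.Security.Principal.NTAccount]).Value }
    catch { $s }   # unresolvable SID (e.g. deleted principal); keep it raw
}
[pscustomobject]@{
    Account            = $Account
    GrantedDirectly    = $direct
    GrantedViaGroupSid = ($viaGroup -join ',')
    AllowLogOnLocally  = ($names -join ', ')
}
```

Run it once before editing the GPO (expect GrantedDirectly = False) and again after gpupdate (expect True); if it stays False, the GPO has not applied to the DC yet or the account was added to the wrong policy.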
