如何修复 Azure AD Connect 权限问题错误代码 8344

Azure AD Connect 同步服务未导出 AD 对象并显示错误权限问题。单击该错误以获取更多详细信息，显示访问权限不足，无法执行该操作，并显示错误代码 8344。为什么会发生这种情况以及解决方案是什么？在本文中，你将了解如何修复 Azure AD Connect 权限问题错误代码 8344。

错误 8344 - 没有足够的访问权限来执行操作

登录 Azure AD Connect 服务器并启动 Azure AD Connect 同步服务。

您将看到导出错误：权限问题。

点击权限问题查看错误信息。

错误信息显示：

错误：权限问题
连接的数据源错误代码： 8344
连接的数据源错误：没有足够的访问权限来执行手术。

为什么会出现此错误？在 Azure AD Connect 同步服务管理器中，如果访问权限不足，无法执行错误代码为 8344 的操作，解决方案是什么？

Azure AD Connect 权限问题错误代码 8344 的解决方案

Azure AD DS 连接器帐户没有设置所有正确的权限，这就是导出 AD 对象时 Azure AD Connect 中出现错误代码 8344 权限问题的原因。

注意：Azure AD Connect 使用 3 个帐户在 Windows Server Active Directory 和 Azure Active Directory 之间同步信息。

方法 1. 在 AD DS 连接器帐户上设置正确的权限

请执行以下步骤来修复 Azure AD Connect 没有足够的访问权限来执行操作 - 错误代码 8344：

1. 启动Azure AD Connect。
2. 单击配置。

1. 单击疑难解答。
2. 单击下一步。

1. 单击启动。

1. 将出现 AADConnect 故障排除屏幕 (PowerShell)。

----------------------------------------AADConnect Troubleshooting------------------------------------------


        Enter '1' - Troubleshoot Object Synchronization
        Enter '2' - Troubleshoot Password Hash Synchronization
        Enter '3' - Collect General Diagnostics
        Enter '4' - Configure AD DS Connector Account Permissions
        Enter '5' - Test Azure Active Directory Connectivity
        Enter '6' - Test Active Directory Connectivity
        Enter 'Q' - Quit


        Please make a selection:

1. 选择4并按Enter。

----------------------------------------AADConnect Troubleshooting------------------------------------------


        Enter '1' - Troubleshoot Object Synchronization
        Enter '2' - Troubleshoot Password Hash Synchronization
        Enter '3' - Collect General Diagnostics
        Enter '4' - Configure AD DS Connector Account Permissions
        Enter '5' - Test Azure Active Directory Connectivity
        Enter '6' - Test Active Directory Connectivity
        Enter 'Q' - Quit


        Please make a selection: 4

1. 选择12并按Enter。

--------------------------------------------Configure Permissions------------------------------------------


        Enter '1' - Get AD Connector account
        Enter '2' - Get objects with inheritance disabled
        Enter '3' - Set basic read permissions
        Enter '4' - Set Exchange Hybrid permissions
        Enter '5' - Set Exchange mail public folder permissions
        Enter '6' - Set MS-DS-Consistency-Guid permissions
        Enter '7' - Set password hash sync permissions
        Enter '8' - Set password writeback permissions
        Enter '9' - Set restricted permissions
        Enter '10' - Set unified group writeback permissions
        Enter '11' - Show AD object permissions
        Enter '12' - Set default AD Connector account permissions
        Enter '13' - Compare object read permissions when running in context of AD Connector account vs Admin account
        Enter 'B' - Go back to main troubleshooting menu
        Enter 'Q' - Quit


        Please make a selection: 12

1. 选择Y并按Enter。

This option will set permissions required for the following:
    Password Hash Sync
    Password Writeback
    Hybrid Exchange
    Exchange Mail Public Folder
    MsDsConsistencyGuid
It will then restrict permissions

Confirm
Would you like to continue with these options?
[Y] Yes  [N] No  [?] Help (default is "Y"): Y

1. 选择E并按Enter。

Account to Configure
Would you like to configure an existing connector account or a custom account?
[E] Existing Connector Account  [C] Custom Account  [?] Help (default is "E"): E

1. 输出显示 AD DS 连接器帐户和更多信息。

Configured connectors and their related accounts:

ADConnectorName ADConnectorForest ADConnectorAccountName ADConnectorAccountDomain
--------------- ----------------- ---------------------- ------------------------
exoip.local     exoip.local       svc-adds               EXOIP.LOCAL

1. 填写 ADConnectorName (exoip.local) 并按 Enter。

Name of the connector who's account to configure: exoip.local

1. 将出现 Windows PowerShell 凭据请求。
2. 填写本地管理员凭据，然后单击确定。

注意：系统将询问您 7 次是否确定要在 AD DS 连接器帐户上设置权限。每次按A并Enter。

1. 授予密码哈希同步权限。

Confirm
Are you sure you want to perform this action?
Performing the operation "Grant Password Hash Synchronization permissions" on target "exoip.local".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): A

1. 授予密码写回权限。

Confirm
Are you sure you want to perform this action?
Performing the operation "Grant Password Writeback permissions" on target "exoip.local".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): A

1. 授予取消密码过期扩展权限的密码写回权限。

Confirm
Are you sure you want to perform this action?
Performing the operation "Grant Password Writeback permission for Unexpire Password extended right" on target
"exoip.local".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): A

1. 授予 Exchange 混合权限。

Confirm
Are you sure you want to perform this action?
Performing the operation "Grant Exchange Hybrid permissions" on target "exoip.local".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): A

1. 授予 Exchange 邮件公用文件夹权限。

Confirm
Are you sure you want to perform this action?
Performing the operation "Grant Exchange Mail Public Folder permissions" on target "exoip.local".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): A

1. 授予 mS-DS-ConsistencyGuid 权限。

Confirm
Are you sure you want to perform this action?
Performing the operation "Grant mS-DS-ConsistencyGuid permissions" on target "exoip.local".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): A

1. 设置限制权限。

Confirm
Are you sure you want to perform this action?
Performing the operation "Set restricted permissions" on target "CN=svc-adds,OU=Service
Accounts,OU=Company,DC=exoip,DC=local".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): A

1. 已为 AD DS 连接器帐户正确设置所有权限。
2. 关闭 AADConnect PowerShell 故障排除和 Azure AD Connect 窗口。
3. 启动 Windows PowerShell 并运行完整的 Microsoft Entra Connect Sync。

Start-ADSyncSyncCycle -PolicyType Initial

1. 等待几分钟并验证所有 AD 对象是否已同步、是否不再有 8344 权限错误以及导出统计信息是否显示值。

在我们的示例中，它确实更新了 5 个用户。

就是这样！

方法 2. 创建 AD DS 连接器帐户

创建具有正确权限的 AD DS 连接器帐户，并在 Azure AD Connect 同步中更改 AD DS 连接器以修复权限问题错误代码 8344：

1. 创建 AD DS 连接器帐户
2. 更改 AD DS 连接器帐户

您选择哪种方法？

了解更多：Azure AD Connect 同步导出错误 dn-attributes-failure »

结论

您了解了如何修复 Azure AD Connect 权限问题错误代码 8344。在 AD DS 连接器帐户上设置正确的权限至关重要。设置完成后，您将不会看到没有足够的访问权限来执行操作错误，并且同步将起作用。

您喜欢这篇文章吗？您可能还喜欢将 Azure AD Connect 迁移到新服务器。不要忘记关注我们并分享这篇文章。