[810025] ADSGroup: Write permission denied for value "AllowWriteMembers".

Hello,

v9.2.1

We recently migrated the AD sync project shell from Dev to Prod. In Dev, we connected to the Prod domain and targeted a specific OU for our testing. In Prod, while running the sync, all schemas were successfully synced except for the ADGroup, which resulted in the following error; however, the AOB.Customizer.dll and its dependency files exist in the installation folder.

https://postimg.cc/bDvJtzHc

Suddenly, I encountered the error mentioned below, despite no changes being made to the service account. Additionally, I am running the sync to get the ADGroups synced to OneIM, not writing back to AD, as the AD is in read-only mode.

https://postimg.cc/MXMZ239D

Any suggestions would be greatly appreciated.

Thanks,

  • Hi pavithra,

    "allow write members" is an access right on each AD object. It is set using the SID of another AD object and makes that other object the "manager" of this object. This relation is shown as "Manager" in the "AD Users & Computers" tool on the "Organization" tab. During sync of the AD objects, the AD connector has to read the security descriptor of AD objects to get this manager relation. If your Prod domain does not allow reading the security descriptors of users and groups, this step could fail this way. Maybe the AD account used for the sync project does not have enough rights to do this.

    Regards,

       Tino
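
One way to check what the reply above describes, as an added example that is not part of the original thread or of the product: run this as the sync project's AD account to see whether it can read a group's security descriptor and which trustees hold write access to the member attribute. It assumes the RSAT ActiveDirectory module is installed; the group DN is a placeholder and `Test-WriteMembersAce` is a hypothetical helper name.

```powershell
# Added diagnostic sketch; start the session as the AD account used by the sync project.
Import-Module ActiveDirectory

# Placeholder DN (constructed for illustration); replace with a group from the synced OU.
$GroupDn = 'CN=ExampleGroup,OU=Groups,DC=example,DC=com'

# schemaIDGUID of the "member" attribute; an ACE scoped to it governs who may edit membership.
$MemberAttrGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

function Test-WriteMembersAce {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $group = Get-ADGroup -Identity $DistinguishedName -Properties nTSecurityDescriptor, managedBy

    # An empty value here means the security descriptor was not returned to this account.
    if (-not $group.nTSecurityDescriptor) {
        return [pscustomobject]@{
            Group               = $DistinguishedName
            CanReadDescriptor   = $false
            ManagedBy           = $group.managedBy
            WriteMemberTrustees = @()
        }
    }

    $writeProperty = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

    # Keep only Allow ACEs that grant WriteProperty specifically on the member attribute.
    $trustees = $group.nTSecurityDescriptor.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType -eq $MemberAttrGuid -and
        $_.ActiveDirectoryRights.HasFlag($writeProperty)
    } | ForEach-Object { $_.IdentityReference.Value }

    [pscustomobject]@{
        Group               = $DistinguishedName
        CanReadDescriptor   = $true
        ManagedBy           = $group.managedBy
        WriteMemberTrustees = @($trustees)
    }
}

Test-WriteMembersAce -DistinguishedName $GroupDn | Format-List
```

Comparing the output for the same group between an account that syncs cleanly and the Prod sync account shows whether the difference lies in read access to the security descriptor.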
