Description

In an Exchange Hybrid configuration, DirSync needs to be able to “write-back” a limited number of attributes from the cloud to your on-premises AD. The permissions for this operation are assigned during the DirSync installation and applied at the root level of Active Directory. The expectation is that the permissions will flow down to the necessary objects, unless of course you have inheritance disabled on an object or its parent.

Error

If DirSync is unable to write to an object, you’ll likely see the following error: “Permission-issue 8344 insufficient access rights to perform the operation”.
If the list of errors is contained within a common set of OUs, there’s a good chance inheritance is disabled on that OU.

Resolution

Some might be quick to check the box to enable inheritance. While this would likely resolve your DirSync errors, there’s also a very good chance you’ve created another mess for yourself. As an alternative, I would advise assigning the appropriate DirSync permissions explicitly on that OU, so that the write-back operation succeeds without changing any other permissions.

Script

The script below looks at the permissions currently assigned to “MSOL_AD_Sync_RichCoexistence” at the root and applies them to the OU or object you specify. You’ll want to run it from your Exchange 2010 or later EMS with an account that has permissions to modify the ACL on the target object. In the script you’ll specify the DN for the domain where the “MSOL_AD_Sync_RichCoexistence” group resides and the DN for the object you want to add the permissions to.

If, while running the script, you receive an error stating “INSUFF_ACCESS_RIGHTS”, you may need to execute the steps in Microsoft KB2983209 before running the script.
The script for this post can be found in the Microsoft Script Center at the following link: https://gallery.technet.microsoft.com/PowerShell-Script-to-Apply-af9cde77
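As an added illustration (this is not the script from the gallery link above), the following PowerShell performs the same operation: it reads the explicit ACEs that MSOL_AD_Sync_RichCoexistence holds on the domain root and adds them to one OU, leaving inheritance and every other ACE untouched. It assumes the ActiveDirectory module is available and that the account running it may modify the target OU’s ACL; the two DNs are placeholders for your own domain and target object.

```powershell
param(
    [string]$DomainDN  = 'DC=contoso,DC=local',              # placeholder
    [string]$TargetDN  = 'OU=Mailboxes,DC=contoso,DC=local', # placeholder
    [string]$GroupName = 'MSOL_AD_Sync_RichCoexistence'
)

Import-Module ActiveDirectory -ErrorAction Stop

$groupSid = (Get-ADGroup -Identity $GroupName).SID
$sidType  = [System.Security.Principal.SecurityIdentifier]

# Explicit (non-inherited) ACEs on the domain root, matched by SID so that a
# NetBIOS-prefixed or renamed account name does not cause a miss.
$rootAcl    = Get-Acl -Path "AD:\$DomainDN"
$sourceAces = $rootAcl.GetAccessRules($true, $false, $sidType) |
    Where-Object { $_.IdentityReference.Value -eq $groupSid.Value }
if (-not $sourceAces) { throw "No explicit ACEs for $GroupName found on $DomainDN" }

$targetAcl = Get-Acl -Path "AD:\$TargetDN"
if ($targetAcl.AreAccessRulesProtected) {
    # Report the blocked inheritance, but do not change it: that is the whole
    # point of adding the ACEs explicitly instead of ticking the box.
    Write-Host "Inheritance is disabled on $TargetDN; adding ACEs explicitly."
}
$existing = $targetAcl.GetAccessRules($true, $false, $sidType) |
    Where-Object { $_.IdentityReference.Value -eq $groupSid.Value }

$added = 0
foreach ($ace in $sourceAces) {
    # Skip ACEs the OU already carries so the script can be re-run safely.
    $dup = $existing | Where-Object {
        $_.ActiveDirectoryRights -eq $ace.ActiveDirectoryRights -and
        $_.AccessControlType     -eq $ace.AccessControlType     -and
        $_.ObjectType            -eq $ace.ObjectType            -and
        $_.InheritedObjectType   -eq $ace.InheritedObjectType   -and
        $_.InheritanceType       -eq $ace.InheritanceType
    }
    if ($dup) { continue }
    # Rebuild the ACE with the same rights, scope (object type / inherited
    # object type) and inheritance so it behaves exactly as it does at the root.
    $rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $groupSid, $ace.ActiveDirectoryRights, $ace.AccessControlType,
        $ace.ObjectType, $ace.InheritanceType, $ace.InheritedObjectType)
    $targetAcl.AddAccessRule($rule)
    $added++
}

if ($added -gt 0) { Set-Acl -Path "AD:\$TargetDN" -AclObject $targetAcl }
Write-Host "Added $added ACE(s) for $GroupName to $TargetDN"
```

Run it once per OU that reports the 8344 error; re-running on the same OU adds nothing, and the `AreAccessRulesProtected` message confirms whether blocked inheritance was the cause.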
