I encountered a weird problem where Azure AD Connect was having an issue doing password writeback on the users. I checked Invoke-ADSyncDiagnostics and indeed there was an issue with Password Sync.
Looking into the issue, it was AD objects that had inheritance disabled, in particular, users.
So this script allowed me to re-enable inheritance on the user objects under the OU:
Import-Module ActiveDirectory

Function Set-Inheritance {
    param($ObjectPath)
    # Read the object's security descriptor through the AD: PSDrive
    $ACL = Get-ACL -Path "AD:\$ObjectPath"
    If ($ACL.AreAccessRulesProtected) {
        # $False = stop blocking inheritance, $True = keep the existing explicit ACEs
        $ACL.SetAccessRuleProtection($False, $True)
        Set-ACL -AclObject $ACL -Path "AD:\$ObjectPath"
        Write-Host "MODIFIED $ObjectPath"
    } #End IF
} #End Function Set-Inheritance

#Find users with AdminCount set to 1
$users = Get-ADUser -SearchBase "OU=YOUR_OU,DC=DOMAINNAME,DC=COM" -Filter {AdminCount -eq 1}
#Enable inheritance flag for each user
$users | ForEach-Object { Set-Inheritance $_.DistinguishedName }
After this, no errors were appearing.
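The following is an added example, not part of the original post: it separates the audit (which users under the OU currently block ACL inheritance, and whether they carry adminCount=1) from the remediation, and wraps the write in ShouldProcess so it can be dry-run with -WhatIf. The OU distinguished name is a placeholder; the ActiveDirectory RSAT module and a domain-joined session are assumed. Reporting adminCount matters because objects that are still members of protected groups are re-protected by the AdminSDHolder/SDProp process (by default every 60 minutes), so re-enabling inheritance on those accounts is undone unless they are removed from the protected group first.

```powershell
# Added example (not from the original post): audit users whose ACL inheritance is
# blocked, then re-enable it with -WhatIf/-Confirm support.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

function Get-ProtectedAclUser {
    [CmdletBinding()]
    param(
        # Placeholder OU; replace with the real distinguished name
        [Parameter(Mandatory)][string]$SearchBase,
        # Restrict to adminCount=1 objects, as the original script did
        [switch]$AdminCountOnly
    )
    $filter = if ($AdminCountOnly) { 'adminCount -eq 1' } else { '*' }
    Get-ADUser -SearchBase $SearchBase -Filter $filter -Properties adminCount |
        ForEach-Object {
            $acl = Get-Acl -Path "AD:\$($_.DistinguishedName)"
            [pscustomobject]@{
                SamAccountName     = $_.SamAccountName
                DistinguishedName  = $_.DistinguishedName
                AdminCount         = $_.adminCount
                # $true means inheritance from the OU is blocked on this object
                InheritanceBlocked = $acl.AreAccessRulesProtected
            }
        }
}

function Enable-AclInheritance {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string]$DistinguishedName
    )
    process {
        $path = "AD:\$DistinguishedName"
        $acl  = Get-Acl -Path $path
        if (-not $acl.AreAccessRulesProtected) { return }   # nothing to do
        if ($PSCmdlet.ShouldProcess($DistinguishedName, 'Re-enable ACL inheritance (keep explicit ACEs)')) {
            # $false = stop blocking inheritance, $true = preserve the existing explicit ACEs
            $acl.SetAccessRuleProtection($false, $true)
            Set-Acl -AclObject $acl -Path $path
        }
    }
}

# Usage: review the audit first, then dry-run, then apply without -WhatIf.
# Get-ProtectedAclUser -SearchBase "OU=YOUR_OU,DC=DOMAINNAME,DC=COM" | Format-Table
# Get-ProtectedAclUser -SearchBase "OU=YOUR_OU,DC=DOMAINNAME,DC=COM" |
#     Where-Object InheritanceBlocked | Enable-AclInheritance -WhatIf
```

Run the audit once before and once an hour or so after the change: any account that shows InheritanceBlocked again with AdminCount=1 is still covered by a protected group, and the Azure AD Connect permission problem will come back for it until that membership is reviewed.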