Helpdesk users with limited administrative privileges may encounter the following error when running the Start-ADSyncSyncCycle cmdlet:
PS C:\WINDOWS\system32> Start-ADSyncSyncCycle
Start-ADSyncSyncCycle : Retrieving the COM class factory for remote component with CLSID
{835BEE60-8731-4159-8BFF-941301D76D05} from machine failed due to the following error: 80070005
To sync Azure AD, you need to be a member of the ADSyncOperators local group on the Azure AD Connect server (or a local administrator; that works too 🙂, but ADSyncOperators is the least-privileged option). To do so, connect a Computer Management session to the Azure AD Connect server and add the user to the ADSyncOperators group under Local Users and Groups.
Synchronization to Azure runs on a scheduled basis. However, you may want to run the Start-ADSyncSyncCycle cmdlet manually if you have created a user or changed group membership and want to reflect that change in Azure AD immediately.
I wrote a simple PowerShell script to sync Active Directory with Azure remotely from our management server. This script allows users with limited administrative privileges (like Helpdesk, Servicedesk, or Application Administrators) to force a sync of users and groups.
To start this script remotely, the user needs to be a member of the following local groups on the Azure AD Connect server:
Remote Management Users
ADSyncOperators
# Run Azure AD Sync. No error handling available. If it runs successfully, it will take
# approximately 20 seconds. If the window disappears immediately, the cmdlet failed.
$computer = "your_AzureADConnect_server"   # i.e. WIN-AZUREAD.mydomain.local

# Run the cmdlet on the Azure AD Connect server over WinRM (requires Remote Management Users
# membership); -ErrorAction Stop aborts the script if the remote call fails.
Invoke-Command -ComputerName $computer -ScriptBlock { Start-ADSyncSyncCycle } -ErrorAction Stop

Write-Host "AD is being synced with Azure AD. This will take up to 30 seconds"
Save the script as a .ps1 file, and create a shortcut for your Helpdesk user that targets something like “powershell.exe c:\script\scriptname.ps1”.
By the way: if you try to run the script remotely but you didn’t add the user to the Remote Management Users group, the following error message pops up:
PS C:\WINDOWS\system32> Start-ADSyncSyncCycle
Connecting to remote server failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
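As an added example (not the script from this post), here is a version of the same remote sync that tells the Helpdesk user which of the two group memberships is missing instead of silently closing the window, and that waits for the delta cycle to actually finish. The server name is a placeholder; it assumes the ADSync module is installed on that server and that the account is in Remote Management Users and ADSyncOperators (no local admin rights).

```powershell
# Added example: remote Azure AD Connect delta sync with explicit error reporting.
param(
    [string]$Computer = 'AADCONNECT01.example.local'   # placeholder, replace with your server
)

$syncBlock = {
    Import-Module ADSync -ErrorAction Stop

    # Refuse to start a second cycle while the scheduler is already running one.
    if ((Get-ADSyncScheduler).SyncCycleInProgress) {
        return 'A sync cycle is already in progress; try again in a minute.'
    }

    # A delta cycle is enough to push a new user or a changed group membership.
    Start-ADSyncSyncCycle -PolicyType Delta | Out-Null

    # Poll the scheduler (up to ~60 s) instead of guessing from a fixed timer.
    $deadline = (Get-Date).AddSeconds(60)
    do {
        Start-Sleep -Seconds 5
        $running = (Get-ADSyncScheduler).SyncCycleInProgress
    } while ($running -and (Get-Date) -lt $deadline)

    if ($running) { return 'Sync cycle started but is still running after 60 seconds.' }
    return 'Sync cycle completed.'
}

try {
    $result = Invoke-Command -ComputerName $Computer -ScriptBlock $syncBlock -ErrorAction Stop
    Write-Host $result
}
catch [System.Management.Automation.Remoting.PSRemotingTransportException] {
    # WinRM refused the session: account not in Remote Management Users (or WinRM disabled).
    Write-Warning "Could not open a remote session to $Computer. Is the account in 'Remote Management Users'? $($_.Exception.Message)"
}
catch {
    if ($_.Exception.Message -match '80070005') {
        # COM access denied (the error quoted above): account not in ADSyncOperators.
        Write-Warning "Sync refused on $Computer. Is the account in 'ADSyncOperators'? $($_.Exception.Message)"
    } else {
        Write-Warning "Sync failed on $Computer. $($_.Exception.Message)"
    }
}
```

Both warnings map directly to the two error messages shown in this post, so a Helpdesk user can tell the admin which group is missing.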
The great Reset is happening, stand up and resist! -Q
Hello All,
Small advice for the above issue/error: if you have installed Azure AD Connect on the DC server, then you can find the same group in ADUC on the AD server. Inside the group, go ahead and add the affected user; that will fix the cause/issue/error.