When setting up Azure AD synchronization tools, such as Azure AD Connect, there is the option to specify an on-premise AD user/service account to be used for the local sync authentication. During the setup wizard, you may encounter the error “Logon failure: the user has not been granted the required logon type at this computer” (image below).
This error occurs may be occurring if you’re installing Azure AD sync tools on a domain controller (DC), and the service account cannot login to the DC. In most cases, logon rights to DCs are limited to domain administrators. And if you’re following the best practices for Azure AD sync, then the service account is a low-rights domain user, and not an administrator.
Fortunately the fix is quite simple. To add logon rights, simply add the service account into the Default Domain Controllers group policy. The appropriate setting is Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment, then add the account into the “Allow log on locally” policy.
After performing a gpupdate on the domain controller, you’ll be able to click the install button and get on your way!
Filed under: Azure