Retrieving the COM Class Factory for Remote Component with CLSID Failed


You may receive the following error when trying to trigger an Azure AD Connect synchronization:

Retrieving the COM class factory for remote component with CLSID {835BEE60-8731-4159-8BFF-941301D76D05}
from machine DC-01 failed due to the following error: 80070005 DC-01.
    + CategoryInfo          : WriteError: (Microsoft.Ident...ADSyncSyncCycle:StartADSyncSyncCycle)
      [Start-ADSyncSyncCycle], UnauthorizedAccessException
    + FullyQualifiedErrorId : Retrieving the COM class factory for remote component with CLSID
      {835BEE60-8731-4159-8BFF-941301D76D05} from machine DC-01 failed due to the following error: 
      80070005 DC-01.,Microsoft.IdentityManagement.PowerShell.Cmdlet.StartADSyncSyncCycle

This error message indicates that your account does not have the necessary privileges to perform Azure AD Connect synchronization.

To resolve this error, add your account to the ADSyncOperators group.

If Azure AD Connect is installed on a domain controller this is a domain group.

If Azure AD Connect is installed on a member server this is a local group.

Add your account as a member of the ADSyncOperators group.

Make sure to log off and log on to update your access token with the new group membership.

If you have multiple DCs and Azure AD Connect is running on one of them, ensure that the updated group membership has replicated between the domain controllers before you log on again.

Use the whoami command to verify that your group membership has been updated:

PS C:\Windows\system32> whoami /all

USER INFORMATION
----------------

User Name               SID
======================= ============================================
gigacorp\adm.server.joe S-1-5-21-1571223705-546034849-413621382-1146


GROUP INFORMATION
-----------------

Group Name                                 Type             SID
========================================== ================ ===================
Everyone                                   Well-known group S-1-1-0
BUILTIN\Users                              Alias            S-1-5-32-545
BUILTIN\Administrators                     Alias            S-1-5-32-544
NT AUTHORITY\REMOTE INTERACTIVE LOGON      Well-known group S-1-5-14
NT AUTHORITY\INTERACTIVE                   Well-known group S-1-5-4
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11
NT AUTHORITY\This Organization             Well-known group S-1-5-15
LOCAL                                      Well-known group S-1-2-0
GIGACORP\G.U.ServerAdmins                  Group            S-1-5-21-1571223705
Authentication authority asserted identity Well-known group S-1-18-1
GIGACORP\ADSyncOperators                   Alias            S-1-5-21-1571223705
Mandatory Label\High Mandatory Level       Label            S-1-16-12288
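
The same steps in PowerShell, as an added example that is not part of the original post: it picks the domain or local ADSyncOperators group depending on whether the server is a domain controller, then checks the logon token. The account name is the sample one from the whoami output above; the function names are hypothetical, and Add-SyncOperator is assumed to run elevated on the Azure AD Connect server (with the ActiveDirectory module available on a domain controller).

```powershell
# Added example, not from the original post.
# $Account is an assumption: the sample account from the whoami output on this page.
$Account = 'GIGACORP\adm.server.joe'
$Group   = 'ADSyncOperators'

function Add-SyncOperator {
    param([string]$Account, [string]$Group)
    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server
    $productType = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType
    if ($productType -eq 2) {
        # On a domain controller ADSyncOperators is a domain group.
        Import-Module ActiveDirectory
        $sam = $Account.Split('\')[-1]
        $members = Get-ADGroupMember -Identity $Group |
            Select-Object -ExpandProperty SamAccountName
        if ($members -notcontains $sam) {
            Add-ADGroupMember -Identity $Group -Members $sam
        }
    } else {
        # On a member server ADSyncOperators is a local group.
        $members = Get-LocalGroupMember -Group $Group |
            Select-Object -ExpandProperty Name
        if ($members -notcontains $Account) {
            Add-LocalGroupMember -Group $Group -Member $Account
        }
    }
}

function Test-TokenHasGroup {
    param([string]$GroupName)
    # Reads the groups in the current logon token, i.e. what whoami /all displays.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $identity.Groups) {
        try {
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            continue   # skip SIDs that cannot be resolved to a name
        }
        if ($name -like "*\$GroupName") { return $true }
    }
    return $false
}

# Step 1 (elevated, on the Azure AD Connect server): add the account if it is missing.
Add-SyncOperator -Account $Account -Group $Group

# Step 2 (as $Account, after logging off and on again): returns True once the
# new token carries the group; False means the session still uses the old token.
Test-TokenHasGroup -GroupName $Group
```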

With the corrected privileges in place you can now perform the Azure AD Connect synchronization:

PS C:\Windows\system32> Enter-PSSession DC-01
[DC-01]: PS C:\Users\adm.server.joe\Documents> Start-ADSyncSyncCycle -PolicyType Delta

 Result
 ------
Success

Summary

If you receive an UnauthorizedAccessException when running Start-ADSyncSyncCycle, make sure to add your account to the ADSyncOperators group on the Azure AD Connect server.

You need this configuration for smooth operation if you’re running Easy365Manager.

Easy365Manager is a powerful snap-in to AD Users & Computers which lets you manage email attributes and Office 365 mailboxes and licenses as part of your AD user properties.

With Easy365Manager you can also get rid of your Exchange on-premises.

Download a fully functional 30-day trial of Easy365Manager here.
