Why is Doman Admin Required for Legacy Password Sync? (4378263)

Why is Doman Admin Required for Legacy Password Sync?

The requirement from the product documentation is the following.

• The Password Sync functionality requires that either a domain admin role or built-in admin role be granted to the service account.

The requirement is due to the password sync having to communicate with LSASS, and access to ADMIN$ and to accomplish this the account must be either a Domain Admin or an admin such as a service account and belongs to the built-in admin role.  

There are two other new password sync options available either Modern Password Sync or Password Propagation Service.

• Modern Password Sync moves away from using a service to interact with LSASS and injects a filter into LSASS on and like Legacy Password Sync relies on RC4 being enabled. 
• Password Propagation Service has the benefits of the Modern Password Sync with the addition that it does not require RC4 to be enabled.

To learn more about these options and the requirements for each see the links below.

• Modern Password 
• Password Propagation Service