Monday, June 22, 2020

Azure AD Connect “An error occurred while connecting to the state store: Attempted to perform an unauthorized operation”

The other day, while trying to enable an optional feature on a staging Azure AD Connect server, I came across the following error: “An error occurred while connecting to the state store: Attempted to perform an unauthorized operation.”

The Trace log, located at C:\ProgramData\AADConnect, had the following:
[06:42:08.604] [  1] [INFO ] MicrosoftOnlinePersistedStateProvider.Save: saving the persisted state file
[06:42:08.605] [  1] [INFO ] MicrosoftOnlinePersistedStateProvider.UpdateFileProtection: updating file protection from the persisted state file: C:\ProgramData\AADConnect\PersistedState.xml, isAddProtection: False
[06:42:08.607] [  1] [ERROR] PerformConfigurationPageViewModel: Caught exception when connecting to persisted state store.
Exception Data (Raw): System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
   at System.Security.AccessControl.Win32.SetSecurityInfo(ResourceType type, String name, SafeHandle handle, SecurityInfos securityInformation, SecurityIdentifier owner, SecurityIdentifier group, GenericAcl sacl, GenericAcl dacl)
   at System.Security.AccessControl.NativeObjectSecurity.Persist(String name, SafeHandle handle, AccessControlSections includeSections, Object exceptionContext)
   at System.Security.AccessControl.FileSystemSecurity.Persist(String fullPath)
   at Microsoft.Online.Deployment.Types.PersistedState.MicrosoftOnlinePersistedStateProvider.UpdateFileProtection(String fileName, Boolean isAddProtection)
   at Microsoft.Online.Deployment.Types.PersistedState.MicrosoftOnlinePersistedStateProvider.Save(PersistedStateContainer state)
   at Microsoft.Online.Deployment.Types.PersistedState.MicrosoftOnlinePersistedStateProvider.SetStateElements(IEnumerable`1 elements)
   at Microsoft.Online.Deployment.OneADWizard.UI.WizardPages.PerformConfigurationPageViewModel.SavePersistedState()

Looking at the properties of the PersistedState.xml file, located in the same directory, I noticed it was set to Read-Only, and that Everyone had only read access (the special permissions only block deletion), with no other users or groups specified.

Comparing this to a “healthy” server, the configuration was the same. Nonetheless, I temporarily gave the service account full access to the file, and it worked!

The stack trace shows where the missing right is needed: UpdateFileProtection persists a DACL change through SetSecurityInfo, and writing a DACL requires the WRITE_DAC right on the file (“Change permissions” in the Security tab, ChangePermissions in .NET). Everyone’s read-only ACE does not include it, while the file’s owner holds it implicitly without appearing in the ACE list, so two servers whose Security tabs look identical can still behave differently if the file is owned by different accounts. Full Control includes WRITE_DAC, which is why the temporary grant clears the error; once the wizard has finished, put the original permissions back so the state file stays protected.
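As an added example (not code from the original post or from Azure AD Connect), the following PowerShell script does from the command line what the post did by hand: it shows the Read-Only attribute, owner and ACL of PersistedState.xml, checks whether the current token holds the right the failing SetSecurityInfo call needs, and grants or restores Full Control with the original ACL saved as SDDL. It assumes Windows PowerShell 5.1 on the AAD Connect server, run elevated; the -Account default and the backup-file name are placeholders chosen for this example.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original post or from Azure AD Connect.
# Assumes Windows PowerShell 5.1 (.NET Framework) on the AAD Connect server. The -Account
# default (the account running the script) and the backup-file name are placeholders.
param(
    [string]$Path    = 'C:\ProgramData\AADConnect\PersistedState.xml',
    [string]$Account = "$env:USERDOMAIN\$env:USERNAME",
    [ValidateSet('Show', 'Grant', 'Restore')]
    [string]$Action  = 'Show'
)

$backupFile = "$Path.sddl.bak"    # original ACL, kept as SDDL while Full Control is granted

# The items the post inspected by hand, plus the owner, which the ACE list in the
# Security tab does not show.
function Show-Protection {
    param([string]$Path)
    $file = Get-Item -LiteralPath $Path
    $acl  = Get-Acl -LiteralPath $Path
    [pscustomobject]@{
        ReadOnly           = $file.IsReadOnly
        Owner              = $acl.Owner
        InheritanceBlocked = $acl.AreAccessRulesProtected
        Sddl               = $acl.Sddl
    } | Format-List
    $acl.Access | Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited -AutoSize
}

# The call that fails in the trace, SetSecurityInfo(..., dacl), needs the WRITE_DAC right
# ("Change permissions" in the GUI, ChangePermissions in .NET). The file's owner has it
# implicitly, so two servers with identical ACE lists can still differ here.
# Simplification: every group SID in the token is treated as enabled (no deny-only groups).
function Test-CanChangeDacl {
    param([string]$Path)
    $acl     = Get-Acl -LiteralPath $Path
    $me      = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $mySids  = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })
    $sidType = [System.Security.Principal.SecurityIdentifier]
    if ($mySids -contains $acl.GetOwner($sidType).Value) { return $true }
    $writeDac = [System.Security.AccessControl.FileSystemRights]::ChangePermissions
    $rules    = $acl.GetAccessRules($true, $true, $sidType)
    $mine     = $rules | Where-Object { $mySids -contains $_.IdentityReference.Value -and
                                        (($_.FileSystemRights -band $writeDac) -ne 0) }
    if ($mine | Where-Object AccessControlType -eq 'Deny') { return $false }   # a Deny ACE wins
    return [bool]($mine | Where-Object AccessControlType -eq 'Allow')
}

# What the post did in the GUI: grant Full Control, keeping the original ACL as SDDL so the
# protection can be put back once the wizard has finished.
function Grant-TemporaryFullControl {
    param([string]$Path, [string]$Account, [string]$BackupFile)
    $acl = Get-Acl -LiteralPath $Path
    if (-not (Test-Path -LiteralPath $BackupFile)) {
        Set-Content -LiteralPath $BackupFile -Value $acl.Sddl
    }
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Restore-OriginalAcl {
    param([string]$Path, [string]$BackupFile)
    $sddl = (Get-Content -LiteralPath $BackupFile -Raw).Trim()
    $acl  = Get-Acl -LiteralPath $Path
    $acl.SetSecurityDescriptorSddlForm($sddl)
    Set-Acl -LiteralPath $Path -AclObject $acl
    Remove-Item -LiteralPath $BackupFile
}

switch ($Action) {
    'Show'    { Show-Protection -Path $Path
                'Current token can change the DACL: {0}' -f (Test-CanChangeDacl -Path $Path) }
    'Grant'   { Grant-TemporaryFullControl -Path $Path -Account $Account -BackupFile $backupFile }
    'Restore' { Restore-OriginalAcl -Path $Path -BackupFile $backupFile }
}
```

Run it with -Action Show on both the failing and the healthy server and compare the Owner line as well as the ACE table; if the check reports False only on the failing server, -Action Grant adds the Full Control ACE, and -Action Restore puts the saved ACL back after the wizard has completed.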
