Wednesday, April 29, 2020

Azure AD Connect error 8244-- SOLVED

So here I was the other day setting up AAD Connect for a new employer; gotta get those accounts synced! Anyway, this being yet another in a long series of inherited networks, I ran into almost every single user object in the OUs specified for sync erroring out, according to the Synchronization Service Manager under Connector Operations, with a 'permission-issue' error 8244.

I spent some quality time with Google and found that people needed to ensure the local sync account had been added at the domain level with:


So I did that, but it did not help. I started looking into the NTFS Security permissions on the users and OUs and, lo and behold, not a single level had inheritance enabled.

So I found this PowerShell snippet: https://community.spiceworks.com/topic/2120107-powershell-to-enable-inheritance

I ran this and BOOM, inheritance was now enabled on all my objects; however, re-running a Delta sync I was still getting mass errors. So as a test I added the sync account with Full Control (FC) permissions, and that account's password hash was synced to AAD. Odd, I thought, so I went looking further and in the event log found event 611:


So using this I found, eventually, that the sync account needs permission to edit ms-DS-ConsistencyGuid, which then led me to this:

# The AD DS connector (sync) account used by AAD Connect; replace the placeholders with your own domain and account
$accountname = "<domain>\ad_forest"
# Root of the domain; /I:S below makes the grant inherit to all child objects of the named class
$forestdn = "dc=<domain1>,dc=<domain2>"
# Grant Write Property (WP) on ms-DS-ConsistencyGuid, scoped to objects of class 'user' only
$cmd = "dsacls '$forestdn' /I:S /G '`"$accountname`":WP;ms-ds-consistencyGuid;user'"
Invoke-Expression $cmd

Once I ran that, I could see the sync account under the Security tab of all my user objects, and the next Delta sync I kicked off ran without any errors.
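Because the dsacls grant above is applied through inheritance, any user object that still blocks inheritance will not receive it and will keep failing with 8244. The following PowerShell is an added verification script, not code from the original post, that walks the synced OU and reports each user object where inheritance is blocked or where the sync account lacks Write Property on ms-DS-ConsistencyGuid (matched either by the attribute's own schema GUID or by a broader write right such as GenericWrite or GenericAll). It assumes the RSAT ActiveDirectory module is installed; $SyncAccount and $SearchBase are placeholders to replace with your own values.

```powershell
# Added verification script (not from the original post).
# Assumes the ActiveDirectory module (RSAT) and its AD: PSDrive are available.
Import-Module ActiveDirectory

$SyncAccount = '<domain>\ad_forest'                    # placeholder: AAD Connect AD DS connector account
$SearchBase  = 'OU=Users,dc=<domain1>,dc=<domain2>'   # placeholder: the OU AAD Connect syncs

# Look up the schemaIDGUID of ms-DS-ConsistencyGuid from the schema partition so the
# attribute-specific ACE can be matched without hard-coding the GUID.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=mS-DS-ConsistencyGuid)' -Properties schemaIDGUID
$consistencyGuid = [guid]$attr.schemaIDGUID

$writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

$report = foreach ($user in Get-ADUser -SearchBase $SearchBase -Filter *) {
    # Read the object's DACL via the AD: drive
    $acl = Get-Acl -Path ("AD:\" + $user.DistinguishedName)

    # An Allow ACE for the sync account that carries WriteProperty, either on the
    # ms-DS-ConsistencyGuid attribute itself or on all properties (ObjectType = empty GUID).
    # ACEs granted through a property set are not matched here and would show as missing.
    $hasWrite = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $SyncAccount -and
        $_.AccessControlType -eq 'Allow' -and
        ([int]($_.ActiveDirectoryRights -band $writeProp)) -ne 0 -and
        ($_.ObjectType -eq $consistencyGuid -or $_.ObjectType -eq [guid]::Empty)
    }

    [pscustomobject]@{
        SamAccountName      = $user.SamAccountName
        InheritanceBlocked  = $acl.AreAccessRulesProtected   # $true = inheritance disabled on this object
        SyncAccountCanWrite = [bool]$hasWrite
    }
}

# Only objects that will still fail: inheritance blocked, or the sync account cannot write the attribute
$report | Where-Object { $_.InheritanceBlocked -or -not $_.SyncAccountCanWrite } | Format-Table -AutoSize
```

Run it after the dsacls grant; an empty result means every user object in the OU inherits the ACE and the sync account has exactly the write it needs. Any rows listed are the objects that will keep raising 8244 until inheritance is re-enabled on them (or the ACE is added explicitly). Granting Full Control, as the post's quick test did, proves the diagnosis but is far broader than the sync account needs; the explicit WP grant on the single attribute is the least-privilege fix.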