Checking Replication Directory Changes for account by PowerShell

27/04/2011 Leave a comment


This power shell script checks Replication Directory Changes rights for specific user. You can use this script for detect sharepoint 2010 user profile service account has correct rights

Important !!!: this script not work with Domain Administrator’s accounts .

#Save to script a file named CheckRDC.ps1
usage syntax:
open Sharepoint 2010 PowerShell Console
PS> .\CheckRDC.ps1 “DOMAIN\username”

param( [string] $userName="")
function Check-ADUserPermission(
    [System.DirectoryServices.DirectoryEntry]$entry, 
    [string]$user, 
    [string]$permission)
{
    $dse = [ADSI]"LDAP://Rootdse"
    $ext = [ADSI]("LDAP://CN=Extended-Rights," + $dse.ConfigurationNamingContext)

    $right = $ext.psbase.Children | 
        ? { $_.DisplayName -eq $permission }

    if($right -ne $null)
    {
        $perms = $entry.psbase.ObjectSecurity.Access |
            ? { $_.IdentityReference -eq $user } |
            ? { $_.ObjectType -eq [GUID]$right.RightsGuid.Value }

        return ($perms -ne $null)
    }
    else
    {
        Write-Warning "Permission '$permission' not found."
        return $false
    }
}

# Globals

$replicationPermissionName = "Replicating Directory Changes"

# Main()

$dse = [ADSI]"LDAP://Rootdse"

$entries = @(
    [ADSI]("LDAP://" + $dse.defaultNamingContext),
    [ADSI]("LDAP://" + $dse.configurationNamingContext));

Write-Host "User '$userName': "
foreach($entry in $entries)
{
    $result = Check-ADUserPermission $entry $userName $replicationPermissionName

    if($result)
    {
        Write-Host "`thas a '$replicationPermissionName' permission on '$($entry.distinguishedName)'" `
            -ForegroundColor Green
    }
    else
    {
        Write-Host "`thas no a '$replicationPermissionName' permission on '$($entry.distinguishedName)'" `
            -ForegroundColor Red
    }
}

The synchronization account for a connection to Active Directory Domain Services (AD DS) must have the following permissions:

It must have Replicate Directory Changes permission on the domain that you will synchronize with. See Grant Replicate Directory Changes permission on a domain for instructions to grant this permission.

If the domain controller is running Windows Server 2003, the synchronization account must be a member of the Pre-Windows 2000 Compatible Access built-in group. See Add an account to the Pre-Windows 2000 Compatible Access group for instructions to grant this permission.

If the NetBIOS name of the domain differs from the domain name, the synchronization account must have Replicate Directory Changes permission on the cn=configuration container. See Grant Replicate Directory Changes permission on the cn=configuration container for instructions to grant this permission.

If you will export property values from SharePoint Server to AD DS, the synchronization account must have Create Child Objects (this object and all descendants) and Write All Properties (this object and all descendants) permissions on the organizational unit (OU) that you are synchronizing with. See Grant Create Child Objects and Write permission for instructions to grant this permission.

for more info :
http://technet.microsoft.com/en-us/library/ee721049.aspx

Advertisement

Filed under Sharepoint 2010 Tagged with , , ,

About bpostaci
Escalation Engineer in Microsoft.

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

%d bloggers like this: