Sharepoint 2010 How to give “Replicate Directory Changes” permission to User Profile Sync Account
28/03/2012 1 Comment
On TechNet it is sometimes hard to find what you are looking for because the information is spread across more than one article, so I decided to collect everything for this task in one post for easy sharing. As you know, the synchronization account for a connection to Active Directory Domain Services (AD DS) must have the following permissions:
Before applying these permissions, you should already have decided which account is your User Profile Synchronization account; needless to say, it must be an AD account.
1) It must have Replicate Directory Changes permission on the domain that you will synchronize with.
Important: The Replicate Directory Changes permission allows an account to query for the changes in the directory. This permission does not allow an account to make any changes in the directory. It is still a sensitive right, because the account can read changes to every object in the partition, so grant it only to the dedicated synchronization account. Do not confuse it with Replicating Directory Changes All, which additionally exposes secret attributes such as password hashes and is not required by profile synchronization.
To grant Replicate Directory Changes permission on a domain:
- On the domain controller, click Start, click Administrative Tools, and then click Active Directory Users and Computers.
- In Active Directory Users and Computers, right-click the domain, and then click Delegate Control.
- On the first page of the Delegation of Control Wizard, click Next.
- On the Users or Groups page, click Add.
- Type the name of the synchronization account, and then click OK.
- Click Next.
- On the Tasks to Delegate page, select Create a custom task to delegate, and then click Next.
- On the Active Directory Object Type page, select This folder, existing objects in this folder, and creation of new objects in this folder, and then click Next.
- On the Permissions page, in the Permissions box, select Replicating Directory Changes (select Replicate Directory Changes on Windows Server 2003), and then click Next.
- Click Finish.
2) If the NetBIOS name of the domain differs from the fully qualified domain name, the synchronization account must also have Replicate Directory Changes permission on the cn=configuration container.
To grant Replicate Directory Changes permission on the cn=configuration container:
- On the domain controller, click Start, click Run, type adsiedit.msc, and then click OK.
- If the Configuration node is not already present, do the following:
- In the navigation pane, click ADSI Edit.
- On the Action menu, click Connect to.
- In the Connection Point area of the Connection Settings dialog box, click Select a well known Naming Context, select Configuration from the drop-down list, and then click OK.
- Expand the Configuration node, right-click the CN=Configuration… node, and then click Properties.
- In the Properties dialog box, click the Security tab.
- In the Group or user names section, click Add.
- Type the name of the synchronization account, and then click OK.
- In the Group or user names section, select the synchronization account.
- In the Permissions section, select the Allow check box next to the Replicating Directory Changes (Replicate Directory Changes on Windows Server 2003) permission, and then click OK.
3) If you will export property values from SharePoint Server to AD DS, the synchronization account must have Create Child Objects (this object and all descendants) and Write All Properties (this object and all descendants) permissions on the organizational unit (OU) that you are synchronizing with.
To grant Create Child Objects and Write permission:
- On the domain controller, click Start, click Run, type adsiedit.msc, and then click OK.
- If the Default naming context node is not already present, do the following:
- In the navigation pane, click ADSI Edit.
- On the Action menu, click Connect to.
- In the Connection Point area of the Connection Settings dialog box, click Select a well known Naming Context, select Default naming context from the drop-down list, and then click OK.
- In the navigation pane of the ADSI Edit window, expand the domain, expand the DC=… node, right-click the OU to which you want to grant permission, and then click Properties.
- On the Security tab of the Properties dialog box, click Advanced.
- In the Advanced Security Settings dialog box, select the row whose value in the Name column is the synchronization account and whose value in the Inherited From column is <not inherited>, and then click Edit. If this row is not present, click Add, click Locations, select Entire Directory, click OK, type the synchronization account, and then click OK. This adds the appropriate row, which you can now select.
Important: Do not select the row for the synchronization account that is inherited from another location. Doing so would only enable you to apply the permissions to the OU and not to the contents of the OU.
- In the Permission Entry dialog box, select This object and all descendant objects from the Apply to box (select This object and all child objects on Windows Server 2003), select the Allow check box in the rows for the Write all properties and Create all child objects permissions, and then click OK.
- Click OK to close the Advanced Security Settings dialog box.
- Click OK to close the Properties dialog box.
- Repeat the steps above, from opening the OU's Properties dialog box through closing it, to grant the same permissions on any additional OUs.
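The three permission sets above can be granted and verified from PowerShell instead of the ADSI Edit and Delegation of Control wizards. The script below is an added example and is not part of the original post or the TechNet articles; it uses only System.DirectoryServices, so it runs on a domain controller (or a machine with RSAT) without the Active Directory module. The account name CONTOSO\svc_ups and the export OU are placeholders you must replace; it assumes you run it as a Domain Admin. Without -Apply it only reports what is missing, which doubles as the "is the permission already correct?" check.

```powershell
# Added example, not from the original post. Grants/verifies the permissions a
# SharePoint 2010 User Profile Sync account needs, as described in steps 1-3 above.
# Placeholders: -SyncAccount and -ExportOU. Run as Domain Admin on a DC or RSAT box.
param(
    [string]$SyncAccount = 'CONTOSO\svc_ups',   # placeholder: your sync account
    [string]$ExportOU    = '',                  # placeholder: e.g. 'OU=Staff,DC=contoso,DC=com'; only needed when exporting to AD
    [switch]$Apply                              # without -Apply the script only reports
)

Add-Type -AssemblyName System.DirectoryServices

# Well-known rightsGuid of "Replicating Directory Changes" (DS-Replication-Get-Changes).
# Deliberately NOT 1131f6ad-... ("Replicating Directory Changes All"), which would also
# expose password hashes and is not needed by profile synchronization.
$ReplGetChanges = [Guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
$ExtendedRight  = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$sid = (New-Object System.Security.Principal.NTAccount($SyncAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier])

$root     = [ADSI]'LDAP://RootDSE'
$domainDN = $root.Get('defaultNamingContext')
$configDN = $root.Get('configurationNamingContext')

# Step 2 applies only when the NetBIOS name differs from the DNS name. Both are stored on
# the domain's crossRef object under CN=Partitions; we compare NetBIOS to the first DNS label.
$searcher = New-Object System.DirectoryServices.DirectorySearcher(
                [ADSI]"LDAP://CN=Partitions,$configDN",
                "(&(objectClass=crossRef)(nCName=$domainDN))")
$crossRef    = $searcher.FindOne()
$netbios     = [string]$crossRef.Properties['netbiosname'][0]
$dnsRoot     = [string]$crossRef.Properties['dnsroot'][0]
$needsConfig = ($netbios -ne $dnsRoot.Split('.')[0])

function Test-ReplicatingDirectoryChanges([string]$DN, [System.Security.Principal.SecurityIdentifier]$Sid) {
    # True when an explicit or inherited Allow ACE grants the control access right to $Sid.
    $acl = ([ADSI]"LDAP://$DN").ObjectSecurity
    foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        if ($ace.IdentityReference.Value -eq $Sid.Value -and
            $ace.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
            $ace.ObjectType -eq $ReplGetChanges -and
            (($ace.ActiveDirectoryRights -band $ExtendedRight) -eq $ExtendedRight)) {
            return $true
        }
    }
    return $false
}

function Grant-ReplicatingDirectoryChanges([string]$DN, [System.Security.Principal.SecurityIdentifier]$Sid) {
    # Steps 1 and 2: one ACE, ExtendedRight limited to the Get-Changes GUID.
    $de  = [ADSI]"LDAP://$DN"
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
               $Sid, $ExtendedRight,
               [System.Security.AccessControl.AccessControlType]::Allow,
               $ReplGetChanges)
    $de.ObjectSecurity.AddAccessRule($ace)
    $de.CommitChanges()
}

function Grant-ExportRights([string]$DN, [System.Security.Principal.SecurityIdentifier]$Sid) {
    # Step 3: Create all child objects + Write all properties on
    # "This object and all descendant objects" (inheritance = All).
    $de     = [ADSI]"LDAP://$DN"
    $rights = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
              [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
               $Sid, $rights,
               [System.Security.AccessControl.AccessControlType]::Allow,
               [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $de.ObjectSecurity.AddAccessRule($ace)
    $de.CommitChanges()
}

$targets = @($domainDN)
if ($needsConfig) { $targets += $configDN }

foreach ($dn in $targets) {
    if (Test-ReplicatingDirectoryChanges $dn $sid) {
        Write-Output "OK      $SyncAccount already has Replicating Directory Changes on $dn"
    } elseif ($Apply) {
        Grant-ReplicatingDirectoryChanges $dn $sid
        Write-Output "GRANTED Replicating Directory Changes on $dn"
    } else {
        Write-Output "MISSING Replicating Directory Changes on $dn (re-run with -Apply)"
    }
}

if ($ExportOU -and $Apply) {
    Grant-ExportRights $ExportOU $sid
    Write-Output "GRANTED Create all child objects / Write all properties on $ExportOU"
}
```

Run it once without -Apply to see which containers still lack the right, then with -Apply to grant them; when no export to AD DS is planned, leave -ExportOU empty so the broader write permissions from step 3 are never granted.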
For the default configuration, that is, if you only import from Active Directory and are not planning to export, you need to apply just the first two permissions.
If you want to verify that those two permissions are in place, you can use the script described in the following article:
https://blog.bugrapostaci.com/2011/04/27/checking-replication-directory-changes-for-account-by-powershell/
For more information please read:
http://technet.microsoft.com/en-us/library/8451dde9-bbd1-4285-bc24-71bd795fb912
http://technet.microsoft.com/en-us/library/0eeb69e0-c799-4da1-b3ec-c0cc4efd585e
This helped me. Thank you.