Bugra Postaci's Blog

All my posts are provided "AS IS" with no warranties, and confer no rights.

Sharepoint 2010 How to give “Replicate Directory Changes” permission to User Profile Sync Account

28/03/2012 1 Comment

In TechNet it is sometimes hard to find what you are looking for because the information is spread across more than one article, so I decided to collect it in a single article for this issue to make it easy to share. As you know, the synchronization account for a connection to Active Directory Domain Services (AD DS) must have the following permissions.
Before you apply these permissions, you should already have decided which account is your User Profile Synchronization account; needless to say, it must be an AD account.

1) It must have Replicate Directory Changes permission on the domain that you will synchronize with.
Important: The Replicate Directory Changes permission allows an account to query for changes in the directory. This permission does not allow an account to make any changes in the directory.

To grant Replicate Directory Changes permission on a domain:

  1. On the domain controller, click Start, click Administrative Tools, and then click Active Directory Users and Computers.
  2. In Active Directory Users and Computers, right-click the domain, and then click Delegate Control.
  3. On the first page of the Delegation of Control Wizard, click Next.
  4. On the Users or Groups page, click Add.
  5. Type the name of the synchronization account, and then click OK.
  6. Click Next.
  7. On the Tasks to Delegate page, select Create a custom task to delegate, and then click Next.
  8. On the Active Directory Object Type page, select This folder, existing objects in this folder, and creation of new objects in this folder, and then click Next.
  9. On the Permissions page, in the Permissions box, select Replicating Directory Changes (select Replicate Directory Changes on Windows Server 2003), and then click Next.
  10. Click Finish.

2) If the NetBIOS name of the domain differs from the fully qualified domain name, the synchronization account must also have Replicate Directory Changes permission on the cn=configuration container.

To grant Replicate Directory Changes permission on the cn=configuration container:

  1. On the domain controller, click Start, click Run, type adsiedit.msc, and then click OK.
  2. If the Configuration node is not already present, do the following:
    1. In the navigation pane, click ADSI Edit.
    2. On the Action menu, click Connect to.
    3. In the Connection Point area of the Connection Settings dialog box, click Select a well known Naming Context, select Configuration from the drop-down list, and then click OK.
  3. Expand the Configuration node, right-click the CN=Configuration… node, and then click Properties.
  4. In the Properties dialog box, click the Security tab.
  5. In the Group or user names section, click Add.
  6. Type the name of the synchronization account, and then click OK.
  7. In the Group or user names section, select the synchronization account.
  8. In the Permissions section, select the Allow check box next to the Replicating Directory Changes (Replicate Directory Changes on Windows Server 2003) permission, and then click OK.

3) If you will export property values from SharePoint Server to AD DS, the synchronization account must have Create Child Objects (this object and all descendants) and Write All Properties (this object and all descendants) permissions on the organizational unit (OU) that you are synchronizing with.

To grant Create Child Objects and Write permission:

  1. On the domain controller, click Start, click Run, type adsiedit.msc, and then click OK.
  2. If the Default naming context node is not already present, do the following:
    1. In the navigation pane, click ADSI Edit.
    2. On the Action menu, click Connect to.
    3. In the Connection Point area of the Connection Settings dialog box, click Select a well known Naming Context, select Default naming context from the drop-down list, and then click OK.
  3. In the navigation pane of the ADSI Edit window, expand the domain, expand the DC=… node, right-click the OU to which you want to grant permission, and then click Properties.
  4. On the Security tab of the Properties dialog box, click Advanced.
  5. In the Advanced Security Settings dialog box, select the row whose value in the Name column is the synchronization account and whose value in the Inherited From column is <not inherited>, and then click Edit. If this row is not present, click Add, click Locations, select Entire Directory, click OK, type the synchronization account, and then click OK. This adds the appropriate row, which you can now select.
    Important: Do not select the row for the synchronization account that is inherited from another location. Doing so would only enable you to apply the permissions to the OU and not to the contents of the OU.
  6. In the Permission Entry dialog box, select This object and all descendant objects from the Apply to box, (select This object and all child objects on Windows Server 2003), select the Allow check box in the rows for the Write all properties and Create all child objects properties, and then click OK.
  7. Click OK to close the Advanced Security Settings dialog box.
  8. Click OK to close the Properties dialog box.
  9. Repeat steps 3 through 8 to grant permissions on any additional OUs.

For the default configuration, i.e. if you only read from Active Directory and are not planning to export, you may need to apply just the first two permissions.
If you want to verify that those two permissions are set correctly, you can use the script described in the following article:
https://blog.bugrapostaci.com/2011/04/27/checking-replication-directory-changes-for-account-by-powershell/
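As an added example (not the script from the linked article), the following PowerShell audits whether a sync account holds the Replicating Directory Changes extended right on both containers covered by permissions 1 and 2 above. It assumes a domain-joined machine that can read the directory ACLs; the account name is a placeholder, and only ACEs granted directly to the account (not via group membership) are checked.

```powershell
# Added example: check permissions 1 and 2 (domain NC and CN=Configuration)
# for the User Profile Sync account. Placeholder account name below.
$SyncAccount = 'CONTOSO\svc-upsync'   # placeholder: your sync account

# Well-known GUID of the "Replicating Directory Changes" extended right
# (schema display name DS-Replication-Get-Changes).
$ReplicateChangesGuid = [Guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'

# Resolve the account to a SID so the comparison with ACL entries is exact.
$sid = (New-Object System.Security.Principal.NTAccount($SyncAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier])

# RootDSE tells us the DNs of the two containers the article grants rights on.
$rootDse    = [ADSI]'LDAP://RootDSE'
$containers = [ordered]@{
    'Domain naming context'      = $rootDse.defaultNamingContext.Value
    'CN=Configuration container' = $rootDse.configurationNamingContext.Value
}

foreach ($name in $containers.Keys) {
    $dn    = $containers[$name]
    $entry = [ADSI]("LDAP://" + $dn)

    # Read the DACL (direct and inherited ACEs) with identities as SIDs.
    $rules = $entry.ObjectSecurity.GetAccessRules(
                 $true, $true, [System.Security.Principal.SecurityIdentifier])

    # A match is an Allow ACE for this SID that grants ExtendedRight either for
    # the specific right GUID or for all extended rights (empty ObjectType).
    $granted = $rules | Where-Object {
        $_.IdentityReference -eq $sid -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band
          [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
        ($_.ObjectType -eq $ReplicateChangesGuid -or $_.ObjectType -eq [Guid]::Empty)
    }

    if ($granted) {
        "OK      : $SyncAccount has Replicating Directory Changes on $name ($dn)"
    } else {
        "MISSING : $SyncAccount lacks Replicating Directory Changes on $name ($dn)"
    }
}
```

A MISSING result for the CN=Configuration container is expected when the NetBIOS and DNS domain names match, since permission 2 is only required when they differ.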

For more information please read:
http://technet.microsoft.com/en-us/library/8451dde9-bbd1-4285-bc24-71bd795fb912
http://technet.microsoft.com/en-us/library/0eeb69e0-c799-4da1-b3ec-c0cc4efd585e
