Grant Active Directory Domain Services permissions for profile synchronization (SharePoint Server 2010)

Applies to: SharePoint Server 2010

This article contains procedures that an Active Directory Domain Services (AD DS) administrator can use to configure the permissions that are required to synchronize profile information with Microsoft SharePoint Server 2010. The Plan account permissions section of the "Plan for profile synchronization" article describes which permissions are needed in which circumstances.

The procedures in this article use the phrase "synchronization account" for the account to which you grant permissions. The synchronization account is the account that SharePoint Server uses to connect to AD DS during profile synchronization.

In this article:

  • Grant Replicate Directory Changes permission on a domain

  • Add an account to the Pre-Windows 2000 Compatible Access group

  • Grant Replicate Directory Changes permission on the cn=configuration container

  • Grant Create Child Objects and Write permission

Grant Replicate Directory Changes permission on a domain

Use this procedure to grant Replicate Directory Changes permission on a domain to an account.

The Replicate Directory Changes permission enables the synchronization account to read AD DS objects and to discover AD DS objects that have been changed in the domain. It does not enable the account to create, modify, or delete AD DS objects. Do not grant the separate Replicating Directory Changes All permission instead: it additionally allows the holder to read secret attributes such as password hashes, and profile synchronization does not require it.

To grant Replicate Directory Changes permission on a domain

  1. On the domain controller, click Start, click Administrative Tools, and then click Active Directory Users and Computers.

  2. In Active Directory Users and Computers, right-click the domain, and then click Delegate Control.

  3. On the first page of the Delegation of Control Wizard, click Next.

  4. On the Users or Groups page, click Add.

  5. Type the name of the synchronization account, and then click OK.

  6. Click Next.

  7. On the Tasks to Delegate page, select Create a custom task to delegate, and then click Next.

  8. On the Active Directory Object Type page, select This folder, existing objects in this folder, and creation of new objects in this folder, and then click Next.

  9. On the Permissions page, in the Permissions box, select Replicating Directory Changes (select Replicate Directory Changes on Windows Server 2003), and then click Next.

  10. Click Finish.

Add an account to the Pre-Windows 2000 Compatible Access group

Use this procedure to add an account to the Pre-Windows 2000 Compatible Access group.

To add an account to the Pre-Windows 2000 Compatible Access group

  1. On the domain controller, click Start, click Administrative Tools, and then click Active Directory Users and Computers.

  2. In Active Directory Users and Computers, expand the domain, expand Builtin, right-click Pre-Windows 2000 Compatible Access, and then click Properties.

  3. In the Properties dialog box, click the Members tab, and then click Add.

  4. Type the name of the synchronization account, and then click OK.

  5. Click OK.

Grant Replicate Directory Changes permission on the cn=configuration container

Use this procedure to grant Replicate Directory Changes permission on the cn=configuration container to an account.

To grant Replicate Directory Changes permission on the cn=configuration container

  1. On the domain controller, click Start, click Run, type adsiedit.msc, and then click OK.

  2. If the Configuration node is not already present, do the following:

    1. In the navigation pane, click ADSI Edit.

    2. On the Action menu, click Connect to.

    3. In the Connection Point area of the Connection Settings dialog box, click Select a well known Naming Context, select Configuration from the drop-down list, and then click OK.

  3. Expand the Configuration node, right-click the CN=Configuration... node, and then click Properties.

  4. In the Properties dialog box, click the Security tab.

  5. In the Group or user names section, click Add.

  6. Type the name of the synchronization account, and then click OK.

  7. In the Group or user names section, select the synchronization account.

  8. In the Permissions section, select the Allow check box next to the Replicating Directory Changes (Replicate Directory Changes on Windows Server 2003) permission, and then click OK.
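The three procedures above (Replicate Directory Changes on the domain, membership in Pre-Windows 2000 Compatible Access, and Replicate Directory Changes on the Configuration container) carried out with PowerShell, followed by a check that the account ended up with only the replication right it needs. This is an added example, not code from the Microsoft article. It assumes the ActiveDirectory module (RSAT) is installed, that it runs in a Domain Admin session on a domain controller, and that the synchronization account is CONTOSO\svc-spsync; the function names are this example's own.

```powershell
# Added example, not part of the original article. Assumptions: ActiveDirectory
# module available, run as a Domain Admin on a domain controller, and the
# synchronization account is CONTOSO\svc-spsync (change to yours).
Import-Module ActiveDirectory

$SyncAccount = 'CONTOSO\svc-spsync'   # assumed account name

# Schema GUIDs of the two replication control access rights. Profile
# synchronization needs the first one only.
$GetChanges    = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes
$GetChangesAll = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes-All

$Sid = (New-Object System.Security.Principal.NTAccount($SyncAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier])

$rootDse = Get-ADRootDSE
# Same two targets as the procedures: the domain and CN=Configuration,...
$targets = @($rootDse.defaultNamingContext, $rootDse.configurationNamingContext)

function Get-AceSid($Ace) {
    # Get-Acl shows resolved names; compare by SID so renames do not matter.
    try { $Ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
    catch { $null }
}

function Grant-ReplicateDirectoryChanges {
    param([string]$Dn, [System.Security.Principal.SecurityIdentifier]$AccountSid)
    $path = "AD:\$Dn"
    $acl  = Get-Acl -Path $path
    # One Allow ACE for the extended right on this object only (inheritance
    # None): the ACE the wizard and ADSI Edit steps above create.
    $ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $AccountSid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $GetChanges,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
}

function Test-ReplicationRights {
    # Reports what the account can replicate from $Dn. GetChangesAll must be
    # False: together with GetChanges it allows reading password hashes (the
    # technique known as DCSync). An ExtendedRight ACE with an empty object
    # type means "all extended rights" and GenericAll implies everything, so
    # both are counted as granting GetChangesAll.
    param([string]$Dn, [System.Security.Principal.SecurityIdentifier]$AccountSid)
    $rules = (Get-Acl -Path "AD:\$Dn").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and (Get-AceSid $_) -eq $AccountSid
    }
    $ext = $rules | Where-Object {
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0
    }
    $generic = $rules | Where-Object {
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -eq
            [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    }
    $allExt = $ext | Where-Object { $_.ObjectType -eq [guid]::Empty }
    New-Object PSObject -Property @{
        Target        = $Dn
        GetChanges    = [bool](($ext | Where-Object { $_.ObjectType -eq $GetChanges })    -or $allExt -or $generic)
        GetChangesAll = [bool](($ext | Where-Object { $_.ObjectType -eq $GetChangesAll }) -or $allExt -or $generic)
    }
}

foreach ($dn in $targets) { Grant-ReplicateDirectoryChanges -Dn $dn -AccountSid $Sid }

# Pre-Windows 2000 Compatible Access is the builtin group S-1-5-32-554; adding
# by SID works regardless of the server's display language.
Add-ADGroupMember -Identity 'S-1-5-32-554' -Members (Get-ADUser -Identity $Sid.Value)

foreach ($dn in $targets) { Test-ReplicationRights -Dn $dn -AccountSid $Sid }
```

The final loop should report GetChanges True and GetChangesAll False for both naming contexts. If GetChangesAll comes back True, the account has been over-delegated (for example by an earlier "all extended rights" or Full Control entry); remove that entry before connecting SharePoint Server with this account.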

Grant Create Child Objects and Write permission

Use this procedure to grant Create Child Objects and Write permission to an account.

To grant Create Child Objects and Write permission

  1. On the domain controller, click Start, click Run, type adsiedit.msc, and then click OK.

  2. If the Default naming context node is not already present, do the following:

    1. In the navigation pane, click ADSI Edit.

    2. On the Action menu, click Connect to.

    3. In the Connection Point area of the Connection Settings dialog box, click Select a well known Naming Context, select Default naming context from the drop-down list, and then click OK.

  3. In the navigation pane of the ADSI Edit window, expand the domain, expand the DC=... node, right-click the OU to which you want to grant permission, and then click Properties.

  4. On the Security tab of the Properties dialog box, click Advanced.

  5. In the Advanced Security Settings dialog box, select the row whose value in the Name column is the synchronization account and whose value in the Inherited From column is <not inherited>, and then click Edit. If this row is not present, click Add, click Locations, select Entire Directory, click OK, type the synchronization account, and then click OK. This adds the appropriate row, which you can now select.

    Note

    Do not select the row for the synchronization account that is inherited from another location. Doing so would only enable you to apply the permissions to the OU and not to the contents of the OU.

  6. In the Permission Entry dialog box, in the Apply to box, select This object and all descendant objects (select This object and all child objects on Windows Server 2003), select the Allow check box in the rows for the Write all properties and Create all child objects permissions, and then click OK.

  7. Click OK to close the Advanced Security Settings dialog box.

  8. Click OK to close the Properties dialog box.

  9. Repeat steps 3 through 8 to grant permissions on any additional OUs.
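The same delegation done with PowerShell for a list of OUs, followed by a check that each OU carries the explicit (not inherited) entry the procedure asks for. This is an added example, not code from the Microsoft article. It assumes the ActiveDirectory module, a Domain Admin session, the account CONTOSO\svc-spsync and the two OU names shown; the function names are this example's own.

```powershell
# Added example, not part of the original article. Assumptions: ActiveDirectory
# module available, run as a Domain Admin, and the account and OU names below.
Import-Module ActiveDirectory

$SyncAccount = 'CONTOSO\svc-spsync'                  # assumed account name
$TargetOUs   = @('OU=Employees,DC=contoso,DC=com',   # assumed OUs the connection exports to
                 'OU=Contractors,DC=contoso,DC=com')

$Sid = (New-Object System.Security.Principal.NTAccount($SyncAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier])

# CreateChild with no object type is "Create all child objects";
# WriteProperty with no object type is "Write all properties".
$Rights = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
          [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

function Get-AceSid($Ace) {
    try { $Ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
    catch { $null }
}

function Grant-OuExportRights {
    param([string]$OuDn, [System.Security.Principal.SecurityIdentifier]$AccountSid)
    $path = "AD:\$OuDn"
    $acl  = Get-Acl -Path $path
    # Inheritance All corresponds to "This object and all descendant objects"
    # in the Permission Entry dialog. The ACE is written on the OU itself, so
    # it is the <not inherited> row the procedure tells you to edit.
    $ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $AccountSid,
        $Rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
}

function Test-OuExportRights {
    # True only if a non-inherited Allow ACE for the account exists on the OU
    # that covers both rights for all object classes and applies to the OU and
    # all descendants; an entry inherited from a parent does not count, per
    # the note in the procedure above.
    param([string]$OuDn, [System.Security.Principal.SecurityIdentifier]$AccountSid)
    $match = (Get-Acl -Path "AD:\$OuDn").Access | Where-Object {
        -not $_.IsInherited -and
        $_.AccessControlType -eq 'Allow' -and
        $_.InheritanceType -eq [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All -and
        $_.ObjectType -eq [guid]::Empty -and
        (($_.ActiveDirectoryRights -band $Rights) -eq $Rights) -and
        (Get-AceSid $_) -eq $AccountSid
    }
    New-Object PSObject -Property @{ OU = $OuDn; Delegated = [bool]$match }
}

foreach ($ou in $TargetOUs) { Grant-OuExportRights -OuDn $ou -AccountSid $Sid }
foreach ($ou in $TargetOUs) { Test-OuExportRights  -OuDn $ou -AccountSid $Sid }
```

Write all properties on every descendant object is a broad grant: it covers groups, computers and any other objects under the OU, not only user accounts. Put the OUs that the synchronization connection actually exports to in $TargetOUs rather than the domain root or a parent OU.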

See Also

Concepts

Plan for profile synchronization (SharePoint Server 2010)
Configure profile synchronization (SharePoint Server 2010)