
Grant Active Directory Domain Services permissions for profile synchronization in SharePoint Server 2013

Published: October 23, 2012

Summary: Learn how to grant the appropriate permissions in Active Directory Domain Services that are used for profile synchronization by the User Profile service in SharePoint Server 2013.

Applies to:  SharePoint Server 2013 

This article contains procedures that an Active Directory Domain Services (AD DS) administrator can use to configure the permissions that are required to synchronize profile information with SharePoint Server 2013. The "Plan account permissions" section of the account-planning article describes which of these permissions are required in which circumstances; grant only the permissions that apply to your deployment.

The procedures in this article use the phrase "synchronization account" for the account to which you grant permissions. The synchronization account is the account that SharePoint Server uses to connect to AD DS during profile synchronization.


Before you begin

Note:

Administrators typically use the SharePoint Central Administration website and the SharePoint Management Shell to manage deployments. For information about accessibility for administrators, see Accessibility for SharePoint 2013.

Because SharePoint 2013 runs as websites in Internet Information Services (IIS), administrators and users depend on the accessibility features that browsers provide. SharePoint 2013 supports the accessibility features of supported browsers. For more information, see the following resources:

Grant Replicate Directory Changes permission on a domain

Use this procedure to grant Replicate Directory Changes permission on a domain to an account.

The Replicate Directory Changes permission enables the synchronization account to read AD DS objects and to discover AD DS objects that have been changed in the domain. The Replicate Directory Changes permission does not enable an account to create, modify, or delete AD DS objects. It is also distinct from Replicating Directory Changes All, the right that additionally allows replication of secret attributes such as password hashes; the synchronization account does not need that right and should not be granted it.

To grant Replicate Directory Changes permission on a domain

  1. On the domain controller, click Start, click Administrative Tools, and then click Active Directory Users and Computers.

  2. In Active Directory Users and Computers, right-click the domain, and then click Delegate Control.

  3. On the first page of the Delegation of Control Wizard, click Next.

  4. On the Users or Groups page, click Add.

  5. Type the name of the synchronization account, and then click OK.

  6. Click Next.

  7. On the Tasks to Delegate page, select Create a custom task to delegate, and then click Next.

  8. On the Active Directory Object Type page, select This folder, existing objects in this folder, and creation of new objects in this folder, and then click Next.

  9. On the Permissions page, in the Permissions box, select Replicating Directory Changes (select Replicate Directory Changes on Windows Server 2003), and then click Next.

  10. Click Finish.
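Before and after delegating the right, it is worth checking exactly which principals hold the two replication rights on the domain head, because any identity holding Replicating Directory Changes All can replicate password hashes. The following PowerShell audit is an added example and not part of the original article; it assumes the ActiveDirectory module (RSAT) is installed and that the caller can read the security descriptor of the domain naming context. The GUIDs are the schema-defined extended-right identifiers.

```powershell
# Added example, not part of the original article. Audits which principals hold the
# two replication extended rights on a naming context. Assumes the ActiveDirectory
# module (RSAT) and read access to the naming context head's security descriptor.
Import-Module ActiveDirectory

# Extended-right GUIDs as defined in the AD schema (controlAccessRight objects).
$GetChanges    = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes
$GetChangesAll = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes-All

function Get-ReplicationRightHolder {
    param(
        # Defaults to the domain head; pass another naming context DN to audit that instead.
        [string]$DistinguishedName = (Get-ADDomain).DistinguishedName
    )
    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)
    foreach ($ace in $acl.Access) {
        $isExtended = ($ace.ActiveDirectoryRights -band `
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0
        if (-not $isExtended) { continue }

        # Only explicit grants of the two rights are reported. An ACE that grants all
        # extended rights (empty ObjectType) or Full Control also confers both.
        if     ($ace.ObjectType -eq $GetChanges)    { $right = 'Replicating Directory Changes' }
        elseif ($ace.ObjectType -eq $GetChangesAll) { $right = 'Replicating Directory Changes All' }
        else                                        { continue }

        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Right     = $right
            Type      = $ace.AccessControlType
            Inherited = $ace.IsInherited
            Object    = $DistinguishedName
        }
    }
}

# Holders of "Replicating Directory Changes All" can replicate password hashes (DCSync).
# Expected holders are the domain controllers and built-in administrative groups; the
# synchronization account must not appear in this list.
Get-ReplicationRightHolder |
    Where-Object Right -eq 'Replicating Directory Changes All' |
    Format-Table -AutoSize

# After delegation the synchronization account should appear here, and only here.
Get-ReplicationRightHolder |
    Where-Object Right -eq 'Replicating Directory Changes' |
    Format-Table -AutoSize
```

Run the script once before delegation to record the baseline and once afterwards; the only difference should be one new non-inherited Allow entry for the synchronization account with the Replicating Directory Changes right.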

Add an account to the Pre-Windows 2000 Compatible Access group

Use this procedure to add an account to the Pre-Windows 2000 Compatible Access group. Membership in this built-in group grants backward-compatible read access to user and group objects throughout the domain, so add only the synchronization account, not other service or user accounts.

To add an account to the Pre-Windows 2000 Compatible Access group

  1. On the domain controller, click Start, click Administrative Tools, and then click Active Directory Users and Computers.

  2. In Active Directory Users and Computers, expand the domain, expand Builtin, right-click Pre-Windows 2000 Compatible Access, and then click Properties.

  3. In the Properties dialog box, click the Members tab, and then click Add.

  4. Type the name of the synchronization account, and then click OK.

  5. Click OK.

Grant Replicate Directory Changes permission on the cn=configuration container

Use this procedure to grant Replicate Directory Changes permission on the cn=configuration container to an account.

To grant Replicate Directory Changes permission on the cn=configuration container

  1. On the domain controller, click Start, click Run, type adsiedit.msc, and then click OK.

  2. If the Configuration node is not already present, do the following:

    1. In the navigation pane, click ADSI Edit.

    2. On the Action menu, click Connect to.

    3. In the Connection Point area of the Connection Settings dialog box, click Select a well known Naming Context, select Configuration from the drop-down list, and then click OK.

  3. Expand the Configuration node, right-click the CN=Configuration... node, and then click Properties.

  4. In the Properties dialog box, click the Security tab.

  5. In the Group or user names section, click Add.

  6. Type the name of the synchronization account, and then click OK.

  7. In the Group or user names section, select the synchronization account.

  8. In the Permissions section, select the Allow check box next to the Replicating Directory Changes (Replicate Directory Changes on Windows Server 2003) permission, and then click OK.
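The two Replicate Directory Changes grants in this article (on the domain in the procedure above, and on the cn=configuration container in this procedure) are the same access control entry applied to two naming-context heads. The PowerShell below is an added example, not code from the original article; it assumes the ActiveDirectory module and a synchronization account named CONTOSO\spsync (a placeholder to replace with your own). The ACE is written without inheritance because the replication right is evaluated on the naming-context head object itself, and the function is idempotent so it can be re-run safely.

```powershell
# Added example, not part of the original article. Grants DS-Replication-Get-Changes
# (Replicating Directory Changes) to the synchronization account on the domain naming
# context and on the configuration naming context. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$SyncAccount = 'CONTOSO\spsync'   # assumed placeholder; replace with the real synchronization account
$GetChanges  = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes only

function Grant-ReplicateDirectoryChanges {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][string]$DistinguishedName
    )
    $sid  = (New-Object System.Security.Principal.NTAccount($Identity)).Translate(
                [System.Security.Principal.SecurityIdentifier])
    $path = "AD:\" + $DistinguishedName
    $acl  = Get-Acl -Path $path

    # Idempotent: do nothing if an explicit Allow ACE for exactly this right already exists.
    $existing = $acl.Access | Where-Object {
        -not $_.IsInherited -and
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType -eq $GetChanges -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid
    }
    if ($existing) {
        return "$Identity already holds Replicating Directory Changes on $DistinguishedName"
    }

    # ExtendedRight + the specific right GUID, no inheritance: the right only means
    # anything on the naming-context head, and nothing else is granted.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $GetChanges,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
    return "Granted Replicating Directory Changes to $Identity on $DistinguishedName"
}

$domainDn = (Get-ADDomain).DistinguishedName
$configDn = (Get-ADRootDSE).configurationNamingContext

Grant-ReplicateDirectoryChanges -Identity $SyncAccount -DistinguishedName $domainDn
Grant-ReplicateDirectoryChanges -Identity $SyncAccount -DistinguishedName $configDn
```

Run it as a user who can modify the security descriptors of both naming-context heads (Domain Admins for the domain, Enterprise Admins for the configuration container in a multi-domain forest). Note that the Replicating Directory Changes All GUID (1131f6ad-…) is deliberately never referenced.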

Grant Create Child Objects and Write permission

Use this procedure to grant Create Child Objects and Write permission to an account. These are write permissions, so grant them only where the account-planning article calls for them, and scope them to the OUs that profile synchronization actually works with rather than to the domain as a whole.

To grant Create Child Objects and Write permission

  1. On the domain controller, click Start, click Run, type adsiedit.msc, and then click OK.

  2. If the Default naming context node is not already present, do the following:

    1. In the navigation pane, click ADSI Edit.

    2. On the Action menu, click Connect to.

    3. In the Connection Point area of the Connection Settings dialog box, click Select a well known Naming Context, select Default naming context from the drop-down list, and then click OK.

  3. In the navigation pane of the ADSI Edit window, expand the domain, expand the DC=... node, right-click the OU to which you want to grant permission, and then click Properties.

  4. On the Security tab of the Properties dialog box, click Advanced.

  5. In the Advanced Security Settings dialog box, select the row whose value in the Name column is the synchronization account and whose value in the Inherited From column is <not inherited>, and then click Edit. If this row is not present, click Add, click Locations, select Entire Directory, click OK, type the synchronization account, and then click OK. This adds the appropriate row, which you can now select.

    Note:

    Do not select the row for the synchronization account that is inherited from another location. Doing so would only enable you to apply the permissions to the OU and not to the contents of the OU.

  6. In the Permission Entry dialog box, in the Apply to box, select This object and all descendant objects (select This object and all child objects on Windows Server 2003), select the Allow check box in the rows for the Write all properties and Create all child objects permissions, and then click OK.

  7. Click OK to close the Advanced Security Settings dialog box.

  8. Click OK to close the Properties dialog box.

  9. Repeat steps 3 through 8 to grant permissions on any additional OUs.
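The same grant, including the "this object and all descendant objects" scope and the check that the entry is explicit rather than inherited (the point of the note in step 5), can be applied to any number of OUs with PowerShell. This is an added example, not code from the original article; it assumes the ActiveDirectory module, a synchronization account named CONTOSO\spsync, and OU distinguished names that are placeholders for your own.

```powershell
# Added example, not part of the original article. Grants "Create all child objects"
# and "Write all properties" on an OU and all of its descendants, then verifies that
# an explicit (non-inherited) entry with the correct scope exists.
Import-Module ActiveDirectory

$SyncAccount = 'CONTOSO\spsync'                        # assumed placeholder
$TargetOus   = @(                                       # assumed placeholders; one entry per synchronized OU
    'OU=Staff,DC=contoso,DC=com',
    'OU=Contractors,DC=contoso,DC=com'
)

# "Create all child objects" = CreateChild with no object type;
# "Write all properties"     = WriteProperty with no object type.
$WantedRights = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
                [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

function Get-AccountSid([string]$Identity) {
    (New-Object System.Security.Principal.NTAccount($Identity)).Translate(
        [System.Security.Principal.SecurityIdentifier])
}

function Test-OuCreateChildAndWrite {
    param([Parameter(Mandatory)][string]$Identity, [Parameter(Mandatory)][string]$OuDistinguishedName)
    $sid = Get-AccountSid $Identity
    $acl = Get-Acl -Path ("AD:\" + $OuDistinguishedName)
    # Only an explicit ACE that covers the OU and all descendants counts; an inherited
    # entry would not reliably reach the OU's contents, as the note in step 5 warns.
    $match = $acl.Access | Where-Object {
        -not $_.IsInherited -and
        $_.AccessControlType -eq 'Allow' -and
        $_.InheritanceType -eq [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All -and
        (($_.ActiveDirectoryRights -band $WantedRights) -eq $WantedRights) -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid
    }
    return [bool]$match
}

function Grant-OuCreateChildAndWrite {
    param([Parameter(Mandatory)][string]$Identity, [Parameter(Mandatory)][string]$OuDistinguishedName)
    if (Test-OuCreateChildAndWrite -Identity $Identity -OuDistinguishedName $OuDistinguishedName) {
        return "$Identity already has Create Child / Write on $OuDistinguishedName"
    }
    $path = "AD:\" + $OuDistinguishedName
    $acl  = Get-Acl -Path $path
    $ace  = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        (Get-AccountSid $Identity),
        $WantedRights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)   # this object and all descendants
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl

    if (-not (Test-OuCreateChildAndWrite -Identity $Identity -OuDistinguishedName $OuDistinguishedName)) {
        throw "Grant on $OuDistinguishedName did not take effect"
    }
    return "Granted Create Child / Write to $Identity on $OuDistinguishedName and descendants"
}

# Step 9 of the procedure: repeat for every OU that needs the permission.
foreach ($ou in $TargetOus) {
    Grant-OuCreateChildAndWrite -Identity $SyncAccount -OuDistinguishedName $ou
}
```

Keep the list of OUs as short as the deployment allows; each entry gives the synchronization account the ability to create objects and modify every attribute beneath that OU, so an unneeded OU in the list is unnecessary write access.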

© 2014 Microsoft. All rights reserved.