Granting replicating directory changes permission to profile synchronization account
Posted by adisimon
In order to allow the SharePoint 2010 User Profile Service (UPS) to synchronize profiles with Active Directory, a service account needs to be provisioned and granted the correct level of access. This TechNet article describes the access needed for this service account. For consistency, we will refer to this account as the profile synchronization account (PFS account). Refer to this wiki entry for more information about the User Profile Synchronization service.
This article walks through the steps to grant those permissions to the PFS account.
Here are the steps to grant read access and the Replicating Directory Changes permission to the PFS account, using a newly created account named SRV-PFS as the sample:
A. Granting access to the PFS account so it can enumerate and read user properties
Note: The steps within this particular section need to be reviewed.
- In Active Directory Users and Computers, right-click the domain object and choose Delegate Control
- On the Users or Groups page, add the PFS account, then click Next
- On the Tasks to Delegate page, check "Read all user information", click Next, then click Finish
B. Granting access to the PFS account to query for changes within the domain
- In Active Directory Users and Computers, open the View menu and enable Advanced Features. This exposes additional options, including the Security tab on object properties, once the view refreshes
- Right-click the domain object and choose Properties
- Click the Security tab and locate the PFS account. In the permissions section, check Allow for Replicating Directory Changes, then click OK
Grant only Replicating Directory Changes. The neighbouring Replicating Directory Changes All permission additionally allows secret attributes such as password hashes to be pulled through the replication interface, and profile synchronization does not need it. Treat the PFS account as sensitive anyway: Replicating Directory Changes lets it read the contents of the whole domain through the replication interface, so give it a strong password and do not reuse it for anything else.
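The same two grants, steps A and B, can be applied and then verified from PowerShell instead of the GUI. The following script is an added example and is not part of the original post or of any Microsoft tooling. It assumes the RSAT ActiveDirectory module is installed, that you run it as an account allowed to change the domain object's ACL, that the PFS account is named SRV-PFS as in the sample above, and that the wizard's "Read all user information" task corresponds to GenericRead on descendant user objects; the GUIDs are the schema rightsGuid values of the two replication control access rights and the schemaIDGUID of the user class.

```powershell
# Added example, not from the original post: grant steps A and B to the PFS
# account with the ActiveDirectory module, then verify the resulting ACEs.
Import-Module ActiveDirectory

$AccountName = 'SRV-PFS'                       # assumption: sample name from the post
$Domain      = Get-ADDomain
$DomainDN    = $Domain.DistinguishedName
$AclPath     = "AD:\$DomainDN"                 # AD: PSDrive supplied by the module

$Account = Get-ADUser -Identity $AccountName
$Sid     = [System.Security.Principal.SecurityIdentifier]$Account.SID

# rightsGuid values of the control access rights involved (from the AD schema)
$GetChangesGuid    = [Guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'  # DS-Replication-Get-Changes ("Replicating Directory Changes")
$GetChangesAllGuid = [Guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'  # DS-Replication-Get-Changes-All (deliberately NOT granted)
# schemaIDGUID of the user object class, used to scope step A
$UserClassGuid     = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

$Acl = Get-Acl -Path $AclPath

# Step A: read access to user objects below the domain root. Assumed here to be
# the equivalent of the wizard's "Read all user information" task.
$ReadUsers = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $Sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $UserClassGuid)

# Step B: the "Replicating Directory Changes" extended right on the domain
# object itself (no inheritance; it is evaluated on the naming context head).
$ReplChanges = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $Sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $GetChangesGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

$Acl.AddAccessRule($ReadUsers)
$Acl.AddAccessRule($ReplChanges)
Set-Acl -Path $AclPath -AclObject $Acl

# Verify: re-read the ACL and look only at the ACEs that apply to the PFS account.
$Acl  = Get-Acl -Path $AclPath
$Mine = $Acl.Access | Where-Object {
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $Sid
}
$HasGetChanges    = [bool]($Mine | Where-Object { $_.ObjectType -eq $GetChangesGuid })
$HasGetChangesAll = [bool]($Mine | Where-Object { $_.ObjectType -eq $GetChangesAllGuid })

if (-not $HasGetChanges) {
    throw "Replicating Directory Changes was not granted to $AccountName on $DomainDN"
}
if ($HasGetChangesAll) {
    # Get-Changes-All lets the holder replicate secret attributes (password
    # hashes), which profile synchronization never needs; flag it for removal.
    throw "$AccountName also holds Replicating Directory Changes All on $DomainDN; remove it"
}
"$AccountName now has Replicating Directory Changes on $DomainDN"
```

The verification half is the part worth keeping around: run it again after any later delegation work on the domain object, since the two replication permissions sit next to each other in the GUI and are easy to confuse.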