Posted by adisimon
In order to allow SharePoint 2010 User Profile Service (UPS) to do a profile synchronization to Active Directory, a service account needs to be provisioned and the correct level of access needs to be granted to this account. This TechNet article describes the access needed for this service account. For consistency, we will be referring to this account as the profile synchronization account (PFS account). Refer to this wiki entry for more information about the user profile synchronization service.
This article tells us the steps for granting permissions to this PFS account.
Here are the screenshots of the steps to grant read access and Replicating Directory Changes access to the PFS account, with a sample scenario using a newly created account called SRV-PFS:
A. Granting access to the PFS account so it can enumerate and read user properties
Note: The steps within this particular section need to be reviewed.
- In ACL Editor, right-click on the domain object, and choose Delegate Control
- Add the PFS account, and then click Next
- In the next screen, check “Read all user information” and click Next, then click Finish
B. Granting access to the PFS account to query for changes within the domain
- Within the ACL Editor, click on the View menu, then enable Advanced Features. This brings up additional options in the ACL Editor when the screen refreshes
- Right-click on the domain object, and choose Properties
- Click on the Security tab and locate the PFS account. In the Permissions section, check Allow for Replicating Directory Changes. Click OK.
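Scripted equivalent of steps A and B above, added here as an example and not part of the original post. It uses the ActiveDirectory module and the AD: PSDrive; the account name SRV-PFS, the domain from Get-ADDomain, and the GenericRead-on-user-objects ACE as an approximation of the wizard's "Read all user information" task are assumptions. The two conditional grants at the end correspond to the cn=Configuration and Pre-Windows 2000 Compatible Access cases from the TechNet extract in the next post.

```powershell
# Added example (not from the original post): PowerShell equivalent of steps A and B,
# using the ActiveDirectory module and the AD: PSDrive.
# Assumptions: the sync account is SRV-PFS and the script runs as a Domain Admin.
Import-Module ActiveDirectory

$PfsAccount = 'SRV-PFS'   # assumed sAMAccountName of the PFS account

# Well-known rightsGuid of the "Replicating Directory Changes" control access right
# (DS-Replication-Get-Changes). This is the only extended right the sync needs;
# the separate "Replicating Directory Changes All" right is deliberately not granted.
$ReplicateChangesGuid = [Guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
# Well-known schemaIDGUID of the "user" object class, used to scope the read ACE.
$UserClassGuid = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

function Add-AdAce {
    # Append one Allow ACE to the security descriptor of an AD object and write it back.
    param(
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid,
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [Guid]$ObjectType = [Guid]::Empty,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance = 'None',
        [Guid]$InheritedObjectType = [Guid]::Empty
    )
    $path = "AD:\$DistinguishedName"
    $acl  = Get-Acl -Path $path
    $ace  = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Sid, $Rights, [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType, $Inheritance, $InheritedObjectType)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
}

$sid     = (Get-ADUser -Identity $PfsAccount).SID
$domain  = Get-ADDomain
$rootDse = Get-ADRootDSE

# Step A: read-only access to user objects below the domain root
# (approximates "Read all user information" in the delegation wizard).
Add-AdAce -Sid $sid -DistinguishedName $domain.DistinguishedName `
    -Rights GenericRead -Inheritance Descendents -InheritedObjectType $UserClassGuid

# Step B: "Replicating Directory Changes" on the domain naming context.
Add-AdAce -Sid $sid -DistinguishedName $domain.DistinguishedName `
    -Rights ExtendedRight -ObjectType $ReplicateChangesGuid

# Extra case: NetBIOS name differs from the first DNS label (e.g. CONTOSO vs
# contoso-corp.com), so the same right is also needed on cn=Configuration.
if ($domain.NetBIOSName -ne $domain.DNSRoot.Split('.')[0]) {
    Add-AdAce -Sid $sid -DistinguishedName $rootDse.configurationNamingContext `
        -Rights ExtendedRight -ObjectType $ReplicateChangesGuid
}

# Extra case: a Windows Server 2003 domain controller is still in the domain.
$dc2003 = Get-ADDomainController -Filter * | Where-Object { $_.OperatingSystem -like '*2003*' }
if ($dc2003) {
    Add-ADGroupMember -Identity 'Pre-Windows 2000 Compatible Access' -Members $PfsAccount
}
```

Run it once as a Domain Admin; Get-Acl/Set-Acl on the AD: drive append the ACE rather than replacing the existing DACL, so re-running only produces duplicate entries, which the review script in the next post will show.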
Posted by adisimon
Profile synchronization overview
The User Profile Synchronization service allows you to create user profiles by importing information from other systems that are used in your organization. This service is the core of the synchronization architecture in SharePoint Server 2010. When you start the User Profile Synchronization service on the synchronization server, SharePoint Server 2010 provisions a version of Microsoft Forefront Identity Manager (FIM) to participate in synchronization.
You can create new profiles and import profile properties by synchronizing with a directory service. When you synchronize with a directory service, SharePoint Server 2010 does the following:
- Creates a user profile for each new user in the directory service containers that are being synchronized, and fills in the properties of each new profile with data from the directory service.
- Deletes the profile of any user that was removed from the directory service.
- For properties that are being imported, updates the property in the SharePoint user profile if the corresponding value in the directory service has changed.
For more information, please refer to this article.
Plan for profile synchronization
Note: For more information and complete planning worksheet, please refer to this article.
Each property in a user’s profile can come from an external system. There are two types of external systems: directory services and business systems. The phrase business system is used to mean an external system that is not a directory service. SAP, Siebel, SQL Server, and custom applications are all examples of business systems. This wiki entry assumes and focuses on properties that come from directory services alone.
Each user that you want to have a profile in SharePoint Server must have an identity in a directory service. If users are not represented in a directory service, you cannot synchronize user profiles.
To indicate that a user profile property comes from an external system, you map the property to a specific attribute of the external system. Certain user profile properties are mapped by default. For a list of the default mappings for each type of directory service, see Default user profile property mappings (SharePoint Server 2010). When you synchronize profile information, in addition to importing profile properties from external systems, you can also write data back to a directory service. To indicate that SharePoint Server should export (i.e., write back to directory services) a user profile property, you map the property, and set the direction of the mapping to Export. Note that all mapping directions are set to Import by default.
Under the hood: How user profile synchronization works in SharePoint 2010
This MSDN blog post describes the concepts and how user profile synchronization happens within Forefront Identity Manager 2010.
Account permissions for Active Directory Domain Services (AD DS)
In order to allow SharePoint 2010 User Profile Service (UPS) to do a profile synchronization to Active Directory, a service account needs to be provisioned and the correct level of access needs to be granted to this account. This TechNet article describes the access needed for this service account. For consistency, we will be referring to this account as the profile synchronization account (PFS account).
An extract from the technet article:
- It must have Replicate Directory Changes permission on the domain that you will synchronize with. For more information, see the Grant Replicate Directory Changes permission on a domain section of the “Grant Active Directory Domain Services permissions for profile synchronization” procedural reference article.
Note: The Replicate Directory Changes permission allows an account to query for the changes in the directory. This permission does not allow an account to make any changes in the directory.
- If the domain controller is running Windows Server 2003, the synchronization account must be a member of the Pre-Windows 2000 Compatible Access built-in group. For more information, see the Add an account to the Pre-Windows 2000 Compatible Access group section of the “Grant Active Directory Domain Services permissions for profile synchronization” procedural reference article.
- If the NetBIOS name of the domain differs from the fully qualified domain name, the synchronization account must have Replicate Directory Changes permission on the cn=configuration container. For example, if the NetBIOS domain name is contoso and the fully qualified domain name is contoso-corp.com, you must grant Replicate Directory Changes permission on the cn=configuration container. For more information, see the Grant Replicate Directory Changes permission on the cn=configuration container section of the “Grant Active Directory Domain Services permissions for profile synchronization” procedural reference article.
- If you will export property values from SharePoint Server to AD DS, the synchronization account must have Create Child Objects (this object and all descendants) and Write All Properties (this object and all descendants) permissions on the organizational unit (OU) that you are synchronizing with. For more information, see the Grant Create Child Objects and Write permission section of the “Grant Active Directory Domain Services permissions for profile synchronization” procedural reference article.
This is the official documentation on MSDN regarding the Replicating Directory Changes extended right in the AD schema.
According to the MSDN blog post above, the profile synchronization service leverages FIM to query for attribute changes within the directory service (in this case, AD DS). This KB article provides additional information about the rights required to poll these changes.
There are official articles by Microsoft and a few sources such as this KB article, an excellent blog post on harbar.net and this MSDN blog post maintained by a Microsoft employee which state that Replicating Directory Changes does not mean write access to the directory. To further prove this, an Active Directory auditing exercise can be conducted. Here is a step-by-step guide on how to perform this.
First class resource
This official article on how to configure profile synchronization service is a first-class resource provided by Microsoft.
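A scripted review of the permissions discussed in this thread, added as an example and not taken from the post or from Microsoft's articles. It lists every ACE naming the sync account on the domain root and on cn=Configuration, marks the one Replicating Directory Changes right as expected, and flags anything write-capable or any extended right beyond it, which is the check behind the "this right does not mean write access" point above. The account name SRV-PFS is an assumption.

```powershell
# Added example (not from the original thread): audit what the sync account
# actually holds on the domain root and cn=Configuration, and flag anything
# beyond the documented minimum. Assumed account name: SRV-PFS.
Import-Module ActiveDirectory

$PfsAccount = 'SRV-PFS'   # assumed sAMAccountName

# The only extended right the profile sync needs: "Replicating Directory Changes".
$ReplicateChangesGuid = [Guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'

# Any of these bits lets the ACE modify the directory. The documented write grants
# (Create Child / Write All Properties) are only needed for export, and only on
# the OU being synchronized, never on the domain root or cn=Configuration.
$WriteMask = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild, WriteProperty, Delete, DeleteTree, GenericWrite, GenericAll, WriteDacl, WriteOwner'

function Resolve-ExtendedRightName {
    # Map a control access right GUID to its display name via CN=Extended-Rights.
    param([Parameter(Mandatory)][Guid]$RightsGuid)
    $config = (Get-ADRootDSE).configurationNamingContext
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$config" `
        -LDAPFilter "(rightsGuid=$RightsGuid)" -Properties displayName
    if ($obj) { $obj.displayName } else { $RightsGuid.ToString() }
}

function Get-PfsAceReport {
    # Return one classified record per ACE that names the account on the object.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$DistinguishedName
    )
    $sid  = (Get-ADUser -Identity $SamAccountName).SID
    $acl  = Get-Acl -Path "AD:\$DistinguishedName"
    # Ask for SID-form identities so the match does not depend on name formatting.
    $aces = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference -eq $sid }

    foreach ($ace in $aces) {
        $rights = $ace.ActiveDirectoryRights
        $isExtended = ([int]($rights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) -ne 0
        if ($ace.AccessControlType -ne 'Allow') {
            $verdict = 'INFO: Deny ACE'
        } elseif ($isExtended) {
            if ($ace.ObjectType -eq $ReplicateChangesGuid) {
                $verdict = 'OK: Replicating Directory Changes (query changes only, no write)'
            } elseif ($ace.ObjectType -eq [Guid]::Empty) {
                $verdict = 'REVIEW: all extended rights granted, not just Replicating Directory Changes'
            } else {
                $verdict = "REVIEW: extra extended right '$(Resolve-ExtendedRightName $ace.ObjectType)'"
            }
        } elseif (([int]($rights -band $WriteMask)) -ne 0) {
            $verdict = 'REVIEW: write-capable right here; profile import only needs read'
        } else {
            $verdict = 'OK: read-only'
        }
        [pscustomobject]@{
            Object  = $DistinguishedName
            Rights  = $rights.ToString()
            Inherit = $ace.InheritanceType.ToString()
            Verdict = $verdict
        }
    }
}

$domain = Get-ADDomain
$config = (Get-ADRootDSE).configurationNamingContext
$report = @(Get-PfsAceReport -SamAccountName $PfsAccount -DistinguishedName $domain.DistinguishedName) +
          @(Get-PfsAceReport -SamAccountName $PfsAccount -DistinguishedName $config)
$report | Format-Table -AutoSize

# Group check from the TechNet extract: expected only while a 2003 DC is present.
$groups = Get-ADPrincipalGroupMembership -Identity $PfsAccount | Select-Object -ExpandProperty Name
if ($groups -contains 'Pre-Windows 2000 Compatible Access') {
    Write-Output 'INFO: member of Pre-Windows 2000 Compatible Access (needed only for Windows Server 2003 DCs)'
}
```

A correctly provisioned account shows exactly one OK extended-right row per object it was granted on plus the read-only row from the delegation step; any REVIEW row means the account holds more than the import scenario described in the TechNet article requires.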