Grant Permissions for SharePoint User Profile Service Accounts – Replicate Directory Changes

If you have installed SharePoint Server with Active Directory authentication, one of the greatest benefits is that you get a central place to manage all your objects, such as users, addresses and records. A nice SharePoint feature is that you can synchronize all AD users into SharePoint and keep managing them centrally in AD, with those changes also synchronized into the SharePoint User Profile Service application so that everything stays up to date. For this you need the User Profile Service application created. I'm writing this post because creating the service application is not enough: you also have to delegate a certain level of permission to the User Profile Service application account (its identity) so that it can replicate changes from AD. SharePoint will have the service application, but if you have not done this delegation, the service application won't be able to replicate objects or changes from AD.

So let's get started and make our UPS functional. The whole procedure is done in AD only; nothing needs to be done in SharePoint if you have already created the service application and its synchronization connection to your AD.

    1. Launch Active Directory Users and Computers, right-click your domain and click "Delegate Control".

    2. The Delegation of Control Wizard opens; simply click Next to proceed.

    3. Add the relevant service accounts (the User Profile Service application identity).

    4. Choose "Create a custom task to delegate" in the next window.

    5. Choose "This folder, existing objects in this folder, and creation of new objects in this folder" (the first option) in the next window.

    6. Under the General category, select "Replicate Directory Changes" and click Next.

    7. Click "Finish" to complete the wizard.

    8. Now launch ADSI Edit by typing "adsiedit.msc" in "Run".

    9. In the ADSI Edit window, expand Configuration, right-click the Configuration container and open its Properties.

    10. Go to the Security tab and add the service accounts with the "Replicate Directory Changes" permission.

    11. Click OK to close the window and close ADSI Edit to complete.
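The same delegation, scripted, as an added example that is not part of the original post: it grants "Replicate Directory Changes" to the sync account on both the domain partition (steps 1-7) and the Configuration partition (steps 8-11), then lists every identity holding a replication right on those partitions so you can verify the result and audit it later. It assumes the ActiveDirectory PowerShell module is available on the machine; the account name is a placeholder.

```powershell
# Added example (not the original post's code). Requires the ActiveDirectory
# module (RSAT); run as an account allowed to modify the partition ACLs.
Import-Module ActiveDirectory

$serviceAccount = 'CONTOSO\svc-upsync'   # placeholder: your UPS sync identity

# Well-known GUIDs of the two replication control access rights
$replicateChangesGuid = [Guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'  # Replicate Directory Changes
$replicateAllGuid     = [Guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'  # Replicate Directory Changes All

$rootDse = Get-ADRootDSE
$partitions = @(
    $rootDse.defaultNamingContext,        # DC=...   (what the wizard in steps 1-7 targets)
    $rootDse.configurationNamingContext   # CN=Configuration,DC=...   (steps 8-11)
)

$sid = (New-Object System.Security.Principal.NTAccount($serviceAccount)).
    Translate([System.Security.Principal.SecurityIdentifier])

foreach ($dn in $partitions) {
    $acl = Get-Acl -Path "AD:\$dn"
    # Replication rights are evaluated on the partition root, so the ACE is
    # applied to that object only (no inheritance onto child objects).
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $replicateChangesGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
    )
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$dn" -AclObject $acl
}

# Verify and audit: who holds either replication right on each partition.
# The UPS sync account only needs "Replicate Directory Changes"; the "...All"
# right also exposes secret attributes and should not appear for it.
foreach ($dn in $partitions) {
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $_.ObjectType -in @($replicateChangesGuid, $replicateAllGuid) } |
        Select-Object @{ n = 'Partition'; e = { $dn } },
                      IdentityReference,
                      @{ n = 'Right'; e = {
                          if ($_.ObjectType -eq $replicateAllGuid) { 'Replicate Directory Changes All' }
                          else { 'Replicate Directory Changes' } } }
}
```

The final listing is worth re-running periodically: any identity holding "Replicate Directory Changes All" that is not a domain controller or a known replication service deserves a second look.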
