Checking the "Replicating Directory Changes" permission for an account with PowerShell


This script is a quick way to check whether the user profile synchronization account has the directory replication permission it needs, i.e. whether it is correctly configured.

This was tested at Structural Projects Group after their on-premises AD accounts had been synchronized to the Office 365 hosted AD with DirSync.

Note: a bi-directional trust needs to exist between the two ADs.

Save the script below to a file named CheckRDC.ps1.
Usage:
Open the SharePoint Management Shell (any PowerShell console on a domain-joined machine works, since the script only uses ADSI) and run:
PS> .\CheckRDC.ps1 "DOMAIN\username"


The script reports whether the account (for example the SP_UPS synchronization account) has an ACE granting the "Replicating Directory Changes" extended right on both the domain naming context and the configuration naming context. It only reads the ACLs; it does not grant anything, and it only looks for ACEs assigned directly to the account, so a right obtained through group membership is reported as missing.

```powershell
param( [string] $userName = "" )

function Check-ADUserPermission(
    [System.DirectoryServices.DirectoryEntry]$entry,
    [string]$user,
    [string]$permission)
{
    # Look up the control-access right by display name to obtain its rightsGuid
    $dse = [ADSI]"LDAP://Rootdse"
    $ext = [ADSI]("LDAP://CN=Extended-Rights," + $dse.ConfigurationNamingContext)
    $right = $ext.psbase.Children | ? { $_.DisplayName -eq $permission }

    if ($right -ne $null)
    {
        # Allow ACEs on this naming context assigned directly to the account for that
        # extended right (group-derived access is not evaluated; Deny ACEs are ignored)
        $perms = $entry.psbase.ObjectSecurity.Access |
            ? { $_.IdentityReference.Value -eq $user } |
            ? { $_.ObjectType -eq [GUID]$right.RightsGuid.Value } |
            ? { $_.AccessControlType -eq 'Allow' }
        return ($perms -ne $null)
    }
    else
    {
        Write-Warning "Permission '$permission' not found."
        return $false
    }
}

# Globals
$replicationPermissionName = "Replicating Directory Changes"

# Main()
if ([string]::IsNullOrEmpty($userName))
{
    Write-Error "Usage: .\CheckRDC.ps1 DOMAIN\username"
    return
}

$dse = [ADSI]"LDAP://Rootdse"
$entries = @(
    [ADSI]("LDAP://" + $dse.defaultNamingContext),
    [ADSI]("LDAP://" + $dse.configurationNamingContext));

Write-Host "User '$userName': "
foreach ($entry in $entries)
{
    $result = Check-ADUserPermission $entry $userName $replicationPermissionName
    if ($result)
    {
        Write-Host "`thas a '$replicationPermissionName' permission on '$($entry.distinguishedName)'" `
            -ForegroundColor Green
    }
    else
    {
        Write-Host "`thas no '$replicationPermissionName' permission on '$($entry.distinguishedName)'" `
            -ForegroundColor Red
    }
}
```
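The script above only matches ACEs assigned directly to the account, treats a Deny ACE the same as an Allow, and checks a single extended right. The following is an added example (my own code, not the original post's script) that closes those gaps: it resolves the account's SID and its tokenGroups (nested group membership as computed by the DC), maps all three "Replicating Directory Changes*" control-access rights by GUID, evaluates Allow and Deny ACEs on the domain and configuration naming contexts, and honours ACEs that grant every extended right at once (empty ObjectType). It assumes a domain-joined host and an account that can read the naming contexts' security descriptors and the target account's tokenGroups attribute; the function name Get-ReplicationRightStatus is my own.

```powershell
# Added example, not the original post's script. Assumes a domain-joined host and that the
# caller can read the naming contexts' ACLs and the target account's tokenGroups attribute.
param(
    [Parameter(Mandatory = $true)]
    [string]$UserName          # DOMAIN\username
)

# Resolve the account to its SID and collect the SIDs of every group it belongs to.
# tokenGroups is computed by the DC and already includes nested group membership.
$userSid = (New-Object System.Security.Principal.NTAccount($UserName)).Translate([System.Security.Principal.SecurityIdentifier])
$userEntry = [ADSI]("LDAP://<SID=" + $userSid.Value + ">")
$userEntry.psbase.RefreshCache(@("tokenGroups"))
$principalSids = @($userSid.Value)
foreach ($sidBytes in $userEntry.psbase.Properties["tokenGroups"]) {
    $principalSids += (New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)).Value
}

# Map the rightsGuid of each replication control-access right to its display name
# ("Replicating Directory Changes", "... All", "... In Filtered Set")
$rootDse = [ADSI]"LDAP://RootDSE"
$extendedRights = [ADSI]("LDAP://CN=Extended-Rights," + $rootDse.configurationNamingContext)
$replRights = @{}
foreach ($right in $extendedRights.psbase.Children) {
    $name = [string]$right.displayName
    if ($name -like "Replicating Directory Changes*") {
        $replRights[[guid]$right.rightsGuid.Value] = $name
    }
}

function Get-ReplicationRightStatus {
    param([System.DirectoryServices.DirectoryEntry]$Entry)

    $allowed = @{}
    $denied = @{}
    $extRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    # Explicit and inherited rules, identities reported as SIDs so they match $principalSids
    $rules = $Entry.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    foreach ($rule in $rules) {
        if ($principalSids -notcontains $rule.IdentityReference.Value) { continue }
        if (($rule.ActiveDirectoryRights -band $extRight) -eq 0) { continue }

        # An ExtendedRight ACE with an empty ObjectType grants (or denies) all extended rights
        if ($rule.ObjectType -eq [guid]::Empty) { $names = @($replRights.Values) }
        elseif ($replRights.ContainsKey($rule.ObjectType)) { $names = @($replRights[$rule.ObjectType]) }
        else { continue }

        foreach ($name in $names) {
            if ($rule.AccessControlType -eq 'Deny') { $denied[$name] = $true }
            else { $allowed[$name] = $true }
        }
    }

    $status = @{}
    foreach ($name in $replRights.Values) {
        # A matching Deny ACE wins over any Allow ACE
        if ($denied[$name]) { $status[$name] = 'Denied' }
        elseif ($allowed[$name]) { $status[$name] = 'Allowed' }
        else { $status[$name] = 'Not granted' }
    }
    return $status
}

$domainNc = [string]$rootDse.defaultNamingContext
$configNc = [string]$rootDse.configurationNamingContext
foreach ($nc in @($domainNc, $configNc)) {
    $entry = [ADSI]("LDAP://" + $nc)
    Write-Host "$UserName on $nc"
    $status = Get-ReplicationRightStatus $entry
    foreach ($name in ($status.Keys | Sort-Object)) {
        $color = if ($status[$name] -eq 'Allowed') { 'Green' } else { 'Red' }
        Write-Host ("`t{0,-45} {1}" -f $name, $status[$name]) -ForegroundColor $color
    }
}
```

Like the original, this only reads ACLs and grants nothing. Two caveats remain: tokenGroups covers domain group membership but not the well-known SIDs added at logon (such as Authenticated Users), so a right granted only to those would still show as "Not granted"; and "Replicating Directory Changes All" is a much more powerful right (it allows reading password hashes via DCSync-style replication), so an account that shows Allowed for it without needing it deserves a closer look.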


