“Replicating Directory Permissions” to the User Profile Synchronisation account


Self Note:

To create SharePoint managed service accounts see – https://consultantpoint.wordpress.com/2017/06/07/sharepoint-server-service-accounts-populating-in-active-directory/

Steps to add “Replicating Directory Permissions” to the User Profile Synchronisation account

1. Open “Active Directory Users and Computers”. Right-click the domain name in the management console and select “Delegate Control…”.


2. On the “Delegation of Control Wizard” welcome screen click “Next”. On the “Users or Groups” screen, click “Add”, add your User Profile Sync account, and click “Next”.


3. On the “Tasks to Delegate” screen, select “Create a custom task to delegate” and click “Next”.


4. On the “Active Directory Object Type” screen, accept the default settings and click “Next”.


5. On the “Permissions” screen, check the box to allow “Replicating Directory Changes” (the same extended right name the script below looks up) and click “Next”. The last screen is a summary; click “Finish”.

To verify that the account actually received the right, run the following script:

Import-Module ActiveDirectory

# Function to check whether an AD account holds a given extended right on a directory entry.
# I need to change Tobias Lekman's script to work for my environments - this is based on his script.
function Check-ADUserPermission(
    [System.DirectoryServices.DirectoryEntry]$entry,
    [string]$user,
    [string]$permission)
{
    $dse = [ADSI]"LDAP://RootDSE"
    $ext = [ADSI]("LDAP://CN=Extended-Rights," + $dse.configurationNamingContext)
    # Assumes the account lives in the same domain the script is run from
    $domain = $env:USERDOMAIN

    # Resolve the display name of the extended right to its rightsGuid
    $right = $ext.psbase.Children |
        Where-Object { $_.displayName -eq $permission }

    if ($null -ne $right)
    {
        # Look for an ACE granted to DOMAIN\user whose ObjectType is that right
        # (-eq is case-insensitive in PowerShell, so no ToLower() is needed)
        $perms = $entry.psbase.ObjectSecurity.Access |
            Where-Object { $_.IdentityReference.Value -eq "$domain\$user" } |
            Where-Object { $_.ObjectType -eq [GUID]$right.rightsGuid.Value }

        # Wrap in @() so one or many matching ACEs both count as "has the right"
        return (@($perms).Count -gt 0)
    }
    else
    {
        Write-Warning "Permission '$permission' not found."
        return $false
    }
}

# Function to check whether an AD account has the Replicating Directory Changes permission -
# based on Tobias Lekman's script  http://lekman.codeplex.com/releases/view/65930
function Check-ReplicateChanges([string]$userName)
{
    $replicationPermissionName = "Replicating Directory Changes"
    $dse = [ADSI]"LDAP://RootDSE"
    # The right is checked on both the domain and the configuration naming contexts
    $entries = @(
        [ADSI]("LDAP://" + $dse.defaultNamingContext),
        [ADSI]("LDAP://" + $dse.configurationNamingContext))
    Write-Host -ForegroundColor Blue " User '$userName': "
    foreach ($entry in $entries)
    {
        $result = Check-ADUserPermission $entry $userName $replicationPermissionName
        if ($result)
        {
            Write-Host "   has '$replicationPermissionName' permissions on '$($entry.distinguishedName)'" `
                -ForegroundColor Green
        }
        else
        {
            Write-Host "   does NOT have '$replicationPermissionName' permissions on '$($entry.distinguishedName)'" `
                -ForegroundColor Red
            # Check if the account is a Domain Admin (direct or nested membership)
            $isDomainAdmin = @(Get-ADGroupMember -Identity "Domain Admins" -Recursive |
                Where-Object { $_.SamAccountName -eq $userName }).Count -gt 0
            if ($isDomainAdmin)
            {   Write-Host "   is a Domain Administrator" -ForegroundColor Green }
            else
            {
                Write-Host "   add 'replication permissions' or a work around (less secure) is to add the User Profile Sync account as a local admin " -ForegroundColor Red
                Write-Host "   see http://blog.sharepointsite.co.uk/2012/11/powershell-to-create-user-accounts-for.html for instructions to setup accounts and replication" -ForegroundColor Red
            }
        }
    }
}

Clear-Host

Check-ReplicateChanges "SP_ProfileSync"
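The script above answers "does this one account have the right?". After a delegation like this it is worth asking the wider question, "who holds this right on the domain?", because the same extended right lets any holder pull password data from a domain controller and the list should stay short. The following is an added example, not part of the original post or of Tobias Lekman's script; it assumes the ActiveDirectory module is loaded (which also provides the AD: drive used by Get-Acl), that it runs as a user allowed to read the domain's ACL, and it resolves the right's GUID from the Extended-Rights container the same way the script above does rather than hard-coding it. The function name Get-ReplicationRightHolders is my own.

```powershell
# Added example (not from the original post): list every principal that holds the
# "Replicating Directory Changes" extended right on the domain naming context.
Import-Module ActiveDirectory

function Get-ReplicationRightHolders
{
    param(
        # Display name of the extended right as it appears under CN=Extended-Rights
        [string]$PermissionName = "Replicating Directory Changes"
    )

    $dse = [ADSI]"LDAP://RootDSE"
    $ext = [ADSI]("LDAP://CN=Extended-Rights," + $dse.configurationNamingContext)

    # Resolve the display name to its rightsGuid instead of hard-coding the GUID
    $right = $ext.psbase.Children | Where-Object { $_.displayName -eq $PermissionName }
    if ($null -eq $right) { throw "Extended right '$PermissionName' not found." }
    $rightGuid = [GUID]$right.rightsGuid.Value

    # Read the ACL of the domain naming context through the AD: drive
    $domainDn = $dse.defaultNamingContext.Value
    $acl = Get-Acl -Path ("AD:\" + $domainDn)

    $extendedRightBit = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            # GenericAll also sets the ExtendedRight bit, so full-control holders are included
            (([int]$_.ActiveDirectoryRights -band $extendedRightBit) -ne 0) -and
            # An empty ObjectType means "all extended rights", which covers this one too
            ($_.ObjectType -eq $rightGuid -or $_.ObjectType -eq [GUID]::Empty)
        } |
        Select-Object @{ n = 'Identity';  e = { $_.IdentityReference.Value } },
                      @{ n = 'Scope';     e = { if ($_.ObjectType -eq [GUID]::Empty) { 'All extended rights' } else { $PermissionName } } },
                      @{ n = 'Inherited'; e = { $_.IsInherited } }
}

# Expected holders are normally the domain controllers, Domain Admins / Administrators and,
# after the steps above, the profile sync account; anything else deserves a second look.
Get-ReplicationRightHolders | Sort-Object Identity | Format-Table -AutoSize
```

Running this before and after the delegation gives a clean diff of what changed, and keeping the output from a known-good state makes it easy to spot an unexpected holder later.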


The required path is working just fine, so I am not going to bother much about the rest of the path.