In this article, I will explain how to set the User Profile Synchronization Service account permission in Active Directory.
The required service account permission for the User Profile Synchronization Service in AD.
Before configuring the User Profile Synchronization Service (UPSS), you should first assign the Replicate Directory Changes permission in Active Directory to the service account that will be used to run it.
What’s the Replicate Directory Changes Permission?
The Replicate Directory Changes permission enables the synchronization account to:
- Read AD DS objects.
- Discover AD DS objects that have been changed in the domain.

The permission does not enable an account to create, modify or delete AD DS objects.
Grant the Replicate Directory Changes permission to an account on Windows Server 2012 Active Directory
- On the domain controller server, click Start.
- Search for Active Directory Users and Computers and run it as administrator.
- In Active Directory Users and Computers, right-click the domain, and then click Delegate Control.
- On the first page of the Delegation of Control Wizard, click Next.
- On the Users or Groups page, click Add, type the name of the synchronization account, click OK, and then click Next.
- On the Tasks to Delegate page, select Create a custom task to delegate, and then click Next.
- On the Active Directory Object Type page, select This folder, existing objects in this folder, and creation of new objects in this folder, and then click Next.
- On the Permissions page, in the Permissions box, select Replicating Directory Changes and then click Next.
- Click Finish.
- SharePoint 2016.
- SharePoint 2013.
- SharePoint 2010.
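
The result of the delegation steps above can be checked by reading the ACL on the domain root. The following PowerShell is an added example, not part of the original article: the function name Test-SyncAccountAcl, the account names and the sample ACEs are constructed for illustration. It also flags the broader Replicating Directory Changes All right and any write rights, neither of which the steps above grant.

```powershell
# Added example: audit which replication rights an account holds on the domain root.
# Extended-right GUIDs (rightsGuid values of the controlAccessRight objects in AD).
$GetChanges    = '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'  # Replicating Directory Changes
$GetChangesAll = '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'  # Replicating Directory Changes All
$AllRights     = '00000000-0000-0000-0000-000000000000'  # ACE covers every extended right

function Test-SyncAccountAcl {
    param(
        [Parameter(Mandatory)] [object[]] $Access,   # ACEs, e.g. (Get-Acl ...).Access
        [Parameter(Mandatory)] [string]   $Account   # DOMAIN\name of the sync account
    )
    # Only Allow ACEs that name the account directly; group membership is not resolved.
    $aces = @($Access | Where-Object {
        "$($_.IdentityReference)" -eq $Account -and "$($_.AccessControlType)" -eq 'Allow'
    })
    $extended = @($aces | Where-Object {
        "$($_.ActiveDirectoryRights)" -match 'ExtendedRight|GenericAll'
    })
    $guids = @($extended | ForEach-Object { "$($_.ObjectType)".ToLower() })
    # The permission should be read-only, so any of these rights is unexpected.
    $write = @($aces | Where-Object {
        "$($_.ActiveDirectoryRights)" -match 'GenericAll|GenericWrite|WriteProperty|CreateChild|Delete|WriteDacl|WriteOwner'
    })
    [pscustomobject]@{
        Account          = $Account
        HasGetChanges    = ($guids -contains $GetChanges)    -or ($guids -contains $AllRights)
        HasGetChangesAll = ($guids -contains $GetChangesAll) -or ($guids -contains $AllRights)
        HasWriteRights   = $write.Count -gt 0
    }
}

# Constructed sample ACEs using the property names of real ActiveDirectoryAccessRule objects.
$sample = @(
    [pscustomobject]@{ IdentityReference = 'CONTOSO\svc-spups'; AccessControlType = 'Allow'
                       ActiveDirectoryRights = 'ExtendedRight'; ObjectType = $GetChanges }
    [pscustomobject]@{ IdentityReference = 'CONTOSO\svc-other'; AccessControlType = 'Allow'
                       ActiveDirectoryRights = 'ExtendedRight'; ObjectType = $GetChangesAll }
)
Test-SyncAccountAcl -Access $sample -Account 'CONTOSO\svc-spups'
Test-SyncAccountAcl -Access $sample -Account 'CONTOSO\svc-other'

# Against a live domain (requires the ActiveDirectory module), pass this instead of $sample:
#   Import-Module ActiveDirectory
#   (Get-Acl "AD:\$((Get-ADDomain).DistinguishedName)").Access
```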