SharePoint Experts, Information Architects, Expert Witness

SICG provides a broad array of business and technology consulting from architecture to design to deployment of global systems with a focus on surfacing data in the enterprise. We focus on the "How", not just the possible. Contact me direct: or call 704-873-8846 x704.


Tuesday, April 5, 2011

Setup of SharePoint User Profiles - cannot synchronize

As you may or may not know, setting up the User Profile Service requires a special permission, specifically for the account that will be used to run the synchronization. Most of the installation instructions out there miss this setting.

The symptoms are not always obvious, but usually the result is that no user profiles are imported at all. The two links you need are these:

- Microsoft SharePoint Product Group: How to set Replication Directory Changes
- KB303972: How to grant the "Replicating Directory Changes" permission for the Microsoft Metadirectory Services ADMA service account

However, if you need to check whether an account already has the correct permission, you can use the PowerShell script below (shout out to Andrew "MossHater" for the script):

Just change the $userName variable in the script below and run it.

The output looks like this:

User 'EXAMPLE\User':
has a 'Replicating Directory Changes' permission on 'DC=example,DC=local'
has no a 'Replicating Directory Changes' permission on 'CN=Configuration,DC=example,DC=local'


function Check-ADUserPermission(
    [System.DirectoryServices.DirectoryEntry]$entry,
    [string]$user,
    [string]$permission)
{
    # Look up the extended right by display name in the Extended-Rights
    # container so we compare against its GUID rather than a hard-coded value.
    $dse = [ADSI]"LDAP://Rootdse"
    $ext = [ADSI]("LDAP://CN=Extended-Rights," + $dse.ConfigurationNamingContext)

    $right = $ext.psbase.Children |
        ? { $_.DisplayName -eq $permission }

    if($right -ne $null)
    {
        # Only ACEs that name the account directly are matched; a right granted
        # through group membership is not detected by this check.
        $perms = $entry.psbase.ObjectSecurity.Access |
            ? { $_.IdentityReference -eq $user } |
            ? { $_.ObjectType -eq [GUID]$right.RightsGuid.Value }

        return ($perms -ne $null)
    }
    else
    {
        Write-Warning "Permission '$permission' not found."
        return $false
    }
}

# Globals

$userName = "EXAMPLE\User"
$replicationPermissionName = "Replicating Directory Changes"

# Main()

$dse = [ADSI]"LDAP://Rootdse"

# Check both the domain partition and the configuration partition.
$entries = @(
    [ADSI]("LDAP://" + $dse.defaultNamingContext),
    [ADSI]("LDAP://" + $dse.configurationNamingContext));

Write-Host "User '$userName': "
foreach($entry in $entries)
{
    $result = Check-ADUserPermission $entry $userName $replicationPermissionName

    if($result)
    {
        Write-Host "`thas a '$replicationPermissionName' permission on '$($entry.distinguishedName)'" `
            -ForegroundColor Green
    }
    else
    {
        Write-Host "`thas no a '$replicationPermissionName' permission on '$($entry.distinguishedName)'" `
            -ForegroundColor Red
    }
}
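One thing to watch for: the script above only finds an ACE that names the account itself, so an account that holds the right through a group will be reported as having no permission. The variant below is an added example, not part of the original post or the MossHater script; it goes a step further and also matches ACEs granted to any group the account belongs to, using the same ADSI lookups. It assumes it runs on a domain-joined machine, and $userName is a constructed sample value.

```powershell
# Added example (not from the original post): like the script above, but also
# matches ACEs granted to any group the account is a member of, using the
# computed tokenGroups attribute (which already expands nested groups).
$userName   = "EXAMPLE\User"   # constructed sample; set to the sync account
$permission = "Replicating Directory Changes"

$dse = [ADSI]"LDAP://Rootdse"
$ext = [ADSI]("LDAP://CN=Extended-Rights," + $dse.ConfigurationNamingContext)
$right = $ext.psbase.Children | ? { $_.DisplayName -eq $permission }
if ($right -eq $null) { throw "Permission '$permission' not found." }
$rightGuid = [GUID]$right.RightsGuid.Value

# Find the account by sAMAccountName, then collect its own SID plus the SIDs
# of every group it belongs to.
$sam = $userName.Split('\')[-1]
$searcher = New-Object System.DirectoryServices.DirectorySearcher(
    [ADSI]("LDAP://" + $dse.defaultNamingContext),
    "(&(objectCategory=person)(sAMAccountName=$sam))")
$found = $searcher.FindOne()
if ($found -eq $null) { throw "Account '$userName' not found." }
$account = $found.GetDirectoryEntry()
$account.psbase.RefreshCache(@("tokenGroups"))
$sids = @(New-Object System.Security.Principal.SecurityIdentifier(
    $account.psbase.Properties["objectSid"][0], 0))
$sids += $account.psbase.Properties["tokenGroups"] |
    % { New-Object System.Security.Principal.SecurityIdentifier($_, 0) }
$sidValues = $sids | % { $_.Value }

$entries = @(
    [ADSI]("LDAP://" + $dse.defaultNamingContext),
    [ADSI]("LDAP://" + $dse.configurationNamingContext))

Write-Host "User '$userName' (including group membership):"
foreach ($entry in $entries) {
    # Read the ACL with identities as SIDs so no name translation is needed.
    # Only an ACE for this specific extended right is matched (a GenericAll ACE
    # would also grant it but is not reported here).
    $hits = $entry.psbase.ObjectSecurity.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier]) |
        ? { $_.AccessControlType -eq 'Allow' -and $_.ObjectType -eq $rightGuid } |
        ? { $sidValues -contains $_.IdentityReference.Value }
    if ($hits) {
        foreach ($ace in $hits) {
            $who = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount])
            Write-Host "`thas '$permission' on '$($entry.distinguishedName)' via $who" -ForegroundColor Green
        }
    } else {
        Write-Host "`thas no '$permission' on '$($entry.distinguishedName)'" -ForegroundColor Red
    }
}
```

Each matching line names the principal (the account itself or one of its groups) through which the right is held, which is what you want to know before deciding whether to grant it directly to the synchronization account.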
