SharePoint Experts, Information Architects, Expert Witness


Tuesday, April 5, 2011

Setup of SharePoint User Profiles - cannot synchronize

As you may or may not know, setting up the User Profile Service requires a special permission for the account that will be used for synchronization: the "Replicating Directory Changes" extended right on the domain. Most of the installation instructions out there miss this setting. Grant that right only, not "Replicating Directory Changes All"; the "All" right additionally lets the account read secret attributes such as password hashes, which turns the synchronization account into a path to full domain compromise.

The symptoms are not always obvious, but usually the result is that no user profiles are imported. The two links you need are here:
· Microsoft SharePoint Product Group: How to set Replication Directory Changes
· KB303972: How to grant the "Replicating Directory Changes" permission for the Microsoft Metadirectory Services ADMA service account

If you need to check whether an account already has the correct permission, you can use the PowerShell script below (shout out to Andrew "MossHater" for the script). Just change the $userName variable to the synchronization account and run the script on a domain-joined machine.

Output like:

User 'EXAMPLE\User':
    has a 'Replicating Directory Changes' permission on 'DC=example,DC=local'
    has no 'Replicating Directory Changes' permission on 'CN=Configuration,DC=example,DC=local'

Check-ADReplicatingChangesPermission.ps1

function Check-ADUserPermission(
    [System.DirectoryServices.DirectoryEntry]$entry,
    [string]$user,
    [string]$permission)
{
    # Extended rights (control access rights) are defined under CN=Extended-Rights
    # in the configuration naming context; look the requested one up by display
    # name to obtain its rightsGuid.
    $dse = [ADSI]"LDAP://RootDSE"
    $ext = [ADSI]("LDAP://CN=Extended-Rights," + $dse.ConfigurationNamingContext)

    $right = $ext.psbase.Children |
        ? { $_.DisplayName -eq $permission }

    if($right -ne $null)
    {
        # Match only Allow ACEs granted directly to this principal for this exact right.
        # Rights obtained through group membership are not resolved here, and an ACE
        # that grants all extended rights (empty ObjectType) is not matched either.
        $perms = $entry.psbase.ObjectSecurity.Access |
            ? { $_.IdentityReference.Value -eq $user } |
            ? { $_.AccessControlType -eq 'Allow' } |
            ? { $_.ObjectType -eq [GUID]$right.RightsGuid.Value }

        return ($perms -ne $null)
    }
    else
    {
        Write-Warning "Permission '$permission' not found."
        return $false
    }
}


# Globals

$userName = "EXAMPLE\User"
$replicationPermissionName = "Replicating Directory Changes"

# Main()

$dse = [ADSI]"LDAP://RootDSE"

# Check the domain naming context and the configuration naming context. The right
# on the configuration container is only required when the domain controllers
# run Windows Server 2003, so a red line for CN=Configuration is normal otherwise.
$entries = @(
    [ADSI]("LDAP://" + $dse.defaultNamingContext),
    [ADSI]("LDAP://" + $dse.configurationNamingContext))

Write-Host "User '$userName': "
foreach($entry in $entries)
{
    $result = Check-ADUserPermission $entry $userName $replicationPermissionName

    if($result)
    {
        Write-Host "`thas a '$replicationPermissionName' permission on '$($entry.distinguishedName)'" `
            -ForegroundColor Green
    }
    else
    {
        Write-Host "`thas no '$replicationPermissionName' permission on '$($entry.distinguishedName)'" `
            -ForegroundColor Red
    }
}
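Added example, not from the original post and not part of Andrew's script: once the check above reports that the synchronization account lacks the right, the following PowerShell grants exactly "Replicating Directory Changes" on the domain naming context and then audits who holds the far broader "Replicating Directory Changes All" right, which is the one that lets an account pull password hashes from a domain controller. The account name EXAMPLE\svc-ups and the two function names are assumptions; the two GUIDs are the schema-defined rightsGuid values of DS-Replication-Get-Changes and DS-Replication-Get-Changes-All. Run it as a Domain Admin on a domain-joined machine.

```powershell
# Added example (not part of the original post or Andrew's script).
# Grants exactly the "Replicating Directory Changes" control access right to the
# User Profile Synchronization account on the domain naming context, then audits
# who holds the far more powerful "Replicating Directory Changes All" right.
# Run as a Domain Admin on a domain-joined machine.

$syncAccount = "EXAMPLE\svc-ups"   # assumed name of the UPS synchronization account

# Schema-defined rightsGuid values of the two replication control access rights.
$GetChanges    = [Guid]"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"   # DS-Replication-Get-Changes
$GetChangesAll = [Guid]"1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"   # DS-Replication-Get-Changes-All

$rootDse  = [ADSI]"LDAP://RootDSE"
$domainNC = [ADSI]("LDAP://" + $rootDse.defaultNamingContext)

function Grant-ReplicatingDirectoryChanges {
    param(
        [System.DirectoryServices.DirectoryEntry]$Target,
        [string]$Account,
        [Guid]$Right = $GetChanges
    )
    # Resolve the account to a SID so the ACE is bound to the principal, not its name.
    $nt  = New-Object System.Security.Principal.NTAccount -ArgumentList $Account
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier])

    # ExtendedRight plus an object-type GUID grants exactly one control access right;
    # ExtendedRight with an empty GUID would grant every extended right at once.
    $adRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
                -ArgumentList $sid, $adRight, $allow, $Right

    $acl = $Target.psbase.ObjectSecurity
    $acl.AddAccessRule($rule)
    $Target.psbase.CommitChanges()   # writes the modified nTSecurityDescriptor
}

function Get-ReplicationRightHolders {
    param(
        [System.DirectoryServices.DirectoryEntry]$Target,
        [Guid]$Right
    )
    # Explicit and inherited Allow ACEs whose ObjectType is exactly this right.
    # Caveat: an ACE granting all extended rights (empty ObjectType, e.g. Full Control)
    # also covers the replication rights but is not matched by this GUID filter.
    $Target.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Where-Object { $_.ObjectType -eq $Right -and $_.AccessControlType -eq 'Allow' } |
        Select-Object IdentityReference, IsInherited
}

Grant-ReplicatingDirectoryChanges -Target $domainNC -Account $syncAccount

# Only when the domain controllers run Windows Server 2003 is the right also
# needed on the configuration naming context:
# $configNC = [ADSI]("LDAP://" + $rootDse.configurationNamingContext)
# Grant-ReplicatingDirectoryChanges -Target $configNC -Account $syncAccount

$domainNC.psbase.RefreshCache()   # re-read the security descriptor from the DC

Write-Host "Holders of 'Replicating Directory Changes' on $($domainNC.distinguishedName):"
Get-ReplicationRightHolders -Target $domainNC -Right $GetChanges | Format-Table -AutoSize

Write-Host "Holders of 'Replicating Directory Changes All' (expect domain controllers and admins only):"
Get-ReplicationRightHolders -Target $domainNC -Right $GetChangesAll | Format-Table -AutoSize

# The sync account must never hold the 'All' right: it allows reading every
# attribute, secrets included, from a DC (the DCSync technique).
$overGranted = Get-ReplicationRightHolders -Target $domainNC -Right $GetChangesAll |
    Where-Object { $_.IdentityReference.Value -eq $syncAccount }
if ($overGranted) {
    Write-Warning "$syncAccount holds 'Replicating Directory Changes All' on the domain; remove that ACE."
}
```

The same grant can be made from a command prompt with dsacls.exe, where CA selects a control access right by its display name: dsacls "DC=example,DC=local" /G "EXAMPLE\svc-ups:CA;Replicating Directory Changes". Whichever way the right is granted, the audit step is the part worth keeping: re-run it after any change to the domain ACL and treat a new holder of "Replicating Directory Changes All" as an incident until explained.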

