Setting “Special Permissions” on the Active Directory Sync Container
Created: 2012-04-20 08:09:59Modified: 2024-03-22 16:00:24
Tags: Active Directory UnitySync
Recent versions of Active Directory are becoming more reliant on enhanced access for the functions required to sync.
To avoid any permisssions issues at sync time, we recommend that you give your Destination login account Domain Admin credentials. This is the easiest and most reliable way to ensure you do not encounter permissions based errors when attempting to sync. Please see Domain Admin required for Destination Login for more information.
To use a Non Domain Admin you may apply ‘Special Permissions’ on the Sync OU. This will allow the sync to perform Adds, Mods, Deletes of objects and structure ONLY in the Sync OU.
Applying Special Permissions
Choose a Non-Admin User as your Sync account.
For this Sync User, permit “Read Only” access to the root of the destination domain. (This is necessary for bi-directional syncs as well as Join connections).
In Active Directory Users & Computers, Click ‘View’ and click ‘Advanced Features’. This allows you to see the Security Options.
Right Click the Sync OU and Select Properties.
Click the Security tab.
Click Advanced.
Click Add and select your Sync user account.
In the Allow list, check Full Control
Click Advanced.
Select the UnitySync account and click Edit.
Click Applies To and select “This object and all descendant objects”.
Click OK.
Click OK.
Click OK a third time.
Special Permissions have now been applied to your Sync User account. This User can read the entire domain but write ONLY to the selected Sync OU.
On your next sync run, confirm successful Add, Mod and/or Deletes. This indicates your Special Permissions are set up correctly.
Final Note (for the UnitySync Admin): When using a Non Admin account, a few changes must be made to your connection to allow syncing of legacyexchangedn and showinaddressbook. Please see Non Admin vs Domain Admin for syncing to destination AD for further instructions.