SharePoint 2010 User Profile Synchronization: directory sync account permissions and how to validate them

I'll cover some basics, including the components involved and the improvements made in this area (User Profile Synchronization). The User Profile Service Application contains several new and existing features carried over from previous SharePoint builds. A major improvement to SharePoint 2010 sync is that changes can now go both ways: the directory can be imported from and written back to.

Components

Forefront Identity Manager (FIM) is installed automatically when SharePoint 2010 is installed. The Farm Account (timer service account) is the account that runs both FIM services. One of the User Profile Application SQL databases is called the Sync database by default.

The account used to provision the User Profile Synchronization service requires the following:
· Farm Account (timer service account)
· Local Admin on the sync server (for the duration of sync provisioning)
· Logged on as that account during provisioning
· Member of the Pre-Windows 2000 Compatible Access group

Directory sync account

This is a different account from the provisioning account. It requires specific permissions on a directory server in order to read and "sometimes" write to the directory, and it is specified in step 3 of creating a sync connection: Central Admin\Application Management\Manage Service Applications\User Profile Service Application\Configure Synchronization Connections. Which permissions it needs depends on whether the domain's NetBIOS name is the same as the first portion of the domain's FQDN.

Permission requirements: Domain NetBIOS name is the same as the FQDN of the domain

This is the easiest scenario. Nothing must be done other than granting the dir sync account Replicate Directory Changes permission on each import domain naming context (NC).

Permission requirements: Domain NetBIOS name differs from the FQDN of the domain

The dir sync account requires Replicate Directory Changes permission on each import domain NC and on the Configuration NC, because the Configuration NC is where domain NetBIOS names are stored.
1. For the domain NC, utilize the same step described in the "Permission requirements: Domain NetBIOS name is the same as the FQDN of the domain" section.
2. Open ADSI Edit and connect to the Configuration naming context. Note: the account used to access the Configuration NC via ADSI Edit must be a member of the Enterprise Admins group to perform this operation.
3. Expand the Configuration object and right-click Properties on the configuration container, which is in DN format like the following: CN=Configuration,DC=Contoso,DC=com
4. Select the Security tab, hit Add, add the dir sync account, and grant Replicate Directory Changes (This object only). For example, Bill is my dir sync account.
5. Click OK.
6. Create a new sync connection via the UI: Central Admin\Application Management\Manage Service Applications\User Profile Service Application\Configure Synchronization Connections. Yes, this means you cannot use an existing sync connection and expect it to work.

Question: My AD administrator refuses to grant Replicating Directory Changes permission on the Configuration container without an explanation.
Answer: This is a read-only permission and will not write to the Configuration NC. The dir sync account requires it on the Config NC because that's where domain NetBIOS names are stored.

Question: My AD administrator refused to grant the dir sync account Replicating Directory Changes permission against the Configuration NC, so the account was only granted Replicating Directory Changes permission on the domain NC. This appears to work okay and I can view all my users' profiles in SharePoint after a full sync?
Answer: It's not that it won't work if the appropriate permissions are missing on the Config NC. The problem is an undesirable result: the SAM account name will show up with the first portion of the FQDN as the domain name instead of the NetBIOS name of the domain.

Question: How can I validate that the permission was properly set on the Config NC for the dir sync account after a full sync? This question assumes that the questioner doesn't have access to AD/ADSI Edit to validate the dir sync account's permissions directly.
Answer: Go to Central Admin\Application Management\Manage Service Applications\User Profile Service Application Management page\Manage User Profiles, search by the NetBIOS name of the domain, and ensure all user profiles appear.
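The ADSI Edit steps above are hard to audit by hand across several import domains. The following PowerShell is an added example, not code from the original post: it decides which scenario applies by comparing the domain's NetBIOS name with the first label of its FQDN, checks whether the dir sync account holds the Replicating Directory Changes extended right on the domain NC (and, when required, on the Configuration NC), and can grant it "This object only" exactly as the UI steps do. The account name CONTOSO\spsync is a hypothetical dir sync account; the script assumes the ActiveDirectory RSAT module and a caller allowed to read the ACLs (and, for the grant, Enterprise Admins for the Configuration NC, as noted above).

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory RSAT module,
# a hypothetical dir sync account CONTOSO\spsync, and a caller with rights to read
# (and, when remediating, modify) the ACLs on the domain NC and the Configuration NC.
Import-Module ActiveDirectory

# rightsGuid of the "Replicating Directory Changes" extended right (DS-Replication-Get-Changes).
$ReplicateDirectoryChanges = [Guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'

function Test-ReplicateDirectoryChanges {
    # Returns $true if $Identity holds an explicit Allow ACE for Replicating Directory Changes
    # on $DistinguishedName. Group-derived rights are not resolved here (see note below).
    param([string]$DistinguishedName, [string]$Identity)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $match = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $Identity -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        $_.ObjectType -eq $ReplicateDirectoryChanges
    }
    return [bool]$match
}

function Grant-ReplicateDirectoryChanges {
    # Adds an Allow ACE for Replicating Directory Changes with inheritance None,
    # which is what "This object only" means in the ADSI Edit Security tab.
    param([string]$DistinguishedName, [string]$Identity)
    $sid = (New-Object System.Security.Principal.NTAccount($Identity)).Translate(
        [System.Security.Principal.SecurityIdentifier])
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ReplicateDirectoryChanges,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$DistinguishedName" -AclObject $acl
}

$syncAccount = 'CONTOSO\spsync'                     # hypothetical dir sync account
$domain      = Get-ADDomain
$domainNC    = $domain.DistinguishedName
$configNC    = (Get-ADRootDSE).configurationNamingContext

# Which scenario from the post applies? Config NC permission is only needed when the
# NetBIOS name is not the first label of the FQDN (e.g. NetBIOS CONTOSO, FQDN corp.contoso.com).
$firstLabel    = ($domain.DNSRoot -split '\.')[0]
$needsConfigNC = $domain.NetBIOSName -ine $firstLabel

Write-Host "Domain NC : $domainNC"
Write-Host "Config NC : $configNC"
Write-Host ("NetBIOS '{0}' vs FQDN first label '{1}' -> Config NC permission {2}" -f
    $domain.NetBIOSName, $firstLabel, $(if ($needsConfigNC) { 'REQUIRED' } else { 'not required' }))

$targets = @($domainNC)
if ($needsConfigNC) { $targets += $configNC }

foreach ($nc in $targets) {
    if (Test-ReplicateDirectoryChanges -DistinguishedName $nc -Identity $syncAccount) {
        Write-Host "OK      : $syncAccount has Replicating Directory Changes on $nc"
    } else {
        Write-Warning "MISSING : $syncAccount lacks Replicating Directory Changes on $nc"
        # Uncomment to remediate. For the Configuration NC this requires Enterprise Admins.
        # Grant-ReplicateDirectoryChanges -DistinguishedName $nc -Identity $syncAccount
    }
}
```

The check only looks for an ACE naming the dir sync account itself; if the right was granted to a group the account belongs to, the test reports MISSING even though sync will work, so treat a MISSING result as "go and look" rather than proof of failure. Remember that, as the post says, a permission added after the fact is not picked up by an existing sync connection: create a new one.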
Multi-domain scenario: a root domain and a child domain exist

If users reside solely in the child domain, then the only requirement is to grant the dir sync account Replicate Directory Changes permission on the child domain NC. The dir sync account requires "no" permission within the root domain in order to successfully sync to/from the child domain. (The Configuration NC requirement described above is separate from domain NC permissions and still applies if the child domain's NetBIOS name differs from the first portion of its FQDN.)
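The "search Manage User Profiles by NetBIOS name" check above can be scripted so that every imported domain, root or child, is verified after a full sync. The following PowerShell is an added example, not code from the original post: it enumerates the profiles in the User Profile Service Application, tallies them by the domain prefix stored in AccountName, and flags profiles stored under the first label of the FQDN instead of the NetBIOS name, which is the symptom the post describes when the Configuration NC permission is missing. The site URL, the NetBIOS names and the FQDN labels are hypothetical values; it assumes the SharePoint 2010 Management Shell on a farm server and a caller with rights to the User Profile Service Application.

```powershell
# Added example (not from the original post). Run in the SharePoint 2010 Management Shell
# on a farm server. Site URL and domain names below are hypothetical.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-ProfileDomainSummary {
    # Returns a hashtable: domain prefix as stored in AccountName -> number of profiles.
    param([string]$SiteUrl)
    $site = Get-SPSite $SiteUrl
    try {
        $ctx = Get-SPServiceContext $site
        $upm = New-Object Microsoft.Office.Server.UserProfiles.UserProfileManager($ctx)
        $counts = @{}
        foreach ($p in $upm.GetEnumerator()) {
            $account = [string]$p['AccountName'].Value        # e.g. CONTOSO\bill or i:0#.w|contoso\bill
            $account = $account.Substring($account.LastIndexOf('|') + 1)   # strip a claims prefix if present
            $prefix  = ($account -split '\\')[0]
            if (-not $counts.ContainsKey($prefix)) { $counts[$prefix] = 0 }
            $counts[$prefix]++
        }
        return $counts
    } finally {
        $site.Dispose()
    }
}

# Hypothetical import domains: NetBIOS name -> first label of the domain FQDN.
# Only domains whose NetBIOS name differs from that label can show the symptom.
$expected = @{
    'CONTOSO' = 'corp'    # root domain corp.contoso.com
    'SALES'   = 'sls'     # child domain sls.corp.contoso.com
}

$summary = Get-ProfileDomainSummary -SiteUrl 'http://intranet.contoso.com'

foreach ($netbios in $expected.Keys) {
    $fqdnLabel = $expected[$netbios]
    $good = if ($summary.ContainsKey($netbios))   { $summary[$netbios] }   else { 0 }
    $bad  = if ($summary.ContainsKey($fqdnLabel)) { $summary[$fqdnLabel] } else { 0 }
    Write-Host ("{0}: {1} profiles under NetBIOS prefix, {2} under FQDN label '{3}'" -f
        $netbios, $good, $bad, $fqdnLabel)
    if ($bad -gt 0) {
        Write-Warning ("Profiles stored as {0}\user: the dir sync account most likely lacks " +
            "Replicating Directory Changes on the Configuration NC. Fix the permission, " +
            "create a new sync connection and run a full sync.") -f $fqdnLabel
    }
    if ($good -eq 0 -and $bad -eq 0) {
        Write-Warning "$netbios: no profiles found at all; check the sync connection and the domain NC permission."
    }
}
```

A domain whose NetBIOS name equals the first FQDN label cannot be told apart this way (both prefixes are the same string), which is consistent with the post: that is the scenario where no Configuration NC permission is needed and nothing can go wrong with the prefix.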