---
title: Active Directory sync user account
description: The Sync User created for Active Directory (AD) is added to the cn=Administrators branch and is given most of a root user's permissions. If this account cannot be secured and there is a need to configure the permissions required by the Sync User, the following are required to perform synchronization tasks.
component: pingdirectory
version: 11.0
page_id: pingdirectory:pingdatasync_server_administration_guide:pd_sync_active_dir_sync_user_acct
canonical_url: https://docs.pingidentity.com/pingdirectory/11.0/pingdatasync_server_administration_guide/pd_sync_active_dir_sync_user_acct.html
revdate: September 13, 2023
---

# Active Directory sync user account

The Sync User created for Active Directory (AD), a directory service for Windows domain networks included in most Windows Server operating systems, is added to the `cn=Administrators` branch and is given most of a root user's permissions. If this account cannot be secured and you need to restrict the Sync User to the permissions it actually requires, the following permissions are needed to perform synchronization tasks.

As a Sync Source, these permissions are needed:

* List contents

* Read all properties

* Read permissions

Deleted items are a special case. For the PingDataSync server to see deleted entries, the user account must have sufficient access to `cn=Deleted Objects,<domain name>`. Granting access to that distinguished name (DN), the name that uniquely identifies an object within the hierarchy of a directory tree, requires the `dsacls` tool, for example:

```
# Taking ownership of the container may be required before the ACL can be changed.
dsacls "CN=Deleted Objects,DC=example,DC=com" /takeOwnership
```

```
# Grant the Sync User generic read (GR) permission on the Deleted Objects container.
dsacls "CN=Deleted Objects,DC=example,DC=com" /G "example\SyncUser":GR
```

```
# List the permissions currently set on the Deleted Objects container.
dsacls "CN=Deleted Objects,DC=example,DC=com"
```

To revoke all permissions from the Sync User, run the following `dsacls` command:

```
dsacls "CN=Deleted Objects,DC=example,DC=com" /R "example\SyncUser"
```
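As an added example that is not part of the PingDirectory documentation, the following PowerShell checks whether the Sync User holds the three read rights listed above on the Deleted Objects container and nothing beyond read access, which is the least-privilege state this page describes. It assumes the ActiveDirectory module (and its `AD:` drive) is available; the account name and domain DN are placeholders.

```powershell
# Added example, not from the PingDirectory docs: verify that a Sync User holds
# the read rights the page lists on the Deleted Objects container and nothing
# more. Assumes the ActiveDirectory module (AD: drive) is available; the account
# name and domain DN are placeholders.
param(
    [string]$SyncUser = 'EXAMPLE\SyncUser',   # placeholder identity
    [string]$DomainDN = 'DC=example,DC=com'   # placeholder domain DN
)
Import-Module ActiveDirectory

# Rights required as a Sync Source: list contents, read all properties, read permissions.
$Required = [int][System.DirectoryServices.ActiveDirectoryRights]'ListChildren, ReadProperty, ReadControl'
# Read-type rights that do not exceed what synchronization needs.
$ReadOnly = [int][System.DirectoryServices.ActiveDirectoryRights]'GenericRead, ListObject, ListChildren, ReadProperty, ReadControl'

function Test-SyncUserDeletedObjectsAccess {
    param([string]$Identity, [string]$DomainDN)

    # Reading this container's DACL needs ownership or explicit rights, which is
    # why the page shows dsacls /takeOwnership first.
    $path = "AD:\CN=Deleted Objects,$DomainDN"
    $acl  = Get-Acl -Path $path

    $mine  = $acl.Access | Where-Object { $_.IdentityReference.Value -ieq $Identity }
    $allow = @($mine | Where-Object { $_.AccessControlType -eq 'Allow' })
    $deny  = @($mine | Where-Object { $_.AccessControlType -eq 'Deny' })

    # Union of every right explicitly allowed to the identity on this object.
    $granted = 0
    foreach ($ace in $allow) { $granted = $granted -bor [int]$ace.ActiveDirectoryRights }

    $missing = $Required -band (-bnot $granted)   # required bits not present
    $excess  = $granted  -band (-bnot $ReadOnly)  # bits beyond read-only access

    [pscustomobject]@{
        Identity      = $Identity
        Path          = $path
        Granted       = [System.DirectoryServices.ActiveDirectoryRights]$granted
        MissingRights = [System.DirectoryServices.ActiveDirectoryRights]$missing
        ExcessRights  = [System.DirectoryServices.ActiveDirectoryRights]$excess
        DenyEntries   = $deny.Count
        # Compliant only when all required bits exist, nothing extra is granted,
        # and no Deny ACE could silently block synchronization.
        Compliant     = ($missing -eq 0 -and $excess -eq 0 -and $deny.Count -eq 0)
    }
}

Test-SyncUserDeletedObjectsAccess -Identity $SyncUser -DomainDN $DomainDN | Format-List
```

Only ACEs that name the account directly are counted; rights the account inherits through group membership, such as `cn=Administrators`, are not resolved by this check.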

If Active Directory is used as a destination for synchronization, the Sync User account should not be changed.
