Page created: 22 Jul 2020 |
Page updated: 1 Feb 2021
The Sync User created for Active Directory is added to the
cn=Administrators branch and is given most of a root user's
permissions. If this account cannot be secured and there is a need to configure the
permissions required by the Sync User, the following are required to perform
As a Sync Source, these permissions are needed:
- List contents
- Read all properties
- Read permissions
Deleted items are a special case. For the Sync Server to see deleted entries, the user account must have sufficient access to
cn=Deleted Objects,<domain name>. Giving access to that DN requires using the dsacls tool, such as:
# Take ownership may be required to make the needed changes. dsacls "CN=Deleted Objects,DC=example,DC=com" /takeOwnership
# Give the Sync User generic read permission to the domain. dsacls "CN=Deleted Objects,DC=example,DC=com" /G "example\SyncUser":GR
# List the permission for the domain. dsacls "CN=Deleted Objects,DC=example,DC=com"
To revoke all permissions from the Sync User, run the following dsacls command:
dsacls "CN=Deleted Objects,DC=example,DC=com" /R "example\SyncUser"
If Active Directory is used as a destination for synchronization, the Sync User account should not be changed.