The Sync User is created in the cn=Administrators branch and is given most of a root user's permissions. If this account cannot be secured and there is a need to restrict the permissions granted to the Sync User, the following permissions are required to perform synchronization tasks.
As a Sync Source, these permissions are needed:
- List contents
- Read all properties
- Read permissions
Deleted items are a special case. For the PingDataSync server to see deleted entries, the user account must have sufficient access to the distinguished name (DN) cn=Deleted Objects,<domain name>. Giving access to that DN requires using the dsacls tool, such as:
# Taking ownership may be required before the ACL on the Deleted Objects container can be changed.
dsacls "CN=Deleted Objects,DC=example,DC=com" /takeOwnership
# Grant the Sync User generic read (GR) permission on the Deleted Objects container.
dsacls "CN=Deleted Objects,DC=example,DC=com" /G "example\SyncUser":GR
# List the permissions currently set on the Deleted Objects container.
dsacls "CN=Deleted Objects,DC=example,DC=com"
To revoke all permissions from the Sync User, run the following dsacls command:
dsacls "CN=Deleted Objects,DC=example,DC=com" /R "example\SyncUser"
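The following PowerShell script is an added example, not part of the PingDataSync documentation or the product, and it covers both the Sync Source permissions above and the Deleted Objects special case. It grants only the three listed rights (List contents, Read all properties, Read permissions, mapped to the ListChildren, ReadProperty and ReadControl access rights) instead of the broader GR generic read, verifies that the Sync User actually holds them, and revokes them in the same way as the dsacls /R command. The domain example.com, the account example\SyncUser, the RSAT ActiveDirectory module and the AD: drive on a domain-joined host, and that ownership of the Deleted Objects container has already been taken with dsacls as shown above, are all assumptions.

```powershell
# Added example; assumes domain example.com, account example\SyncUser and the
# ActiveDirectory module (RSAT). Ownership of CN=Deleted Objects is assumed to have
# been taken already with "dsacls ... /takeOwnership".
Import-Module ActiveDirectory

$domainDn  = (Get-ADDomain).DistinguishedName        # e.g. DC=example,DC=com
$deletedDn = "CN=Deleted Objects,$domainDn"
$syncSid   = (New-Object System.Security.Principal.NTAccount("example", "SyncUser")).Translate(
                 [System.Security.Principal.SecurityIdentifier])

# The three Sync Source rights from the documentation, expressed as AD access rights:
#   List contents       -> ListChildren
#   Read all properties -> ReadProperty
#   Read permissions    -> ReadControl
$rights = [System.DirectoryServices.ActiveDirectoryRights]::ListChildren -bor
          [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
          [System.DirectoryServices.ActiveDirectoryRights]::ReadControl

function Grant-SyncReadRights {
    # Adds a single inheritable Allow ACE for the Sync User carrying only the three rights.
    param([Parameter(Mandatory)][string]$TargetDn)
    $acl  = Get-Acl -Path "AD:\$TargetDn"
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $syncSid,
        $rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$TargetDn" -AclObject $acl
}

function Test-SyncReadRights {
    # Returns $true when the Allow ACEs held by the Sync User cover all three rights.
    # A GR grant made with dsacls also passes, because GenericRead includes them.
    param([Parameter(Mandatory)][string]$TargetDn)
    $acl  = Get-Acl -Path "AD:\$TargetDn"
    $aces = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
            Where-Object { $_.IdentityReference -eq $syncSid -and $_.AccessControlType -eq 'Allow' }
    $granted = 0
    foreach ($ace in $aces) { $granted = $granted -bor [int]$ace.ActiveDirectoryRights }
    return (($granted -band [int]$rights) -eq [int]$rights)
}

function Revoke-SyncRights {
    # Removes every ACE for the Sync User on the object, the equivalent of "dsacls ... /R".
    param([Parameter(Mandatory)][string]$TargetDn)
    $acl = Get-Acl -Path "AD:\$TargetDn"
    [void]$acl.PurgeAccessRules($syncSid)
    Set-Acl -Path "AD:\$TargetDn" -AclObject $acl
}

# Grant on the domain root (inherited by the live tree) and on the Deleted Objects
# container, then verify both before pointing the PingDataSync server at the domain.
Grant-SyncReadRights -TargetDn $domainDn
Grant-SyncReadRights -TargetDn $deletedDn
foreach ($dn in @($domainDn, $deletedDn)) {
    "{0}: {1}" -f $dn, $(if (Test-SyncReadRights -TargetDn $dn) { 'OK' } else { 'MISSING RIGHTS' })
}
```

Test-SyncReadRights is the check to run after either this script or the dsacls commands: it reads the ACL back rather than trusting that the grant succeeded, and because it tests the bits rather than comparing whole ACEs it reports OK whether the rights came from GR or from the explicit three. Revoke-SyncRights is kept separate so that decommissioning the account is a single, reviewable step.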
If Active Directory is used as a destination for synchronization, the Sync User account should not be changed.