Directory Wizards Inc.


Setting special permissions for updating only specific attributes in a Join Connection to AD/Ex200x

Category:Active Directory

Last Updated:2011-08-03


When a UnitySync Join connection updates only specific destination attributes, consider fine-tuning the permissions of the UnitySync login account so that it has write access to those attributes only and nothing else; a sync account that can write every attribute is a much larger liability if its credentials are exposed. This can be done in AD as follows:

  1. Create a dedicated login account on the destination directory (e.g. SSUser).
  2. In AD Users and Computers, turn on Advanced Features.
  3. Right click on Container where you want to set permissions.
  4. Select Permissions.
  5. Click Security tab.
  6. Click Advanced.
  7. Click Add.
  8. Select the UnitySync account and click OK.
  9. On the Permissions Entry window, click the Properties tab.
  10. On the Apply To: menu, select User Objects.
  11. Click to give Write access to each of the Join's Mod Attribs. (See the note below.)
    In v3 the Mod Attribs (required) are specified on the Join Properties tab.
    In v4, the Mod Attribs are specified on the Destination tab. In v4, this may be blank in a pure Join connection. If Mod Attribs is blank, all attributes mapped in the default or custom map file are considered to be Mod Attribs. (Mod Attrib refers to an attribute that will be modified at sync time.)
  12. Click OK, OK, OK to save and exit.
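The same result can be produced from PowerShell, which is easier to review and repeat than the Advanced Security dialog. The script below is an added example, not UnitySync's or Directory Wizards' code: it grants one WriteProperty ACE per Mod Attrib, inherited only by user objects under the chosen container, and then lists every ACE the sync account holds there so you can confirm nothing broader slipped in. The container DN, the EXAMPLE\SSUser account and the three-attribute list are placeholders; take the real list from the Join's Mod Attribs, or from the map file when Mod Attribs is blank in v4. Requires the ActiveDirectory module and an account allowed to change the container's ACL.

```powershell
Import-Module ActiveDirectory

# All of the following are placeholders for this example.
$Container  = 'OU=Synced Users,DC=example,DC=com'   # container chosen in step 3
$Account    = 'EXAMPLE\SSUser'                       # account created in step 1
$ModAttribs = @('mail', 'telephoneNumber', 'title')  # the Join's Mod Attribs

# schemaIDGUID of the 'user' object class, so each ACE is inherited only by
# user objects (the 'Apply To: User Objects' choice in the GUI).
$UserClassGuid = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

$schemaNC = (Get-ADRootDSE).schemaNamingContext
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier])

# Resolve each attribute name to its schemaIDGUID; fail loudly on a typo
# rather than silently granting nothing (or the wrong attribute).
$attrGuids = @{}
foreach ($attr in $ModAttribs) {
    $schemaObj = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$attr))" `
        -Properties schemaIDGUID
    if (-not $schemaObj) { throw "Attribute '$attr' is not in the schema" }
    $attrGuids[$attr] = [Guid]$schemaObj.schemaIDGUID
}

# One Allow/WriteProperty ACE per attribute, scoped to descendant user objects.
$aclPath = "AD:\$Container"
$acl = Get-Acl -Path $aclPath
foreach ($attr in $ModAttribs) {
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $attrGuids[$attr],
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $UserClassGuid)
    $acl.AddAccessRule($ace)
}
Set-Acl -Path $aclPath -AclObject $acl

# Verify: list every ACE the sync account now holds on the container and map
# the ObjectType GUID back to an attribute name. Anything other than
# WriteProperty on one of the Mod Attribs is more than the Join needs.
$byGuid = @{}
foreach ($kv in $attrGuids.GetEnumerator()) { $byGuid[$kv.Value] = $kv.Key }
(Get-Acl -Path $aclPath).Access |
    Where-Object { $_.IdentityReference.Value -eq $Account } |
    ForEach-Object {
        [PSCustomObject]@{
            Rights    = $_.ActiveDirectoryRights
            Attribute = if ($byGuid.ContainsKey($_.ObjectType)) { $byGuid[$_.ObjectType] } else { $_.ObjectType }
            AppliesTo = $_.InheritedObjectType
            Inherit   = $_.InheritanceType
        }
    } | Format-Table -AutoSize
```

The final listing is the check worth keeping: run it again after any change to the Join's map file, and treat an unexpected GenericAll, WriteDacl or an ACE with an empty ObjectType (write to all properties) on the sync account as a finding, since any of those gives the account far more than the attribute-level write the Join needs.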

Note: Not all attributes are available in the User Objects list by default. If the attribute you need is not listed, use the information below to configure your DSSEC.DAT file so that it becomes available.

The file %WINDIR%\System32\DSSEC.DAT contains the filter settings that decide which attributes the permissions UI shows. Using the "lockoutTime" attribute as an example, the Microsoft Knowledge Base article linked below describes how to make a hidden attribute available. The same process applies to any attribute.

http://support.microsoft.com/default.aspx?scid=kb;EN-US;q294952
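The DSSEC.DAT edit is a plain text change, so it can be scripted and backed up rather than done by hand in Notepad. The function below is an added example, not from this article or from Microsoft: it locates the attribute's line in the [user] section and sets it to 0, or appends the line if the section lacks it. The meaning of the values (7 hides the attribute from the permissions UI, 0 shows it) is taken from the linked KB article as an assumption here, not from this page; the section name, the lockoutTime sample call and the .bak naming are choices for the example.

```powershell
# Make an attribute selectable in the User Objects permission list by editing
# its entry in the [user] section of DSSEC.DAT. Backs the file up first.
# Assumed per the linked KB article (not stated on this page): 7 hides the
# attribute from the permissions UI and 0 shows it.
function Unhide-DssecAttribute {
    param(
        [Parameter(Mandatory)] [string] $Attribute,
        [string] $Section = 'user',
        [string] $Path = (Join-Path $env:WINDIR 'System32\DSSEC.DAT')
    )
    Copy-Item -Path $Path -Destination "$Path.bak" -Force
    $lines = Get-Content -Path $Path
    $out = New-Object System.Collections.Generic.List[string]
    $inSection = $false
    $done = $false
    $keyPattern = "^\s*$([regex]::Escape($Attribute))\s*="
    foreach ($line in $lines) {
        if ($line -match '^\[(.+)\]$') {
            # Leaving the target section without finding the key: append it.
            if ($inSection -and -not $done) { $out.Add("$Attribute=0"); $done = $true }
            $inSection = ($Matches[1] -eq $Section)
        }
        elseif ($inSection -and $line -match $keyPattern) {
            $line = "$Attribute=0"
            $done = $true
        }
        $out.Add($line)
    }
    # Target section was the last one in the file and lacked the key.
    if ($inSection -and -not $done) { $out.Add("$Attribute=0"); $done = $true }
    if (-not $done) { throw "Section [$Section] not found in $Path" }
    Set-Content -Path $Path -Value $out -Encoding ASCII
}

# Example: expose lockoutTime, the attribute the KB article uses.
Unhide-DssecAttribute -Attribute 'lockoutTime'
```

Run it from an elevated prompt, since System32 is not writable otherwise, and reopen Active Directory Users and Computers afterwards: the snap-in reads DSSEC.DAT when it starts, so an already-open console will not show the newly exposed attribute.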