Directory Wizards Inc.


Setting "Special Permissions" on the AD Sync container

Category: Active Directory

Last Updated: 2010-01-27

 


 

To avoid any permissions issues at sync time, you may choose to make your Sync login account a Domain Admin. Alternatively, you may make the login account a Domain User and apply 'Special Permissions' on the Sync container to allow the sync to process Adds, Mods and Deletes of objects and structure in the sync container.

 

When setting up Special Permissions on the sync container, you must select Full Control and be sure to specify 'This object and all child objects'. ** This is the setting that is sometimes forgotten, and omitting it results in errors on Modify. **

 

The instructions below explain exactly how to do this.

 

Applying Special Permissions

 

  1. In AD Users & Computers, click 'View' and click 'Advanced Features'. This allows you to see the Security options.
  2. Highlight your sync container, right-click and select Properties. Click the Security tab.
  3. Add the SimpleSync account to the Access Control List and give it 'Full Control'.
  4. Click the Advanced button. Select the SimpleSync account and click View/Edit.
    Choose: Apply onto: This object and all child objects
  5. Click OK.
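
To confirm the result of the steps above, the following PowerShell check reads the container's ACL and reports whether the sync account's entry is Full Control applied to this object and all child objects. It is an added example, not part of the original article or the SimpleSync product; the container DN and account name are hypothetical placeholders, and it assumes the ActiveDirectory module (RSAT) is installed.

```powershell
# Added example: verify the delegation on the sync container.
Import-Module ActiveDirectory

$ContainerDN = 'OU=Sync,DC=example,DC=com'   # hypothetical sync container DN
$SyncAccount = 'EXAMPLE\simplesync'          # hypothetical sync login account
$EmptyGuid   = [guid]::Empty
$GenericAll  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

# Explicit (non-inherited) Allow entries for the sync account on the container
$aces = (Get-Acl -Path "AD:\$ContainerDN").Access | Where-Object {
    $_.IdentityReference.Value -eq $SyncAccount -and
    $_.AccessControlType -eq 'Allow' -and
    -not $_.IsInherited
}

if (-not $aces) {
    Write-Warning "No explicit Allow entry for $SyncAccount on $ContainerDN"
    return
}

foreach ($ace in $aces) {
    # Full Control = GenericAll that is not limited to one property or extended right
    $fullControl = (($ace.ActiveDirectoryRights -band $GenericAll) -eq $GenericAll) -and
                   ($ace.ObjectType -eq $EmptyGuid)

    # InheritanceType 'All' = this object and all child objects;
    # an empty InheritedObjectType means the entry applies to every object class
    $wholeTree = ($ace.InheritanceType -eq 'All') -and
                 ($ace.InheritedObjectType -eq $EmptyGuid)

    [pscustomobject]@{
        Account       = $ace.IdentityReference.Value
        Rights        = $ace.ActiveDirectoryRights
        AppliesTo     = $ace.InheritanceType
        FullControl   = $fullControl
        WholeSubtree  = $wholeTree
        MeetsArticle  = $fullControl -and $wholeTree
    }
}
```

An entry that shows FullControl as True but AppliesTo as None is the forgotten setting described above: the account can change the container itself but not the objects inside it.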