Setting “Special Permissions” on the Active Directory Sync Container2019-04-10 10:33:36
Active Directory UnitySync
Recent versions of Active Directory are becoming more reliant on enhanced access for the functions required to sync.
To avoid any permisssions issues at sync time, we recommend that you give your Destination login account Domain Admin credentials. This is the easiest and most reliable way to ensure you do not encounter permissions based errors when attempting to sync. Please see Domain Admin required for Destination Login for more information.
If you are unable to provide Domain Admin access to your Destination login, there is an alternative solution to prevent issues writing to the Destination Sync Container. Apply ‘Special Permissions’ on the OU per the instructions provided here to allow the sync to process Adds, Mods, Deletes of objects and structure in the designated Sync Container.
NOTE: *When setting up Special Permissions on the sync container, you must select Full Control and be sure to specify This object and all child objects. This setting is sometimes forgotten and results in errors on Modify.
Applying Special Permissions
- In Active Directory Users & Computers, Click ‘View’ and click ‘Advanced Features’. This allows you to see the Security Options.
- Highlight your sync container, Right Click and Select Properties.
- Click the Security tab.
- Add the UnitySync account to the Access Control List and give it ‘Full Control’.
- Click on Advanced button. Select the UnitySync account and click View/Edit.
- Choose - Apply onto: This object and all children objects
- Click OK.