Delegate rights for AD Sync Account

Active Directory synchronization allows Intranet site administrators to integrate an AD employee directory with the Intranet employee directory.

System administrators frequently ask how to grant AD synchronization privileges without giving a user full domain administrative rights. For AD synchronization, the user only needs the Read object and Read All Properties rights on the objects being pulled into the Intranet site. The tutorial below describes the rights delegation process in detail.

Furthermore, for clean AD synchronization to occur, the synchronization account also requires List Contents and Read Property rights on the Deleted Objects container. Without these rights, the removal of AD users will not trigger the removal of the corresponding Intranet site users. For more information on granting a user rights to the Deleted Objects container, see the following Microsoft KB article:

The following procedure guides system administrators through delegating Read object and Read All Properties rights to the desired user account [Windows 2k3]:

Delegating Read Object and Read All Object Properties Rights

  1. Open Active Directory Users and Computers from Administrative Tools
  2. Right-click the appropriate domain
  3. Click Delegate Control...
  4. Press Next to skip the introduction
  5. Click Add...
  6. Specify the desired user object(s) and click OK
  7. Click Next
  8. Select the Create a custom task to delegate option

    Note: Delegating common tasks is not sufficient because the common tasks do not include the ability to grant explicit Read and Read All Properties rights on AD objects.

  9. Click Next
  10. Leave the default This folder, existing objects in this folder, and creation of new objects in this folder option selected

    Note: Leaving the default option selected in step 10 delegates permissions at the folder level, so that they are inherited by existing and newly created objects, and allows full AD synchronization to occur.

  11. Select the check boxes corresponding to the Read and Read All Properties options

    Note: The permissions being delegated are selected at step 11.

  12. Click Next
  13. Review the final configuration for the delegated permissions
  14. Click Finish

Upon completion of the steps listed above, system administrators will have granted Read and Read All Properties rights to the desired user. With these rights, the user can perform a full AD synchronization with the Intranet Connections application.
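The same delegation can be scripted instead of clicked through the wizard. The following PowerShell is an added example, not part of the original article or of the Intranet Connections product; it assumes the ActiveDirectory module is available, a placeholder sync account named svc-intranet-sync, and that the script runs as a user who is allowed to modify the domain root ACL. The Deleted Objects step uses dsacls, which requires taking ownership of that container first.

```powershell
# Added example: grant Read + Read All Properties on the domain root to the sync
# account, inherited by this object and all descendants (the wizard's
# "This folder, existing objects in this folder, and creation of new objects" option).
Import-Module ActiveDirectory

$SyncSamAccount = 'svc-intranet-sync'          # placeholder account name (assumption)
$DomainDN       = (Get-ADDomain).DistinguishedName
$NetBiosName    = (Get-ADDomain).NetBIOSName
$AclPath        = "AD:\$DomainDN"

# Resolve the account's SID so the ACE does not depend on name resolution later.
$SyncSid = (Get-ADUser -Identity $SyncSamAccount).SID

# "Read" in the wizard corresponds to GenericRead; "Read All Properties" to ReadProperty.
$Rights = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead -bor
          [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty

$Ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $SyncSid,
    $Rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
)

$Acl = Get-Acl -Path $AclPath
$Acl.AddAccessRule($Ace)
Set-Acl -Path $AclPath -AclObject $Acl

# Verify: the sync account should now appear with an inherited (All) Read/ReadProperty ACE
# and nothing broader. Review this output before handing the account to the Intranet site.
(Get-Acl -Path $AclPath).Access |
    Where-Object { $_.IdentityReference -eq "$NetBiosName\$SyncSamAccount" } |
    Select-Object ActiveDirectoryRights, AccessControlType, InheritanceType

# Deleted Objects container: List Contents (LC) and Read Property (RP) so that deletions
# in AD propagate to the Intranet directory. dsacls requires ownership of the container.
$DeletedObjectsDN = "CN=Deleted Objects,$DomainDN"
dsacls $DeletedObjectsDN /takeownership
dsacls $DeletedObjectsDN /G "${NetBiosName}\${SyncSamAccount}:LCRP"
```

Because the ACE is placed on the domain root with inheritance set to All, any object created later under the domain is readable by the sync account without re-running the delegation; keep the grant limited to Read rights so the account cannot modify directory data.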
