Checking if a Service account has Replicate Directory Changes

If you have ever had to set up the User Profile Synchronization Service connection to Active Directory, then you know that it needs a service account that holds the Replicate Directory Changes permission, either on the whole domain or on the individual containers and OUs being synchronized. I really can't think of a reason not to grant the svc account the permission on the entire domain, but you can get granular if you want to. Besides, you specify which OUs and containers to sync when you create the sync connection anyway.

Here is the script you can run to check whether the svc account holds Replicating Directory Changes on the domain and configuration naming contexts:

param( [string] $userName="")

# Returns $true when $user has an Allow ACE for the named extended right on $entry
function Check-ADUserPermission(
    [System.DirectoryServices.DirectoryEntry]$entry,
    [string]$user,
    [string]$permission)
{
    # Look up the extended right by display name to get its rightsGuid
    $dse = [ADSI]"LDAP://Rootdse"
    $ext = [ADSI]("LDAP://CN=Extended-Rights," + $dse.ConfigurationNamingContext)
    $right = $ext.psbase.Children |
        ? { $_.DisplayName -eq $permission }
    if($right -ne $null)
    {
        # Match ACEs for this identity whose ObjectType is the right's GUID
        $perms = $entry.psbase.ObjectSecurity.Access |
            ? { $_.IdentityReference -eq $user } |
            ? { $_.ObjectType -eq [GUID]$right.RightsGuid.Value }
        return ($perms -ne $null)
    }
    else
    {
        Write-Warning "Permission '$permission' not found."
        return $false
    }
}

# Globals
$replicationPermissionName = "Replicating Directory Changes"

# Main()
# Check both the domain and the configuration naming contexts
$dse = [ADSI]"LDAP://Rootdse"
$entries = @(
    [ADSI]("LDAP://" + $dse.defaultNamingContext),
    [ADSI]("LDAP://" + $dse.configurationNamingContext));
Write-Host "User '$userName': "
foreach($entry in $entries)
{
    $result = Check-ADUserPermission $entry $userName $replicationPermissionName
    if($result)
    {
        Write-Host "`thas a '$replicationPermissionName' permission on '$($entry.distinguishedName)'" `
            -ForegroundColor Green
    }
    else
    {
        Write-Host "`thas no '$replicationPermissionName' permission on '$($entry.distinguishedName)'" `
            -ForegroundColor Red
    }
}

Save that as a .ps1 file and then call it like this from an administrative PowerShell session:

.\CheckRDC.ps1 "domain\UserName"

e.g.

.\CheckRDC.ps1 "contoso\SP_UPS"
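Before granting the right to a new svc account it is also worth seeing who already holds it. The following is an added example, not code from the original post: it generalizes the check above from one user to every principal with an Allow ACE for either replication extended right on a naming context or OU, so grants made through group membership (which a per-user IdentityReference match does not attribute) become visible. The function name and the $SearchBase parameter are my own choices.

```powershell
# Added example (not from the original post): list every principal that holds a
# replication extended right on a naming context or OU.
function Get-ReplicationRightHolders {
    param(
        # Distinguished name to inspect; defaults to the domain naming context (assumed parameter)
        [string]$SearchBase = ""
    )
    $dse = [ADSI]"LDAP://RootDSE"
    if (-not $SearchBase) { $SearchBase = [string]$dse.defaultNamingContext }

    # Resolve rightsGuid values from the Extended-Rights container instead of hard-coding GUIDs.
    # "Replicating Directory Changes All" is the more sensitive of the two (it also covers
    # secret and confidential attributes), so it is audited alongside the basic right.
    $ext = [ADSI]("LDAP://CN=Extended-Rights," + $dse.configurationNamingContext)
    $rightNames = @{}
    foreach ($r in $ext.psbase.Children) {
        $name = [string]$r.displayName
        if ($name -eq "Replicating Directory Changes" -or
            $name -eq "Replicating Directory Changes All") {
            $rightNames[[guid]$r.rightsGuid.Value] = $name
        }
    }

    $entry = [ADSI]("LDAP://" + $SearchBase)
    $extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

    foreach ($ace in $entry.psbase.ObjectSecurity.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.ActiveDirectoryRights -band $extendedRight) -eq 0) { continue }

        # An ExtendedRight ACE with an empty ObjectType grants *all* extended rights,
        # which includes both replication rights; GenericAll appears this way too.
        if ($ace.ObjectType -eq [guid]::Empty) {
            $rightLabel = "All extended rights"
        } elseif ($rightNames.ContainsKey($ace.ObjectType)) {
            $rightLabel = $rightNames[$ace.ObjectType]
        } else {
            continue
        }

        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Right     = $rightLabel
            Inherited = $ace.IsInherited
            Object    = [string]$entry.distinguishedName
        }
    }
}

# Review the current holders on the domain naming context
Get-ReplicationRightHolders | Sort-Object Right, Identity | Format-Table -AutoSize
```

Pass an OU's distinguished name as -SearchBase to review a granular grant; inherited ACEs are included, so a right granted at the domain root shows up there with Inherited set to True.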