alternate option for Replicate directory changes permission - sharepoint user profile sync

  • 271 Views
  • Last Post 5 weeks ago
Bharathian posted this 5 weeks ago

Hi all,

We have a few applications in SharePoint for which a user profile sync configuration is required, and for this they have asked for the Replicate Directory Changes permission in AD.

Please suggest: is there any other alternative way where we can avoid giving this permission? Or is there any way we can mitigate these risks? I believe with this permission they can export all your AD user accounts with basic attributes.

Regards,
Bharathi
Sensitivity: LNT Construction Internal Use

L&T-Construction   This Message and its contents is intended solely for the addressee and is proprietary. Information in this mail is for L&T Business Usage only. Any Use to other than the addressee is misuse and infringement to Proprietorship of L&T Construction. If you are not the addressee please return the mail to the sender.
L&T Construction.
 

blizzard_mikec posted this 5 weeks ago

There’s no risk to giving Replicate Directory Changes because the information that they can get is information you can dump with a regular user account via Get-ADUser.

There are 3 total permissions.

Replicate Directory Changes
Replicate Directory Changes in Filtered Set
Replicate Directory Changes All

It ONLY needs the first permission. DO NOT give it the others, ESPECIALLY do not give it the All permission. That would be the bad one.

It does not need “All”. Not in any circumstance.

And for those that are reading, audit your environment and strip it away if it’s delegated out to anything.

About the only accounts that may need “All” here are authentication sync service accounts, such as your AzureAD Connect user or an Okta user.

And it only needs it if you are syncing passwords to cloud services.

-Mike Cramer
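The audit Mike recommends, as an added PowerShell example that is not from this thread: it lists every principal holding one of the three replication extended rights on the domain naming context, plus any ACE granting GenericAll there (which implies all three). It assumes the RSAT ActiveDirectory module and the AD: PSDrive it provides; the three GUIDs are the well-known rightsGuid values of those controlAccessRight objects.

```powershell
# Added example: enumerate who can pull replication data from the domain root.
# Assumes the ActiveDirectory module (RSAT) in a domain-joined session.
Import-Module ActiveDirectory

# Well-known rightsGuid values for the three "Replicate Directory Changes" rights.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicate Directory Changes'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'Replicate Directory Changes in Filtered Set'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicate Directory Changes All'
}

function Get-ReplicationRightHolders {
    # Read the DACL of the domain naming context via the AD: drive.
    $domainDn = (Get-ADDomain).DistinguishedName
    $acl = Get-Acl -Path "AD:\$domainDn"

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }

        $rights = $ace.ActiveDirectoryRights
        $objectType = $ace.ObjectType.ToString()

        if (($rights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
            $ReplicationRights.ContainsKey($objectType)) {
            # ACE grants one specific replication extended right.
            $label = $ReplicationRights[$objectType]
        }
        elseif (($rights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -and
                $ace.ObjectType -eq [guid]::Empty) {
            # Full control on the object carries every extended right with it.
            $label = 'GenericAll (implies all three)'
        }
        else { continue }

        [pscustomobject]@{
            Principal = $ace.IdentityReference.Value
            Right     = $label
            Inherited = $ace.IsInherited
        }
    }
}

# Review each line: anything other than domain controllers, built-in admin groups and
# a known sync service account is a candidate for removal, and "All" should only
# appear on accounts that actually sync password hashes (per Mike's advice above).
Get-ReplicationRightHolders | Sort-Object Right, Principal | Format-Table -AutoSize
```

Run it against each domain in the forest, since the rights are granted per naming context rather than forest-wide.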

daemonr00t posted this 5 weeks ago

Well, to be honest, the directory was made to be consulted; its nature is to provide info, so if you do a query with a standard user (nothing fancy in regards to permissions) then you can dump the whole directory if you want. Try doing adfind -default. Bottom line, for your specific concern, anyone can do that. Now, I am not SharePoint savvy, but I understand they need that as the product dumps the directory into its own internal database; that way it doesn't have to be bothering the controllers and also minimizes the dependency on AD. Cheers,

~Danny
Sent from my iPhone
On Sep 19, 2018, at 6:42 AM, Bharathi.AN <bharathi@xxxxxxxxxxxxxxxx> wrote:

Bharathian posted this 5 weeks ago

Hi Danny & Mike,

Thanks for your inputs and clarification.

We have also got the same permission requirement from the trusted domain (which belongs to our parent company). I was wondering whether those who have access to the imported dump can leak this information. How do you handle these cases? Are you asking them to sign an NDA? What is the general practice around this?

And can I make a list of users to be restricted from this generic discovery, like user accounts which have Domain Admins or Enterprise Admins?

Regards,

Bharathi

IT Infrastructure | Information Systems Department | L&T Construction

daemonr00t posted this 5 weeks ago

Well, poking around with ACLs might end up badly. Also bear in mind that group membership is written down on the group objects and it just reflects on the user object (search for BackLink attributes).

Now if you don’t trust them, then why open the door to them? Remember you can scope things a bit: do SID filtering or perhaps ADFS instead of a full trust.

Plus the human factor will always be there…

Here’s a great article that covers much of this:

https://www.itprotoday.com/windows-8/trust-or-not-trust

Cheers,

~danny

Sent from Windows Mail