Correct Delegation for FIM and SharePoint Profile Sync

  • Last Post 02 September 2016
Milo posted this 01 September 2016

I have been looking at the delegation of "Replicating Directory Changes" for FIM GALSync and SharePoint Profile Sync. If I follow the MS article https://support.microsoft.com/en-us/kb/303972 to grant this permission to a FIM AD MA, the end result is the account has the delegation at the root of the domain, and it is targeted to "This Object Only". If I follow the documentation for SharePoint 2013 (https://technet.microsoft.com/en-us/library/hh296982.aspx) I get a similar result, however, the delegation flows throughout the domain as it is targeted to "This Object and all descendant objects". Which is correct? I would assume both delegations to be identical? In fact it should be the same as the one for the Built-In administrators group, in that the delegation is applied to the root of the domain and does not propagate further? Maybe I need more coffee?

Milo

Milo posted this 02 September 2016

Thanks Jorge. That's what I think is correct too, for both FIM and SharePoint...

ZJORZ posted this 01 September 2016

For FIM/MIM I always use:

    DSACLS "<DN domain NC>" /G "<security principal>:CA;Replicating Directory Changes"

Which translates into “This Object Only”.

Kind regards,
Jorge de Almeida Pinto
JorgeDeAlmeidaPinto@xxxxxxxxxxxxxxxx
+31 (0)6 26.26.62.80
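To check which of the two scopes discussed in this thread an account actually received, the following added example (not part of the original thread) parses the SDDL string of the domain root's security descriptor and reports each trustee holding "Replicating Directory Changes" with its "Applies to" scope. The function names, `SAMPLE_SDDL` and the SIDs in it are constructed for illustration.

```python
import re

# rightsGuid of the "Replicating Directory Changes" extended right
# (DS-Replication-Get-Changes), stored in the object-type field of an ACE.
REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"

# Constructed sample: DACL of a domain root in SDDL form (SIDs are made up).
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    "(A;CI;RPLCRC;;;AU)"                                             # read only
    "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)"              # other right
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)"              # Administrators
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1-2-3-1105)"    # no flags
    "(OA;CI;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1-2-3-1106)"  # CI flag
)

def tokens(field):
    """Split an SDDL flags or rights field into its two-letter tokens."""
    return {field[i:i + 2] for i in range(0, len(field), 2)}

def applies_to(flags):
    """Translate SDDL inheritance flags into the ACL editor's 'Applies to' text."""
    t = tokens(flags)
    if "CI" not in t:
        return "This object only"
    if "IO" in t:
        return "All descendant objects"
    return "This object and all descendant objects"

def has_control_access(rights):
    """True if the rights field (hex mask or tokens) includes control access."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & 0x100)  # ADS_RIGHT_DS_CONTROL_ACCESS
    return bool(tokens(rights) & {"CR", "GA"})

def replication_grants(sddl):
    """Return (trustee, applies_to) for each allow ACE granting the right."""
    grants = []
    for ace in re.findall(r"\(([^()]*)\)", sddl):
        f = ace.split(";")  # type;flags;rights;object GUID;inherit GUID;trustee
        if len(f) < 6 or f[0] not in ("A", "OA") or not has_control_access(f[2]):
            continue
        # An empty object GUID means the ACE covers every extended right.
        if f[3] and f[3].lower() != REPL_GET_CHANGES:
            continue
        grants.append((f[5], applies_to(f[1])))
    return grants
```

Any trustee reported with a scope other than "This object only" holds the right in a wider form than the DSACLS command above produces.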
