Correct Delegation for FIM and Sharepoint Profile Sync

  • Last Post 02 September 2016
Milo posted this 01 September 2016

I have been looking at the delegation of "Replicating Directory Changes" for FIM GALSync and Sharepoint Profile Sync. If I following the MS article to grant this permission to a FIM AD MA, the end result is the account has the delegation at the root of the domain, and it is targetted to "This Object Only". If I follow the documentation for Sharepoint 2013 ( I get a similar result, however, the delegation flows throughout the domain as it is targetted to "This Object and all descendant objects". Which is correct? I would assume both delegations to be identical? In fact it should be the same as the one for the Built-In administrators group, in that the delegation is applied to the root of the domain and does not propagate further? Maybe I need more coffee?


Order By: Standard | Newest | Votes
ZJORZ posted this 01 September 2016

For FIM/MIM I always use: DSACLS "<DN domain NC>" /G "<security principal>:CA;Replicating Directory Changes" Which translates into “This Object Only” Met vriendelijke groeten / Kind regards, Jorge de Almeida Pinto*: JorgeDeAlmeidaPinto@xxxxxxxxxxxxxxxx(: +31 (0)6 Description: Description: Description: Description: Think Green 


Milo posted this 02 September 2016

Thanks Jorge. That's what I think is correct too, for both FIM and SharePoint...