In this article, I will explain What’re the required SharePoint 2016 User Profile Synchronization Account Permissions in Active Directory.
You might also like to read SharePoint User Profile Synchronization Service Stuck on Starting
Before going to configuring the User Profile Synchronization Service (UPSS), you should first assign Replicate Directory Changes permission In Active Directory for the User Profile Synchronization service account that will be used to run it.
The Replicate Directory Changes permission enables the synchronization account to
- Read AD DS objects.
- Discover AD DS objects that have been changed in the domain.
- Does not enable an account to create, modify or delete AD DS objects.
Grant User Profile Synchronization Service Account a Replicate Directory Changes permission
- On the domain controller server, click Start,
- Search for Active Directory Users and Computers and run it as administrator.
- In Active Directory Users and Computers, right-click the domain, and then click Delegate Control.
- On the first page of the Delegation of Control Wizard, click Next.
- On the Users or Groups page, click Add then Type the name of the synchronization account, and then click OK then click Next.
- On the Tasks to Delegate page, select Create a custom task to delegate, and then click Next.
- On the Active Directory Object Type page, select This folder, existing objects in this folder, and creation of new objects in this folder, and then click Next.
- On the Permissions page, in the Permissions box, select Replicating Directory Changes and then click Next.
- Click Finish.
To be able the user profile synchronization service to read user from the active directory, you must Grant User Profile Synchronization Service Account a Replicate Directory Changes permission.
- SharePoint 2016.
- SharePoint 2013.
- SharePoint 2010.