The necessary permissions are documented nicely by Microsoft in http://support.microsoft.com/kb/303972/en-us; however, I like scripting because it's repeatable and you're sure that its gets done the right way each time - and also, you can delegate the task of granting the permission to someone else, i.e. the customers directory administrator.
I know that most of this stuff is old news, but I just wanted to share the script that I use at my customers to grant the permission; hopefully this can be useful to others as well.
The syntax for running the script (from a PowerShell prompt as an account holding he appropriate permissions) is something like this if you wanted to grant the permission to the user called SVC-FIM-ADMA -
.\Grant-ReplicatingDirectoryChanges.ps1
-Account SVC-FIM-ADMA
Usually, though, I tend to recommend my customers to create a new domain security group and grant the permission to that group instead. And then just add the MA account that needs the permission to that group. Seems like a more sustainable approach, allowing you to delegating the permissions to another account without having to run the script again. If you want to use this approach, the script will work as well - just give the group name as a parameter instead of a username.
Enjoy and here’s the script (remember to save it as a .ps1 file)
# Grants necessary permissions for AD MA Service Account for
# FIM 2010 or ILM 2007 according to directions in
# http://support.microsoft.com/kb/303972/en-us article
#
# Please note that this script has only been tested on Windows Server 2008 R2
param (
$Account
)
# FIM 2010 or ILM 2007 according to directions in
# http://support.microsoft.com/kb/303972/en-us article
#
# Please note that this script has only been tested on Windows Server 2008 R2
param (
$Account
)
# get domain environment information
$RootDse = [ADSI] "LDAP://RootDSE"
$DefaultNamingContext = $RootDse.defaultNamingContext
$Domain = [ADSI] "LDAP://$DefaultNamingContext"
$DomainNetBIOSName = $Domain.Name.ToString().ToUpper()
$DomainFQDN = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$RootDse = [ADSI] "LDAP://RootDSE"
$DefaultNamingContext = $RootDse.defaultNamingContext
$Domain = [ADSI] "LDAP://$DefaultNamingContext"
$DomainNetBIOSName = $Domain.Name.ToString().ToUpper()
$DomainFQDN = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
# translate to SID (I like this due to it's uniqueness characterictics
$UserPrincipal = New-Object Security.Principal.NTAccount("$DomainNetBIOSName", "$Account")
$SID = $UserPrincipal.Translate([System.Security.Principal.SecurityIdentifier]).Value
$UserPrincipal = New-Object Security.Principal.NTAccount("$DomainNetBIOSName", "$Account")
$SID = $UserPrincipal.Translate([System.Security.Principal.SecurityIdentifier]).Value
DSACLS "$DefaultNamingContext" /G "$($SID):CA;Replicating Directory Changes";
2 comments:
Hmmm ... dsacls "" /G :CA;"Replicating Directory Changes"
Missing permissions? Or please elaborate...
Post a Comment