The User Profile Service Application service account requires the Replicate Directory Changes permission in Active Directory Domain Services on the domain node. Granting the Replicate Directory Changes permission does not enable an account to create, change or delete Active Directory Domain Services objects. It enables the account to read Active Directory Domain Services objects and to discover Active Directory Domain Services objects that were changed in the domain.
Follow the steps below to make this configuration.
- Create Delegate Control
On the Windows Server domain controller, open Active Directory Users and Computers, right-click the domain, and then click Delegate Control.
- Delegation of Control Wizard
Click on Delegate Control and then click Next.
The wizard helps you delegate control of Active Directory objects. You can grant users permission to manage users, groups, computers, organizational units, and other objects stored in Active Directory Domain Services.
- Users or Groups
Here you can add one or more users or groups to whom you want to delegate control.
- Select Users, Computers, or Groups
Type the name of the UPS synchronization account, and then click OK.
- Tasks to Delegate
Select Create a custom task to delegate, and then click Next.
- Active Directory Object Type
In the Delegation of Control Wizard, select This folder, existing objects in this folder, and creation of new objects in this folder, then select General and, in the Permissions box, select Replicating Directory Changes, and then click Next.
Select the permissions you want to delegate from here.
- Completing the Delegation of Control wizard
This completes the steps to configure the permissions of the User Profile service account.
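To confirm the delegation took effect, the following added example (not part of the original article) reads the ACL on the domain root and checks for an Allow entry granting Replicating Directory Changes to the synchronization account. It also lists every principal holding that right so unexpected holders stand out. The account name `CONTOSO\svc-ups-sync` is a placeholder, and the script assumes the ActiveDirectory PowerShell module (RSAT) is installed.

```powershell
# Added example: verify the Replicating Directory Changes delegation on the domain root.
# Requires the ActiveDirectory module; run as an account that can read the domain ACL.
Import-Module ActiveDirectory

# Assumption: placeholder name. Replace with your UPS synchronization account.
$Account = 'CONTOSO\svc-ups-sync'

# Control access right GUID for "Replicating Directory Changes" (DS-Replication-Get-Changes).
$ReplChanges = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'

# The wizard writes the permission to the ACL of the domain naming context root.
$domainDn = (Get-ADDomain).DistinguishedName
$acl      = Get-Acl -Path "AD:\$domainDn"

# Every Allow ACE on the domain root that grants the extended right.
$holders = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
    $_.ObjectType -eq $ReplChanges
}

# Does the synchronization account appear among them?
$match = $holders | Where-Object { $_.IdentityReference.Value -eq $Account }

if ($match) {
    Write-Output "OK: $Account holds Replicating Directory Changes on $domainDn"
} else {
    Write-Warning "$Account does not hold Replicating Directory Changes on $domainDn"
}

# Review list: all principals with the right, and whether the ACE is inherited.
$holders |
    Select-Object @{ n = 'Principal'; e = { $_.IdentityReference.Value } }, IsInherited |
    Sort-Object Principal -Unique |
    Format-Table -AutoSize
```

If the account was granted the right through group membership rather than directly, it will not match by name; check the listed groups instead.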