This account is specified as part of step 3 above which is during the creation of a Sync connection.The permission requirements depend on the following: This is the easiest scenario and nothing must be done other than granting directory changes permission to each import domain NC.The Directory Sync account needs the following: · Replicate directory changes permission to each import domain NC The following article describes how to set this: How to grant the "Replicating Directory Changes" permission for the Microsoft Metadirectory Services ADMA service account This is not the easiest scenario and requires some explanation.
The Pre-Window 2k compatibility group has access to read this attribute.
Power Shell can be used to drop the UPA into a variable and set this property to true. Note: This will output every service application specifically the User Profile Service Application 2.) $var = Get-SPService Application –Identity 00a380ed-2e99-4de3-ae22-dbe8c1b03bab Note: the identity is the GUID associated with the User Profile Service Application which was retrieved and copied from running the Get-SPService Application cmdlet 3.) $var.
Net Bios Domain Names Enabled Note: if this is true then it’s enabled and you can skip directly to step 7 4.) $var.
For the remainder of this blog, I’ll refer User Profile Service Application as “UPA”.
The basic steps to completely provision a UPA: 1.) Provision a UPA either through the Farm Configuration Wizard or from Manage Service Application page within Central Administrator.