Active Directory Rights for Synchronization Account
Below is a listing of the Active Directory permissions required by the account used for synchronization. See Configuring Active Directory for more on selecting this account.
Recommended Permissions
Object Tab
This object and all descendant objects:
- List contents
- Read all properties
Minimum Required Permissions
All of these are set as Allow permissions using ADSI Edit (Active Directory Service Interfaces Editor).
Object Tab
This object and all descendant objects:
- List contents
Properties Tab
This object and all descendant objects:
- Read objectClass
Descendant User objects:
- Read Display Name
- Read Distinguished Name
- Read E-mail-Address
- Read objectGUID
- Read Logon Name
- Read Logon Name (pre-Windows 2000)
Descendant Group objects:
- Read displayName
- Read Distinguished Name
- Read Group name (pre-Windows 2000)
- Read groupAttributes
- Read memberOf
- Read Members
- Read objectGUID
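
A least-privilege check for the permissions listed above, as an added example that is not part of the original documentation: it reads the ACL on the synchronized container and flags any entry for the synchronization account that carries rights beyond List contents and Read property. The container DN and account name are placeholders, and it assumes the ActiveDirectory PowerShell module (RSAT) is installed.

```powershell
# Added example, not vendor code. $BaseDN and $Account are placeholders.
Add-Type -AssemblyName System.DirectoryServices   # ActiveDirectoryRights enum
Import-Module ActiveDirectory                     # provides the AD: drive used by Get-Acl

$BaseDN  = 'OU=Synced,DC=example,DC=com'   # placeholder: container being synchronized
$Account = 'EXAMPLE\svc-adsync'            # placeholder: synchronization account

# Rights the page lists: "List contents" (ListChildren) and "Read ..." (ReadProperty).
$Rights  = [System.DirectoryServices.ActiveDirectoryRights]
$allowed = [int]($Rights::ListChildren -bor $Rights::ReadProperty)

function Test-SyncAccountAce {
    param($Ace)
    # Bits set on this ACE that are outside the two rights the page asks for.
    $extra = [int]$Ace.ActiveDirectoryRights -band (-bnot $allowed)
    [pscustomobject]@{
        Type        = $Ace.AccessControlType      # Allow or Deny
        Rights      = $Ace.ActiveDirectoryRights
        ObjectType  = $Ace.ObjectType             # attribute GUID; all zeros = every property
        Inherited   = $Ace.IsInherited
        ExtraRights = [System.DirectoryServices.ActiveDirectoryRights]$extra
        Excessive   = ($extra -ne 0)
    }
}

# Only ACEs that name the account directly are examined; rights the account
# receives through group membership are not covered by this check.
$aces = @((Get-Acl -Path "AD:\$BaseDN").Access |
    Where-Object { $_.IdentityReference.Value -eq $Account })

if ($aces.Count -eq 0) {
    Write-Warning "No ACEs name $Account directly on $BaseDN."
}

$report = @($aces | ForEach-Object { Test-SyncAccountAce $_ })
$report | Format-Table -AutoSize

if ($report | Where-Object { $_.Excessive }) {
    Write-Warning "$Account holds rights beyond List contents / Read property on $BaseDN."
}
```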