HC ADSync: How to Delegate Permissions to simple Active Directory User

Question: How to delegate permissions to a simple Active Directory user?
 
Answer:

While configuring AD Connect Sync, the credentials of the local Active Directory domain\admin account are generally sufficient. However, some organizations prefer to connect with a less privileged account. This article explains how to delegate permissions to a simple AD user, one with no administrative privileges, so that it can be used for ADSync connectivity.

  1. The user with privileges on a certain OU provides his credentials in Local AD Settings.

  2. This user has no administrator privileges; it is a simple AD user.

  3. The OU that is added in the Local AD Setting needs to have permissions delegated to the user from Point 2 above.

  4. To delegate the user control over a certain OU, follow the procedure below: open Active Directory Users and Computers, expand the root OU and navigate to the OU in question. Right-click the OU and choose Delegate Control.

  5. Select the specific user you want to give control over the OU.

  6. Select the check boxes shown in the screenshots.

 
 
That’s it! You have successfully delegated control to the simple AD user.
 
Note: After delegating control, removing a local user will not automatically remove that user from the Cloud DC (in case you have enabled the Delete Object option in AD Sync utility > Sync Services).
 
Reason: A simple local AD user (non-administrator) does not have privileges to view/get the Deleted Objects container. By default only domain-admin-level users have privileges on the Deleted Objects container in AD.
To grant permission on the Deleted Objects container, run the command below on your local DC. For the change to take effect you have to reboot the DC.
 
Open a PowerShell window using Run as administrator and execute the command below:

dsacls "CN=Deleted Objects,DC=ad10,DC=lab03,DC=com" /g ad10\hcsynctest:LCRP

*Replace the distinguished name (DC=ad10,DC=lab03,DC=com) and the account (ad10\hcsynctest) with your actual DC record and sync account. LC grants List Contents and RP grants Read Property, which is enough for the sync account to see deleted objects without being able to modify or restore them.
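The following script is an added example, not part of the original article, that wraps the dsacls command above with a check of its exit code, shows the resulting ACL for review, and then verifies from the sync account's own perspective that deleted objects are now visible. It assumes the same domain (ad10.lab03.com) and account (ad10\hcsynctest) as the article; replace both with your own values, and run it on a DC as an administrator with the ActiveDirectory PowerShell module installed.

```powershell
# Added example (not from the original article): grant the ADSync account
# List Contents + Read Property on the Deleted Objects container, then verify.
# Assumptions: domain ad10.lab03.com and account ad10\hcsynctest, as in the
# article; replace both with your own values. Run on a DC as an administrator.

$DeletedObjectsDN = "CN=Deleted Objects,DC=ad10,DC=lab03,DC=com"
$SyncAccount      = "ad10\hcsynctest"

# LC = List Contents, RP = Read Property: enough to enumerate tombstoned objects,
# not enough to modify or restore them (least privilege for a sync account).
dsacls $DeletedObjectsDN /g "${SyncAccount}:LCRP"
if ($LASTEXITCODE -ne 0) {
    throw "dsacls failed with exit code $LASTEXITCODE; run this from an elevated prompt on a DC"
}

# Print the container's ACL so the new entry can be reviewed before rebooting.
dsacls $DeletedObjectsDN

# Verify as the delegated account: with LC+RP in place this lists recently
# deleted objects; without it the query returns nothing or an access error.
Import-Module ActiveDirectory
$cred = Get-Credential -UserName $SyncAccount -Message "Password for the ADSync account"
Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects `
             -Credential $cred -Properties whenChanged |
    Select-Object Name, ObjectClass, whenChanged |
    Sort-Object whenChanged -Descending |
    Select-Object -First 10
```

If the final query returns no rows even though objects were deleted recently, the permission has not taken effect yet (the article notes a DC reboot is required) or the account and DN were not replaced correctly; the printed ACL should contain a line for the sync account with LIST CONTENTS and READ PROPERTY.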