HC ADSync: How to Delegate Permissions to simple Active Directory User

Question: How to Delegate Permissions to Simple Active Directory User?
 
Answer:

While configuring AD Connect Sync, the credentials of the local Active Directory domain\admin generally suffice. However, some organizations prefer to connect with the credentials of a less privileged account. This article explains how to delegate to a simple AD user, one with no administrative privileges, the permissions it needs for ADSync connectivity.

  1. A user with privileges on a certain OU can provide its credentials in Local AD Settings.

  2. This user has no administrator privileges; it is a simple AD user.

  3. The OU added in Local AD Settings must have permissions delegated to the user from step 2.

  4. To delegate the user control over that OU, follow the procedure below: open Active Directory, expand the root OU and navigate to the OU in question. Right-click the OU to delegate control over it.

  5. Select the specific user you want to give control over the OU.

  6. Select the check boxes shown in the screenshots.

That’s it! You have successfully delegated control to the simple AD User.

*** The above steps should be sufficient to sync users, including domain admins. However, if you receive an "Access denied" error when attempting to sync domain admin users, run the ADSync service account with domain admin privileges.
 
Note: After delegating control, when you remove a local user it will not automatically be removed from the Cloud DC (if you have enabled the Delete Object option in AD Sync utility > Sync Services).
 
Reason: A simple local AD user (non-administrator) does not have privileges to view or read the Deleted Objects container. By default, only domain admin level users have privileges on the Deleted Objects container in AD.
To grant permission on the Deleted Objects container, run the command below on your local DC. For the change to take effect, you have to reboot the DC.
 
Open PowerShell using Run as administrator and execute the command below:

dsacls "CN=Deleted Objects,DC=ad10,DC=lab03,DC=com" /g ad10\hcsynctest:LCRP
*Replace the distinguished name (DC=ad10,DC=lab03,DC=com) and the account (ad10\hcsynctest) with the values for your own domain and sync account.
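The delegation steps above and the dsacls command leave you with no quick way to confirm what the sync account can actually do. The PowerShell script below is an added example, not part of the original article or the ADSync product: it reads the ACEs held by the delegated account on the synced OU and on the Deleted Objects container, checks that the LC (List Contents) and RP (Read Property) rights granted by the article's dsacls command are present, and flags ACEs on the OU that go beyond what a sync account needs. It assumes the RSAT ActiveDirectory module, that it runs as a Domain Admin on a DC, and an OU DN of OU=SyncUsers,DC=ad10,DC=lab03,DC=com (assumed; the account ad10\hcsynctest and the domain are taken from the article).

```powershell
# Added example (not from the original article): audit the rights a delegated,
# non-admin ADSync account holds on the synced OU and on Deleted Objects.
# Run as a Domain Admin on a DC with the RSAT ActiveDirectory module installed.
Import-Module ActiveDirectory

$SyncAccount = 'ad10\hcsynctest'                         # account used in the article
$SyncOU      = 'OU=SyncUsers,DC=ad10,DC=lab03,DC=com'    # assumed OU from Local AD Settings
# Read the Deleted Objects DN from the domain instead of typing it by hand
$DeletedObjectsDN = (Get-ADDomain).DeletedObjectsContainer

function Get-AccountAces {
    # Returns the explicit and inherited ACEs that name $Account on one object.
    param(
        [Parameter(Mandatory)] [string] $DistinguishedName,
        [Parameter(Mandatory)] [string] $Account
    )
    try {
        $acl = Get-Acl -Path ("AD:\" + $DistinguishedName) -ErrorAction Stop
    }
    catch {
        # Deleted Objects is owned by SYSTEM and by default cannot be read even by
        # Domain Admins until ownership is taken:  dsacls "<DN>" /takeownership
        Write-Warning ("Cannot read ACL of {0}: {1}" -f $DistinguishedName, $_.Exception.Message)
        return @()
    }
    $acl.Access |
        Where-Object { $_.IdentityReference.Value -eq $Account } |
        Select-Object @{ n = 'Object'; e = { $DistinguishedName } },
                      AccessControlType, ActiveDirectoryRights,
                      InheritanceType, ObjectType, IsInherited
}

function Test-DeletedObjectsAccess {
    # The article's "dsacls ... /g <account>:LCRP" grants LC = List Contents
    # (ListChildren) and RP = Read Property (ReadProperty). Both must be allowed;
    # GenericRead or GenericAll already include them.
    param(
        [Parameter(Mandatory)] [string] $DistinguishedName,
        [Parameter(Mandatory)] [string] $Account
    )
    $allow  = Get-AccountAces -DistinguishedName $DistinguishedName -Account $Account |
              Where-Object { $_.AccessControlType -eq 'Allow' }
    $rights = ($allow | ForEach-Object { $_.ActiveDirectoryRights.ToString() }) -join ', '
    return ($rights -match 'ListChildren' -and $rights -match 'ReadProperty') -or
           ($rights -match 'GenericRead') -or ($rights -match 'GenericAll')
}

function Test-LeastPrivilege {
    # Flags Allow ACEs on the OU with rights a sync account should not normally hold.
    param(
        [Parameter(Mandatory)] [string] $DistinguishedName,
        [Parameter(Mandatory)] [string] $Account
    )
    $risky = 'GenericAll', 'WriteDacl', 'WriteOwner'
    Get-AccountAces -DistinguishedName $DistinguishedName -Account $Account |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        Where-Object {
            $r = $_.ActiveDirectoryRights.ToString()
            @($risky | Where-Object { $r -match $_ }).Count -gt 0
        }
}

"== ACEs for $SyncAccount on $SyncOU =="
Get-AccountAces -DistinguishedName $SyncOU -Account $SyncAccount | Format-Table -AutoSize

"== Deleted Objects access (needed for deletions to sync to the cloud) =="
if (Test-DeletedObjectsAccess -DistinguishedName $DeletedObjectsDN -Account $SyncAccount) {
    "OK: $SyncAccount can list and read $DeletedObjectsDN"
} else {
    "MISSING: grant with  dsacls `"$DeletedObjectsDN`" /g ${SyncAccount}:LCRP  (see the article)"
}

"== Over-privileged ACEs on the OU =="
$over = Test-LeastPrivilege -DistinguishedName $SyncOU -Account $SyncAccount
if ($over) { $over | Format-Table -AutoSize } else { "None: the delegation is scoped" }
```

If the script warns that the ACL of the Deleted Objects container cannot be read, that is the default state of that container: take ownership first with `dsacls "<DN>" /takeownership` (run as a Domain Admin), then apply the article's `/g ... :LCRP` grant and reboot the DC as the article describes. The least-privilege check is the defender's counterpart to step 6 above: a sync account that ends up with GenericAll, WriteDacl or WriteOwner on the OU can modify the delegation itself, which is more than directory synchronization needs.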