Our current situation:
- our farm contains two DCs, one SP 2010 and one EX 2010 server
- the SharePoint is running fine
- the User-Profile-Synchronization-service is up and running, AD-imports are done well
What we'd like to do:
- export user-object data into the AD (e.g. thumbnailPhoto)
What we've done:
- we added all permission requirements to the syncing system user account (write objects, create objects, replicate directory and pre-Windows 2000 access)
What happens:
The export of objects fails on admin accounts. An investigation with the "Synchronization Service Manager on SP" (miisclient.exe) shows a "completed-export-err" during the "DS_EXPORT". Digging in tells us "Error: permission-issue", the permissions are not sufficient.
What do we need to do to set up the AD permissions of the sync account so that it is able to write attributes of our administrative user accounts?
Best Answer
For now we decided to solve the "problem" with a workaround, by adding extra user accounts for each administrator.
Why are we doing that? At first, I'd like to point out that I have some pain with adding extra administrative permissions to the export service account. It seems to be a bad idea to grant this account such great power over the Active Directory, to even manipulate admin accounts in general. Another way could have been to adjust the "administrative flags" which seem to prohibit changes on admin objects in general (unless an admin is the manipulator). I guess this is also a bad idea, since this would grant the service full power over admin accounts too, and we might affect additional services which rely on these flags for proper functionality.
Since we made this decision, we now have to migrate the farm status to the "new" situation. This is not that trivial, that's why I'd like to share our current workflow, in case somebody has to do the same:
Creating additional user-accounts for an admin in a SharePoint/Exchange-Farm (if you were working with administrative accounts before)
This solution aims at transferring the admin username to a new and normal user object.
adminCount being greater than or equal to 1.
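As an added diagnostic example (not part of the question or the answer above), the following PowerShell lists the accounts whose adminCount is 1 or higher, i.e. the ones whose ACL is governed by AdminSDHolder, and reports for each whether the sync service account currently holds an Allow ACE that can write thumbnailPhoto. The account name `CONTOSO\svc-spsync` and the use of the ActiveDirectory module's `AD:` drive are assumptions.

```powershell
# Added example, not from the original post. Requires RSAT / the ActiveDirectory module.
Import-Module ActiveDirectory

$SyncAccount = 'CONTOSO\svc-spsync'   # placeholder: the UPS export/sync service account
$rootDse     = Get-ADRootDSE

# Resolve the schemaIDGUID of thumbnailPhoto from the schema instead of hard-coding it.
$attrObj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
             -LDAPFilter '(lDAPDisplayName=thumbnailPhoto)' -Properties schemaIDGUID
$thumbGuid = New-Object System.Guid (,([byte[]]$attrObj.schemaIDGUID))

# adminCount >= 1 marks objects protected by AdminSDHolder; SDProp periodically re-stamps
# their ACL, so a write permission delegated directly on them does not persist.
$protected = Get-ADUser -LDAPFilter '(adminCount>=1)' -Properties adminCount

foreach ($u in $protected) {
    $acl = Get-Acl -Path ("AD:\" + $u.DistinguishedName)

    # An ACE grants the write if it is Allow, includes WriteProperty, is for the sync
    # account, and is scoped either to thumbnailPhoto or to all properties (empty GUID).
    $writeAce = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $SyncAccount -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band
          [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -ne 0) -and
        ($_.ObjectType -eq $thumbGuid -or $_.ObjectType -eq [guid]::Empty)
    }

    [pscustomobject]@{
        SamAccountName             = $u.SamAccountName
        adminCount                 = $u.adminCount
        SyncCanWriteThumbnailPhoto = [bool]$writeAce
    }
}
```

Accounts listed with `SyncCanWriteThumbnailPhoto` set to False are the ones on which a DS_EXPORT of that attribute will fail with the permission error described in the question.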