You can configure the Active Directory security permissions either by using the simple configuration or the advanced configuration.
Simple configuration (Recommended)
In the simple configuration, the AD Synchronization account has general read-write access to your Active Directory.
Advanced configuration
Some organizations prefer to restrict this account to the absolute minimum permissions needed.
- The account should be a member of "Domain Users" (this gives read access to the entire AD).
- Go to the Group Policy Management Console in Windows.
- Locate the Active Directory Container for your distribution groups. (There may be many depending on your AD structure.)
- Choose the Delegation tab.
- Click Advanced.
- Click Advanced again on the dialog that comes up.
- Click Add, and select the Sync Account user.
- Assign the following right for "This object and all child objects":
  - Write All Properties
- If you also wish to write to users' AD profile fields, then "Write All Properties" is also required on any container that stores user accounts.
* The Group Policy Management Console is an installable feature on Server 2008 and 2012.
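The same delegation can be scripted and then verified, so the resulting ACL can be audited against the minimum described above. This is an added example, not part of the original instructions; it assumes the ActiveDirectory PowerShell module is installed, and the account name and container paths are placeholders.

```powershell
# Added example: the account name and container DNs below are placeholders (assumptions).
Import-Module ActiveDirectory

$SyncAccount = 'CONTOSO\svc-adsync'                      # placeholder sync account
$Containers  = @(
    'OU=Distribution Groups,DC=contoso,DC=example'      # placeholder: distribution group container
    # 'OU=Staff,DC=contoso,DC=example'                  # placeholder: only if user profile fields are written
)

$WriteProperty = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$sid = (New-Object System.Security.Principal.NTAccount($SyncAccount)).Translate(
    [System.Security.Principal.SecurityIdentifier])

# No property GUID is supplied, so WriteProperty applies to all properties.
# Inheritance "All" corresponds to "This object and all child objects".
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

foreach ($dn in $Containers) {
    $path = "AD:\$dn"

    # Grant the delegation on this container.
    $acl = Get-Acl -Path $path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl

    # Verify: list the explicit ACEs held by the sync account on this container
    # and flag any that grant more than WriteProperty.
    (Get-Acl -Path $path).GetAccessRules($true, $false,
            [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq $sid.Value } |
        Select-Object @{n='Container';e={$dn}},
            ActiveDirectoryRights, InheritanceType, AccessControlType,
            @{n='BroaderThanNeeded';e={ $_.ActiveDirectoryRights -ne $WriteProperty }}
}
```

Any row with `BroaderThanNeeded` set to `True` is an explicit grant to the sync account that goes beyond the single right listed in the steps above.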