Does SharePoint 2010 Mess With My Active Directory?

May 31 2010 3 comments

Before launch, SharePoint 2010 was advertised as coming with “AD or LDAP writeback” capabilities. SP2010 ships with the profile synchronization engine from ForeFront Identity Manager (FIM). This is a huge step from the simple profile import functionality of MOSS.

When hearing this, every IT administrator gasps: will SP2010 mess with my Active Directory? Suspicions arise when the SharePoint people come to visit and ask for “Replicating Directory Changes” permissions in AD.

Also, after configuring the synchronization with default settings, the profile synchronization log contains some interesting lines hinting at an automatic export:

But there is no need to worry; the process is described in the TechNet article:

1. “Authenticated users who have Replicate Directory Changes permissions will be granted read-access to AD DS objects.” This is done by the AD administrator and is required also for one-way import.

2. “Additional permissions can be granted using access control lists (ACLs) in AD DS. SharePoint Server 2010 will not write profile data back to AD DS unless Write permission is explicitly set on the account that has Replicate Directory Changes permissions.” This is also done by the AD administrator and is required only for the two-way synchronization.

3. “By default, no user profile property is set to Export. You must explicitly define the user profile properties that you want to export back to the directory service from the user profile store.” This is done by the SharePoint administrator and is required only for the two-way synchronization.

The last step is configurable in the profile property settings:

In summary: SP2010 contains two-way profile synchronization with AD, but it has to be explicitly enabled in both AD and SP2010.
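For an AD administrator who wants to verify steps 1 and 2 rather than take the SharePoint team's word for it, the following PowerShell audit is an added example (not code from the original post, TechNet, or the SharePoint product). It reports whether a given account holds the read-only Replicating Directory Changes right on the domain naming context, and whether that same account has any write rights on the domain root or its OUs, which is the only way profile data could flow back into AD. It assumes the RSAT ActiveDirectory module; the account name `CONTOSO\svc-spups` is a placeholder for your own sync account.

```powershell
# Added example: audit what the SharePoint sync account may do in AD.
# Assumes the RSAT ActiveDirectory module (provides the AD: drive).
# CONTOSO\svc-spups is a placeholder; replace it with your sync account.
Import-Module ActiveDirectory

$Account  = 'CONTOSO\svc-spups'
$DomainDN = (Get-ADDomain).DistinguishedName

# Well-known GUID of the DS-Replication-Get-Changes extended right, which is
# what the "Replicating Directory Changes" checkbox in AD grants. It is a
# read-only right used for import; it does not allow writing to AD.
$ReplGetChanges = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'

# Any of these rights would let the account modify objects (i.e. writeback).
$WriteMask = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, GenericWrite, GenericAll, WriteDacl, WriteOwner'

# Step 1 check: the replication right lives on the domain naming context root.
$rootAces = (Get-Acl -Path ("AD:\" + $DomainDN)).Access |
    Where-Object { $_.IdentityReference.Value -eq $Account -and $_.AccessControlType -eq 'Allow' }

$hasRepl = $rootAces | Where-Object {
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
    $_.ObjectType -eq $ReplGetChanges
}
Write-Output ("Replicating Directory Changes on {0}: {1}" -f $DomainDN, [bool]$hasRepl)

# Step 2 check: look for explicit or inherited write ACEs for the account on the
# domain root and on every OU, since user objects may live anywhere below root.
$paths = @($DomainDN) + (Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName)
$writeAces = foreach ($dn in $paths) {
    (Get-Acl -Path ("AD:\" + $dn)).Access |
        Where-Object {
            $_.IdentityReference.Value -eq $Account -and
            $_.AccessControlType -eq 'Allow' -and
            -not $_.IsInherited -and            # report where the right is granted, not every object inheriting it
            ($_.ActiveDirectoryRights -band $WriteMask)
        } |
        Select-Object @{n='Path';e={$dn}}, ActiveDirectoryRights, ObjectType, InheritanceType
}

if ($writeAces) {
    Write-Output "Write rights found for $Account (export back to AD is possible):"
    $writeAces | Format-Table -AutoSize
} else {
    Write-Output "No write rights found for $Account. SharePoint can import profiles but cannot write them back."
}
```

The script only reads ACLs, so it is safe to run on a production domain. The second check filters to non-inherited ACEs so the output shows where a write right was granted rather than listing every OU that inherits it; drop the `-not $_.IsInherited` clause if you want the full picture. Note that membership in a group with write rights would not show up under the account's own name, so also check the groups the sync account belongs to.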


3 comments to “Does SharePoint 2010 Mess With My Active Directory?”

  1. [...] I wrote earlier, SharePoint 2010 ships with a profile synchronization engine from ForeFront Identity Manager. After [...]

  2. Half says:

    I’m glad to read this. However, it would be useful to find a more comprehensive description of these permissions, in order to convince AD admins to assign it to a SharePoint account. You’re right, the first thing they say is “I have to check it, because if something wrong happens, AD might be irreversibly corrupted”.

  3. Arttu Arstila says:

    Thanks for the comment! Here is a great and detailed description of what is needed in order for the profile sync to work: http://www.harbar.net/articles/sp2010ups.aspx
