Does SharePoint 2010 Mess With My Active Directory?
Before launch, SharePoint 2010 was advertised as coming with “AD or LDAP writeback” capabilities. SP2010 ships with the profile synchronization engine from Forefront Identity Manager (FIM). This is a huge step up from the simple profile import functionality of MOSS.
When hearing this, every IT administrator gasps. Will SP2010 mess with my Active Directory? Suspicions arise when SharePoint guys come to visit and ask for “Replicating Directory Changes” permissions in AD.
Also, after configuring the synchronization with default settings, the profile synchronization log contains some interesting lines that hint at automatic export:
But there is no need to worry, as the process is described in the TechNet article:
1. “Authenticated users who have Replicate Directory Changes permissions will be granted read-access to AD DS objects.” This is done by the AD administrator and is also required for one-way import.
2. “Additional permissions can be granted using access control lists (ACLs) in AD DS. SharePoint Server 2010 will not write profile data back to AD DS unless Write permission is explicitly set on the account that has Replicate Directory Changes permissions.” This is also done by the AD administrator and is required only for the two-way synchronization.
3. “By default, no user profile property is set to Export. You must explicitly define the user profile properties that you want to export back to the directory service from the user profile store.” This is done by the SharePoint administrator and is required only for the two-way synchronization.
The last step is configurable in the profile property settings:
As a summary: SP2010 contains two-way profile synchronization with AD, but it has to be explicitly enabled in both AD and SP2010.
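Since the first two steps live entirely in the AD ACL, an AD administrator can verify them rather than take the SharePoint team's word for it. The script below is an added example, not part of the original post and not Microsoft or SharePoint tooling: it reads the ACL of the domain partition and reports whether the synchronization account holds “Replicating Directory Changes” (needed for import) and whether it holds any write-type right (which is what would make writeback possible). It assumes the RSAT ActiveDirectory module is installed and that the caller can read the domain ACL; the account name `CONTOSO\spUPS` is a placeholder.

```powershell
# Added example (not from the original post or from Microsoft): audit the ACEs a
# SharePoint profile synchronization account holds directly on the domain partition.
# Assumes the ActiveDirectory module; the account name is a placeholder.

Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

# rightsGUID of the DS-Replication-Get-Changes control access right, shown as
# "Replicating Directory Changes" in the ACL editor.
$ReplicatingDirectoryChangesGuid = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'

function Test-ProfileSyncAccountRights {
    param(
        # Placeholder: the account configured on the profile synchronization connection.
        [string]$SyncAccount = 'CONTOSO\spUPS'
    )

    $domainDN = (Get-ADDomain).DistinguishedName
    $acl      = Get-Acl -Path "AD:\$domainDN"

    # Only ACEs granted directly to this account are inspected. Rights obtained through
    # group membership need a separate look at the groups the account belongs to.
    $entries = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $SyncAccount -and $_.AccessControlType -eq 'Allow'
    })

    $extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $canReplicate  = @($entries | Where-Object {
        (($_.ActiveDirectoryRights -band $extendedRight) -ne 0) -and
        # An empty ObjectType on an ExtendedRight ACE means "all extended rights".
        ($_.ObjectType -eq $ReplicatingDirectoryChangesGuid -or $_.ObjectType -eq [guid]::Empty)
    }).Count -gt 0

    # Any of these lets the account modify directory objects, i.e. would enable writeback.
    $writeMask = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
                 [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite -bor
                 [System.DirectoryServices.ActiveDirectoryRights]::GenericAll -bor
                 [System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
                 [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl -bor
                 [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner
    $writeEntries = @($entries | Where-Object { ($_.ActiveDirectoryRights -band $writeMask) -ne 0 })

    [pscustomobject]@{
        Account      = $SyncAccount
        DomainDN     = $domainDN
        CanReplicate = $canReplicate
        CanWriteToAD = $writeEntries.Count -gt 0
        WriteEntries = $writeEntries | Select-Object ActiveDirectoryRights, ObjectType, InheritanceType
    }
}

# An import-only setup should report CanReplicate = True and CanWriteToAD = False.
Test-ProfileSyncAccountRights -SyncAccount 'CONTOSO\spUPS' | Format-List
```

The check looks only at the domain naming context and only at ACEs that name the account itself, so a write right granted to a group the account is a member of, or on a sub-OU, would not show up; extend the group and OU coverage if the account was provisioned that way. The third step (which properties are marked Export) is a SharePoint-side setting and is reviewed in the profile property pages described above.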
I’m glad to read this. However, it would be useful to find a more comprehensive description of these permissions, in order to convince AD admins to assign it to a SharePoint account. You’re right, the first thing they say is “I have to check it, because if something wrong happens, AD might be irreversibly corrupted”.
Thanks for the comment! Here is a great and detailed description of what is needed in order for the profile sync to work: http://www.harbar.net/articles/sp2010ups.aspx
MS is telling us the full version of FIM 2010 is not compatible with SP2010 (as of today, 3/1/2011). True?
So what’s missing from the version of FIM 2010 that SharePoint installed and appears to be using?
We have a simple requirement to allow users to change their own passwords. Will the version of FIM installed with SP2010 allow this, or do we need the full version of FIM 2010, and again, will that install and work with SP2010?
Also, say we keep the above requirement on a separate server and only want to do user profile imports (no updating of AD), can we remove privileges from our service account for Replication and Create Child on AD?
And finally, the User profile Sync connection screens are very different, I’m not finding where to add filters. Is there another screen for Imports that’s not the Sync connection screen?
Thanks.
Hi,
Is there any way we can use user profile synchronisation with only read rights in AD? I have a local SharePoint in a large international company and the right will be given to me.
Please let me know how to import data from LDAP to the SP 2010 user profile store.