Grant Active Directory Domain Services permissions for profile synchronization in SharePoint Server 2013

When you’re provisioning the User Profile Service (UPS), you can synchronize user profile information from Active Directory using the User Profile Synchronization Service. This TechNet article describes the steps required for configuring profile synchronization in SharePoint Server 2013.

Synchronization between AD and SharePoint should run under a dedicated domain account, called the synchronization account, e.g. DOMAIN\SP_UserSync.

This synchronization account requires the Replicate Directory Changes permission (the DS-Replication-Get-Changes extended right) on the domain, so that it can ask AD “what has changed since X” for the partitions being synchronized. This is the right behind AD’s change-tracking (DirSync) query, which is how the synchronization service picks up only the objects that changed since the last run instead of re-reading the whole directory. Note that it is a different right from Replicate Directory Changes All; SharePoint does not need the latter, and you should not grant it.
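The grant itself, as an added example that is not part of the original post or the TechNet article. It assumes the RSAT ActiveDirectory PowerShell module is installed, that you run it as an account allowed to change the domain root ACL, and that the synchronization account is the post’s DOMAIN\SP_UserSync (change the name to match your environment). It grants only the Replicate Directory Changes right, on the domain root and without inheritance, and then reads the ACL back to confirm the ACE is present.

```powershell
# Added example, not code from the original post. Grants the SharePoint
# synchronization account the "Replicate Directory Changes" extended right on
# the domain root, then verifies the resulting ACE.
# Assumes: RSAT ActiveDirectory module, rights to modify the domain ACL.
Import-Module ActiveDirectory

$SyncAccount = 'DOMAIN\SP_UserSync'   # assumption: the post's example account name

# Well-known rightsGuid of the DS-Replication-Get-Changes control access right
# ("Replicate Directory Changes" in the ACL editor). This is the only one SharePoint needs.
$GetChanges = [Guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'

$Domain  = Get-ADDomain
$AclPath = "AD:\$($Domain.DistinguishedName)"   # domain root, e.g. AD:\DC=corp,DC=example

# Resolve the account to a SID; ACEs are stored by SID, not by name
$Sid = (New-Object System.Security.Principal.NTAccount($SyncAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier])

# Allow ACE: ExtendedRight, limited to the Get-Changes GUID, no inheritance to children
$Ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $Sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $GetChanges,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

$Acl = Get-Acl -Path $AclPath
$Acl.AddAccessRule($Ace)
Set-Acl -Path $AclPath -AclObject $Acl

# Verify: re-read the ACL and confirm exactly this ACE exists for the sync account
$Granted = (Get-Acl -Path $AclPath).Access | Where-Object {
    $_.IdentityReference.Value -eq $SyncAccount -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
    $_.ObjectType -eq $GetChanges
}

if ($Granted) {
    Write-Output "OK: $SyncAccount holds Replicate Directory Changes on $($Domain.DistinguishedName)"
} else {
    Write-Warning "Replicate Directory Changes ACE for $SyncAccount not found on $($Domain.DistinguishedName)"
}
```

The same grant can be made in the ACL editor of Active Directory Users and Computers on the domain object (Security tab, Advanced, add the account and tick only “Replicate Directory Changes”); the script form is easier to review and to repeat across environments.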

Myths about Replicate Directory Changes

There are a few myths I’d like to bust about these permissions:

The Synchronization Account will be able to modify AD!

This is not the case: Replicate Directory Changes is a read-only extended right. A holder cannot create, modify or delete objects or attributes in AD using this permission. Whatever write access the account does have comes from other permissions granted to it, which is why the synchronization account should be a plain user account with no other rights.

The Synchronization Account will be able to retrieve passwords!

This is not the case: the holder can read all non-secret data in the domain, but not password hashes or other secret attributes. Two caveats are worth knowing, though. First, reads made through the change-tracking (DirSync) query are not filtered by per-object ACLs, so the account sees attributes that may have been hidden from ordinary users; in practice most of this information is readable by all authenticated users by default anyway. Second, the related right Replicate Directory Changes All (DS-Replication-Get-Changes-All) does include secret attributes, which is exactly what “DCSync”-style attacks use to pull password hashes from a domain controller. SharePoint does not need it, so audit the domain root for anyone holding it and keep the synchronization account off that list.
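An audit to go with the second caveat, as an added example that is not part of the original post. It assumes the RSAT ActiveDirectory module and enumerates every Allow ACE on the domain root that grants one of the replication extended rights, reporting which right each principal holds and flagging holders of Replicate Directory Changes All. The list of principals treated as expected defaults (domain controllers, Administrators, SYSTEM) is an assumption for illustration; compare the output against your own baseline rather than trusting that list.

```powershell
# Added example, not code from the original post. Lists who holds the AD
# replication extended rights on the domain root and flags holders of
# "Replicate Directory Changes All", which (unlike plain "Replicate Directory
# Changes") allows reading password hashes.
# Assumes: RSAT ActiveDirectory module, read access to the domain root ACL.
Import-Module ActiveDirectory

# Well-known rightsGuid values of the three replication control access rights
$ReplicationRights = @{
    [Guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicate Directory Changes'                  # needed by SharePoint UPS
    [Guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicate Directory Changes All'              # includes secrets; NOT needed
    [Guid]'89e95b76-444d-4c62-991a-0facbeda640c' = 'Replicate Directory Changes In Filtered Set'  # RODC-related; NOT needed
}

# Assumption for illustration: principals that normally hold these rights by default.
# Anything else holding "Changes All" deserves a look.
$ExpectedHolders = @(
    'NT AUTHORITY\SYSTEM',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
    'BUILTIN\Administrators'
)

$Domain  = Get-ADDomain
$AclPath = "AD:\$($Domain.DistinguishedName)"
$Acl     = Get-Acl -Path $AclPath

$Report = foreach ($Ace in $Acl.Access) {
    # Only Allow ACEs that carry an extended right with one of the replication GUIDs
    if ($Ace.AccessControlType -ne 'Allow') { continue }
    if (-not ($Ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) { continue }
    if (-not $ReplicationRights.ContainsKey($Ace.ObjectType)) { continue }

    $Principal = $Ace.IdentityReference.Value
    $RightName = $ReplicationRights[$Ace.ObjectType]
    $IsDefault = $ExpectedHolders -contains $Principal -or $Principal -like '*\Domain Controllers' -or $Principal -like '*\Enterprise Read-only Domain Controllers'

    [PSCustomObject]@{
        Principal = $Principal
        Right     = $RightName
        Flag      = if ($RightName -eq 'Replicate Directory Changes All' -and -not $IsDefault) { 'REVIEW: can read password hashes' }
                    elseif ($IsDefault) { 'default' }
                    else { 'custom grant' }
    }
}

$Report | Sort-Object Right, Principal | Format-Table -AutoSize
```

Run this after granting the synchronization account its right: the account should appear once, under “Replicate Directory Changes” with the flag “custom grant”, and nothing but the default holders should appear under “Replicate Directory Changes All”.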

My sensitive information in AD, such as pay-levels, will be exposed by this!

Only if you map it: SharePoint’s out-of-the-box profile property mappings cover a fixed set of standard AD attributes. Custom attributes such as pay levels reach user profiles only if you explicitly create a profile property, map it to the AD attribute and import it. The permission itself does not publish anything; what ends up visible in user profiles is decided by your property mappings and the privacy settings on each profile property.