So, as you know, the ‘Replicating Directory Changes’ permission is required for User Profile synchronization (ForeFront Identity Manager) to work correctly.
How to set this permission is described in other articles:
- Microsoft SharePoint Product Group: How to set Replication Directory Changes,
- KB303972: How to grant the "Replicating Directory Changes" permission for the Microsoft Metadirectory Services ADMA service account,
But how do we check that this permission has been granted to a particular user? Of course, we can accomplish this task with PowerShell.
Just change the $userName variable in the script below and run it.
Output like:
User ‘EXAMPLE\User’:
has a 'Replicating Directory Changes' permission on 'DC=example,DC=local'
has no a 'Replicating Directory Changes' permission on 'CN=Configuration,DC=example,DC=local'
Check-ADReplicatingChangesPermission.ps1
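function Check-ADUserPermission(
[System.DirectoryServices.DirectoryEntry]$entry,
[string]$user,
[string]$permission)
{
    # Purpose: report whether an Allow ACE for the named extended right
    # (e.g. 'Replicating Directory Changes') exists on $entry for the
    # identity $user exactly as it appears in the ACL (DOMAIN\name form).
    # Only ACEs whose IdentityReference equals $user are examined: a grant
    # received through group membership, or via a broader ACE whose
    # ObjectType is not this right's GUID (e.g. a full-control entry), is
    # not recognised and reports $false.
    # Arguments:
    #   $entry      - DirectoryEntry whose security descriptor is inspected
    #   $user       - identity as written in the ACL, e.g. 'EXAMPLE\User'
    #   $permission - DisplayName of the right under CN=Extended-Rights
    # Returns: $true when a matching Allow ACE is present, otherwise $false
    #          (also $false, with a warning, when the right name is unknown).
    $dse = [ADSI]"LDAP://Rootdse"
    $ext = [ADSI]("LDAP://CN=Extended-Rights," + $dse.ConfigurationNamingContext)
    # Resolve the right's GUID from the configuration partition. The match on
    # DisplayName is exact, so 'Replicating Directory Changes' does not also
    # pick up 'Replicating Directory Changes All'.
    $right = $ext.psbase.Children |
        ? { $_.DisplayName -eq $permission } |
        Select-Object -First 1
    if($null -eq $right)
    {
        Write-Warning "Permission '$permission' not found."
        return $false
    }
    $rightGuid = [GUID]$right.RightsGuid.Value
    # Only an Allow entry grants the right. The previous version did not
    # look at AccessControlType, so a Deny ACE for this identity was
    # reported as "has permission".
    $perms = $entry.psbase.ObjectSecurity.Access |
        ? { $_.IdentityReference -eq $user } |
        ? { $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow } |
        ? { $_.ObjectType -eq $rightGuid }
    # @() normalises $null / single object / array to a countable collection.
    return (@($perms).Count -gt 0)
}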
# Globals
$userName = "EXAMPLE\User"
$replicationPermissionName = "Replicating Directory Changes"
# Main()
# The right is needed on both the domain partition and the configuration
# partition, so both naming contexts from RootDSE are inspected.
$dse = [ADSI]"LDAP://Rootdse"
$entries = @($dse.defaultNamingContext, $dse.configurationNamingContext) |
    % { [ADSI]("LDAP://" + $_) }
Write-Host "User '$userName': "
foreach($entry in $entries)
{
    $granted = Check-ADUserPermission $entry $userName $replicationPermissionName
    # Same message text as before; only the verb and colour depend on the result.
    $verb = if($granted) { "has a" } else { "has no a" }
    $color = if($granted) { "Green" } else { "Red" }
    Write-Host "`t$verb '$replicationPermissionName' permission on '$($entry.distinguishedName)'" `
        -ForegroundColor $color
}
[System.DirectoryServices.DirectoryEntry]$entry,
[string]$user,
[string]$permission)
{
$dse = [ADSI]"LDAP://Rootdse"
$ext = [ADSI]("LDAP://CN=Extended-Rights," + $dse.ConfigurationNamingContext)
$right = $ext.psbase.Children |
? { $_.DisplayName -eq $permission }
if($right -ne $null)
{
$perms = $entry.psbase.ObjectSecurity.Access |
? { $_.IdentityReference -eq $user } |
? { $_.ObjectType -eq [GUID]$right.RightsGuid.Value }
return ($perms -ne $null)
}
else
{
Write-Warning "Permission '$permission' not found."
return $false
}
}
# Globals
# NOTE(review): this section repeats the "Globals" / "Main()" section that
# appears earlier on the page verbatim (looks like a paste duplication);
# confirm and keep only one copy.
$userName = "EXAMPLE\User"
$replicationPermissionName = "Replicating Directory Changes"
# Main()
# Inspect the domain and configuration naming contexts reported by RootDSE.
$dse = [ADSI]"LDAP://Rootdse"
$namingContexts = @($dse.defaultNamingContext, $dse.configurationNamingContext)
$entries = foreach($nc in $namingContexts) { [ADSI]("LDAP://" + $nc) }
Write-Host "User '$userName': "
foreach($entry in $entries)
{
    $granted = Check-ADUserPermission $entry $userName $replicationPermissionName
    if($granted)
    {
        $verb = "has a"
        $color = "Green"
    }
    else
    {
        $verb = "has no a"
        $color = "Red"
    }
    Write-Host "`t$verb '$replicationPermissionName' permission on '$($entry.distinguishedName)'" -ForegroundColor $color
}
And, of course, I hate it!
Sincerely yours,
Andrew MossHater.