November 27, 2010

Check Replicating Directory Changes permission via PowerShell

So, as you know, the ‘Replicating Directory Changes’ permission is required for User Profile Synchronization (Forefront Identity Manager) to work correctly.

How to grant this permission is described in other articles:

But how do you check that this permission has actually been granted to a particular user? Of course, this can be done with PowerShell.

Just change the $userName variable in the script below and run it.

The output looks like this:

User ‘EXAMPLE\User’:
    has a 'Replicating Directory Changes' permission on 'DC=example,DC=local'
    has no a 'Replicating Directory Changes' permission on 'CN=Configuration,DC=example,DC=local'

Check-ADReplicatingChangesPermission.ps1

function Check-ADUserPermission(
    [System.DirectoryServices.DirectoryEntry]$entry,
    [string]$user,
    [string]$permission
)
{
    # Look up the extended right by its display name in the Extended-Rights
    # container; object-specific ACEs refer to the right by this GUID.
    $dse = [ADSI]"LDAP://Rootdse"
    $ext = [ADSI]("LDAP://CN=Extended-Rights," + $dse.ConfigurationNamingContext)

    $right = $ext.psbase.Children |
        ? { $_.DisplayName -eq $permission }

    if($right -ne $null)
    {
        # Find ACEs on the entry that name this trustee directly and carry the
        # right's GUID. Rights granted through group membership are not matched.
        $perms = $entry.psbase.ObjectSecurity.Access |
            ? { $_.IdentityReference -eq $user } |
            ? { $_.ObjectType -eq [GUID]$right.RightsGuid.Value }

        return ($perms -ne $null)
    }
    else
    {
        Write-Warning "Permission '$permission' not found."
        return $false
    }
}


# Globals

$userName = "EXAMPLE\User"
$replicationPermissionName = "Replicating Directory Changes"

# Main()

$dse = [ADSI]"LDAP://Rootdse"

# Check both the domain naming context and the configuration naming context
$entries = @(
    [ADSI]("LDAP://" + $dse.defaultNamingContext),
    [ADSI]("LDAP://" + $dse.configurationNamingContext));

Write-Host "User '$userName': "
foreach($entry in $entries)
{
    $result = Check-ADUserPermission $entry $userName $replicationPermissionName

    if($result)
    {
        Write-Host "`thas a '$replicationPermissionName' permission on '$($entry.distinguishedName)'" `
            -ForegroundColor Green
    }
    else
    {
        Write-Host "`thas no a '$replicationPermissionName' permission on '$($entry.distinguishedName)'" `
            -ForegroundColor Red
    }
}

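The following is an added example, not the post's script: it performs the same check but also matches the right when it is granted through one of the account's groups (tokenGroups), treats a Deny ACE as blocking, and counts an unscoped ExtendedRight or GenericAll ACE, which covers every extended right. The function name Test-ADReplicationRight and the output fields are my own, and the account is assumed to live in the local forest.

```powershell
function Test-ADReplicationRight
{
    param(
        [string]$UserName,                                          # "DOMAIN\account"
        [string]$PermissionName = "Replicating Directory Changes"
    )
    $dse   = [ADSI]"LDAP://RootDSE"
    $ext   = [ADSI]("LDAP://CN=Extended-Rights," + $dse.configurationNamingContext)
    $right = $ext.psbase.Children | ? { $_.DisplayName -eq $PermissionName }
    if ($right -eq $null) { throw "Extended right '$PermissionName' not found." }
    $rightGuid = [GUID]$right.RightsGuid.Value
    $extRight  = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

    # Resolve the account to its SID and add every group SID from its token;
    # tokenGroups is computed by the DC and already contains nested groups.
    $account = New-Object System.Security.Principal.NTAccount -ArgumentList $UserName
    $userSid = $account.Translate([System.Security.Principal.SecurityIdentifier])
    $userObj = [ADSI]("LDAP://<SID=" + $userSid.Value + ">")
    $userObj.psbase.RefreshCache(@("tokenGroups"))
    $sids = @($userSid.Value)
    foreach ($bin in $userObj.psbase.Properties["tokenGroups"])
    {
        $sids += (New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $bin, 0).Value
    }

    foreach ($nc in @($dse.defaultNamingContext, $dse.configurationNamingContext))
    {
        $entry = [ADSI]("LDAP://" + $nc)
        # Request the ACL with SID trustees so matching does not depend on name resolution.
        $rules = $entry.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        # An ACE applies if it names the right's GUID, or if it is an unscoped ExtendedRight
        # (ObjectType empty; GenericAll includes this bit), which covers every extended right.
        $hits = @($rules | ? { $sids -contains $_.IdentityReference.Value } |
                           ? { $_.ObjectType -eq $rightGuid -or ($_.ObjectType -eq [Guid]::Empty -and (($_.ActiveDirectoryRights -band $extRight) -ne 0)) })
        $allow = @($hits | ? { $_.AccessControlType -eq "Allow" })
        $deny  = @($hits | ? { $_.AccessControlType -eq "Deny" })

        New-Object PSObject -Property @{
            NamingContext = $nc
            Permission    = $PermissionName
            # Conservative: any matching Deny ACE is treated as blocking the right.
            Effective     = ($allow.Count -gt 0 -and $deny.Count -eq 0)
            GrantedVia    = @($allow | % { $id = $_.IdentityReference
                                          try { $id.Translate([System.Security.Principal.NTAccount]).Value } catch { $id.Value } })
        }
    }
}
Test-ADReplicationRight -UserName "EXAMPLE\User" | Format-List
```

GrantedVia lists the trustees (the account itself or one of its groups) whose Allow ACEs matched, which is what you want to know when the right turns out to come from a group rather than from the account.
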
And, of course, I hate it!

Sincerely yours,

Andrew MossHater.

3 comments:

  1. That's a great script, thank you for sharing

  2. When I run the command script I get both outputs:

    has a 'Replicating Directory Changes' permission on 'DC=abc,DC=com'

    has no a 'Replicating Directory Changes' permission on 'CN=Configuration,DC=abc,DC=com'

    What is the impact of not having or having the "Replicate Directory Changes" permission on the Configuration common name layer of AD?

  3. We need one of these to check Replicating Directory Changes from a trusted domain
