Documentation

Active Directory security permissions (7.1.0)

Active Directory security permissions

You can configure the Active Directory security permissions either by using the simple configuration or the advanced configuration.

Simple configuration (Recommended)

The simple configuration is for the AD Synchronization account to have general read-write access to your Active Directory. 

Advanced configuration

Some organizations prefer to restrict this account to have the absolute minimum permissions needed. If your AD Synchronization account is restricted in this way, and you want to use Group Page Synchronization in MS Exchange Mode, then you may need to grant the AD Synchronization account some extra permissions to use this feature. 
  1. The account should be a member of "Domain Users" (this gives read access to entire AD).
  2. Go to the Group Policy Management Console in Windows.
    1. Locate the Active Directory Container for your distribution groups. (There may be many depending on your AD structure.)
    2. Choose the Delegation tab.
    3. Click Advanced.
    4. Click Advanced again on the dialog that comes up.
    5. Click Add, and select the user Sync Account.
    6. Assign the following right for "This object and all child objects":
      1. Write All Properties
  3. If some existing distribution groups are stored in a different container, then to allow automatic Discussion Capture to be configured, "write all properties" is also required on those containers.
  4. If you wish to also write to users' AD profile fields then "write all properties" is also required on any container that stores user accounts.


* Group Policy Management Console is an installable feature on Server 2008 & 2012