When installing the AD Connector, you can have the wizard create the AD accounts for you (Express setup) or you can create the accounts yourself. If you choose to create the account yourself, there are several permissions you must grant to this account manually, or errors will occur for tasks like password reset and directory synchronization. For the account that AD Connect uses to communicate with your forest, the following rights should be given to the account in the forest:
| Permission | Used for |
|---|---|
| Replicate Directory Changes, Replicate Directory Changes All | Password sync |
| Read/Write all properties User | Import and Exchange hybrid |
| Read/Write all properties iNetOrgPerson | Import and Exchange hybrid |
| Read/Write all properties Group | Import and Exchange hybrid |
| Read/Write all properties Contact | Import and Exchange hybrid |
| Reset password | Preparation for enabling password writeback |
Go to ADUC (Active Directory Users and Computers) and use the Delegation of Control wizard to assign the permissions. Do it from the top container, so that the rights are inherited by the objects below it.
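As an added check that is not part of the original post, the following PowerShell audits the domain-root ACL for the rights in the table above. It assumes the ActiveDirectory RSAT module is installed, and the connector account name is a placeholder you replace with your own.

```powershell
# Added audit example, not from the original post. Run as a user that can read
# the domain root ACL; the connector account below is a placeholder.
Import-Module ActiveDirectory
$ConnectorAccount = 'CONTOSO\svc-aadconnect'   # placeholder, replace with yours

# Well-known schema GUIDs for the extended rights and object classes in the table
$Rights = @{
    'Replicating Directory Changes'     = '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
    'Replicating Directory Changes All' = '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
    'Reset Password'                    = '00299570-246d-11d0-a768-00aa006e0529'
}
$Classes = @{
    'User'          = 'bf967aba-0de6-11d0-a285-00aa003049e2'
    'iNetOrgPerson' = '4828cc14-1437-45bc-9b07-ad6f015e5f28'
    'Group'         = 'bf967a9c-0de6-11d0-a285-00aa003049e2'
    'Contact'       = '5cb41ed0-0e4c-11d0-a286-00aa003049e2'
}
$ExtendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$WriteProperty = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

$domainDN = (Get-ADDomain).DistinguishedName
$acl  = Get-Acl -Path "AD:\$domainDN"
$mine = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $ConnectorAccount -and $_.AccessControlType -eq 'Allow'
}

# 1. Extended rights (replication, reset password) granted on the domain root
foreach ($name in $Rights.Keys) {
    $has = $mine | Where-Object {
        $_.ObjectType -eq [Guid]$Rights[$name] -and $_.ActiveDirectoryRights.HasFlag($ExtendedRight)
    }
    '{0,-42} {1}' -f $name, $(if ($has) { 'OK' } else { 'MISSING' })
}

# 2. Read/Write all properties, inherited by descendant objects of each class
#    (ObjectType empty = all properties; InheritedObjectType = the object class)
foreach ($name in $Classes.Keys) {
    $has = $mine | Where-Object {
        $_.InheritedObjectType -eq [Guid]$Classes[$name] -and
        $_.ObjectType -eq [Guid]::Empty -and
        $_.ActiveDirectoryRights.HasFlag($WriteProperty)
    }
    '{0,-42} {1}' -f "Read/Write all properties $name", $(if ($has) { 'OK' } else { 'MISSING' })
}

# 3. Replication rights expose every attribute, password hashes included, so list
#    every principal that holds them and review whether each one is expected.
$acl.Access | Where-Object {
    $_.ObjectType -eq [Guid]$Rights['Replicating Directory Changes All'] -and $_.AccessControlType -eq 'Allow'
} | Select-Object IdentityReference, IsInherited | Format-Table -AutoSize
```

Any line reporting MISSING points at a right the Delegation of Control wizard did not apply; the final listing should contain only the connector account and the built-in principals you already know about.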
Privileged and Service Accounts
For service accounts and other privileged accounts (like Admin accounts) see this post. You will get password sync and directory synchronization failures with these accounts unless you do what is stated in the post. It should not be a big deal in an environment where AD account best practice is followed, that is, administrators have two AD accounts, an Admin account and a regular account, and privileged access in AD is only given to the Admin account. But if you have an environment where AD admins have only one account, which they use for regular activities like email, etc., and the same account also has AD privileged access, then the AD Connect failures will be of concern.
Assign the rights stated in the post to the AD DS account from the security tab of the template object in the System OU.