Security Considerations for User Profile Sync

User Profile Sync requires credentials for accounts that have read and write access to both the Active Directory and SharePoint User Profile. In order to ensure User Profile Sync is used without compromising security in your domain, please review the security types in the table below and take the appropriate steps based on your environment.

Also see:

IMPORTANT: For the AD to Contacts List sync type, the MOSS 2007 or SharePoint Server 2010/2013 account must belong to a group that has Contributor rights or better. This account must be able to edit the Contacts List in order to update it. You must also check that the permissions on the Contacts List itself allow the MOSS 2007 or SharePoint Server 2010/2013 account user to edit the list. You can check the List Permissions in the List Settings of the Contacts List.

Security Type	Description	Steps
Active Directory (AD) Services Access Account for reading and writing	This account is used to read and update the Active Directory profile data. The AD account must have Read and Write permissions to the AD user objects.	To check if the account has the appropriate permissions: Open the Active Directory Users and Computer console application. Select View and check the Advanced Features. Select a Forest or Organization Unit, right click and select Properties. Select the Security tab (shown above). Make sure that the Access Account you are using has Read and Write permissions to read and update the particular object.
Active Directory (AD) Services Access Account for reading only	This account is used to read the Active Directory profile data. The AD account must have Read permissions to the AD user objects. Write permissions are not required if you are updating SharePoint User Profiles from AD.	To check if the account has the appropriate permissions: Open the Active Directory Users and Computer console application. Select View and check the Advanced Features. Select a Forest or Organization Unit, right click and select Properties. Select the Security tab (shown above). Make sure that the Access Account you are using has Read permissions to read the particular object.
Windows SharePoint Services (WSS) 3 .0 Access Account	This is a WSS 3.0 account that must be a member of the Site Collection Administrators of all Site Collections.	To add the correct rights to a site group: Login with a user who is a member of the Site Collection Administrators. Click on Site Settings on the top level Actions menu of your SharePoint site. Click on Site Collection Administrators in the Users and Groups section. Add either the individual domain user or a domain Security Group. Click OK.
Microsoft Office SharePoint Server (MOSS) 2007 or 2010/2013 Access Account	For the MOSS 2007 SSP Profiles to Active Directory Services sync type, the MOSS 2007 account must belong to a site group that has the right to manage user profiles.	To add the correct rights to a site group: Click on Site Settings on the top level menu of your SharePoint site. Click on Advanced Permissions. Create a New Group. Add users to the group and assign the group a permission level. Click OK. To manage the Shared Services Rights, navigate to the following page within the SharePoint Central Administration: http://YourSharePointCentralAdminSiteName/ssp/admin/_layouts/ManageServicePermissions.aspx Add a user and assign them the “Manage User Profiles” permission. Click Save.