User Profile Sync requires credentials for accounts that have read and write access to both the Active Directory and SharePoint User Profile. In order to ensure User Profile Sync is used without compromising security in your domain, please review the security types in the table below and take the appropriate steps based on your environment.
IMPORTANT: For the AD to Contacts List sync type, the MOSS 2007 or SharePoint Server 2010/2013 account must belong to a group that has Contributor rights or better. This account must be able to edit the Contacts List in order to update it. You must also check that the permissions on the Contacts List itself allow the MOSS 2007 or SharePoint Server 2010/2013 account user to edit the list. You can check the List Permissions in the List Settings of the Contacts List.
Security Type | Description | Steps |
Active Directory (AD) Services Access Account for reading and writing | This account is used to read and update the Active Directory profile data. The AD account must have Read and Write permissions to the AD user objects. | To check if the account has the appropriate permissions: |
Active Directory (AD) Services Access Account for reading only | This account is used to read the Active Directory profile data. The AD account must have Read permissions to the AD user objects. Write permissions are not required if you are updating SharePoint User Profiles from AD. | To check if the account has the appropriate permissions: |
Windows SharePoint Services (WSS) 3.0 Access Account | This is a WSS 3.0 account that must be a member of the Site Collection Administrators of all Site Collections. | To add the correct rights to a site group: |
Microsoft Office SharePoint Server (MOSS) 2007 or 2010/2013 Access Account | For the MOSS 2007 SSP Profiles to Active Directory Services sync type, the MOSS 2007 account must belong to a site group that has the right to manage user profiles. | To add the correct rights to a site group: |
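A least-privilege audit for the two AD access account rows above, as an added example that is not part of the product documentation: it lists the ACEs on one user object that apply to the sync account and flags those that grant write access, which the read-only account should not have. The function name `Get-SyncAccountAce`, the account `svc-upsync` and the user `jdoe` are hypothetical; the script assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added example. Hypothetical names: svc-upsync (sync account), jdoe (a synced user).
Import-Module ActiveDirectory

function Get-SyncAccountAce {
    param(
        [Parameter(Mandatory)] [string] $SyncAccount,  # sAMAccountName of the access account
        [Parameter(Mandatory)] [string] $TargetUser    # sAMAccountName of a user object it syncs
    )
    # Rights that modify the object or its security descriptor.
    $writeMask = [int][System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, Self, WriteDacl, WriteOwner, Delete, DeleteTree, CreateChild, DeleteChild'
    $readMask  = [int][System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

    # SIDs the account acts as: itself, its nested groups, and two well-known principals.
    # tokenGroups is a constructed attribute, so it is read with a base-scope search.
    $acct   = Get-ADUser -Identity $SyncAccount
    $groups = (Get-ADUser -SearchBase $acct.DistinguishedName -SearchScope Base `
                   -LDAPFilter '(objectClass=user)' -Properties tokenGroups).tokenGroups
    $sids = @($acct.SID.Value) + @($groups | ForEach-Object { $_.Value }) +
            @('S-1-1-0', 'S-1-5-11')   # Everyone, Authenticated Users

    $dn  = (Get-ADUser -Identity $TargetUser).DistinguishedName
    $acl = Get-Acl -Path "AD:\$dn"

    # Request SIDs rather than names so unresolvable principals do not break matching.
    $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $sids -contains $_.IdentityReference.Value -and
                       (([int]$_.PropagationFlags -band $inheritOnly) -eq 0) } |
        ForEach-Object {
            $allow = $_.AccessControlType -eq 'Allow'
            [pscustomobject]@{
                Sid         = $_.IdentityReference.Value
                Type        = $_.AccessControlType      # Allow or Deny
                Rights      = $_.ActiveDirectoryRights
                ObjectType  = $_.ObjectType             # all-zero GUID = not attribute-scoped
                Inherited   = $_.IsInherited
                GrantsRead  = $allow -and (([int]$_.ActiveDirectoryRights -band $readMask) -ne 0)
                GrantsWrite = $allow -and (([int]$_.ActiveDirectoryRights -band $writeMask) -ne 0)
            }
        }
}

$aces = @(Get-SyncAccountAce -SyncAccount 'svc-upsync' -TargetUser 'jdoe')
$aces | Format-Table Sid, Type, Rights, ObjectType, Inherited -AutoSize
if (-not ($aces | Where-Object GrantsRead)) { Write-Warning 'No Allow ACE grants ReadProperty to this account.' }
# For the read-only access account, every line printed here is excess privilege.
$aces | Where-Object GrantsWrite | ForEach-Object {
    Write-Warning "Write-capable ACE via $($_.Sid): $($_.Rights) (ObjectType $($_.ObjectType))"
}
```

The output is a list of matching ACEs, not a computed effective-access result: Deny entries and attribute-scoped `ObjectType` GUIDs still have to be weighed by hand.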