Hi guys, quick question.
The account used for AD Import in UPA, does it need to be a member of the users group in AD?
I have an account that is in the service group in AD, a service account with replicate directory permission, but when I enter the account and pass and press to populate container I get invalid credentials. I know that the credentials are correct.
When I enter one of the SP users instead I can populate the container but the sync will not perform, because the users do not have replicate directory permission.
So, why can't I recognize an AD service account?
Hi,
Think I misunderstood, didn’t realise it wasn’t even validating the credentials. I just thought it wasn’t populating the containers, so thought permissions.
I would also only ever use a service account that is only a domain user for services and the like as I am a stickler when it comes to best practice 🙂 Even though you cannot adhere to it when it comes to the UPSA in terms of starting the User Profile Synchronisation Service or at least you couldn’t in 2010 and when I tried in a test environment with SharePoint 2013 but let’s not get into that.
Anyway to cut a long story short I am glad you got it sorted 🙂
Thanks guys, I got it to work.
The administrator who provided me with the credentials didn't do his job very well. He gave me some wrong information.
Sorry for bothering you with this. But nice to know that the user does not need to be a SP user, just in the domain.
The sync is running now…
Hello,
The user does not need to be a SharePoint user. It needs to be a domain user.
Check this link http://technet.microsoft.com/en-us/library/hh296982(v=office.15).aspx
Is your NETBIOS different from your fully-qualified domain name? If so, you'll need to run the following command as well.
$upsa = Get-SPServiceApplication -Id <GUID of User Profile Service Application>
$upsa.NetBIOSDomainNamesEnabled = $true
$upsa.Update()
That really needs to be done before the creation of the connection with AD.
Good luck
Hi Henry
I am sure that I will be able to perform a correct synchronization if I do add the permissions for one of my ordinary users. But I need to use a specified user that is a member of a Service Users group under the Administration group in AD.
My difficulty lies in why this user does not get recognized when setting up the Synchronization connection. The error message is Credentials invalid, but they are not.
How come there is a difference in the users in the ordinary Users group and the users in a Service Users group under the Administration group?
My question is maybe, does the account that is running the sync need to be a SharePoint user?
Hi,
It looks like you have already done the below but I would double check as it certainly seems to be permission related. Also double check by going into the security tab in AD and ensure that it is applied to all child objects.
For me this is because the account you are using to sync with has not been delegated rights within AD. So you could either right click the domain, delegate and choose the required permissions such as replicate directory changes. Or I think you could get away with just doing it on the OU that you need to import from.
Also remember that should you ever need to export from SharePoint to AD you will need to give the sync account further permissions.
Thanks
Henry
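
Added example, not part of any post in this thread: one way to check which principals have been delegated the replicate directory changes right discussed above, by filtering the ACEs on the domain object. The function name, the CONTOSO accounts and the sample ACEs are constructed for illustration.

```powershell
# Extended-right GUIDs for the two directory replication control access rights.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
}

function Get-ReplicationRightHolder {
    # Hypothetical helper: returns the Allow ACEs that explicitly grant a replication right.
    # ACEs granting GenericAll with no object type are not reported here.
    param([Parameter(Mandatory)] [object[]] $Ace)
    foreach ($a in $Ace) {
        $guid       = "$($a.ObjectType)".ToLower()
        $isExtended = "$($a.ActiveDirectoryRights)" -match 'ExtendedRight'
        if ("$($a.AccessControlType)" -eq 'Allow' -and $isExtended -and
            $ReplicationRights.ContainsKey($guid)) {
            [pscustomobject]@{
                Principal   = "$($a.IdentityReference)"
                Right       = $ReplicationRights[$guid]
                IsInherited = $a.IsInherited
            }
        }
    }
}

# Constructed sample ACEs (not from a real domain); CONTOSO names are placeholders.
$sample = @(
    [pscustomobject]@{ IdentityReference = 'CONTOSO\svc-upsync'; AccessControlType = 'Allow'
        ActiveDirectoryRights = 'ExtendedRight'; IsInherited = $false
        ObjectType = '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' }
    [pscustomobject]@{ IdentityReference = 'CONTOSO\sp-user1'; AccessControlType = 'Allow'
        ActiveDirectoryRights = 'ReadProperty'; IsInherited = $true
        ObjectType = '00000000-0000-0000-0000-000000000000' }
    [pscustomobject]@{ IdentityReference = 'CONTOSO\svc-old'; AccessControlType = 'Allow'
        ActiveDirectoryRights = 'ExtendedRight'; IsInherited = $false
        ObjectType = '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' }
)

# Lists svc-upsync (Replicating Directory Changes) and svc-old (Replicating Directory Changes All).
Get-ReplicationRightHolder -Ace $sample | Format-Table -AutoSize

# On a domain-joined machine with the ActiveDirectory module, audit the live ACL instead:
#   Import-Module ActiveDirectory
#   $dn = (Get-ADDomain).DistinguishedName
#   Get-ReplicationRightHolder -Ace (Get-Acl -Path "AD:\$dn").Access
```

A right granted through group membership is listed under the group's name, not the account's.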