How to Check Replicate Directory Changes Permission for UPS Account?
The Replicate Directory Changes permission is required for the user profile import account in SharePoint. My other article, How to grant Replicate Directory Changes permission?, walks through the steps to grant that permission. Now the question is: how do you check whether a particular account already has the Replicate Directory Changes permission?
PowerShell Script to check if the User Profile Import account has Replicate Directory Changes Permission:
Import-Module ActiveDirectory   # not strictly needed: the script below uses [ADSI] only
$UserProfileAccountName = "Crescent\SP016_UPS"

Function Check-ADUserPermission(
    [System.DirectoryServices.DirectoryEntry]$entry,
    [string]$user,
    [string]$permission)
{
    # Look up the extended right by its display name to obtain its rightsGuid
    $dse = [ADSI]"LDAP://Rootdse"
    $ext = [ADSI]("LDAP://CN=Extended-Rights," + $dse.ConfigurationNamingContext)
    $right = $ext.psbase.Children |
        ? { $_.DisplayName -eq $permission }
    if($right -ne $null)
    {
        # Match ACEs granted directly to this account for that extended right.
        # Note: a right granted through group membership is not detected by this check.
        $perms = $entry.psbase.ObjectSecurity.Access |
            ? { $_.IdentityReference -eq $user } |
            ? { $_.ObjectType -eq [GUID]$right.RightsGuid.Value }
        return ($null -ne $perms)
    }
    else
    {
        Write-Warning "Permission '$permission' not found."
        return $false
    }
}

Function Check-ReplicateChanges([string]$userName)
{
    # Globals
    $replicationPermissionName = "Replicating Directory Changes"

    # Main(): check both the domain and the configuration naming contexts
    $dse = [ADSI]"LDAP://Rootdse"
    $entries = @(
        [ADSI]("LDAP://" + $dse.defaultNamingContext),
        [ADSI]("LDAP://" + $dse.configurationNamingContext))
    Write-Host " User '$userName': "
    foreach($entry in $entries)
    {
        $result = Check-ADUserPermission $entry $userName $replicationPermissionName
        if($result)
        {
            Write-Host " has '$replicationPermissionName' permissions on '$($entry.distinguishedName)'"
        }
        else
        {
            Write-Host " does NOT have '$replicationPermissionName' permissions on '$($entry.distinguishedName)'"
        }
    }
}

Check-ReplicateChanges $UserProfileAccountName
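The script above only matches ACEs that name the account itself, so it reports NOT when the right was granted to a group the account belongs to. The following is an added example (not part of the original post or the script's author's work) that resolves the account's group SIDs via the tokenGroups attribute, compares ACE identities as SIDs, and treats a matching Deny entry as overriding; the account name is an assumption.

```powershell
# Added example: checks "Replicating Directory Changes" on the domain naming context
# for the account directly or through any of its groups (nested included).
$UserProfileAccountName = "Crescent\SP016_UPS"   # assumed account name, replace with yours

function Get-AccountSidValues([string]$account) {
    # Resolve DOMAIN\user to its SID, then read the constructed tokenGroups attribute,
    # which lists every security group the account is a member of as a SID.
    $nt  = New-Object System.Security.Principal.NTAccount($account)
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier])
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(objectSid=$($sid.Value))"
    $user = $searcher.FindOne().GetDirectoryEntry()
    $user.psbase.RefreshCache(@("tokenGroups"))
    $values = @($sid.Value)
    foreach ($bytes in $user.psbase.Properties["tokenGroups"]) {
        $groupSid = New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
        $values += $groupSid.Value
    }
    return $values
}

function Test-ReplicatingDirectoryChanges([string]$account) {
    $dse = [ADSI]"LDAP://RootDSE"
    # Look up the extended right's GUID by display name, as the original script does
    $ext = [ADSI]("LDAP://CN=Extended-Rights," + $dse.configurationNamingContext)
    $right = $ext.psbase.Children | Where-Object { $_.DisplayName -eq "Replicating Directory Changes" }
    $rightGuid = [Guid]$right.RightsGuid.Value
    $domain = [ADSI]("LDAP://" + $dse.defaultNamingContext)
    $sids = Get-AccountSidValues $account
    $allowed = $false
    # Read explicit and inherited ACEs with identities expressed as SIDs
    $rules = $domain.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($ace.ObjectType -ne $rightGuid) { continue }              # not this extended right
        if ($sids -notcontains $ace.IdentityReference.Value) { continue }   # not the account or its groups
        if ($ace.AccessControlType -eq 'Deny') { return $false }     # a matching Deny wins
        $allowed = $true
    }
    return $allowed
}

if (Test-ReplicatingDirectoryChanges $UserProfileAccountName) {
    Write-Host "$UserProfileAccountName has 'Replicating Directory Changes' on the domain (directly or via a group)"
} else {
    Write-Host "$UserProfileAccountName does NOT have 'Replicating Directory Changes' on the domain"
}
```

Run it as a user allowed to read the domain object's security descriptor and the account's tokenGroups; it needs no RSAT module since it binds through [ADSI] only.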
Disclaimer: I’m not the author of this script! 🙂