Question: How to set AD permissions more granular than "replicating directory changes" on a source active directory so they can be read by a FIM ADMA?

Scenario is a synchronization between a department-level "source" Active Directory and an Enterprise Directory in my company.

We do not want to set the "Replicating Directory Changes" permission as there are certain user attributes we never want to read from, such as home phone number. 

You could create an Extensible Management Agent to use an Active Directory account granted the appropriate property level access to read the information from the directory, but I am hoping for a simpler or more effective approach


Answer: Yes, there is a simpler and more effective approach.

Set the registry key ADMAUseACLSecurity documented here.  It tells the Active Directory Management Agent to not require the DIRSYNC permissions and instead use normal Active Directory ACLs for the account.

You need to ensure that you are targeting a Windows Server 2003 Domain Controller or better.

This feature is not supported on Windows Server 2000 Domain Controllers.

This setting is only supported on FIM Update 2 and later.


Registry Keys and Configuration File Settings in FIM 2010
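As an added example (not part of the original answer), this PowerShell script complements the ADMAUseACLSecurity approach: it first checks that the sync account holds no direct Replicating Directory Changes right on the domain naming context, then grants attribute-level ReadProperty on an allow-list of attributes for user objects so that everything else (such as homePhone) stays unreadable. It assumes the ActiveDirectory module, a placeholder account CONTOSO\svc-fim-adma, and a constructed attribute list.

```powershell
Import-Module ActiveDirectory

$account      = 'CONTOSO\svc-fim-adma'                                 # placeholder sync account
$allowedAttrs = 'sAMAccountName','givenName','sn','mail','department'  # constructed allow-list
$domainDN     = (Get-ADDomain).DistinguishedName
$schemaNC     = (Get-ADRootDSE).schemaNamingContext
$sid          = (New-Object System.Security.Principal.NTAccount($account)).Translate(
                    [System.Security.Principal.SecurityIdentifier])

# Well-known GUID of the "Replicating Directory Changes" control access right (DS-Replication-Get-Changes)
$replGetChanges = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'

function Get-SchemaGuid([string]$ldapDisplayName) {
    # Resolve an attribute or class name to its schemaIDGUID so an ACE can be scoped to it
    $obj = Get-ADObject -SearchBase $schemaNC -Filter "lDAPDisplayName -eq '$ldapDisplayName'" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$ldapDisplayName' not found" }
    return [guid]::new([byte[]]$obj.schemaIDGUID)
}

# 1. Verify the account holds no direct "Replicating Directory Changes" ACE on the domain NC.
#    Rights obtained through group membership are not detected here; review the account's groups separately.
$acl = Get-Acl -Path "AD:\$domainDN"
$replAces = $acl.Access | Where-Object {
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid -and
    $_.ObjectType -eq $replGetChanges -and $_.AccessControlType -eq 'Allow'
}
if ($replAces) { Write-Warning "$account holds Replicating Directory Changes on $domainDN; remove it before relying on ACL security" }
else           { Write-Host "$account holds no direct Replicating Directory Changes right on $domainDN" }

# 2. Grant ReadProperty on only the listed attributes, inherited by descendant user objects.
#    Attributes not listed (e.g. homePhone) remain unreadable, so the MA never sees them.
$userClassGuid = Get-SchemaGuid 'user'
foreach ($attr in $allowedAttrs) {
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        (Get-SchemaGuid $attr),
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClassGuid)
    $acl.AddAccessRule($ace)
}
Set-Acl -Path "AD:\$domainDN" -AclObject $acl
Write-Host "Granted ReadProperty on $($allowedAttrs -join ', ') to $account for user objects under $domainDN"
```

With ACL security the MA only sees what the account can read, so the account also needs list/read rights on the containers in the MA's OU scope and on any attribute the MA's anchor or schema requires; this script does not grant those.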