This is more of an informational type wiki page, rather than a troubleshooting wiki page. We have received the below question:
How to set AD permissions more granular than "replicating directory changes" on a source active directory so they can be read by a FIM ADMA?
Scenario is a synchronization between department level "source" Active Directory and an Enterprise Directory in my company. We do not want to set the "Replicating Directory Changes" permission as there are certain user attributes we never want to read from, such as home phone number. I know I could create an Extensible Management Agent to use an Active Directory account granted the appropriate property level access to read the information from the directory, but I am hoping for a simpler or more effective approach.
Answer: Yes, there is a simpler and more effective approach.
Set the registry key ADMAUseACLSecurity documented here. It tells the Active Directory Management Agent not to require the DIRSYNC permissions and instead to use normal Active Directory ACLs for the account.
You need to ensure that you are targeting a Windows Server 2003 Domain Controller or better.
This feature is not supported on Windows Server 2000 Domain Controllers.
This setting is only supported on FIM Update 2 and later.
FYI, there is a typo: the key name should be ADMAUseACLSecurity, not ADMAUserACLSecurity.
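One way to apply the setting from PowerShell on the FIM Synchronization Service server, added here as an example rather than taken from the original answer or the linked documentation. The registry path, the REG_DWORD value of 1 and the service name FIMSynchronizationService are assumptions; confirm them against the documentation before use.

```powershell
# Added example (not from the original answer): enable ADMAUseACLSecurity so the
# AD MA account is checked against ordinary AD ACLs instead of needing
# "Replicating Directory Changes".
# ASSUMPTIONS (not stated on the page): the value lives under the FIM sync
# service's Parameters key, it is a REG_DWORD of 1, and the service is named
# FIMSynchronizationService. Verify all three against the documentation first.
$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Parameters'
$valueName = 'ADMAUseACLSecurity'   # note the spelling: "Use", not "User"

function Set-AdmaAclSecurity {
    param([string]$Path = $keyPath, [string]$Name = $valueName)

    if (-not (Test-Path $Path)) {
        throw "Parameters key not found at $Path - is this the FIM sync server?"
    }

    # Read the current value (null if the value has never been created).
    $current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($current -eq 1) {
        Write-Host "$Name is already enabled; nothing to do."
        return $false
    }

    # REG_DWORD 1 enables the setting; the service reads it at startup.
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Host "$Name set to 1 under $Path."
    return $true
}

if (Set-AdmaAclSecurity) {
    # Restart so the running service picks up the new value.
    Restart-Service -Name 'FIMSynchronizationService'
}
```

The MA account still needs ordinary read ACLs on every attribute you intend to synchronize; the key only removes the requirement for DIRSYNC rights, so attributes such as home phone number stay unreadable unless you explicitly grant them.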