A very common question in support concerning GalSync is which permissions the GalSync User Account needs for GalSync to work. I have documented this information below to help explain what is required.
The GalSync User account is the account specified on the “Connect to Active Directory Forest” tab in the GalSync Management Agent Properties.
Provisioning to Exchange 2007.
Provisioning to Exchange 2010.
Multiple Domain Controllers.
Permissions required for Source Container(s).
Permissions required for Target Container(s).
Provisioning to Exchange 2007
The GalSync User must be a member of the Exchange Recipient Administrators group. Membership in this group is required so that the GalSync user can run the Microsoft Exchange PowerShell cmdlet Update-Recipient.
To run the Update-Recipient cmdlet, the account you use must be delegated the following:
For more information about permissions, delegating roles, and the rights that are required to administer Exchange 2007, see
The Update-Recipient PowerShell CmdLet updates an exported mail-enabled contact object so that it can be seen in the GAL.
- You must install Windows PowerShell v1.0.
- You must have the Microsoft Exchange Server 2007 Management Tools, Service Pack 1 or later (Service Pack 3 preferred), installed on the Synchronization Service Engine machine.
Provisioning to Exchange 2010
The GalSync User must be a member of the Organization Management Exchange security group. Again, membership in this group is required so that the GalSync user can work with the Microsoft Exchange PowerShell cmdlet Update-Recipient.
Please note that the Organization Management requirement is specific to Exchange 2010: in order to test PowerShell, or to view the settings of the PowerShell virtual directory in Microsoft Exchange 2010, you must be a member of the Organization Management Exchange security group.
When provisioning to Exchange 2010, we now utilize WinRM and PowerShell v2.0 to update the mail-enabled contact objects that we export so that they can be seen in the GAL.
In order for us to remotely call the Update-Recipient cmdlet, we need to know where the Microsoft Exchange 2010 Client Access Server is located. Review this article to help locate the Exchange 2010 Client Access Server.
- Windows PowerShell v2.0 and WinRM (see the download knowledge base article).
Multiple Domain Controllers
If you have multiple domain controllers in the forest that you are working with in the GalSync solution, then you need to ensure that the GalSync User account has the Replicate Directory Changes permission.
If the GalSync User account does not have this permission, then you will receive connection problems when creating a management agent, or when attempting to execute an import or an export to the forest in question.
How to grant “Replicating Directory Changes” permission for the Microsoft Metadirectory Services
Permissions required for Source Container(s)
A source container is a container (Organizational Unit) in which the mailbox-enabled user objects, or the authoritative mail-enabled contact objects, are located. GalSync writes an X500 address back to the source object so that replies to synchronized mail can be routed correctly. The GalSync User Account will therefore need “Write ProxyAddresses” on the source objects. The steps to grant “Write ProxyAddresses” permissions are given below.
*Note: We will use ADSIEDIT in order to make these changes. ADSIEDIT is part of the Windows Support Tools. You can find them on the Windows Server Setup CD under \support\tools, or you can download them from here. On Windows Server 2008, they are a feature that you can install.*
This permission will be applied to every child object for which the “Allow inheritable permissions from the parent to propagate to this object and all child objects” option is selected. This option is located in the user’s Advanced Security property sheet. Any user object that does not have this option selected will not receive the permission.
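The ADSIEDIT change described above, scripted as an added example (not code from the original post): it grants the GalSync User Account “Write ProxyAddresses” on a source container, inherited by the objects beneath it, and then reads the ACL back to confirm the entry is present. The OU path and account name are placeholders for your environment.

```powershell
# Added example: grant "Write proxyAddresses" on a source OU to the GalSync account
# and verify it. OU path and account name are placeholders, not values from the post.
$sourceOu    = "LDAP://OU=Users,DC=contoso,DC=com"   # source container (placeholder)
$galSyncUser = "CONTOSO\svc-galsync"                 # GalSync User Account (placeholder)

# AD stores ACEs by SID, so resolve the account name first.
$account = New-Object System.Security.Principal.NTAccount($galSyncUser)
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier])

# Property-specific ACEs reference the attribute's schemaIDGUID; read it from the
# forest schema instead of hard-coding it.
$rootDse   = [ADSI]"LDAP://RootDSE"
$schemaNc  = [string]$rootDse.schemaNamingContext
$proxyAttr = [ADSI]("LDAP://CN=Proxy-Addresses," + $schemaNc)
$proxyGuid = New-Object Guid (,[byte[]]$proxyAttr.psbase.Properties["schemaIDGUID"].Value)

# Returns $true when the account already holds an inheritable Allow ACE that writes
# proxyAddresses (an ACE that writes all properties, empty ObjectType, also counts).
function Test-WriteProxyAddresses {
    param($Entry, $Sid, $AttrGuid)
    $rules = $Entry.psbase.ObjectSecurity.GetAccessRules($true, $true,
                 [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($ace.IdentityReference -eq $Sid -and
            $ace.AccessControlType -eq "Allow" -and
            ($ace.ObjectType -eq $AttrGuid -or $ace.ObjectType -eq [Guid]::Empty) -and
            ($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and
            $ace.InheritanceType -ne "None") {
            return $true
        }
    }
    return $false
}

$ou = [ADSI]$sourceOu
if (-not (Test-WriteProxyAddresses $ou $sid $proxyGuid)) {
    # Descendents: inherited by every child object that still allows inheritance
    # from its parent, which is the behaviour the note above describes.
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $proxyGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents)
    $ou.psbase.ObjectSecurity.AddAccessRule($rule)
    $ou.psbase.CommitChanges()
}

# Re-read the OU and report; $false here means the ACE did not get written.
Test-WriteProxyAddresses ([ADSI]$sourceOu) $sid $proxyGuid
```

Run it as an account that can modify the OU's security descriptor; it makes no change when the ACE is already in place.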
Permissions required for Target Container(s)
In a GalSync solution, the Synchronization Service Engine uses the GalSync User account to create mail-enabled contact objects in the target container. You could give the GalSync User account Full Control on this container (Organizational Unit). However, if you need to restrict permissions, you can set the following permissions to allow GalSync to work successfully.
Good article Tim.