Table of Contents


Question: How to set AD permissions more granular than "replicating directory changes" on a source active directory so they can be read by a FIM ADMA?

The scenario is a synchronization between department level "source" Active Directory and an Enterprise Directory in a company.   

We do not want to set the "Replicating Directory Changes" permission as there are certain user attributes we never want to read from, such as home phone number. 

You could create an Extensible Management Agent to use an Active Directory account granted the appropriate property level access to read the information from the directory, but I am hoping for a simpler or more effective approach


Answer: Yes there is a simpler and more effective approach. 

In the registry, locate SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Parameters. Create a DWORD key called ADMAUseACLSecurity and give it a value of 1. A value of 0, the default, tells the synchronization engine to use DirSync permissions and a value of 1 tells the synchronization engine to use Active Directory ACLs. See also the TechNet article Registry Keys and Configuration.

You need to ensure that you are targeting a Windows Server 2003 Domain Controller or better.

This feature is not supported on Windows Server 2000 Domain Controllers.

This setting is only supported on FIM Update 2 and later.