A very common support question about GalSync is which permissions the GalSync User Account needs for GalSync to work. That information is documented below.
The GalSync User account is the account specified on the “Connect to Active Directory Forest” tab of the GalSync Management Agent Properties.
Contents
Provisioning to Exchange 2007
Provisioning to Exchange 2010
Multiple Domain Controllers
Permissions required for Source Container(s)
Permissions required for Target Container(s)
Additional Information
Provisioning to Exchange 2007
The GalSync User must be a member of the Exchange Recipient Administrators group. Membership in this group is what allows the GalSync user to run the Microsoft Exchange PowerShell cmdlet Update-Recipient.
To run the Update-Recipient cmdlet, the account you use must be delegated the following:
For more information about permissions, delegating roles, and the rights that are required to administer Exchange 2007, see Permission Considerations in the Exchange 2007 documentation.
The Update-Recipient cmdlet updates an exported mail-enabled contact object so that it becomes visible in the GAL.
Software Requirements
- You must install Windows PowerShell v1.0.
- You must have the Microsoft Exchange Server 2007 Management Tools, Service Pack 1 or later (Service Pack 3 preferred), installed on the Synchronization Service Engine machine.
Provisioning to Exchange 2010
The GalSync User must be a member of the Organization Management Exchange security group. Again, the GalSync user must be a member of this group in order to work with the Microsoft Exchange PowerShell cmdlet Update-Recipient. Note that the Organization Management requirement is specific to Exchange 2010: to test PowerShell, or to view the settings of the PowerShell virtual directory in Microsoft Exchange 2010, you must be a member of the Organization Management Exchange security group (see the Exchange 2010 documentation on the Organization Management role group).
When provisioning to Exchange 2010, GalSync uses WinRM and PowerShell v2.0 to run Update-Recipient remotely against the mail-enabled contact objects it exports, so that they can be seen in the GAL.
In order to call the Update-Recipient cmdlet remotely, GalSync needs to know where the Microsoft Exchange 2010 Client Access Server is located; a separate article describes how to locate the Exchange 2010 Client Access Server.
Software Requirements
- Windows PowerShell v2.0 and WinRM (see the Knowledge Base download article).
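The check a practitioner wants before blaming the management agent is to reproduce its remote call by hand: find the Client Access Server, confirm WinRM answers, open the Microsoft.Exchange endpoint as the GalSync account and run Update-Recipient against one exported contact. The script below is an added example, not code from the article or from GalSync itself; the server, credential, domain and contact names are assumptions, and it assumes the CAS is in the same DNS domain as the account. It is typed into PowerShell v2.0 on a machine with the ActiveDirectory module installed.

```powershell
# Added example (not from the original article): reproduce GalSync's remote
# Update-Recipient call against an Exchange 2010 Client Access Server.
# All server, account, domain and contact names are assumptions.
Import-Module ActiveDirectory

# Exchange server objects live in the Configuration naming context; the
# ClientAccess role is bit 4 of msExchCurrentServerRoles, matched here with
# the LDAP bitwise-AND matching rule (1.2.840.113556.1.4.803).
function Get-ClientAccessServer {
    $configNC = (Get-ADRootDSE).configurationNamingContext
    Get-ADObject -SearchBase $configNC `
        -LDAPFilter '(&(objectClass=msExchExchangeServer)(msExchCurrentServerRoles:1.2.840.113556.1.4.803:=4))' |
        Select-Object -ExpandProperty Name
}

$casName = Get-ClientAccessServer | Select-Object -First 1
if (-not $casName) { throw 'No Exchange 2010 Client Access Server found in the Configuration NC' }
$casFqdn = "$casName.$((Get-ADDomain).DNSRoot)"   # assumes the CAS is in this DNS domain

# WinRM must answer on the CAS before the Microsoft.Exchange endpoint is usable.
Test-WSMan -ComputerName $casFqdn -ErrorAction Stop | Out-Null

# Connect exactly as the management agent does, with the GalSync account.
# A failure here usually means the account is not in Organization Management,
# or WinRM / PowerShell v2.0 is missing on one side.
$cred    = Get-Credential 'CONTOSO\svc-galsync'   # assumed account name
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri "http://$casFqdn/PowerShell/" `
    -Authentication Kerberos -Credential $cred
Import-PSSession $session -CommandName Update-Recipient, Get-MailContact | Out-Null

# Update one contact that GalSync exported, then confirm it is mail-enabled
# (i.e. has proxy addresses and will show in the GAL).
$contactDN = 'CN=Jane Doe,OU=GalSync Contacts,DC=contoso,DC=com'   # assumed
Update-Recipient -Identity $contactDN
Get-MailContact -Identity $contactDN | Select-Object Name, PrimarySmtpAddress, EmailAddresses

Remove-PSSession $session
```

If New-PSSession fails with an access-denied error while Test-WSMan succeeds, the problem is the role group membership, not the transport; if Test-WSMan itself fails, fix WinRM before looking at Exchange permissions.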
Multiple Domain Controllers
If the forest you are working with in the GalSync solution has multiple domain controllers, you must ensure that the GalSync User account has the Replicating Directory Changes permission.
If the GalSync User account does not have this permission, you will get connection errors when creating a management agent, or when attempting to run an import or an export against the forest in question.
See the Knowledge Base article “How to grant Replicating Directory Changes permission for the Microsoft Metadirectory Services ADMA account” for the procedure.
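The Knowledge Base procedure referenced above is a GUI walk-through; the scripted equivalent, granting the extended right on the domain naming context and then checking that the ACE is really there, is shown below. This is an added example, not code from the article or the Knowledge Base; the account name is an assumption. Note that it grants only Replicating Directory Changes (DS-Replication-Get-Changes), not the “All” variant, which is a far more sensitive right and is not needed for GalSync.

```powershell
# Added example (not from the original article): grant the GalSync account the
# "Replicating Directory Changes" extended right on the domain NC and verify it.
# The account name is an assumption.
Import-Module ActiveDirectory

$GalSyncAccount = 'CONTOSO\svc-galsync'              # assumed
$DomainDN       = (Get-ADDomain).DistinguishedName   # e.g. DC=contoso,DC=com

# Control access right GUID for DS-Replication-Get-Changes ("Replicating
# Directory Changes"). Do not confuse it with DS-Replication-Get-Changes-All
# (1131f6ad-...), which also exposes secrets and is not required here.
$ReplGetChanges = [Guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'

function Get-AccountSid {
    param([Parameter(Mandatory=$true)][string]$Account)
    (New-Object System.Security.Principal.NTAccount($Account)).Translate(
        [System.Security.Principal.SecurityIdentifier])
}

function Grant-ReplicatingDirectoryChanges {
    param([Parameter(Mandatory=$true)][string]$Account,
          [Parameter(Mandatory=$true)][string]$NamingContextDN)
    $sid   = Get-AccountSid $Account
    $right = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    $none  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
    # ACE on the NC head only; the right is evaluated at the NC, not per object.
    $ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
        -ArgumentList $sid, $right, $allow, $ReplGetChanges, $none
    $acl = Get-Acl -Path "AD:\$NamingContextDN"
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$NamingContextDN" -AclObject $acl
}

# Returns $true when an Allow ACE for this account carries the right. Run it
# before creating the management agent, or when import/export fails to connect.
function Test-ReplicatingDirectoryChanges {
    param([Parameter(Mandatory=$true)][string]$Account,
          [Parameter(Mandatory=$true)][string]$NamingContextDN)
    $sid = Get-AccountSid $Account
    $extendedRight = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $acl = Get-Acl -Path "AD:\$NamingContextDN"
    [bool]($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType -eq $ReplGetChanges -and
        (([int]$_.ActiveDirectoryRights -band $extendedRight) -ne 0) -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid
    })
}

Grant-ReplicatingDirectoryChanges -Account $GalSyncAccount -NamingContextDN $DomainDN
Test-ReplicatingDirectoryChanges  -Account $GalSyncAccount -NamingContextDN $DomainDN   # expect True
```

The same grant can be made from a command prompt with dsacls, for example `dsacls "DC=contoso,DC=com" /G "CONTOSO\svc-galsync:CA;Replicating Directory Changes"`; the verification function above is still useful afterwards, because a typo in the right name fails silently from the GalSync side and only shows up later as a connection error.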
Permissions required for Source Container(s)
A source container is a container (Organizational Unit) in which the mailbox-enabled user objects, or the authoritative mail-enabled contact objects, are located. GalSync writes an X500 address back to the source object so that replies to the synchronized contact still resolve, and the GalSync User Account therefore needs “Write ProxyAddresses” on the source objects. The steps below use ADSIEDIT to grant the “Write ProxyAddresses” permission.
*Note: We will use ADSIEDIT in order to make these changes. ADSIEDIT is part of the Windows Support Tools; you can find them on the Windows Server setup CD under \support\tools, or download them. On Windows Server 2008 they are a feature that you can install.*
*Note: This permission is applied to every child object on which the “Allow inheritable permissions from the parent to propagate to this object and all child objects” option is selected (found on the object’s Advanced Security property sheet). Any user object that does not have this option selected will not receive the permission.*
Permissions required for Target Container(s)
In a GalSync solution, the Synchronization Service Engine uses the GalSync user account to create mail-enabled contact objects in the target container. You could give the GalSync User account Full Control over this container (Organizational Unit); however, if you need to control permissions more tightly, you can set the following permissions to allow GalSync to work successfully.
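The two delegations above, “Write ProxyAddresses” on the source container and the tighter-than-Full-Control set on the target container, share the same mechanics: resolve the schema GUIDs of the attribute and classes involved, build an object-specific ACE, and apply it to the OU. The script below is an added example rather than the article’s ADSIEDIT steps; the account and OU names are assumptions, and the target-OU right set (create/delete contact objects in the OU, plus read/write properties on the contacts it creates) is this example’s reading of what the text says GalSync does, not a list from the article. It also lists objects that block inheritance, which is the failure mode the inheritance note above warns about.

```powershell
# Added example (not from the original article): delegate the GalSync account
# least-privilege rights on a source OU and a target OU, then find objects that
# block inheritance. All names are assumptions; the target-OU right set is this
# example's, not the article's.
Import-Module ActiveDirectory

$GalSyncAccount = 'CONTOSO\svc-galsync'                    # assumed
$SourceOU       = 'OU=Users,DC=contoso,DC=com'             # assumed
$TargetOU       = 'OU=GalSync Contacts,DC=contoso,DC=com'  # assumed

# Resolve a class or attribute to its schemaIDGUID at run time instead of
# hard-coding GUIDs, so the script works in any forest.
function Get-SchemaGuid {
    param([Parameter(Mandatory=$true)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    [Guid]$obj.schemaIDGUID          # stored as a byte array in the schema
}

# Add one Allow ACE. ObjectType narrows the ACE to an attribute or child class;
# InheritedObjectType narrows it to the class of descendant it applies to.
function Add-GalSyncAce {
    param(
        [Parameter(Mandatory=$true)][string]$ObjectDN,
        [Parameter(Mandatory=$true)][string]$Account,
        [Parameter(Mandatory=$true)][System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [Guid]$ObjectType = [Guid]::Empty,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance = 'None',
        [Guid]$InheritedObjectType = [Guid]::Empty
    )
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
        [System.Security.Principal.SecurityIdentifier])
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    $ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
        -ArgumentList $sid, $Rights, $allow, $ObjectType, $Inheritance, $InheritedObjectType
    $acl = Get-Acl -Path "AD:\$ObjectDN"
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$ObjectDN" -AclObject $acl
}

$proxyAddresses = Get-SchemaGuid 'proxyAddresses'
$userClass      = Get-SchemaGuid 'user'
$contactClass   = Get-SchemaGuid 'contact'

# Source container: GalSync only writes the X500 address into proxyAddresses
# on the authoritative user or contact, so grant Write proxyAddresses on
# descendant users and contacts and nothing else.
foreach ($class in @($userClass, $contactClass)) {
    Add-GalSyncAce -ObjectDN $SourceOU -Account $GalSyncAccount -Rights 'WriteProperty' `
        -ObjectType $proxyAddresses -Inheritance 'Descendents' -InheritedObjectType $class
}

# Target container (assumed right set): create and delete contact objects in
# the OU, and read/write the properties of the contacts it creates.
Add-GalSyncAce -ObjectDN $TargetOU -Account $GalSyncAccount -Rights 'CreateChild, DeleteChild' `
    -ObjectType $contactClass -Inheritance 'All'
Add-GalSyncAce -ObjectDN $TargetOU -Account $GalSyncAccount -Rights 'ReadProperty, WriteProperty' `
    -Inheritance 'Descendents' -InheritedObjectType $contactClass

# Objects with inheritance disabled never receive the ACEs above and will fail
# on export; list them so they can be fixed or given an explicit ACE.
function Get-InheritanceBlockedObjects {
    param([Parameter(Mandatory=$true)][string]$SearchBase)
    Get-ADObject -SearchBase $SearchBase -LDAPFilter '(|(objectClass=user)(objectClass=contact))' |
        Where-Object { (Get-Acl -Path "AD:\$($_.DistinguishedName)").AreAccessRulesProtected } |
        Select-Object -ExpandProperty DistinguishedName
}
Get-InheritanceBlockedObjects -SearchBase $SourceOU
Get-InheritanceBlockedObjects -SearchBase $TargetOU
```

Resolving the GUIDs from the schema rather than pasting them in is deliberate: a wrong GUID produces an ACE that looks plausible in ADSIEDIT but grants nothing, and the first symptom is an export error from the management agent.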
Additional Information
GalSync Resource Wiki
Tim Macaulay edited Revision 5. Comment: added a link to exchange documentation that talks about the organization management
Jeff Ingalls [MSFT] edited Revision 4. Comment: Updated Exchange 2010 security group name
Tim Macaulay edited Revision 2. Comment: added a note with a snippet from the Update-Recipient Page
Good article Tim.