You need to apply all of these settings or your User Profile Service won’t work. To complete this section you will need full access to Active Directory, because part of the permission setup is forest-wide (on the Configuration partition) and is done with the adsiedit tool.
Step 1. Create Service Accounts in Active Directory.
We will need two accounts, one for the UPS application pool (we will call this sps_ups_pool) and one for the synchronization between SharePoint and Active Directory (we will call this sps_ups_sync).
These accounts need only domain user rights (ignore anyone who tells you they need local administrator or, worse, Domain Admin rights). They also need two flags set in AD: User cannot change password and Password never expires.
Some SharePoint resources say you should not set these flags because SharePoint Managed Accounts handle password changes. In practice the User Profile Service does not work fully with Managed Accounts, and I have found that relying on them causes headaches every time your Active Directory password policy forces the service account to change its password. Since the password will therefore never rotate automatically, and sps_ups_sync will hold directory replication rights, give both accounts long random passwords and keep them in your password vault.
Figure: Account properties window with the two flags enabled.
Step 2. Check the Farm Administrator Account Permissions.
To successfully provision the User Profile Service, the farm account needs to be a local administrator on every SharePoint 2010 server in the farm. Identify your farm account and add it to the local Administrators group on each server, and remember to remove it again once you have finished this tutorial and verified that UPS is provisioned: the right is only needed during provisioning.
To identify your Farm Admin account, go to Central Administration – Security – Configure Service accounts option and select Farm Account from the menu.
Figure: Farm Account credentials configuration in Central Administration.
As you can see, my farm admin account is ad\spssetup, so I will have to verify that this user belongs to the local Administrators group on every SharePoint server in my farm before going forward with the tutorial.
Step 3. Set Up Active Directory Rights for the sps_ups_sync Account.
Now the most important part of the setup, and one which often causes issues when improperly configured.
Assign the Replicating Directory Changes permission to the sps_ups_sync account
Log on to your domain controller and open the Active Directory Users and Computers console. Right-click the domain node and choose Delegate Control.
Figure: Active Directory Users and Computers console.
On the informational screen click Next. Now choose the account to delegate to: click Add and select the sps_ups_sync account.
Figure: Delegation of Control wizard with the sps_ups_sync account added.
On the next screen select Create a custom task to delegate and click Next.
Figure: Custom task delegation selected.
On the Active Directory Object Type window make sure that the This folder, existing objects in this folder, and creation of new objects in this folder option is selected and click Next.
Figure: Active Directory Object Type configuration.
Next you should see the permissions window. Make sure the General checkbox is selected and that Property-specific and Creation/deletion of specific child objects are unchecked, then find Replicating Directory Changes in the list. Do this with care: there are several similarly named entries, and Replicating Directory Changes All is a different right. Replicating Directory Changes on its own lets the account read directory changes but not secrets; combined with Replicating Directory Changes All it would let the account pull password hashes from a domain controller (the DCSync technique), so the synchronization account must never receive the latter.
Verify that only Replicating Directory Changes is ticked (compare with the screenshot above), click Next and on the summary screen click Finish.
Now we need to grant the same sps_ups_sync account the same permission on the Configuration partition. Press Windows + R and run adsiedit.msc. If adsiedit is not present (on Windows Server 2003 it is part of the Windows Support Tools; on Windows Server 2008 and later it is installed with the AD DS role), go to http://technet.microsoft.com/en-us/library/cc773354%28WS.10%29.aspx and follow the instructions for your operating system.
In ADSI Edit expand the Configuration tree node, right-click the CN=Configuration… container and select Properties.
Go to the Security tab and click Add. If the button is greyed out, you lack write permission on this container. The Configuration partition is forest-wide, so the cleanest fix is to run ADSI Edit as a member of Enterprise Admins. Taking ownership also works (click Advanced, open the Owner tab and set the owner to the Administrators group or your current user), but it is a heavier change: if you do it, restore the original owner after granting the permission to avoid breaking system permissions on this container.
Once you have clicked Add in the Security tab, add your synchronization account.
Figure: ADSI Edit Security tab on the CN=Configuration container.
In the permissions list below the accounts (labelled Permissions for the account currently selected), select the newly added sps_ups_sync account, find Replicating Directory Changes, tick Allow and click Apply. As before, tick only Replicating Directory Changes, not Replicating Directory Changes All.
Figure: Synchronization account permissions with Replicating Directory Changes checked.
You can now close Active Directory Users and Computers and ADSI Edit and log off the domain controller. The permission configuration is complete.
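The three steps above as one PowerShell script, added here as an example and not part of the original tutorial. It uses the ActiveDirectory module and must run as an account that can write the ACL of both the domain and the Configuration partition (Enterprise Admins). The OU path, the forest DN and the SharePoint server names are assumptions; the two account names and the farm account follow the post. Instead of the Delegation of Control wizard it puts the Replicating Directory Changes right directly on the head object of each partition, which is where that control access right is evaluated, and then checks that the synchronization account holds only that right and not Replicating Directory Changes All.

```powershell
# Added example, not part of the original tutorial: Steps 1 to 3 as one PowerShell script.
# Requires the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later) and an account
# that can write the ACL of both the domain and the Configuration partition (Enterprise Admins).
# Assumptions: the OU path and the SharePoint server names; account names follow the post.
Import-Module ActiveDirectory

$ServiceOU   = 'OU=Service Accounts,DC=ad,DC=example,DC=com'   # assumption: adjust to your forest
$PoolAccount = 'sps_ups_pool'
$SyncAccount = 'sps_ups_sync'

# --- Step 1: two plain domain users with "User cannot change password" and "Password never expires"
$privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators'
foreach ($name in $PoolAccount, $SyncAccount) {
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$name'")) {
        New-ADUser -Name $name -SamAccountName $name -Path $ServiceOU -Enabled $true `
            -AccountPassword (Read-Host -AsSecureString "Password for $name") `
            -CannotChangePassword $true -PasswordNeverExpires $true
    }
    # Domain user rights only: warn if someone has put the account in a privileged group.
    $bad = Get-ADPrincipalGroupMembership -Identity $name |
           Where-Object { $privileged -contains $_.Name } | Select-Object -ExpandProperty Name
    if ($bad) { Write-Warning "$name is a member of privileged group(s): $($bad -join ', ')" }
}

# --- Step 2: is the farm account a local administrator on every SharePoint server?
# (Needed only while provisioning UPS; remove it again afterwards, as the post says.)
$FarmAccount       = 'ad\spssetup'            # the farm account shown in Central Administration
$SharePointServers = 'SP-APP01', 'SP-WFE01'   # assumption: your farm's server names
foreach ($server in $SharePointServers) {
    $group   = [ADSI]"WinNT://$server/Administrators,group"
    $members = @($group.psbase.Invoke('Members') | ForEach-Object {
        # ADsPath looks like WinNT://AD/spssetup; turn it into AD\spssetup for comparison
        ($_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null) -replace '^WinNT://', '') -replace '/', '\'
    })
    if ($members -notcontains $FarmAccount) { Write-Warning "$FarmAccount is not a local administrator on $server" }
}

# --- Step 3: Replicating Directory Changes for sps_ups_sync on the domain and Configuration partitions
# Control access right GUIDs from the schema's Extended-Rights container:
$GetChanges         = [Guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'  # DS-Replication-Get-Changes = "Replicating Directory Changes"
$GetChangesAll      = [Guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'  # DS-Replication-Get-Changes-All: never grant to this account
$GetChangesFiltered = [Guid]'89e95b76-444d-4c62-991a-0facbeda640c'  # DS-Replication-Get-Changes-In-Filtered-Set: never grant either

$sid        = (Get-ADUser -Identity $SyncAccount).SID
$rootDse    = Get-ADRootDSE
$partitions = $rootDse.defaultNamingContext, $rootDse.configurationNamingContext

foreach ($dn in $partitions) {
    # The right is evaluated on the partition head object, so it is set there with no inheritance.
    $acl  = Get-Acl -Path "AD:\$dn"
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $GetChanges,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$dn" -AclObject $acl
}

# --- Verify: exactly the intended right, and none of the rights that would turn it into DCSync
foreach ($dn in $partitions) {
    $aces = (Get-Acl -Path "AD:\$dn").Access | Where-Object { $_.IdentityReference.Value -like "*\$SyncAccount" }
    if (-not ($aces | Where-Object { $_.ObjectType -eq $GetChanges -and $_.AccessControlType -eq 'Allow' })) {
        Write-Error "$SyncAccount lacks Replicating Directory Changes on $dn"
    }
    $tooMuch = $aces | Where-Object { ($GetChangesAll, $GetChangesFiltered) -contains $_.ObjectType }
    if ($tooMuch) {
        Write-Error "$SyncAccount also holds Replicating Directory Changes All / In Filtered Set on $dn; together with Get-Changes this allows password hashes to be replicated (DCSync). Remove it."
    } else {
        Write-Host "$dn : $SyncAccount has Replicating Directory Changes only - OK"
    }
}
```

The verification loop at the end is worth keeping on its own as a periodic check: an account that holds Replicating Directory Changes is one mis-ticked box in the ACL editor away from being able to replicate password hashes, and the ACL on the partition heads is rarely reviewed after the initial setup.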