Step By Step Guide to configure the “Replicating directory changes” for SharePoint 2010 and 2013


This is a step-by-step guide, with screenshots, to granting the “Replicating Directory Changes” right to the SharePoint user profile account that will be used to synchronize the user profiles. The screenshots were taken in Windows Server 2012; however, the steps are identical or very similar in Windows Server 2008 and 2008 R2.

The Guide

In Active Directory Users and Computers, right-click the domain, and then click Delegate Control.

On the first page of the Delegation of Control Wizard, click Next.

On the Users or Groups page, click Add.

Type the name of the synchronization account, and then click OK.

Click Next.

On the Tasks to Delegate page, select Create a custom task to delegate, and then click Next.

On the Active Directory Object Type page, select This folder, existing objects in this folder, and creation of new objects in this folder, and then click Next.

On the Permissions page, in the Permissions box, select Replicating Directory Changes, and then click Next.

Click Finish.
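To confirm that the wizard applied the delegation, and to see every principal that holds this right on the domain root, you can read the domain object's ACL. The script below is an added example, not part of the original guide; it assumes the ActiveDirectory PowerShell module (RSAT) is installed, and `CONTOSO\svc-spsync` is a placeholder for your own synchronization account.

```powershell
# Added example: audit who holds "Replicating Directory Changes" on the domain root.
# Requires the ActiveDirectory module, which also provides the AD: drive.
Import-Module ActiveDirectory

# Placeholder (assumption): replace with your own synchronization account.
$SyncAccount = 'CONTOSO\svc-spsync'

# rightsGuid of the "Replicating Directory Changes" control access right
# (DS-Replication-Get-Changes).
$ReplChanges = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
# An extended-right ACE with an empty ObjectType covers every extended right,
# so those principals hold the right implicitly (this includes Full Control).
$AllRights = [guid]::Empty

$ExtendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$domainDn = (Get-ADDomain).DistinguishedName

$holders = (Get-Acl -Path "AD:\$domainDn").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $ExtendedRight) -eq $ExtendedRight -and
        ($_.ObjectType -eq $ReplChanges -or $_.ObjectType -eq $AllRights)
    } |
    ForEach-Object {
        [pscustomobject]@{
            Identity  = $_.IdentityReference.Value
            GrantedBy = if ($_.ObjectType -eq $ReplChanges) {
                            'Replicating Directory Changes'
                        } else {
                            'All extended rights'
                        }
            Inherited = $_.IsInherited
        }
    } |
    Sort-Object Identity, GrantedBy -Unique

$holders | Format-Table -AutoSize

# Flag a delegation that did not take effect.
if ($holders.Identity -notcontains $SyncAccount) {
    Write-Warning "$SyncAccount does not hold Replicating Directory Changes on $domainDn"
}
```

Running this periodically and comparing the output with the accounts you expect shows when an unexpected principal has been granted the right at the domain level.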

If you need to send the guide to somebody, or download it for future reference, I also made it available as a PDF, which you can download here: Step By Step Guide to configure Replicating Directory Changes

Hey, it’s nice to see such a blog. Thanks.

What about the other steps from ??? Aren’t those going to be necessary too? Pre-2000 Group, the ADSI edits?

Maurizio Angeli

Other steps are required only in specific conditions, here you can find them:

I don’t have a “Tasks to Delegate” option, instead I have to choose an “Access Template” and I have no idea which template to select. Any help?

That is strange! Can you post a screenshot?

I have the screenshot for you but I am unable to post it here. Is there another way I can show you?

Do you know why I have no Replicating Directory Changes option in the permission box when I configure delegate control in Windows Server 2013?

You should have it in Windows Server 2012 and Windows Server 2012 R2. Can you show me screenshots?

Rather than assigning the delegate control to the whole of the site could you do it to a User OU that contains all the current and future User accounts if you are sure that there will not be another OU outside this that will contain user accounts?


Unfortunately the setting is at the Domain level, you can’t give it on a determined OU!


I have 50 farms enterprise wide.
What’s your opinion of sharing the UPA content access identity between farms?
Domain admin doesn’t want 50 ACLs at the root.

It should work, the only thing I would worry about is performance. Check out this PDF from MS for sharing it:

Awesome link! Thanks. Where is the performance concern? One account vs. 50 accounts? Seems the load would be the same regardless of the identity.

The UPA content access account needs are for many disparate custom farms where the My Site host is not even in play. There is no assumption of any relation between any of the farms.

How do we reidentify the account that has been given that permission?
