
Tuesday 17 July 2012

Permission Issue in FIM

Even after you have granted replicating changes permissions in AD, you may still come across permissions issues when a user profile updated in SharePoint is written back to AD for a particular user.

This will show up in the miisclient tool on your application server, or whichever server is managing your User Profile Sync. The miisclient is basically a log of what is happening with your sync on both export and import. Depending on your setup, you can find it here: "C:\Program Files\Microsoft Office Servers\14.0\Synchronization Service\UIShell\miisclient.exe".

When a sync is run and you see "completed-export-errors" on your Export job, have a look at that job. You will then see what is causing the issue on the export. You may see a user with "Permissions-Issue" next to it. It is possible that this user account is not getting the delegated permissions in AD.

The reason for this is that anyone who is, or has been, a member of a protected group such as Domain Admins will not automatically inherit permissions. This means that writing to AD from SharePoint will not happen for that user.

To release this, open the user account in question. Click on the "Security" tab. Click on Advanced. Check the box to Allow Inheritable Permissions.

This will only stay in place for a certain timeframe before resetting itself based on the Protected Groups. You will need to run the sync again to allow the information to be written to AD; I suggest doing so within the hour.

Another one of my meandering findings! This can get quite tricky if you have a number of people that have been in Protected Groups for whatever reasons. There are ways around taking this "Reset" off but that's another problem for another day and I didn't have to do it in my environment.
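To find every affected account at once instead of checking users one by one, the following added example (not part of the original post) lists users whose ACL blocks inheritance and applies the same checkbox change described above. It assumes the ActiveDirectory RSAT module and relies on the `adminCount` attribute, which AD sets on protected-group members and which the post does not mention; the function names are hypothetical.

```powershell
# Added example: audit and fix the inheritance block described in this post.
# Assumes the ActiveDirectory module (RSAT) and rights to read/write user ACLs.
Import-Module ActiveDirectory

function Get-InheritanceBlockedUser {
    # adminCount=1 marks accounts that are, or once were, in a protected group.
    # AreAccessRulesProtected is $true when the inheritance checkbox is cleared.
    Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount, nTSecurityDescriptor |
        Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected } |
        Select-Object SamAccountName, DistinguishedName
}

function Enable-UserInheritance {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
        [string]$DistinguishedName
    )
    process {
        $path = "AD:\$DistinguishedName"
        $acl  = Get-Acl -Path $path
        if (-not $acl.AreAccessRulesProtected) { return }   # already inheriting

        # First argument $false = stop protecting the ACL, i.e. inherit again.
        # The second argument is ignored when the first is $false.
        $acl.SetAccessRuleProtection($false, $false)

        if ($PSCmdlet.ShouldProcess($DistinguishedName, 'Enable permission inheritance')) {
            Set-Acl -Path $path -AclObject $acl
        }
    }
}

# Report only: which accounts will hit the export permissions issue.
Get-InheritanceBlockedUser | Format-Table -AutoSize

# Preview the change for every affected account; remove -WhatIf to apply it,
# then run the sync before the protected-group reset undoes it.
Get-InheritanceBlockedUser | Enable-UserInheritance -WhatIf
```

Review the report before applying the change: accounts that are still members of a protected group are the ones the reset is designed to lock down, so the fix is best limited to users who have since left those groups.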

2 comments:

  1. Interesting post :)
    I hope you could help. I am getting "completed-sync-errors" on MOSS_FULLSYNC_cf58...

    After full/incremental sync, profiles are not getting updated. Still no luck.

    1. Sorry, I have only seen your post now. Have you gotten this sorted? Have you any more details on the FullSync error?
