How to sync SEE and AD in 2008 with a non-domain admin account.


Article ID: 153097


Endpoint Encryption


How to configure a 2008 AD DS server to allow SEE Synchronization using a non-domain admin account?


Perform the following from the 2008 Domain server:

  1. Create a domain user for SEE AD synchronization.
  2. Open a command prompt and enter the following commands:

         dsacls.exe "CN=Deleted Objects,dc=your-org,dc=com" /takeownership
         dsacls.exe "CN=Deleted Objects,dc=your-org,dc=com" /G "your-org\adsyncuser":LCRP

Be sure to replace dc=your-org,dc=com with the distinguished name of your own domain, and replace your-org and adsyncuser with the domain name and user name of your own Active Directory synchronization account.
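
The same two commands followed by a check of the resulting ACL entry, as an added example that is not part of the original article. It assumes PowerShell 2.0 or later, run by a domain administrator on the domain server; the account name is the article's placeholder, and the layout of the dsacls listing is an assumption noted in the comments.

```powershell
# Added example (not from the original article): apply the two dsacls
# commands from the steps above, then display the entry for the sync
# account so the grant can be reviewed before installing the server.
# Assumption: 'your-org\adsyncuser' is the article's placeholder account.
param(
    [string]$SyncAccount = 'your-org\adsyncuser'
)

# Read the domain's distinguished name from RootDSE instead of typing it.
$rootDse = [ADSI]'LDAP://RootDSE'
$target  = "CN=Deleted Objects,$($rootDse.defaultNamingContext)"

# Steps from the article: take ownership of the container, then grant the
# sync account LC (list contents) and RP (read property), both read-only.
& dsacls.exe $target /takeownership
& dsacls.exe $target /G "${SyncAccount}:LCRP"

# Check: run dsacls with no options to list the ACL, and keep the line
# naming the sync account plus the two lines after it (assumption: dsacls
# prints the individual rights on the lines following the account name).
$entries = & dsacls.exe $target |
    Select-String -SimpleMatch $SyncAccount -Context 0,2

if ($entries) {
    # Expect only list-contents and read-property rights for this account.
    $entries
} else {
    Write-Warning "No ACL entry found for $SyncAccount on $target"
}
```

If the listing shows any right for the synchronization account beyond list contents and read property, review the container's ACL before continuing.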


Having modified the Active Directory synchronization account, you can now proceed to the Management Server installation, and enter this account in the Directory Service Synchronization page of the Management Server InstallShield Wizard.