SharePoint 2010 AD update failing.

Getting the AD update feature working in SharePoint 2010 / 2013 can be a challenge, as you need to ensure that the permissions you set on the synchronization account are exactly correct as per the following TechNet article.

http://technet.microsoft.com/en-us/library/hh296982#RDCchild

Even following these to the letter you can still come across problems as I recently discovered.

I was asked to take a look at a client system where the AD update for the telephone number was failing. Checking in SharePoint, I could see that the attribute was set to ‘Export’, but the telephone number for a ‘Test User’ was not being set. Checking in the FIM client tool, we could see a permissions error for the object update.

Rechecking the permissions that the AD sync account has showed that the update permission had been removed from the AD object and AD Inheritance had been removed.

After some serious investigation by a colleague (Big Respect to Chris V), we discovered an AD feature called “Protected Groups” whereby, if you are a member of a specific AD group such as Administrators, Account Operators, Server Operators etc., the following could happen.

  • Delegated permissions are not available to all users in an organizational unit.
  • Inheritance is automatically disabled on some user accounts approximately one time an hour
  • Users who previously had delegated permissions, no longer have them.

http://support.microsoft.com/kb/817433

As soon as we tested the AD feature for a ‘normal’ user it worked exactly as expected, so a nice little ‘feature’ to watch out for that is not documented from the SharePoint side.
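A read-only check for this condition, as an added example that is not from the original post: it lists users in the synchronized OU that AD has flagged as protected, whether inheritance is disabled on each, and whether the sync account still holds a direct write ACE. The OU and account name are placeholders, and using `adminCount=1` as the marker is an assumption based on the AdminSDHolder behaviour described in KB 817433.

```powershell
# Added example: requires the ActiveDirectory module (RSAT). Read-only.
Import-Module ActiveDirectory

# Placeholders (assumptions, not values from the original post)
$SearchBase  = 'OU=Staff,DC=example,DC=com'   # OU covered by the sync connection
$SyncAccount = 'EXAMPLE\sp-adsync'            # SharePoint synchronization account

function Get-ProtectedUserReport {
    param(
        [Parameter(Mandatory)] [string] $SearchBase,
        [Parameter(Mandatory)] [string] $SyncAccount
    )

    $writeRight = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

    # adminCount=1 marks accounts whose ACL is stamped from AdminSDHolder.
    # The flag is not cleared when a user later leaves the protected group,
    # so former administrators show up here as well.
    Get-ADUser -SearchBase $SearchBase -LDAPFilter '(adminCount=1)' `
               -Properties adminCount, nTSecurityDescriptor, memberOf |
        ForEach-Object {
            $sd = $_.nTSecurityDescriptor

            # Allow ACEs naming the sync account directly that include WriteProperty.
            # Rights granted through a group the account belongs to are not resolved.
            $syncAces = @($sd.Access | Where-Object {
                $_.IdentityReference.Value -eq $SyncAccount -and
                $_.AccessControlType -eq 'Allow' -and
                ($_.ActiveDirectoryRights -band $writeRight)
            })

            [pscustomobject]@{
                SamAccountName      = $_.SamAccountName
                InheritanceDisabled = $sd.AreAccessRulesProtected
                SyncAccountCanWrite = ($syncAces.Count -gt 0)
                Groups              = ($_.memberOf |
                                        ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join '; '
            }
        }
}

Get-ProtectedUserReport -SearchBase $SearchBase -SyncAccount $SyncAccount |
    Sort-Object SamAccountName |
    Format-Table -AutoSize
```

Rows with `InheritanceDisabled` true and `SyncAccountCanWrite` false are the accounts for which the export will fail with the permissions error described above.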

Happy SharePointing