Writing Back to Active Directory
One-way synchronization from Active Directory to SharePoint is fine, but better still is letting users update their profile in SharePoint and having those changes written back to Active Directory. Two-way User Profile Synchronization is what makes this true profile synchronization, as opposed to an isolated import, which assumed that Active Directory (or the LDAP server) was the single authority for all profile data. The following steps configure Active Directory and SharePoint to allow write back of profile changes to Active Directory.
To allow write back to Active Directory, your DOMAIN\spups sync account requires additional directory permissions on the OU you are writing back into: Create Child Objects and Write All Properties, applied to the OU and its descendant objects. Grant these only on the OU (or OUs) that should accept writes from SharePoint, not on the domain root.
- Log on to the server hosting your Active Directory.
- Run ADSIEdit.msc.
- Connect to the default-naming context for the domain.
- Navigate down the tree to the OU that you wish to allow write back.
- Right click the OU and select Properties.
- Click the Security tab.
- At this point, you need to add the DOMAIN\spups user and grant Create Child Objects and Write All Properties permissions, but wait!
- The DOMAIN\spups user already appears in this list because you delegated the Replicating Directory Changes permission earlier. Do not add the write-back permissions to that existing entry, tempting as it is; doing so will break the profile import.
- From the dialog shown in Figure 5, click the Add button to add DOMAIN\spups a second time, so that it gets its own, separate entry.
- Do not click OK just yet.
- Click the Advanced button. In the dialog that appears, scroll down to the instance of the DOMAIN\spups account whose Inherited From column reads <not inherited>; this is the entry you just added, not the one that came with the Replicating Directory Changes delegation.
- Click the Edit button.
- Ensure that the Apply To combo box value is This Object and All Descendant Objects.
- In the Allow column, check Write All Properties and Create Child Objects.
- Click OK several times to get back to the main ADSIEdit.msc window.
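The same grant can be scripted, which is easier to review and to repeat across environments than clicking through ADSIEdit. The script below is an added example and is not part of the original article: it uses the ActiveDirectory PowerShell module's AD: drive to append a new explicit ACE for the sync account, leaving the existing Replicating Directory Changes entry untouched, and lists the account's ACEs before and after so you can confirm that both entries are present. The domain, OU and account name are assumptions; adjust them for your environment.

```powershell
# Added example (not from the original article). Run on a domain controller or a
# machine with RSAT, as a user allowed to modify the OU's ACL.
Import-Module ActiveDirectory

$syncAccount = "CORP\spups"                  # assumption: your UPS sync account
$targetOu    = "OU=Staff,DC=corp,DC=local"   # assumption: the OU that receives write back
$ouPath      = "AD:\$targetOu"               # AD: PSDrive provided by the ActiveDirectory module

function Get-SyncAccountAces {
    param([string]$Path, [string]$Account)
    # Every ACE on the OU that names the sync account: the entry produced by the
    # Replicating Directory Changes delegation and, after the grant, the new explicit one.
    $acl = Get-Acl -Path $Path
    $acl.Access |
        Where-Object { $_.IdentityReference.Value -eq $Account } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                      IsInherited, InheritanceType
}

function Grant-WriteBackRights {
    param([string]$Path, [string]$Account)
    $acl      = Get-Acl -Path $Path
    $identity = New-Object System.Security.Principal.NTAccount($Account)

    # Create Child Objects + Write All Properties, Allow, applied to this object and all
    # descendant objects: the same choices the article makes in the ADSIEdit dialog.
    $rights = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor `
              [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $identity,
        $rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

    # AddAccessRule appends a new explicit ACE. It does not modify the existing entry,
    # which is the mistake the article warns against.
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

"ACEs for $syncAccount on $targetOu before the grant:"
Get-SyncAccountAces -Path $ouPath -Account $syncAccount | Format-Table -AutoSize

Grant-WriteBackRights -Path $ouPath -Account $syncAccount

"ACEs for $syncAccount on $targetOu after the grant:"
Get-SyncAccountAces -Path $ouPath -Account $syncAccount | Format-Table -AutoSize

# Equivalent one-liner with the built-in dsacls tool (assumption: same OU and account):
#   dsacls "OU=Staff,DC=corp,DC=local" /I:T /G "CORP\spups:CCWP"
# /I:T applies to this object and all sub-objects; CC = Create Child, WP = Write Property.
```

After the grant, the "after" listing should show two rows for the sync account: the original one and a new row with IsInherited False, ActiveDirectoryRights containing CreateChild and WriteProperty, and InheritanceType All. If the new row shows InheritanceType None, the rights stop at the OU object itself and the user objects beneath it will not be writable.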
At this stage, Active Directory permits the writes, but the profile import connection you established in an earlier configuration stage still only imports: every property mapping is created with the Import direction, so nothing flows back until you change a mapping explicitly. If you think about it, this makes sense. Imagine how upset HR would be if SharePoint overwrote its profile data with user changes, without management control.
The following steps configure the User Profile
Synchronization Service for more granular control of properties written
back to AD:
- Return to the User Profile Service Administration page.
- Click the Manage User Properties link.
- Choose the property that is mapped to an AD attribute and that you want to write back.
- Make a note of the AD attribute the property is mapped to; you will need it again in a moment.
- Hover over the property name, click the combo box that appears, and select Edit.
- Scroll to the section Property Mapping for Synchronization.
- Click the Remove button.
- In the Add New Mapping section, select the AD property in the Attribute combo box.
- Change the direction to Export.
- Click the Add button.
- Click the OK button to save changes.
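The same change can be made with the SharePoint 2010 server object model, which is useful when you have several properties to flip or several farms to keep in step. The script below is an added example, not code from the original article: it locates the synchronization connection, removes the existing import mapping for the property (SharePoint 2010 allows one direction per property per connection, which is why the article has you click Remove first), adds the export mapping, and lists the result. The site URL, connection display name, property name and attribute name are assumptions; the object-model members used (ConnectionManager, PropertyMapping, AddNewExportMapping, PropertyMapping.Delete) are those of the SharePoint 2010 User Profile API as I know them, so verify with Get-Member if your build differs.

```powershell
# Added example (not from the original article). Run in the SharePoint 2010
# Management Shell on a farm server, as the farm account or another account with
# rights to the User Profile Service Application.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl        = "http://sharepoint.corp.local"  # assumption: a site served by the UPA's proxy group
$connectionName = "corp.local"                    # assumption: display name of the AD sync connection
$profileProp    = "WorkPhone"                     # assumption: SharePoint profile property to write back
$adAttribute    = "telephoneNumber"               # assumption: the AD attribute it was mapped to

$site     = Get-SPSite $siteUrl
$context  = Get-SPServiceContext $site
$upcm     = New-Object Microsoft.Office.Server.UserProfiles.UserProfileConfigManager($context)
$userType = [Microsoft.Office.Server.UserProfiles.ProfileType]::User

$connection = $upcm.ConnectionManager | Where-Object { $_.DisplayName -eq $connectionName }
if ($connection -eq $null) { throw "Synchronization connection '$connectionName' was not found" }

function Get-PropertyMappingsFor {
    param($Connection, [string]$PropertyName)
    # All mappings on this connection for one profile property, with their direction.
    $Connection.PropertyMapping |
        Where-Object { $_.ProfileProperty.Name -eq $PropertyName } |
        Select-Object @{ n = "Property";  e = { $_.ProfileProperty.Name } },
                      @{ n = "Attribute"; e = { $_.DataSourcePropertyName } },
                      IsImport, IsExport
}

"Mappings for $profileProp before the change:"
Get-PropertyMappingsFor -Connection $connection -PropertyName $profileProp | Format-Table -AutoSize

# Step 1: remove the existing (import) mapping, as the article's Remove button does.
$existing = @($connection.PropertyMapping | Where-Object { $_.ProfileProperty.Name -eq $profileProp })
foreach ($m in $existing) {
    "Removing mapping {0} <-> {1} (IsExport={2})" -f $m.ProfileProperty.Name, $m.DataSourcePropertyName, $m.IsExport
    $m.Delete()
}

# Step 2: add the export mapping (SharePoint -> AD) for the same attribute.
$connection.PropertyMapping.AddNewExportMapping($userType, $profileProp, $adAttribute)

"Mappings for $profileProp after the change:"
Get-PropertyMappingsFor -Connection $connection -PropertyName $profileProp | Format-Table -AutoSize
```

The "after" listing should show a single row for the property with IsExport True. Two things to check before you rely on it: the property must allow user edits (Edit Settings on the property page, "Allow users to edit values for this property"), or there will be no user changes to export; and because the import mapping is gone, changes made to that attribute directly in Active Directory will no longer reach SharePoint, so SharePoint is now the authority for that one property.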
You can now edit the data in the profile property you changed, and after the next synchronization run you should see the new value reflected in the mapped attribute in Active Directory. Bear in mind that the mapping is now export only: because you removed the import mapping, edits made to that attribute directly in Active Directory no longer flow into SharePoint, so choose the properties you write back with that in mind.