Yesterday, I needed to help configure a SharePoint Server 2019 User Profile service to import from local Active Directory using the native SharePoint Active Directory Import.
In order to perform Active Directory Import, the service account you specify must have Replicating Directory Changes permissions. Aside from using the Delegate Control wizard in Active Directory Users and Computers, the easiest way is with PowerShell. I generally prefer the PowerShell way of doing things, as it means it’s easy to document, easy to repeat, and easy to ensure everything was done.
We have some documentation scattered about with multiple links to multiple pages, so I thought I’d consolidate it with a little script I wrote to help:
$SamAccountName = "sps-adimport-svc" $Name = "SharePoint Active Directory Import" $Password = [System.Web.Security.Membership]::GeneratePassword(15,2) $SecurePassword = ConvertTo-SecureString -AsPlainText $Password -Force New-ADUser -DisplayName $Name -SamAccountName $SamAccountName -Name $Name -AccountPassword $SecurePassword -Enabled $True $RootDSE = Get-ADRootDSE $DefaultNamingContext = $RootDSE.defaultNamingContext $ConfigurationNamingContext = $RootDSE.configurationNamingContext dsacls $DefaultNamingContext /G "$($SamAccountName):CA;""Replicating Directory Changes"
You can return the account details at the console (you’ll need them to complete the Active Directory Import configuration):
"$($env:USERDOMAIN)\$($SamAccountName)" "$($Password)"