When you are setting up the User Profile Synchronization in SharePoint 2010, you need an account which is going to do the synchronization. This account has to be given the “Replicate Directory Changes” permission on the domain (it shows up as “Replicating Directory Changes” in the Active Directory Users and Computers snap-in and in DSACLS). Grant only this right: the related “Replicating Directory Changes All” right is not needed by the synchronization and would allow the account to read secrets such as password hashes through replication.
See this article on TechNet on how to do this using the Active Directory Users and Computers snap-in.
If the NetBIOS name of the domain is different from the FQDN of the domain, these permissions also need to be set on the Configuration Naming Context of the forest.
(Rational Guide to Implementing SharePoint Server 2010 User Profile Synchronization)
Doing this using the snap-in is OK, but I like to do things using script, so I have been looking for a way to do this using PowerShell. I found some information on how to use PowerShell to check if these permissions were set, but I didn’t succeed in setting them.
Then I stumbled onto a post by Søren Granfeldt, which showed me that setting these permissions is actually very easy. You simply call the DSACLS command-line tool from PowerShell to set them:
# The account that will run the User Profile Synchronization
$Identity = "domain\account"
# Read the distinguished names of both naming contexts from RootDSE
$RootDSE = [ADSI]"LDAP://RootDSE"
$DefaultNamingContext = $RootDSE.defaultNamingContext
$ConfigurationNamingContext = $RootDSE.configurationNamingContext
$UserPrincipal = New-Object System.Security.Principal.NTAccount("$Identity")
# /G grants; CA = control access (extended right), followed by the right's display name
DSACLS "$DefaultNamingContext" /G "$($UserPrincipal):CA;Replicating Directory Changes"
DSACLS "$ConfigurationNamingContext" /G "$($UserPrincipal):CA;Replicating Directory Changes"
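The snippet above grants the right but does not tell you whether it already existed or whether the DSACLS call actually took effect. The following script is an added example, not Søren Granfeldt’s code or the original post’s: it reads the ACL of each naming context through ADSI, looks for an explicit Allow ACE for the extended right with the well-known DS-Replication-Get-Changes GUID (1131f6aa-9c07-11d1-f79f-00c04fc2dcd2, displayed as “Replicating Directory Changes”), grants it with DSACLS only when missing, re-checks afterwards, and warns if the account also holds the more powerful DS-Replication-Get-Changes-All right (1131f6ad-9c07-11d1-f79f-00c04fc2dcd2). It assumes it runs on a domain-joined machine with Domain Admin rights and dsacls.exe available; the account name is a placeholder.

```powershell
# Added example (not from the original post): grant and verify
# "Replicating Directory Changes" on both naming contexts.
# Assumptions: domain-joined host, Domain Admin rights, dsacls.exe installed.
param(
    [Parameter(Mandatory = $true)]
    [string]$Identity   # placeholder, e.g. "CONTOSO\svc-ups"
)

# Well-known rightsGuid values of the two replication extended rights.
$GetChangesGuid    = [Guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'  # Replicating Directory Changes
$GetChangesAllGuid = [Guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'  # Replicating Directory Changes All (not needed by UPS)

$RootDSE  = [ADSI]"LDAP://RootDSE"
$Contexts = @($RootDSE.defaultNamingContext.Value, $RootDSE.configurationNamingContext.Value)

$Principal = New-Object System.Security.Principal.NTAccount($Identity)
$Sid       = $Principal.Translate([System.Security.Principal.SecurityIdentifier])

function Test-ReplicationRight {
    # Returns $true when an Allow ACE for the given extended right exists for $Sid on the object.
    param(
        [string]$DistinguishedName,
        [System.Security.Principal.SecurityIdentifier]$Sid,
        [Guid]$RightGuid
    )
    $Object = [ADSI]"LDAP://$DistinguishedName"
    $Acl    = $Object.ObjectSecurity   # System.DirectoryServices.ActiveDirectorySecurity
    $Aces   = $Acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($Ace in $Aces) {
        if ($Ace.AccessControlType -eq 'Allow' -and
            $Ace.IdentityReference -eq $Sid -and
            ($Ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
            $Ace.ObjectType -eq $RightGuid) {
            return $true
        }
    }
    return $false
}

foreach ($Dn in $Contexts) {
    if (Test-ReplicationRight -DistinguishedName $Dn -Sid $Sid -RightGuid $GetChangesGuid) {
        Write-Host "Replicating Directory Changes already granted to $($Principal.Value) on $Dn"
    }
    else {
        & dsacls.exe "$Dn" /G "$($Principal.Value):CA;Replicating Directory Changes"
        if ($LASTEXITCODE -ne 0) {
            throw "dsacls failed on $Dn (exit code $LASTEXITCODE)"
        }
        # Re-read the ACL instead of trusting the exit code alone.
        if (-not (Test-ReplicationRight -DistinguishedName $Dn -Sid $Sid -RightGuid $GetChangesGuid)) {
            throw "ACE not found on $Dn after dsacls; check the account name and your rights"
        }
        Write-Host "Granted Replicating Directory Changes to $($Principal.Value) on $Dn"
    }

    # Least privilege check: the sync account should not be able to replicate secrets.
    if (Test-ReplicationRight -DistinguishedName $Dn -Sid $Sid -RightGuid $GetChangesAllGuid) {
        Write-Warning "$($Principal.Value) also holds 'Replicating Directory Changes All' on $Dn; User Profile Synchronization does not need it."
    }
}
```

Run it as `.\Grant-ReplicationRight.ps1 -Identity "CONTOSO\svc-ups"` from an elevated PowerShell session on a domain-joined machine. Because the verification matches the ACE by the right’s GUID rather than by its display name, it works regardless of the display language of the domain controller, and the warning about “Replicating Directory Changes All” is worth keeping in any script that touches these rights.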