{
	"id": "489f544e-88ec-4cda-8b17-5dc1cb08b22a",
	"created_at": "2026-04-06T00:12:14.159499Z",
	"updated_at": "2026-04-10T03:20:35.998008Z",
	"deleted_at": null,
	"sha1_hash": "fbab05114fc8e42ccf5c1bd12c4b93d2a7070b2f",
	"title": "Replicating Directory Changes permission - Windows Server",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 47400,
	"plain_text": "Replicating Directory Changes permission - Windows Server\r\nBy kaushika-msft\r\nArchived: 2026-04-05 16:10:55 UTC\r\nThis article describes how to grant the \"Replicating Directory Changes\" permission for the Microsoft\r\nMetadirectory Services ADMA service account.\r\nOriginal KB number: 303972\r\nSummary\r\nWhen discovering objects in Active Directory using the Active Directory management agent (ADMA), the\r\naccount that is specified for connecting to Active Directory must either have Domain Administrative permissions,\r\nbelong to the Domain Administrators group, or be explicitly granted Replicating Directory Changes permissions\r\nfor every domain of the forest that this management agent accesses. This article describes how to explicitly grant\r\na user account the Replicating Directory Changes permissions on a domain.\r\nNote\r\nIn Windows Server 2003, the name of this permission changed to \"Replicate Directory Changes.\"\r\nMore information\r\nThe Replicating Directory Changes permission, known as the Replicate Directory Changes permission in\r\nWindows Server 2003, is an Access Control Entry (ACE) on each domain naming context. You can assign this\r\npermission by using the ACL editor or the Adsiedit support tool in Windows 2000.\r\nSetting permissions by using the ACL editor\r\n1. Open the Active Directory Users and Computers snap-in.\r\n2. On the View menu, click Advanced Features.\r\n3. Right-click the domain object, such as \"company.com\", and then click Properties.\r\n4. On the Security tab, if the desired user account is not listed, click Add; if the desired user account is listed,\r\nproceed to step 7.\r\n5. In the Select Users, Computers, or Groups dialog box, select the desired user account, and then click\r\nAdd.\r\n6. Click OK to return to the Properties dialog box.\r\n7. Click the desired user account.\r\n8. Click to select the Replicating Directory Changes check box from the list.\r\n9. Click Apply, and then click OK.\r\n10. Close the snap-in.\r\nhttps://support.microsoft.com/help/303972/how-to-grant-the-replicating-directory-changes-permission-for-the-micr\r\nPage 1 of 2\n\nSetting permissions by using Adsiedit\r\nWarning\r\nUsing Adsiedit incorrectly can cause serious problems that may require you to reinstall your operating system.\r\nMicrosoft cannot guarantee that problems resulting from the incorrect use of Adsiedit can be solved. Use Adsiedit\r\nat your own risk.\r\n1. Install the Windows 2000 Support Tools if they have not already been installed.\r\n2. Run Adsiedit.msc as an administrator of the domain. Expand the Domain Naming Context (Domain NC)\r\nnode. This node contains an object that begins with \"DC=\" and reflects the correct domain name. Right-click this object, and then click Properties.\r\n3. Click the Security tab.\r\n4. If the desired user account is not listed, click Add; otherwise, proceed to step 8.\r\n5. In the Select Users, Computers, or Groups dialog box, select the desired user account, and then click\r\nAdd.\r\n6. Click OK to return to the Properties dialog box.\r\n7. Click Apply, and then click OK.\r\n8. Select the desired user account.\r\n9. Click to select the Replicating Directory Changes check box.\r\n10. Click Apply, and then click OK.\r\n11. Close the snap-in.\r\nNote\r\nUsing either method, setting the Replicating Directory Changes permission for each domain within your forest\r\nenables the discovery of objects in the domain within the Active Directory forest. However, enabling discovery of\r\nthe connected directory does not imply that other operations can be performed.\r\nTo create, modify, and delete objects within Active Directory using a non-administrative account, you may need to\r\nadd additional permissions as appropriate. For example, for Microsoft Metadirectory Services (MMS) to create\r\nnew user objects in an Organizational Unit (OU) or container, the account that is being used must be explicitly\r\ngranted the Create All Child Objects permission, as the Replicating Directory Changes permission is not sufficient\r\nto allow the creation of objects.\r\nIn a similar fashion, the deletion of objects requires the Delete All Child Objects permission.\r\nIt is possible that there are limitations on other operations, such as attribute flow, depending on the specific\r\nsecurity settings that are assigned to the object in question, and whether or not inheritance is a factor.\r\nSource: https://support.microsoft.com/help/303972/how-to-grant-the-replicating-directory-changes-permission-for-the-micr\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://support.microsoft.com/help/303972/how-to-grant-the-replicating-directory-changes-permission-for-the-micr"
	],
	"report_names": [
		"how-to-grant-the-replicating-directory-changes-permission-for-the-micr"
	],
	"threat_actors": [],
	"ts_created_at": 1775434334,
	"ts_updated_at": 1775791235,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fbab05114fc8e42ccf5c1bd12c4b93d2a7070b2f.pdf",
		"text": "https://archive.orkl.eu/fbab05114fc8e42ccf5c1bd12c4b93d2a7070b2f.txt",
		"img": "https://archive.orkl.eu/fbab05114fc8e42ccf5c1bd12c4b93d2a7070b2f.jpg"
	}
}