To synchronize deletions in Microsoft Active Directory with Oracle Internet Directory, you must grant the necessary privilege to the Microsoft Active Directory user account that the Oracle directory integration server uses to perform synchronizations with Microsoft Active Directory. Microsoft Active Directory deletions can be synchronized with Oracle Internet Directory by querying for them in Microsoft Active Directory.
For the USN-Changed (ActiveChgImp) approach, the Microsoft Active Directory user account that the Oracle Directory Integration Platform uses to access Microsoft Active Directory must have “List Content” and “Read Properties” permission to the cn=Deleted Objects
container of a given domain. In order to set these permissions, you must use the dsacls.exe command which was previously known as Active Directory Application Mode or ADAM.
Follow below steps to execute dsacls command:
1. Open a command prompt, click Start, right-click Command Prompt, and then click Run as administrator.
2. At the command prompt, type the following and press enter after each command:
· dsacls <deleted_object_dn> /takeownership
Ex: dsacls “CN=deleted objects, dc = domain” /takeownership
· dsacls <deleted_object_dn> /G <user_or_group>:LC
Ex: dsacls “CN=deleted objects, dc = domain” /G ldapaccess:LC
· dsacls <deleted_object_dn> /G <user_or_group>:RP
Ex: dsacls “CN=deleted objects, dc = domain” /G ldapaccess:RP
Parameter
|
Description
|
deleted_object_dn
|
The distinguished name of the deleted directory object.
|
user_or_group
|
The user or group for whom the permissions apply.
(user account used to access AD from OID)
|
If you create a matching filter for the ActiveChgImp profile (for the USN-Changed profile) be sure to include only the following key Microsoft Active Directory attributes:
- ObjectGUID
- ObjectSID
- ObjectDistName
- USNChanged
If you specify any attributes in a matching filter other than the preceding key attributes, deletions in Microsoft Active Directory are not propagated to Oracle Internet Directory.