Example Bank creates a special user that Identity Synchronization for Windows uses when connecting to Active Directory. This user is created in the cn=Users container in the eb.com domain. After the user is created, a minimum set of administration rights is assigned to this user.
In the Tree pane of the Active Directory Users and Computers window, right-click the eb.com container icon.
From the All Tasks menu, choose Delegate Control.
In the Selected User and Groups list, select the special user and click Next.
In the Tasks to Delegate window, select Create a Custom Tasks to Delegate, and click Next.
In the Only the Following Objects in the Folder section, select User Objects.
Identity Synchronization for Windows manages only User objects, so it is sufficient to delegate control of these objects.
Because Example Bank requires the synchronization of users from Directory Server to Active Directory, the special user is given full control of user objects in the eb.com domain.
If you specify a user with default Active Directory permissions, some operations will succeed, for example, an idsync resync operation from Active Directory to Directory Server. Other operations, such as detecting and applying changes in Active Directory, can fail abruptly.
If Example Bank is synchronizing the deletions from Active Directory to Directory Server, even Full Control is insufficient. You must use a Domain Administrator account to detect account deletions in Active Directory.