That's because i've asociated an account to the AD MA with permissions toread, modify and delete all user info, but with some users it gives me this event:connected dta source error: Insufficient access rights to perform the operation.Connected data source error code: 8344I can List all user info (full import and sync) but the exports fails with that event. The weird thing isthe failed accountsisn't domain admins o withany power permissions.If I change the MA service account to Domain Admin it works like a charm, but i don't want to do that. Any help would be appreciated.thanks in advancedwww.flashlight.cl

If the accounts on which it's failing are members of -any- protected group (not just Domain Admins), or have ever been a member of these groups, I'd still investigate AdminSDHolder as a possible cause.If the accounts in question are no longer members of any protected groups, you will need to reset their adminCount attribute to a value of 0, and re-enable permissions inheritance on their objects.See the following for instructions on modifying adminCount and resetting inheritance: http://msmvps.com/blogs/ulfbsimonweidner/archive/2005/05/29/49659.aspxLaura E. Hunter - Directory Services MVP Identity Architect - Oxford Computer Group ILM2 & Identity Training, Upcoming Dates - http://www.oxfordcomputergroup.com/course-dates.aspx

The minimum permissions (for write operations) depends on the AD user attributes you want to manage with your AD MA. Make sure that for each attribute you want to create/update with your MA the service account under which the MA is running has write permissions to the dedicated attribute of the AD object.Hope this helps Matthias

Thanks for the responseI've solved the issue. Never was a permissions problem, they simply didn't inherit permissions from the organizational unit to which they belonged, So my service account was useless with them.thanks againwww.flashlight.cl