After configuring the User Profile Service Application for your SharePoint farm, user profile data syncs from Active Directory as expected. However, after rebooting the SharePoint server you notice that Active Directory user profile changes are no longer being synchronized with SharePoint.
The issue is that the Forefront Identity Manager Synchronization Service is not started on the SharePoint server. This prevents any synchronization with Active Directory.
You may also see the following error in the event logs on the SharePoint server
Ultimately, the issue is related to permissions. At one point while the Synchronization service is attempting to start, the Network Service account requires access to some files in the SharePoint root (i.e. the 14.0 directory). If the account does not have access to these files, the Synchronization service fails to start.
The solution is to add the Network Service account on the SharePoint server to the WSS_WPG Group. This should resolve the issue.
There are some posts that recommend adding the Network Service account to the local Administrators group on the server, or granting the Network Service account Full Control over the entire SharePoint root. These strategies are not aligned with security best practices and are not necessary: adding the account to the WSS_WPG group grants only the access the service actually needs, is sufficient to resolve the issue, and does not introduce any security issues.
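The fix described above, as an added PowerShell example that is not part of the original post: it checks whether NETWORK SERVICE is already a member of the local WSS_WPG group (comparing SIDs rather than display names), adds it only if missing, warns if the account has been placed in Administrators (which this fix does not require), and then starts the Forefront Identity Manager Synchronization Service and reports its status. The group name WSS_WPG comes from the post; the Windows service name `FIMSynchronizationService` and the account name `NT AUTHORITY\NETWORK SERVICE` are the standard Windows/SharePoint 2010 names. Run it in an elevated PowerShell session on the SharePoint server.

```powershell
# Added example (not from the original post): grant NETWORK SERVICE the
# least-privilege membership it needs (WSS_WPG) and start the FIM sync service.

$groupName   = 'WSS_WPG'                       # group named in the post
$accountName = 'NT AUTHORITY\NETWORK SERVICE'   # well-known account, SID S-1-5-20
$serviceName = 'FIMSynchronizationService'      # FIM Synchronization Service

# Resolve the account to a SID so the membership check is name-independent.
$accountSid = (New-Object System.Security.Principal.NTAccount($accountName)).
    Translate([System.Security.Principal.SecurityIdentifier]).Value

function Test-LocalGroupMember {
    # Returns $true when the given SID is a direct member of the local group.
    param([string]$Group, [string]$Sid)
    $adsiGroup = [ADSI]"WinNT://$env:COMPUTERNAME/$Group,group"
    $members = @($adsiGroup.psbase.Invoke('Members'))
    foreach ($m in $members) {
        $bytes = $m.GetType().InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
        $memberSid = (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
        if ($memberSid -eq $Sid) { return $true }
    }
    return $false
}

if (Test-LocalGroupMember -Group $groupName -Sid $accountSid) {
    Write-Host "$accountName is already a member of $groupName"
} else {
    # net localgroup works on every Windows Server version SharePoint 2010 supports.
    & net localgroup $groupName $accountName /add
    Write-Host "Added $accountName to $groupName"
}

# Least-privilege check: the fix does not need local Administrators membership.
if (Test-LocalGroupMember -Group 'Administrators' -Sid $accountSid) {
    Write-Warning "$accountName is in the local Administrators group; WSS_WPG membership is sufficient for the sync service, so consider removing it"
}

# Start the synchronization service and confirm it is running.
Start-Service -Name $serviceName
$svc = Get-Service -Name $serviceName
Write-Host "$($svc.DisplayName): $($svc.Status)"
```

If the service is still not running after this, the group membership was not the blocker and the event log entry the post mentions should be examined for the actual access-denied path; the script is idempotent, so it is safe to re-run after a reboot to verify the membership persisted.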