1. Save the following script to a file named "Grant-ReplicatingDirectoryChanges.ps1":

# Grants necessary permissions for AD MA Service Account for
# FIM 2010 or ILM 2007 according to directions in
# http://support.microsoft.com/kb/303972/en-us article
#
# Please note that this script has only been tested on Windows Server 2008 R2
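param (
 # sAMAccountName of the service account; required, since an empty name cannot be translated to a SID
 [Parameter(Mandatory = $true)]
 [string] $Account
)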
# get domain environment information
$RootDse = [ADSI] "LDAP://RootDSE"
$DefaultNamingContext = $RootDse.defaultNamingContext
$Domain = [ADSI] "LDAP://$DefaultNamingContext"
$DomainNetBIOSName = $Domain.Name.ToString().ToUpper()
$DomainFQDN = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
# translate to SID (I like this due to its uniqueness characteristics)
$UserPrincipal = New-Object Security.Principal.NTAccount("$DomainNetBIOSName", "$Account")
$SID = $UserPrincipal.Translate([System.Security.Principal.SecurityIdentifier]).Value
DSACLS "$DefaultNamingContext" /G "$($SID):CA;Replicating Directory Changes";

2. Start PowerShell, change to the directory that contains the script file above, and run the following command:

.\Grant-ReplicatingDirectoryChanges.ps1 -Account SVC-FIM-ADMA

Here "SVC-FIM-ADMA" is the name of the account that is to be granted the permission.
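
To confirm the grant afterwards, the following added example (not part of the original post or of the referenced articles) reads the ACL of the domain naming context and lists every trustee that holds a directory replication right, so you can check that the service account received "Replicating Directory Changes" and nothing broader. It assumes PowerShell 3.0 or later on a domain-joined machine; the file name Get-ReplicatingDirectoryChanges.ps1 is hypothetical.

```powershell
# Added example (not from the original post): report which trustees hold
# directory replication rights on the domain naming context.
param (
    [string] $Account   # optional sAMAccountName to check, e.g. SVC-FIM-ADMA
)

# rightsGuid values of the control access rights; the all-zero GUID on an
# extended-right ACE means "all extended rights", which includes both.
$Rights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
    '00000000-0000-0000-0000-000000000000' = 'All extended rights'
}
$ExtendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$RootDse = [ADSI] "LDAP://RootDSE"
$DefaultNamingContext = $RootDse.defaultNamingContext
$Domain = [ADSI] "LDAP://$DefaultNamingContext"

# Read explicit and inherited ACEs, with trustees returned as SIDs
$Rules = $Domain.psbase.ObjectSecurity.GetAccessRules(
    $true, $true, [System.Security.Principal.SecurityIdentifier])

$Holders = foreach ($Rule in $Rules) {
    $Guid = $Rule.ObjectType.ToString()
    $HasBit = ($Rule.ActiveDirectoryRights -band $ExtendedRight) -ne 0
    if ($Rule.AccessControlType -eq 'Allow' -and $HasBit -and $Rights.ContainsKey($Guid)) {
        # Resolve the SID to a name for display; keep the SID if it cannot be mapped
        try { $Name = $Rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $Name = $Rule.IdentityReference.Value }
        [PSCustomObject]@{
            Trustee = $Name
            SID     = $Rule.IdentityReference.Value
            Right   = $Rights[$Guid]
        }
    }
}
$Holders | Sort-Object Right, Trustee | Format-Table -AutoSize

if ($Account) {
    # Same SID translation as the grant script, so the match is by SID, not name
    $DomainNetBIOSName = $Domain.Name.ToString().ToUpper()
    $UserPrincipal = New-Object Security.Principal.NTAccount("$DomainNetBIOSName", "$Account")
    $SID = $UserPrincipal.Translate([System.Security.Principal.SecurityIdentifier]).Value
    $Granted = @($Holders | Where-Object { $_.SID -eq $SID } | ForEach-Object { $_.Right })
    if ($Granted.Count -eq 0) { Write-Warning "$Account holds no replication right directly" }
    else { Write-Output "$Account holds: $($Granted -join ', ')" }
}
```

The per-account check only matches ACEs issued directly to the account's SID; rights obtained through group membership appear in the table under the group's name.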

References:
http://blog.goverco.com/2011/08/granting-replicating-directory.html
http://support.microsoft.com/kb/303972