Domain Users replication rights

Janus Bariñan 1,126 Reputation points

We just found out our Domain Users security group has the following permissions:

Replicate Directory Changes, Replicate Directory Changes All and Replicate Directory Changes In Filtered Set

Is it safe to remove these permissions from the Domain Users and other users/groups that are not part of domain admins?


Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
12,059 questions
Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
5,808 questions
0 comments No comments
{count} votes

Accepted answer
  1. Marcin Policht 8,415 Reputation points MVP

    In short, yes - a non-privileged user should not have these permissions.

    More at

    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.



    0 comments No comments

1 additional answer

Sort by: Most helpful
  1. Jing Zhou 1,390 Reputation points Microsoft Vendor



    Thank you for posting in Q&A forum.

    Yes, it's safe to remove AD Replication permission from the domain Users security group. This permission is only used for AD replication purpose. You can only provide this permission to specific users or group hence they will be able to initiate AD replication when needed (For daily maintenance or issue fix).


    To help other customers who may be facing the same issue, please don't forget to vote if the reply is helpful.

    Hope this answer can help you well.


    Best regards,

    Jill Zhou


    0 comments No comments