The AD integration by default will try to use an incremental sync. For this to work, two things are required:
- The user Crowd binds with needs to be able to read the uSNChanged attribute.
- The user Crowd binds with needs to be able to access the Deleted Objects container.
If either of these conditions is not true, incremental sync will not work. At the moment Crowd silently assumes that both conditions hold and attempts an incremental sync even when it cannot work.
Crowd should detect if either of these conditions does not hold and warn the user in some way. For example, during the connection test it could say that "Incremental Update is not possible....". Crowd might even fall back to doing a full sync if it detects that either of these conditions is not true.
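Until Crowd performs such a check itself, an administrator can run the two conditions above as a preflight test against the domain, using the same account Crowd binds with. The script below is an added example written for this report, not code from Crowd or Atlassian; it assumes the ActiveDirectory PowerShell module is available, that the sync account is supplied as a credential, and that the nearest domain controller is an acceptable target. It reads uSNChanged from the sync account's own user object (and shows the directory's highestCommittedUSN that an incremental sync is compared against), then tries to open the Deleted Objects container and list tombstones inside it.

```powershell
# Added example (not part of the Crowd issue or product): preflight check for
# incremental AD sync, executed with the permissions of the Crowd sync account.
param(
    [Parameter(Mandatory)] [pscredential] $CrowdAccount,          # account Crowd binds with (assumption)
    [string] $Server = (Get-ADDomainController -Discover).HostName  # nearest DC by default (assumption)
)
Import-Module ActiveDirectory

$domainDN  = (Get-ADDomain -Server $Server).DistinguishedName
$deletedDN = "CN=Deleted Objects,$domainDN"
$sam       = $CrowdAccount.UserName.Split('\')[-1]   # strip DOMAIN\ if present
$canIncremental = $true

# Condition 1: uSNChanged must be readable. highestCommittedUSN from the RootDSE is the
# high-water mark an incremental sync records and later queries against.
try {
    $rootDse = Get-ADRootDSE -Server $Server -Credential $CrowdAccount
    $self    = Get-ADUser -Identity $sam -Server $Server -Credential $CrowdAccount -Properties uSNChanged
    if (-not $self.uSNChanged) { throw "attribute not returned for $($self.DistinguishedName)" }
    Write-Host ("OK   uSNChanged readable: {0} (highestCommittedUSN is {1})" -f `
                $self.uSNChanged, $rootDse.highestCommittedUSN)
} catch {
    $canIncremental = $false
    Write-Warning "FAIL uSNChanged not readable as $($CrowdAccount.UserName): $_"
}

# Condition 2: the Deleted Objects container must be accessible. By default only
# administrators may read it, so a least-privilege sync account usually fails here.
try {
    $null = Get-ADObject -Identity $deletedDN -IncludeDeletedObjects -Server $Server -Credential $CrowdAccount
    $tombstones = @(Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects `
                    -SearchBase $deletedDN -Server $Server -Credential $CrowdAccount)
    Write-Host "OK   Deleted Objects container readable ($($tombstones.Count) tombstone(s) visible)"
} catch {
    $canIncremental = $false
    Write-Warning "FAIL Deleted Objects container not accessible as $($CrowdAccount.UserName): $_"
}

if ($canIncremental) {
    Write-Host "Incremental Update is possible for this account."
} else {
    Write-Host "Incremental Update is not possible; configure a full sync or grant the missing permission."
}
```

Run it as `.\Test-CrowdIncrementalSync.ps1 -CrowdAccount (Get-Credential)` and enter the sync account's credentials. A failure on the second check is the common case: the Deleted Objects container is not readable by ordinary users, and Microsoft's documented fix is for a domain administrator to take ownership of the container with dsacls and grant the sync account List Contents and Read Property (LCRP) on it, rather than making the account an administrator.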