where NNN is an integer.
In addition, Active Directory synchronization searches for the attributes configured in the search plus the following:
sAMAccountName, isDeleted, displayName, mail, userAccountControl
The user account requires access to any attributes specified in the custom filter and any mapped attributes specified in System Manager.
Finally, the user account must be able to read the following attributes from rootDSE:
DnsHostName, dsServiceName, invocationID, highestCommittedUSN