I had a production SharePoint 2010 Enterprise environment that was set up to allow syncing of the picture property from SharePoint back into Active Directory. I ran into an issue recently where I found that 3 users' pictures were not updating. As I researched the issue, I looked at the Microsoft Synchronization Service Manager (miisclient.exe) on the Application server where the User Profile Synchronization Service was running. I found that for the DS_EXPORT step of the sync process, the users were being flagged as having Export Errors, the error field in miisclient showed ‘permission-issue’, and the data source error stated ‘Insufficient access rights to perform the operation’.
After comparing the 3 users' AD profiles along with a few other users that did not have any issues, I found a discrepancy in the Security tab and inside of Advanced properties. I found that the box for “Include inheritable permissions for this object’s parent” was not checked.
After correcting the issue and making sure it was selected for all of the failing users, on the next UPS sync, the errors were eliminated and the profile pictures synced to AD successfully.
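
The comparison described above can be done for a whole OU at once by reading each user's security descriptor. This is an added example, not part of the original post; it assumes the ActiveDirectory PowerShell module (RSAT) is installed, and the function name and the OU `OU=Staff,DC=example,DC=com` are hypothetical placeholders.

```powershell
# Added example: audit user objects whose ACL does not inherit from the parent
# (the unchecked "Include inheritable permissions" box in Advanced Security).
# Requires the ActiveDirectory module (RSAT). Read-only: nothing is modified.
Import-Module ActiveDirectory

function Get-InheritanceBlockedUser {
    [CmdletBinding()]
    param(
        # Hypothetical OU; replace with the container your sync connection covers.
        [Parameter(Mandatory = $true)]
        [string]$SearchBase
    )

    Get-ADUser -Filter * -SearchBase $SearchBase -SearchScope Subtree `
               -Properties nTSecurityDescriptor, adminCount |
        Where-Object {
            # AreAccessRulesProtected is $true when inheritance is disabled.
            # A null descriptor means the caller could not read the ACL; skip it.
            $_.nTSecurityDescriptor -and
            $_.nTSecurityDescriptor.AreAccessRulesProtected
        } |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName    = $_.SamAccountName
                DistinguishedName = $_.DistinguishedName
                # adminCount = 1 usually means AdminSDHolder manages this ACL
                # and will switch inheritance off again after a manual fix.
                AdminCount        = $_.adminCount
            }
        }
}

Get-InheritanceBlockedUser -SearchBase 'OU=Staff,DC=example,DC=com' |
    Sort-Object SamAccountName |
    Format-Table -AutoSize
```

Accounts listed with `AdminCount` set to 1 are current or former members of protected groups; review that membership before re-enabling inheritance on them, since the setting is otherwise reapplied automatically.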