To synchronize or migrate objects with their attributes from source to target Active Directory domain, Directory Synchronization Agent works with source and target domains using accounts specified during domain pair creation. Those accounts must have a specific set of rights in order to access the domain objects and perform directory migration or synchronization. A generalized set of permissions suitable for most migration scenarios is described in Accounts Used by the Directory Synchronization Agent. It is the most easy and efficient way to grant all necessary permissions for source and target accounts. However, if the requirements are too excessive and for security reasons you cannot grant such high privileges to the accounts, this document provides the minimum required set of rights that the source and target accounts must have.
This document also describes minimum required permissions for accounts used by Active Directory Processing Wizard (ADPW) and Exchange Processing Wizard (EPW).
During account migration or directory synchronization DSA connects to the source and target Active Directory domains and to the source and target Microsoft Exchange information stores (if necessary). For that it uses source and target Active Directory accounts. These accounts are specified on the Select Source Domain and the Select Target Domain tab in the Domain Pair Properties dialog. The following sections provide minimum required permissions for the source and target Active Directory accounts.
In case you plan to perform the following operations that cannot be performed using granular account permissions described in this document:
Undo of changes made by migration sessions
you must do one of the following:
|
Important: The minimum permissions listed in this document are not valid if you plan to perform the following:
If you need to perform these operations, grant source and target accounts permissions according to Accounts Used by the Directory Synchronization Agent. |
|
TIP: SID history adding requires membership in the Administrators group either for source or for target DSA account depending on the SID history adding method. For details, see Adding SID History topic of the Migration Manager for Active Directory User Guide. |
Source Active Directory Synchronization Account Permissions
Target Active Directory Synchronization Account Permissions
Source Active Directory synchronization account must have the following permissions in the source domain:
|
TIP: Alternatively, if you perform migration (but not the synchronization), you can set the SDFlagsSearch registry parameter instead of granting the Manage auditing and security log privilege. For more information on the SDFlagsSearch, see the following KB articles: KB Article 59357, KB Article 78252 and KB Article 26334. |
|
Note: The Administer Information Store permission is required only for Microsoft Exchange 2010 or lower. |
For more details on disabling source accounts, see Specify Object Processing Options of Creating a Migration Session.
Target Active Directory synchronization account must have the following permissions in the target domain:
|
Important: The following attributes must not be skipped for directory synchronization: name, cn, ou, displayName, objectCategory, objectSID, msExchMasterAccountSid, nTSecurityDescriptor, and msExchMailboxSecurityDescriptor. |
1.1. Grant target account the Create permission for types of objects (for instance, users) you plan to create on target (if any).
1.2. The permission to Write service attributes specified on the Object Matching tab of the domain pair properties. By default, service attributes are adminDescription, adminDisplayName, extensionAttribute14 and extensionAttribute15. For more details, see Service Attributes in Configuring a Domain Pair.
1.3. The Write userAccountControl permission for user, inetOrgPerson or computer objects and the Write groupType permission for group objects.
1.4. If you plan to create mail- or mailbox-enabled objects on target then target account must have permissions to Write attributes from the table below in the target domain when synchronizing objects of the user, inetOrgPerson, contact or group classes, regardless of whether those attributes are included or skipped.
OBJECT TYPE → ATTRIBUTE NAME ↓ |
user (inetOrgPerson) |
contact | group |
homeMDB | X* | ||
homeMTA | X* | ||
legacyExchangeDN | X | X | X |
X | X | X | |
mailNickname | X | X | X |
msExchGroupDepartRestriction | X | ||
msExchGroupJoinRestriction | X | ||
msExchHomeServerName | X* | ||
msExchMailboxGuid | X** | ||
msExchMDBRulesQuota | X | ||
msExchModerationFlags | X | ||
msExchPoliciesExcluded | X | X | X |
msExchPoliciesIncluded | X | X | X |
msExchProvisioningFlags | X | ||
msExchRBACPolicyLink | X*** | ||
msExchRecipientDisplayType | X | X | X |
msExchRecipientTypeDetails | X | X | X |
msExchResourceDisplay | X* | ||
msExchResourceMetaData | X* | ||
msExchResourceSearchProperties | X* | ||
msExchTransportRecipientSettingsFlags | X | ||
msExchUMEnabledFlags2 | X* | ||
msExchUserAccountControl | X* | ||
msExchVersion | X | X | X |
protocolSettings | X* | ||
proxyAddresses | X | X | X |
showInAddressBook | X | X | X |
targetAddress | X | X | |
textEncodedOrAddress | X | X | X |
The following notation is used in the table:
X*** — only if source user is mail-enabled, or the Mailbox-enabled users option is selected in Exchange Options and source user is mailbox-enabled
|
Note: If you plan to select the Merge objects with corresponding contacts option available on the Specify Exchange Options step, grant target account permission to delete corresponding contacts and to add objects to groups those contacts are members of. |
1.5. If you plan to enable target accounts that are mailbox-enabled, grant target account permissions to Write the msExchMasterAccountSid, msExchUserAccountControl, msExchRecipientDisplayType and msExchRecipientTypeDetails attributes. For more details on enabling target accounts, see Specify Object Processing Options of Creating a Migration Session.
If you plan to migrate passwords or SID History the target account should be member of Administrators group or preinstalled service feature should be used as described in Using Preinstalled Service Feature in accordance with least privilege principle.
|
Note: The Administer Information Store permission is required only for Microsoft Exchange 2010 or lower. |
© ALL RIGHTS RESERVED. Nutzungsbedingungen Datenschutz Cookie Preference Center