This section is relevant only for scenarios where migration to or from Exchange 2010 or later is a part of Active Directory migration.
This section is relevant only for scenarios where migration to or from Exchange 2010 or later is a part of Active Directory migration.
Rights and Permissions | Where Specified |
---|---|
The account should be a member of the Domain Admins or Enterprise Admins group (See the note below the table) Alternatively, if you want to avoid granting such broad privileges, make the account a member of the Organization Management and Public Folder Management roles. |
To assign the roles to the account (<User>), run the following commands in the Exchange Management Shell: Add-RoleGroupMember "Organization Management" -Member <User> Add-RoleGroupMember "Public Folder Management" -Member <User> |
Rights and Permissions | Where Specified |
---|---|
The ApplicationImpersonation role enables the Exchange processing user account to impersonate other users. |
To enable the account (<User>) to impersonate all users in an organization, run the following in the Exchange Management Shell: New-ManagementRoleAssignment –Name <AssignmentName> -Role ApplicationImpersonation –User <User> See http://msdn.microsoft.com/en-us/library/bb204095.aspx for more details related to enabling Exchange impersonation, such as limiting the scope of users. |
Rights and Permissions | Where Specified |
---|---|
In addition to enabling Exchange impersonation for an account, give it the necessary access privileges by granting the ms-Exch-EPI-May-Impersonate extended right. |
To give the account (<User>) the right to impersonate all users on all Client Access Servers, run the following in the Exchange Management Shell: Get-ExchangeServer | where {$_.IsClientAccessServer -eq $TRUE} | ForEach-Object {Add-ADPermission -Identity $_.distinguishedname -User ((Get-User -Identity <User>) | select-object).identity -extendedRight ms-Exch-EPI-Impersonation} To give the account (<User>) permission to impersonate all accounts on all MailboxDatabases, run the following in the Exchange Management Shell: Get-MailboxDatabase | ForEach-Object {Add-ADPermission -Identity $_.DistinguishedName -User <User> -ExtendedRights ms-Exch-EPI-May-Impersonate} See http://msdn.microsoft.com/en-us/library/bb204095%28EXCHG.80%29.aspx for more details related to granting Exchange impersonation rights, such as narrowing the scope of accounts, servers and databases. |
|
IMPORTANT: Since membership in the Domain Admins or Enterprise Admins group denies Send As and Receive As permissions, you cannot continue using single administrative account. In this case it is advised to create separate processing service account. |
Operation | Rights and Permissions | Where Specified |
---|---|---|
Message sending |
Send As extended right. |
Run the following in the Exchange Management Shell: Add-ADPermission "Mailbox" -User <User> -Extendedrights "Send As" |
Message processing in other users' mailboxes | Full mailbox access rights. |
Run the following in the Exchange Management Shell: Add-MailboxPermission "Mailbox" -User <User> -AccessRights FullAccess |
This section will help you to set the permissions that are required by Migration Manager for Active Directory.
Migration Manager for Active Directory requires administrative access to each source and target domain involved in Active Directory migration.
We recommend that you to create a new user account for the migration activities in each source and target domain instead of using an existing one.
To grant the account administrative access to the Active Directory domain, add the account to the domain’s local Administrators group as follows:
If you have established two-way trusts between each source and target domain or forest trust, you can grant this single account administrative access to each source and target domain. This powerful account must be maintained closely and should be deleted after the project is complete. It is recommended that this account be owned by one individual and one backup individual (or as few individuals as possible).
© ALL RIGHTS RESERVED. Nutzungsbedingungen Datenschutz Cookie Preference Center