When and Where to Use Active Directory Processing Wizard
Generally, if you want the target users to have the same level of access as the source users after an Active Directory migration, you need to run Active Directory Processing Wizard (ADPW) in every domain where the source users had explicitly configured access rights. This is effectively mandatory in most Active Directory migrations, at least for the initial transition period.
The following are examples of activities that you may need to perform in ADPW to restore users' resource access levels:
- Add target users to source groups
This is the most common operation for ADPW.
- Update linked attributes other than group membership
For that, ADPW modifies forward links so that back links are resolved as you expect. All linked attributes are supported.
NOTE: Commonly used, important linked attributes include:
- The managedBy attribute of groups
- Links (to users) that role-based administration in Exchange 2007 and later is based on
- Update permissions on objects such as OUs
- If an Exchange resource forest topology is set up in the environment, update Active Directory in the Exchange resource forest
For details about handling Exchange resource forests, see the When and Where to Use Exchange Processing Wizard topic.
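The first two activities above (adding target users to source groups and re-pointing forward links such as managedBy) are the ones most migrations get wrong silently, so it pays to verify them after the wizard has run. The script below is an added example written for this page; it is not part of Migration Manager. It assumes the ActiveDirectory PowerShell module, an account that can read both domains, and placeholder values for the DC names and the source-to-target SID mapping (in a real run, build the mapping from the project's mapping data or from sIDHistory on the target accounts).

```powershell
# Added example (editor's code, not Migration Manager's): check that, in the source
# domain, each target user has picked up the group links and managedBy links of the
# source user it replaced. DC names and the SID mapping below are constructed placeholders.
Import-Module ActiveDirectory

$SrcDC = 'dc01.src.example.com'    # assumed: pin one source DC, as the wizard's Options step does
$TgtDC = 'dc01.tgt.example.com'    # assumed: pin one target DC

# Constructed mapping: source account SID -> target account SID
$SidMap = @{
    'S-1-5-21-1000000001-1000000002-1000000003-1105' = 'S-1-5-21-2000000001-2000000002-2000000003-2210'
}

function ConvertTo-LdapFilterValue([string]$Value) {
    # RFC 4515 escaping so a DN can be embedded safely in an LDAP filter
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
}

function Test-TargetLinks {
    param([string]$SourceSid, [string]$TargetSid)
    $src = Get-ADUser -Identity $SourceSid -Server $SrcDC -Properties memberOf
    $tgt = Get-ADUser -Identity $TargetSid -Server $TgtDC

    # Inside one forest the target is listed by its own DN; across a forest trust it is a
    # foreignSecurityPrincipal whose CN is the SID string. Accept either form.
    $fspDn = "CN=$TargetSid,CN=ForeignSecurityPrincipals,*"

    # 1. Group links: every source-domain group the source user is in should now
    #    also contain the target user ("Add target users to source groups").
    foreach ($groupDn in $src.memberOf) {
        $members = @((Get-ADGroup -Identity $groupDn -Server $SrcDC -Properties member).member)
        $linked = [bool]($members | Where-Object { $_ -eq $tgt.DistinguishedName -or $_ -like $fspDn })
        [pscustomobject]@{ Link = 'member'; Object = $groupDn; Source = $src.SamAccountName; Target = $tgt.SamAccountName; TargetLinked = $linked }
    }

    # 2. Other forward links: managedBy lives on the group and should point at the target
    #    after "Linked attributes" processing, so any group still managed by the source is a gap.
    $filter = "(managedBy=$(ConvertTo-LdapFilterValue $src.DistinguishedName))"
    foreach ($g in @(Get-ADGroup -LDAPFilter $filter -Server $SrcDC)) {
        [pscustomobject]@{ Link = 'managedBy'; Object = $g.DistinguishedName; Source = $src.SamAccountName; Target = $tgt.SamAccountName; TargetLinked = $false }
    }
}

$report = foreach ($s in $SidMap.Keys) { Test-TargetLinks -SourceSid $s -TargetSid $SidMap[$s] }
# Only the gaps are interesting; an empty table means the wizard did what the page promises.
$report | Where-Object { -not $_.TargetLinked } | Format-Table -AutoSize
```

Membership is matched on the raw `member` attribute rather than through Get-ADGroupMember because the latter tries to resolve foreign security principals and fails across forests, which is exactly the case the wizard is most often used for.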
Starting Active Directory Processing
You can perform Active Directory processing in several ways. Select the one that best suits your situation.
- Create an Active Directory processing task and run it from Migration Manager. To create an Active Directory processing task, go to the Resource Processing | Tasks node and click the Active Directory Processing button in the right pane.
- Create an Active Directory processing task and then create a setup package for the task, delegate rights to perform this task to another person, and send the package to that person. The delegated administrator then will install the package and perform the Active Directory processing as specified in the task configuration. Refer to the Delegating Resource Update topic for more details.
- Export the INI file with the appropriate settings for Active Directory processing, and then create and configure an Active Directory processing task to run in stand-alone mode using this INI file. Refer to the Delegating Resource Update topic for more details.
Regardless of the method you select, Active Directory Processing Wizard guides you through the update. You can use Active Directory Processing Wizard in any of three modes:
- Standalone
- Console integration
- Delegation
Each mode has a specific set of steps, as described in the related topics.
Using Standalone Mode
Step 1. Specify Mapping File
In this step you are prompted to specify the location of the INI mapping file. The mapping file is used to match source accounts to target accounts, and therefore decides which target account inherits each source account's rights; keep it where only migration administrators can modify it.
To get the file, export the INI file, as follows:
- From the Tools menu in Migration Manager Console, select Export to | INI file. The Export INI File dialog box will appear.
- Select Active Directory Processing Wizard in the Wizard Name list box.
- Specify the INI file name and path in the INI file field, or leave the default.
- Select the desired re-permissioning options.
- Click OK. This creates the INI file at the path given in the INI file field.
Step 2. Set Processing Options
Select the way Active Directory will be processed.
- Reassign group membership and permissions to target users
Select this option to save group membership and grant the permissions of the source accounts to the new (target) user accounts.
Caution:
- The target account's permissions are merged with the source account's permissions; nothing the target already holds is removed.
- If you click Cancel during the permissions update, further re-permissioning stops. Objects already processed at that moment carry the new (target) permissions; objects not yet processed keep the old permissions. To restore the original Active Directory state completely, run the wizard with the Revert to the original group membership and permissions option.
- Select the Leave source users' group membership and permissions check box to keep the source accounts' access as well, so that both the source and the target account hold the same privileges. This makes the migration smoother during the transition period, at the cost of two accounts carrying each set of rights until you run the cleanup.
- Clean up group membership and permissions of migrated users
Select this option if you want to remove permissions granted for source accounts from the objects’ Access Control Lists (ACLs), thus disabling the rights for the legacy accounts. Normally, this should be done as soon as the transition period is over.
Caution:
- The wizard revokes rights only for source accounts that have already been migrated to the target.
- If you click Cancel during the cleanup, further processing stops. Objects already processed at that moment have their permissions cleaned up; objects not yet processed are left intact.
- Revert to the original group membership and permissions
This option lets you undo re-permissioning, which removes target accounts from the Access Control Lists and returns all rights to the source accounts.
Caution:
- If two source users were merged into one target user during migration, and only one of them had permissions on some objects, then after the security descriptor update and the subsequent revert both source users will have permissions on those objects, because the revert maps the target's entry back to every source account that was merged into it.
- If you click Cancel while changes are being reverted, further re-permissioning stops. Objects already processed at that moment have the source permissions; objects not yet processed keep the target permissions. To restore the Active Directory state, run the wizard with the Reassign group membership and permissions to target users option.
- Clean up objects' SIDHistory
Select this option to clean up the SIDHistory attributes of Active Directory objects.
NOTE: Only the SIDs of source objects that were migrated within the current migration project and selected for processing are removed from the SIDHistory attributes of the target objects. SIDs of other objects (objects not selected for processing, or migrated in a separate project) are left intact.
Caution: Permissions, service accounts, group membership and so on may have changed on resources since resource processing last ran. Update distributed resources and production servers once more before you clean up SIDHistory, so that all permissions, service accounts and group membership are current. Once a SID has been removed from SIDHistory, any ACE that still names that SID no longer resolves to the target account, and the access it granted is silently lost.
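The caution above is worth turning into a check: which old SIDs are still carried in SIDHistory, and are any of them still named directly in resource ACLs? The script below is an added example written for this page, not Quest's code. It assumes the ActiveDirectory module, read access to the target domain and to the share, and placeholder values for the DC and share names; it covers one file share, so point it at each resource you care about.

```powershell
# Added example (editor's code, not Migration Manager's): audit before "Clean up objects' SIDHistory".
# Builds an index of source SIDs still present in sIDHistory on target objects, then
# scans a file share for explicit ACEs that still name those SIDs.
Import-Module ActiveDirectory

$TgtDC = 'dc01.tgt.example.com'   # assumed target DC
$Share = '\\fs01\projects'        # assumed resource to audit

function Get-SidHistoryIndex {
    # Returns a hashtable: old (source) SID string -> sAMAccountName of the target carrying it
    $index = @{}
    $objs = Get-ADObject -LDAPFilter '(&(|(objectClass=user)(objectClass=group))(sIDHistory=*))' `
                         -Server $TgtDC -Properties sIDHistory, sAMAccountName
    foreach ($o in $objs) {
        foreach ($old in $o.sIDHistory) { $index[[string]$old] = $o.sAMAccountName }
    }
    return $index
}

function Find-StaleSidReferences {
    param([hashtable]$History, [string]$Root)
    # Read ACEs as raw SIDs, not account names: while sIDHistory exists the old SID still
    # resolves to the target's name, which would hide exactly the ACEs that break after cleanup.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $paths = @($Root) + @(Get-ChildItem -Path $Root -Recurse -Directory -ErrorAction SilentlyContinue | ForEach-Object FullName)
    foreach ($p in $paths) {
        try { $acl = Get-Acl -Path $p } catch { continue }
        foreach ($ace in $acl.GetAccessRules($true, $false, $sidType)) {   # explicit ACEs only
            $sid = $ace.IdentityReference.Value
            if ($History.ContainsKey($sid)) {
                [pscustomobject]@{ Path = $p; OldSid = $sid; NowMapsTo = $History[$sid]
                                   Rights = $ace.FileSystemRights; Type = $ace.AccessControlType }
            }
        }
    }
}

$history = Get-SidHistoryIndex
"$($history.Count) source SIDs still present in sIDHistory on $TgtDC"
$stale = @(Find-StaleSidReferences -History $history -Root $Share)
if ($stale.Count -gt 0) {
    "Re-run resource processing before cleaning sIDHistory; these ACEs still name old SIDs:"
    $stale | Format-Table -AutoSize
}
```

Only explicit ACEs are reported because inherited ones are fixed by re-permissioning their parent; if the table is empty for every resource you care about, the SIDHistory cleanup will not take access away from anyone.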
Step 3. Select Objects to Process
Specify the objects to process. You can process one or more of the following objects:
- Group membership (group links). Select this check box to update the group membership (the member linked attribute) for the groups from the selected scope. If, for example, SourceUser is a member of a source group and this user is migrated to TargetUser, updating group membership using Active Directory Processing Wizard will ensure that TargetUser becomes a member of this group.
You should also select this check box if you want to process Exchange Administrative Roles.
NOTE: Group membership of the migrated target groups is not processed; these groups are skipped.
- Linked attributes (other links except group links). Select this check box to update the linked attributes (the linked attributes other than member) for the objects in the selected scope. The forward links (links to other objects in the directory) will be processed.
- Active Directory permissions (including processing the Default Security of Active Directory Schema Classes). Select this check box to update the permissions and ownership for the objects from the selected containers. Select the Default schema permissions check box to update the Default Security of Active Directory Schema Classes.
Caution:
- For successful Default schema permissions processing, the service account must be a member of the Schema Admins group. Schema Admins is a forest-wide, highly privileged group; add the service account for the processing run and remove it afterwards.
- Enable this option if you are going to process Exchange mailbox permissions or Other Exchange permissions. It is required for correct processing of the SendAs and ReceiveAs permissions.
- Exchange mailbox permissions. Select this check box to update the permissions both in Active Directory and in the Exchange mailbox database.
Caution: The service account must have permissions to do the following:
- Modify the msExchMailboxSecurityDescriptor attribute on the mailbox-enabled objects that are processed.
- Read and modify items in the Exchange mailbox database.
Grant these permissions using the Exchange System Manager console or the ADSI Edit snap-in. For details about assigning permissions in your particular Exchange environment, see the corresponding Exchange Environment Preparation document.
- Other Exchange permissions. Select this check box to update the following:
- Directory permissions for Exchange objects, such as organizations, servers, and containers
- In domains with Exchange 2013 organizations, role-based access control settings
To update the Public Folders directory permissions, select the Permissions check box and in the expanded processing scope tree select the check box next to the Microsoft Exchange System Objects container.
Caution: For successful processing of the directory permissions for Exchange objects, the service account must be granted Exchange Full Administrator rights using the Exchange System Manager console.
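The Active Directory permissions option re-permissions objects such as OUs; the merge and cleanup semantics described in Step 2 are easiest to understand when written out against one OU's security descriptor. The script below is an added example written for this page and is not Migration Manager's own implementation; it shows the equivalent operation for explicit ACEs on OUs in the source domain. It assumes the ActiveDirectory module, an account with the administrative rights the page requires (the whole security descriptor is written back), and placeholder values for the DC name and the SID mapping.

```powershell
# Added example (editor's code, not Migration Manager's): re-permission OUs for a source->target
# SID mapping. For every explicit ACE naming a source SID, add the same ACE for the target SID;
# optionally keep or remove the source ACE. Inherited ACEs are skipped: they are rewritten on the
# parent. DC name and SID mapping are constructed placeholders.
Import-Module ActiveDirectory

$SrcDC = 'dc01.src.example.com'   # assumed source DC
$SidMap = @{                       # constructed: source SID -> target SID
    'S-1-5-21-1000000001-1000000002-1000000003-1105' = 'S-1-5-21-2000000001-2000000002-2000000003-2210'
}

function Update-OuAcl {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$OuDn,
        [Parameter(Mandatory)][hashtable]$Map,
        [switch]$KeepSource     # like "Leave source users' group membership and permissions"
    )
    $ou = Get-ADObject -Identity $OuDn -Server $SrcDC -Properties nTSecurityDescriptor
    $sd = $ou.nTSecurityDescriptor
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $changed = $false

    # Snapshot the explicit ACEs first; the collection is modified in the loop.
    foreach ($ace in @($sd.GetAccessRules($true, $false, $sidType))) {
        $srcSid = $ace.IdentityReference.Value
        if (-not $Map.ContainsKey($srcSid)) { continue }
        $tgtSid = [System.Security.Principal.SecurityIdentifier]::new($Map[$srcSid])

        # Same rights, allow/deny, object type and inheritance as the source ACE.
        $newAce = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
            $tgtSid, $ace.ActiveDirectoryRights, $ace.AccessControlType,
            $ace.ObjectType, $ace.InheritanceType, $ace.InheritedObjectType)
        $sd.AddAccessRule($newAce)                                    # merge: the target is added, nothing else changes
        if (-not $KeepSource) { [void]$sd.RemoveAccessRule($ace) }   # cleanup: revoke the legacy SID
        $changed = $true
    }

    if ($changed -and $PSCmdlet.ShouldProcess($OuDn, 'replace nTSecurityDescriptor')) {
        Set-ADObject -Identity $OuDn -Server $SrcDC -Replace @{ nTSecurityDescriptor = $sd }
    }
}

# Dry run over every OU in the source domain (transition-period behaviour: keep the source ACEs).
# Remove -WhatIf to apply; drop -KeepSource for the post-transition cleanup.
Get-ADOrganizationalUnit -Filter * -Server $SrcDC |
    ForEach-Object { Update-OuAcl -OuDn $_.DistinguishedName -Map $SidMap -KeepSource -WhatIf }
```

Run it with -WhatIf first and compare the list of OUs it would touch against the processing scope you set in Step 4; an OU outside the scope that shows up here means the mapping contains an account you did not intend to re-permission.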
Step 4. Select Domains
In this step, add the domains in which you want to process the objects. For each domain you add, specify the credentials that the wizard will use to access the domain and update objects. You can either use the credentials of the user currently logged on or specify different credentials.
Caution: For successful Active Directory processing, the specified account must have administrative rights in that domain.
To change the specified credentials for the domain server, select the server and click the Properties button.
To set the processing scope for the selected domain server, take the following steps:
- Click the Scope button.
- In the Select Processing Scope dialog box, browse the domain hierarchy tree and clear check boxes next to the names of containers you want to exclude from processing.
To set the preferred GC and/or DC, take the following steps:
- Click the Options button.
- In the Specify Options dialog box, type the names of preferred Global Catalog and DC into the corresponding text boxes.
Step 5. Complete the Wizard
In the Progress step, you should wait while the wizard performs all requested operations. The following information is available:
- Processing progress bar
- State of processing for the particular server
- The name of container processed at the moment
- Number of errors
In the Summary step, you may review results and statistics of group membership and permissions processing. If any errors occurred during processing, they are indicated in the Summary. Error descriptions are available in the log file.
Click Finish to close the wizard.
Using Console Integration Mode
Step 1. Set Task Properties
In this step you are prompted to specify a task name and description.
To switch the wizard to Delegation mode, select the Delegate this task check box. Please refer to the Using Delegation Mode topic in this guide for details.
Step 2. Set Processing Options
Select the way Active Directory will be processed.
Step 3. Select Objects to Process
Specify the objects to process. You can process one or more of the following objects:
- Group membership (group links). Select this check box to update the group membership (the member linked attribute) for the groups from the selected scope. If, for example, SourceUser is a member of a source group and this user is migrated to TargetUser, updating group membership using Active Directory Processing Wizard will ensure that TargetUser becomes a member of this group.
You should also select this check box if you want to process Exchange 2007 Administrative Roles.
NOTE: Group membership of the migrated target groups is not processed; these groups are skipped.
- Linked attributes (other links except group links). Select this check box to update the linked attributes (the linked attributes other than member) for the objects from the selected scope. The forward links (links to other objects in the directory) will be processed.
- Active Directory permissions (including processing the Default Security of Active Directory Schema Classes). Select this check box to update the permissions and ownership for the objects from the selected containers. Select the Default permissions check box to update the Default Security of Active Directory Schema Classes.
Caution: For successful Default permissions processing, the service account must be a member of the Schema Admins group.
- Exchange mailbox permissions. Select this check box to update the permissions both in Active Directory and in the Exchange mailbox database.
Caution: The service account must have permissions to do the following:
- Modify the msExchMailboxSecurityDescriptor attribute on the mailbox-enabled objects that are processed.
- Read and modify items in the Exchange mailbox database.
Grant these permissions using the Exchange System Manager console or the ADSI Edit snap-in. For details about assigning permissions in your particular Exchange environment, see the corresponding Exchange Environment Preparation document.
- Other Exchange permissions. Select this check box to update directory permissions for Exchange objects, such as organizations, servers, and containers.
To update the public folders' directory permissions, select the Permissions check box and in the expanded processing scope tree, select the check box next to the Microsoft Exchange System Objects container.
Caution: For successful processing of the directory permissions for Exchange objects, the service account must be granted Exchange Full Administrator rights using the Exchange System Manager console.
Step 4. Select Domains
In this step, add the domains in which you want to process the objects. For each domain you add, specify the credentials that the wizard will use to access the domain and update objects. You can either use the credentials of the user currently logged on or specify different credentials.
Caution: For successful Active Directory processing, the specified account must have administrative rights in that domain.
To change the specified credentials for the domain server, select the server and click the Properties button.
To set the processing scope for the selected domain server, take the following steps:
- Click the Scope button.
- In the Select Processing Scope dialog box, browse the domain hierarchy tree, and clear check boxes next to the names of containers you want to exclude from processing.
To set the preferred GC and/or DC, take the following steps:
- Click the Options button.
- In the Specify Options dialog box, type the names of preferred Global Catalog and DC into the corresponding text boxes.
Step 5. Schedule Processing
This step allows you to specify whether the task should be started immediately or should be scheduled.
- Save task configuration only. Select to save the task configuration. You can start the task any time later by right-clicking it in Migration Manager console and selecting Start on the shortcut menu.
- Save task configuration and run processing now. Select to start the task immediately after you finish the wizard.
- Schedule processing. Lets you specify when the task should be started, for example during the night. You can add a new schedule, remove or edit an existing schedule, and specify the account under which the task runs.
Step 6. Complete the Wizard
In the Progress step, you should wait while the wizard performs all requested operations. The following information is available:
- Processing progress bar
- State of processing for the particular server
- The name of container processed at the moment
- Number of errors
In the Summary step, you may review results and statistics of group membership and permissions processing. If any errors occurred during processing, they are indicated in the Summary. Error descriptions are available in the log file.
Click Finish to close the wizard.