The following is a list of migration accounts and the minimal level of permissions they require in order for successful migrations to occur when using Migration Manager.
You may experience problems switching mailboxes, as well as logon errors, if the service accounts do not have the minimum required permissions.
Example of an error caused by insufficient permissions:
"Logon Error -2147221219 You do not have permission to log on. - MAPI_E_FAILONEPROVIDER"
Migration Manager Console accounts and minimal rights:
Migration Manager Account - The account used to log on to the console machine.
1. Must be a member of the local Administrators group on the console machine.
2. If there are cluster servers in the source or target Exchange Organizations, the Migration Manager account must be a member of the local Administrators group on each cluster node and have Full Control rights over the cluster.
ADAM Administrative Account - The account specified when the ADAM instance is installed.
1. This account is granted Full Control rights over the ADAM instance when installed.
2. The account must be specified in the Open Project Wizard to connect to ADAM and create a new migration project (which also creates a new ADAM partition). This is done only the first time Migration Manager is started.
3. The user who creates the project is automatically granted Full Control rights in the project and can later delegate rights within the project to other users. These delegated users have rights only within the ADAM project partition; they have no rights to manage the ADAM instance itself.
SQL Configuration Database Account - This account manages the Exchange migration project information that is stored within the SQL Configuration database.
1. The account requires the dbcreator (Database Creators) fixed server role on the SQL Server instance where the SQL configuration database is created. This gives it the permissions to create, own and modify databases on that instance.
Auxiliary Account - This account is used by QMM to write to the ADAM partition.
1. The auxiliary account is an internal account. It requires no rights in either the source or the target domain and no rights in Exchange; any user account that is a member of the Domain Users group can be used.
2. This account must be treated as a service account and must not be changed during the migration.
3. The account's password must not expire or be changed during the migration.
Directory Synchronization & AD Migration accounts and minimal rights:
NEW - See the attached PDF (below) for the absolute minimal permissions required for Migration Manager for Active Directory.
Exchange Data Migration accounts and minimal rights:
NEW - See the attached PDF (below) for the absolute minimal permissions required for Migration Manager for Exchange.
Migration Statistics Accounts and their minimal rights:
Statistics Collection Agent - This account is used to start/run the Statistics Collection Agent service where the agent is installed.
The Statistics Collection Agent account must have the following rights:
1. The account must be a member of the local Administrators group on the server where the agent is installed.
2. The account requires the "Log on as a service" right on the server where the agent is installed.
3. If Windows Authentication is used for the Migration Manager database, the Statistics Collection Agent service account must be able to log on to the SQL Server instance and read the configuration database.
4. If SQL Authentication is used, the Statistics Collection Agent will use the SQL authentication credentials.
The Statistics Collection Agent service account can be changed on the Server page of the Statistics Collection Agent Properties dialog box.
Statistics Portal Accounts - These accounts are used to retrieve statistical information from the ADAM project partition and the SQL configuration database.
When configuring the Statistics Portal, two accounts must be specified to connect to ADAM and SQL. These accounts must have the following rights:
1. To connect to ADAM, the account must be delegated Full Control rights in the project.
2. To connect to the SQL configuration database, the SQL login must hold at least the db_datareader role on that database. The Statistics Portal Server supports only SQL Server authentication for this connection; AD-integrated (Windows) authentication is not supported.
3. The account used to configure the Statistics Portal from the Open Project Wizard must be a member of the local Administrators group on the IIS server on which the portal is installed.
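The following script is an added example, not part of the original article or of Quest's own tooling. It checks the rights listed above for the console-side accounts (local Administrators membership, the Auxiliary account's "password never expires" and Domain Users requirements, the dbcreator role for the SQL configuration account) and for the Statistics accounts (local Administrators, "Log on as a service", db_datareader for the portal's SQL login). All account names, the SQL instance and the database name are placeholders; it assumes the RSAT ActiveDirectory module and the SqlServer module (Invoke-Sqlcmd) are installed, and that the local-Administrators and "Log on as a service" checks are run on the console machine and on the agent server respectively, since those are per-machine settings.

```powershell
# Added example: verify minimal rights for Migration Manager service accounts.
# Not Quest's own code. Names below are assumptions; edit them for your environment.
#Requires -Modules ActiveDirectory, SqlServer
param(
    [string]$MigrationManagerAccount = 'CORP\svc-qmm-console',  # assumed
    [string]$AuxiliaryAccount        = 'CORP\svc-qmm-aux',      # assumed
    [string]$SqlConfigAccount        = 'CORP\svc-qmm-sql',      # assumed (Windows login)
    [string]$StatsAgentAccount       = 'CORP\svc-qmm-stats',    # assumed
    [string]$StatsPortalSqlLogin     = 'qmm_stats_reader',      # assumed SQL Server login
    [string]$SqlInstance             = 'SQL01\QMM',             # assumed
    [string]$ConfigDatabase          = 'QMM_Config'             # assumed
)

$results = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Name, [bool]$Passed, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Passed = $Passed; Detail = $Detail })
}

# Direct membership in the local Administrators group. Membership obtained only
# through a nested domain group is not resolved here and is reported as a failure.
function Test-LocalAdmin([string]$Account) {
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
    return [bool]($members | Where-Object { $_.Name -eq $Account })
}

# "Log on as a service" = SeServiceLogonRight in the effective local security policy.
# secedit writes SIDs with a leading '*'; names that could not be resolved stay as names.
function Test-ServiceLogonRight([string]$Account) {
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    $tmp = Join-Path $env:TEMP 'qmm-secpol.inf'
    & secedit.exe /export /cfg $tmp /areas USER_RIGHTS | Out-Null
    $line = Get-Content $tmp | Where-Object { $_ -like 'SeServiceLogonRight*' }
    Remove-Item $tmp -ErrorAction SilentlyContinue
    return [bool]($line -and (($line -match [regex]::Escape("*$sid")) -or ($line -match [regex]::Escape($Account))))
}

# Auxiliary account: enabled, password never expires, member of Domain Users.
# Domain Users is normally the primary group, which MemberOf does not list, so check PrimaryGroup.
function Test-AuxiliaryAccount([string]$Account) {
    $sam  = $Account.Split('\')[-1]
    $user = Get-ADUser -Identity $sam -Properties PasswordNeverExpires, PrimaryGroup
    $domainUsers = (Get-ADGroup -Identity 'Domain Users').DistinguishedName
    return [bool]($user.Enabled -and $user.PasswordNeverExpires -and $user.PrimaryGroup -eq $domainUsers)
}

# Fixed server role membership (e.g. dbcreator) from the catalog views.
# Values are operator-supplied, but quotes are doubled anyway so a name cannot break the query.
function Test-SqlServerRole([string]$Login, [string]$Role) {
    $l = $Login.Replace("'", "''"); $r = $Role.Replace("'", "''")
    $q = @"
SELECT COUNT(*) AS n
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'$r' AND m.name = N'$l';
"@
    return ((Invoke-Sqlcmd -ServerInstance $SqlInstance -Query $q).n -gt 0)
}

# Database role membership (e.g. db_datareader), mapped back to the server login via its SID.
function Test-SqlDatabaseRole([string]$Login, [string]$Database, [string]$Role) {
    $l = $Login.Replace("'", "''"); $r = $Role.Replace("'", "''")
    $q = @"
SELECT COUNT(*) AS n
FROM sys.database_role_members rm
JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals u ON u.principal_id = rm.member_principal_id
JOIN sys.server_principals   s ON s.sid = u.sid
WHERE r.name = N'$r' AND s.name = N'$l';
"@
    return ((Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $Database -Query $q).n -gt 0)
}

Add-Check 'Migration Manager account: local Administrators (console machine)' (Test-LocalAdmin $MigrationManagerAccount) $MigrationManagerAccount
Add-Check 'Auxiliary account: enabled, password never expires, Domain Users'   (Test-AuxiliaryAccount $AuxiliaryAccount) $AuxiliaryAccount
Add-Check 'SQL configuration account: dbcreator'                                (Test-SqlServerRole $SqlConfigAccount 'dbcreator') $SqlConfigAccount
Add-Check 'Statistics Collection Agent: local Administrators (agent server)'   (Test-LocalAdmin $StatsAgentAccount) $StatsAgentAccount
Add-Check 'Statistics Collection Agent: Log on as a service'                    (Test-ServiceLogonRight $StatsAgentAccount) $StatsAgentAccount
Add-Check 'Statistics Portal SQL login: db_datareader on configuration DB'     (Test-SqlDatabaseRole $StatsPortalSqlLogin $ConfigDatabase 'db_datareader') $StatsPortalSqlLogin

$results | Format-Table -AutoSize
if ($results.Passed -contains $false) { exit 1 }   # non-zero exit for use in a pre-flight job
```

Run it elevated on the console machine for the console-account checks and on the agent server for the Statistics Collection Agent checks; the SQL checks work from either. A failed row maps directly to one of the numbered requirements above, which is quicker than waiting for a MAPI_E_FAILONEPROVIDER logon error during the first mailbox switch.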
Start the Delegation of Control Wizard at the top level of the domain and assign the "Write nTSecurityDescriptor" permission. You may also want to assign "Read nTSecurityDescriptor" in the source domain.
IMPORTANT: This property is not exposed by default. Close ADUC and open dssec.dat in C:\Windows\System32 in a text editor.
Replace every occurrence of "nTSecurityDescriptor=7" with "nTSecurityDescriptor=0", save the file and reopen ADUC; the attribute will then appear in the wizard and in the permission editor.
See also attached screenshot.
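The same two steps (expose the attribute in dssec.dat, then grant the permission at the domain root) done from PowerShell instead of the wizard, as an added example that is not part of the original article or of Quest's tooling. The account name in $Delegate is a placeholder; the script assumes the RSAT ActiveDirectory module (for the AD: drive and Get-ADRootDSE) and an elevated session on a machine where ADUC is installed.

```powershell
# Added example: expose nTSecurityDescriptor in the ADUC permission editor and
# grant the migration account Write (optionally Read) on that attribute, domain-wide.
# Not Quest's own code; $Delegate is an assumed account name.
#Requires -Modules ActiveDirectory
param(
    [string]$Delegate = 'CORP\svc-qmm-dirsync',   # assumed migration account
    [switch]$IncludeRead                           # also grant "Read nTSecurityDescriptor" (source side)
)

# --- Step 1: dssec.dat ------------------------------------------------------
# A value of 7 hides the attribute in the permission editor; 0 shows read and write.
# ADUC reads the file at start-up, so it must be closed while the file is edited.
$dssec = Join-Path $env:SystemRoot 'System32\dssec.dat'
Copy-Item -Path $dssec -Destination "$dssec.bak" -Force            # keep a backup
$content = Get-Content -Path $dssec -Raw
# Lookahead keeps the CR of CRLF line endings intact; -replace is case-insensitive.
$patched = $content -replace '(?m)^nTSecurityDescriptor=7(?=\r?$)', 'nTSecurityDescriptor=0'
Set-Content -Path $dssec -Value $patched -NoNewline -Encoding Ascii

# --- Step 2: the ACE the Delegation of Control Wizard would write ----------
$rootDse  = Get-ADRootDSE
$domainDn = $rootDse.defaultNamingContext
# Resolve the attribute's schemaIDGUID from the schema rather than hard-coding it.
$attrGuid = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
                -LDAPFilter '(lDAPDisplayName=nTSecurityDescriptor)' `
                -Properties schemaIDGUID).schemaIDGUID
$sid = (New-Object System.Security.Principal.NTAccount($Delegate)).Translate(
           [System.Security.Principal.SecurityIdentifier])

$rights = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
if ($IncludeRead) {
    $rights = [System.DirectoryServices.ActiveDirectoryRights]($rights -bor [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty)
}

# Property-specific ACE on the domain head, inherited by every descendant object.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $attrGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

$acl = Get-Acl -Path "AD:\$domainDn"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$domainDn" -AclObject $acl

# Verify: show the delegate's ACEs on the domain root that target this attribute.
(Get-Acl -Path "AD:\$domainDn").Access |
    Where-Object { $_.IdentityReference.Value -eq $Delegate -and $_.ObjectType -eq $attrGuid } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType
```

Two cautions a practitioner should keep in mind. Write access to nTSecurityDescriptor inherited from the domain head lets the account rewrite the DACL of every object in the domain, which is equivalent to control of those objects; treat the delegate as a Tier 0 credential, scope it no wider than the migration needs, and remove the ACE (rerun with the rule removed via $acl.RemoveAccessRule) once the migration is finished. The dssec.dat change is purely cosmetic for the local ADUC console: it only controls what the permission editor displays and has no effect on what the directory enforces.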