AD permissions are not fully migrated from source to target (4230453)

Chat now with support

Get Live Help
Complete Registration

Sign In

Request Pricing

Contact Sales

Return

Feedback Submitted

Did this article solve an issue for you?

Select Rating

Title

AD permissions are not fully migrated from source to target
Description

Some AD permissions are not fully migrated from source to target. Accounts that have access to mailboxes in the source other than their own do not have this access on the target. An example would be the Send As/Receive As access.
Cause

Skipping of NtSecurityDescriptor and msExchMailboxSecurityDescriptor attributes during Directory Synchronization or Migration will prevent some AD permissions from being fully synchronized. Security Descriptor migration rule setting also affects how QMM treats these attributes. Please see an explanation below for more details on QMM behavior in each corresponding scenario.
Resolution

1. Skipping NtSecurityDescriptor attribute would skip permissions under objectsSecurity TAB in AD, for example such as Send As/Receive As.

2. Skipping msExchMailboxSecurityDescriptor attribute would skip mailbox permissions under ADUC - Exchange Advanced | Mailbox Rights, for example such as Full Mailbox access

3. Setting Security Descriptor migration rule to Skip would be similar to skipping NtSecurityDescriptor attribute. Unless Security Descriptor migration rule option in either the Active Directory Migration or Synchronization job properties is set to something other than Skip (Default option), objects AD permissions will not be migrated. If the Security Descriptor migration rule is set after the initial sync, then a Full Resync is needed. Please select Start and Re-Sync (Pop up message will state to only do a start. This is incorrect).

NOTE: Sometimes Send As/Receive As permissions are mistakenly believed to be part of msExchMailboxSecurityDescriptor attribute. They are however contained in NtSecurityDescriptor attribute. It is important to understand, that in the default QMM configuration where Security Descriptor migration rule is set to Skip, Send As/Receive As permissions will not be migrated.
Additional Information

Please also see the following solutions for additional information on and Send on Behalf Solution SOL46577 - How does QMM (Quest Migration Manager) handle Send on Behalf mailbox permission? - https://support.quest.com/SUPPORT/index?page=solution&id=SOL46577">https://support.quest.com/SUPPORT/index?page=solution&id=SOL46577 Solution SOL48950 - Values in the publicDelegates linked attribute that point to groups are not resolved. They are left in Unresolved Links queue. - https://support.quest.com/SUPPORT/index?page=solution&id=SOL48950 Solution SOL22936 - How to handle the migration of shared or delegated mailboxes? - https://support.quest.com/SUPPORT/index?page=solution&id=SOL22936

Feedback Submitted

Did this article solve an issue for you?

Select Rating
Request a KB Article

Request a topic for a future Knowledge Base Article

Request a topic for a future Knowledge Base Article

Products

Topic

Title

Description

Email Address

Leave a Comment

Must select 1 to 5 star rating above in order to send comments

Recommended Content

Product(s):

Topic(s):

Technical Solutions

Article History:

Created on: 5/2/2009
Last Update on: 5/7/2023

Welcome to Quest Support

You can find online support help for Quest *product* on an affiliate support site. Click continue to be directed to the correct support content and assistance for *product*.

Search All Knowledge Base

Please select your product:

To serve you better, please complete the Purpose of your Chat:

Recommended Solutions for Your Problem

AD permissions are not fully migrated from source to target (4230453)

Title

Description

Cause

Resolution

Additional Information

Leave a Comment