What is the minimum permissions needed to give an Active Directory account to perform the migrations to Exchange?
The bare minimums would be very difficult to come by as this would be dictated by Microsoft's document titled "Minimum permissions necessary to perform Exchange-related tasks":
http://support.microsoft.com/kb/316792/en-us
The real issue is that the accounts specified in the "Active Directory" area need to be able to delete and create AD objects, modify attributes, mail-enable objects, mailbox-enable objects and delete contacts.
The "Exchange Server" account (mailbox-enabled) needs to 1) have "Receive As" permissions on the target mailbox store *AND* 2) be able to enumerate all the mailstores on the target exchange server.
So to achieve this (doing quick tests), I created a normal user called John and:
- In ADUC, gave user 'John' delegated rights on the target OU: 'Create, delete and manage user accounts'
- In ADUC, the delegated user also needs 'Delete Contact Objects' permissions on the OU (right-click, Properties, Security tab, Advanced, find John, Edit, and check 'Delete Contact Objects')
- In Exchange System Manager, delegated John as 'Exchange View Only Administrator'
- In Exchange System Manager, gave John 'Receive As' permissions on the target mail store
- Went into NME 4.1, specified John as the Exchange and AD user, and ran the following tests to success:
  - mailbox-enable
  - AD object merge
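Once the delegation above is in place, it is worth verifying from the directory side that the migration account holds exactly the OU rights the answer lists and nothing broader. The following PowerShell script is an added example, not from the original post or from NME: it reads the OU's ACL, resolves the 'user' and 'contact' schema GUIDs at runtime, and reports whether the account can create/delete users and delete contacts, flagging full control on the OU itself as over-broad. It assumes the RSAT ActiveDirectory module; the account name and OU DN are placeholders, and group memberships are not expanded.

```powershell
# Added example (not from the original post): audit what a delegated migration
# account can actually do on the target OU so the delegation can be compared
# with the list above and kept to the minimum.
# Assumes the RSAT ActiveDirectory module; $Account and $TargetOU are placeholders.
Import-Module ActiveDirectory

$Account  = 'CONTOSO\John'                          # placeholder
$TargetOU = 'OU=Migrated Users,DC=contoso,DC=com'   # placeholder

# Resolve the schema GUIDs for the 'user' and 'contact' classes at runtime rather
# than hard-coding them; object-specific ACEs reference these GUIDs in ObjectType.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$classGuid = @{}
foreach ($class in 'user', 'contact') {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$class)" -Properties schemaIDGUID
    $classGuid[$class] = [guid]$obj.schemaIDGUID
}

# Only the Allow ACEs that name this account directly (group memberships are not expanded)
$acl  = Get-Acl -Path "AD:\$TargetOU"
$aces = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $Account -and $_.AccessControlType -eq 'Allow'
}

# True if some ACE grants $Right either on all object types or on the given class
function Test-Right {
    param([string]$Right, [string]$Class)
    $wanted = [System.DirectoryServices.ActiveDirectoryRights]$Right
    $match  = $aces | Where-Object {
        $_.ActiveDirectoryRights.HasFlag($wanted) -and
        ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $classGuid[$Class])
    }
    return [bool]$match
}

$report = [ordered]@{
    'Create user objects'    = Test-Right -Right CreateChild -Class user
    'Delete user objects'    = Test-Right -Right DeleteChild -Class user
    'Delete contact objects' = Test-Right -Right DeleteChild -Class contact
}
# Flag anything broader than the task needs: GenericAll on the OU itself, not
# limited to descendant user objects (InheritedObjectType empty as well)
$report['Full control on OU (too broad)'] = [bool]($aces | Where-Object {
    $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -and
    $_.ObjectType -eq [guid]::Empty -and $_.InheritedObjectType -eq [guid]::Empty
})

$report.GetEnumerator() | Format-Table Name, Value -AutoSize
# Raw ACEs for manual review
$aces | Format-Table ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType -AutoSize
```

The Exchange-side rights ('Receive As' on the store and the 'Exchange View Only Administrator' role) live outside the OU ACL and are not covered by this check.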