지금 지원 담당자와 채팅
지원 담당자와 채팅

Migration Manager for AD 8.15 - Granular Account Permissions

Using Preinstalled Service Feature

The preinstalled service feature allows you to use Active Directory synchronization accounts that are domain members not included in Administrators group to migrate passwords and/or SID History. The preinstalled service must be also configured for environments where Microsoft Local Security Authority (LSA) protection is used.

To use this feature the following requirements should be met:

Preinstalled service can be disabled when necessary as described in Disabling Preinstalled Service.

IMPORTANT:

Directory Synchronization Agent assigned for preinstalled service will not try to install binaries that should be installed to source and target DC under standard workflow. In case the existing Directory Synchronization Agent is used for multiple domain pairs, and preinstalled service feature will be used for part of them, Quest recommends to install and configure separate Directory Synchronization Agent assigned for preinstalled service feature usage only.

If the source or target Active Directory domain contains more than one DC, the preferred DC/GC must be specified in the Directory Synchronization Agent properties for source and target domains and configured to use preinstalled service feature.

For details how to install and configure Directory Synchronization Agent see Agent Manager topic of Quest Migration Manager for AD User Guide.

To configure source and target DC using AllowAccess.ps1 script

 

On the computer where Migration Manager is installed:

  1. Copy Preinstalled Service folder located on the Migration Manager installation CD in the \QMM ResKit\Scripts subfolder to the %ProgramFiles%\Quest Software\Migration Manager\Common\BIN\DeployDistr folder.

  2. Copy the following files from %ProgramFiles%\Common Files\Aelita Shared\ to the %ProgramFiles%\Quest Software\Migration Manager\Common\BIN\DeployDistr\Preinstalled Service folder:

    • aelagentms.exe
    • aelagentms64.exe
    • PwdHlp.dll
    • PwdHlp64.dll

The compiled preinstalled service distributive is now available by network in \\QMM_host\DSASetup\.

 

On source or target DC:

  1. On the domain controller, run the PowerShell session as administrator.
  1. Execute the following commands:

Net Use Z: \\QMM_host\DSASetup

Z:

cd “Preinstalled Service”

.\AllowAccess.ps1 <NetBIOSDomainName> <userName>

Where NetBIOSDomainName and UserName is the account specified for the domain in the domain pair configuration.

  1. Repeat the actions 2-4 for target domain, specifying the domain and account specified for the domain in the domain pair configuration.
  2. Restart the source and target DC.

Remember: The agent installation will not be complete and functional until the domain controller has been rebooted.

To configure the Directory Synchronization Agent using the EnablePreinstalledMode.ps1 script

  1. Stop all synchronization in progress on Quest Migration Manager console.
  2. On the server hosting the Quest Directory Sync Agent, run the PowerShell session as administrator.
  3. Open 32-bit (x86) version of the PowerShell prompt on the computer where Directory Synchronization Agent is hosted and execute the following commands:

Net Use Z: \\QMM_host\DSASetup

Z:

cd “Preinstalled Service”

.\EnablePreinstalledMode.ps1

  1. Restart the synchronization jobs of the Directory Synchronization Agent that have been stopped on Quest Migration Manager Console on the step 1.

Disabling Preinstalled Service

To disable preinstalled service when necessary perform the following actions:

  • Disable preinstalled service on a source and target DC
  • Disable preinstalled service on a computer where Directory Synchronization Agent is hosted

All these actions should be performed to disable preinstalled service successfully.

To disable preinstalled service on a source and target DC

  1. On source DC run the PowerShell session as administrator.
  2. Execute the following commands:

Net Use Z: \\QMM_host\DSASetup

Z:

cd “Preinstalled Service”

.\DisableAccess.ps1

  1. Repeat these actions for target DC.
  2. Restart the source and target DC.
  3. Optionally, you can remove the following files from the %Systemroot%\System32 on the source and target DC after they have been rebooted.

on computers running 32-bit Microsoft Windows

    • aelagentms.exe
    • PwdHlp.dll

on computers running 64-bit Microsoft Windows

    • aelagentms64.exe
    • PwdHlp64.dll

To disable preinstalled service on a computer where Directory Synchronization Agent is hosted

  1. Stop all synchronization jobs that may be in progress on Quest Migration Manager console.
  2. On the server hosting the Quest Directory Sync Agent, run the PowerShell session as administrator.
  3. Execute the following commands:

Net Use Z: \\QMM_host\DSASetup

Z:

cd “Preinstalled Service”

.\DisablePreinstalledMode.ps1

  1. Restart the synchronization jobs that were stopped on Quest Migration Manager Console.

Active Directory Processing

Account under which Active Directory Processing Wizard (ADPW) performs Active Directory processing must have the following permissions:

1. For processing Group membership grant account the Write Members permission on group objects.

2. For processing Linked attributes grant account permissions to Write corresponding linked attributes for processed objects.

3. For processing Active Directory permissions, the following permissions must be granted to the account:

  • The Manage auditing and security log and Restore files and directories privileges in the Domain Controllers Policy
  • The Modify permissions and Modify owner permissions on processed objects

4. For processing Default schema permissions grant account the Write defaultSecurityDescriptor permission on classSchema objects inside schema naming context.

5. For processing Exchange mailbox permissions, the account must have the following permissions:

  • The Write msExchMailboxSecurityDescriptor and Write msExchMasterAccountSid permissions on processed objects.
  • The Read All Properties and List content permissions on the Exchange organization using the following script in Exchange Management Shell:
    Get-OrganizationConfig | Add-ADPermission -User <ServiceAccount> -AccessRights "ListChildren, ReadProperty"
  • The Administer Information Store and Modify permissions on the Exchange mailbox store where mailboxes reside using the following script in Exchange Management Shell:
    Get-MailboxDatabase | Add-ADPermission -User <ServiceAccount> -ExtendedRights ms-Exch-Store-Admin -AccessRights WriteDacl

Note: The Administer Information Store permission is required only for Microsoft Exchange 2010 or lower.

6. For processing the Other Exchange permissions, the following permissions must be granted to the account:

  • The Manage auditing and security log and Restore files and directories privileges in the Domain Controllers Policy
  • The Read permissions, Modify permissions and Modify owner permissions on objects inside the Exchange configuration container
  • The Read All Properties and List content permissions on the Exchange configuration container using the following script in Exchange Management Shell:
    Add-ADPermission -Identity (Get-OrganizationConfig).Identity.Parent -User <ServiceAccount> -AccessRights "ListChildren, ReadProperty"
  • The Write msExchAdmins permission for msExchOrganizationContainer and msExchAdminGroup objects
  • The Write msExchChatAccess permission for msExchChatChannel, msExchChatNetwork and msExchChatProtocol objects
  • The Write msExchUserLink permission for msExchRoleAssignment objects

 

Exchange Server Processing

Account under which Exchange Processing Wizard performs Exchange servers processing must have the following permissions:

1. Read All Properties and List content permissions on the Exchange organization. To grant these permissions to the account, use the following script in Exchange Management Shell:

Get-OrganizationConfig | Add-ADPermission -User <ServiceAccount> -AccessRights "ListChildren, ReadProperty"

2. To process client permissions of mailboxes, grant the ApplicationImpersonation management role.

3. To perform public folder processing:

  • The account must be mailbox-enabled
  • For Exchange 2010 servers:
    • Grant membership in the Public Folder Management role group (Mail Enabled Public Folders, Public Folders roles) for processing client and administrative permissions of public folders
  • For Exchange 2013 or later servers:
    • Account must have the ReadItems, EditOwnedItems, EditAllItems, FolderOwner, FolderContact, and FolderVisible on the public folders to be processed.

      -OR-

    • Grant FullAccess on a mailbox where public folders are located using the following script:
      Get-Mailbox "PublicFolderMailbox" –PublicFolder | Add-MailboxPermission -User "ServiceAccount" -AccessRights "FullAccess"
관련 문서

The document was helpful.

평가 결과 선택

I easily found the information I needed.

평가 결과 선택