Migration Manager for Exchange 8.15 - Source and Target Exchange 2003 Environment Preparation

Granting Full Control on Exchange Servers

Granting Full Control on Exchange Servers

The Exchange Account should have the Full Control permission on Exchange servers in the Exchange 2003 organization, including the Send As and Receive As permissions.

To grant the required permissions to the account, do one of the following:

• If an Active Directory Connector (ADC) has previously been installed in the Active Directory domain, add the account to the Exchange Services group. This is a local domain security group created when you install ADC.
• Grant an account access to all mailboxes in the entire organization by completing the following steps:
  1. Start Exchange System Manager.
  2. Open the organization’s Properties.
  3. Open the Security tab.
     

     NOTE: By default, you are not allowed to modify security on the organization object, and the Security tab is not displayed. Refer to the Enabling the Security Tab section below for instructions on how to enable the Security tab on the organization object.

  4. Select the Full Control permission for the account.

Alternatively, if you do not want to enable the Security tab on the organization object, you can grant the account access to every single server by completing the following steps:

1. Start the Exchange System Manager.
2. Open the server’s Properties.
3. Click the Security tab.
4. Select the Full Control or the Send As and Receive As permissions for the account.

After you change permissions, you may need to log off and log on again. You should wait for about 10 minutes for the directory cache to expire. If you have multiple domain controllers in the forest, it may also be necessary to wait for directory replication to complete.

Enabling the Security Tab

To force the display of the Security tab on the organization objects, you must add a registry key, as follows:

1. Click Run on the Start Menu and type regedit to start Registry Editor.
2. Locate the following registry key on the local machine: HKEY_CURRENT_USER\Software\Microsoft\Exchange\ExAdmin
3. On the Edit menu, click Add Value, and then add the following registry value:
   Value name: ShowSecurityPage
   Data type: REG_DWORD
   Value: 1
4. Quit Registry Editor.

This change takes effect immediately; you do not need to restart Exchange System Manager. This change affects only the user currently logged on.

Granting Full Control on the Microsoft Exchange System Objects Organizational Unit

The Exchange Account used by Migration Manager for Exchange agents needs the Full Control permission on the Microsoft Exchange System Objects organizational unit (OU) in all domains in which Exchange 2003 servers involved in public folder synchronization reside.

1. In the Active Directory Users and Computers snap-in, right-click the Microsoft Exchange System Objects OU and click Properties.

   NOTE: If there is no Microsoft Exchange System Objects OU, you should select View | Advanced Features in the Active Directory Users and Computers snap-in.

2. On the Security tab, click Add, and select the Exchange Account.
3. Select the account name, and then enable the Allow option for the Full Control permission in the Permissions box.
4. Click the Advanced button. In the Advanced Security Settings dialog box, select the account you specified on step 2, and click Edit.
5. In the Permission Entry dialog box, select This object and all child (descendant) objects from the Apply onto drop-down list.
6. Close the dialog boxes by clicking OK.

Granting Modify Permissions

Granting Modify Permissions

The Exchange Account used by Migration Manager for Exchange agents needs the following permissions:

• Modify public folder replica list permission
• Modify public folder deleted item retention permission
• Modify public folder quotas permission

To grant the required permissions to the account, perform the following:

1. From the Start menu, select Run. In the Run dialog box, type ADSIEdit.msc. Click OK.

   NOTE: If you have a Windows 2003 domain controller, the ADSIEdit utility, which is a part of the Windows 2003 Support Tools, may not be installed. In this case install the Support Tools by running the Support\Tools\Suptools.msi file located on the Windows 2003 CD.

2. In the ADSIEdit snap-in, open the CN=Administrative Groups,CN=<ExchangeOrganizationName>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<…>,DC=<…> container.
3. For each administrative group in the container, right-click the CN=<AdministrativeGroupName> container and select Properties.
4. In the Properties dialog box, click the Security tab.
5. On the Security tab, click Advanced.
6. In the Advanced Security Settings dialog box, click Add.
7. In the Select User, Computer, or Group (or similar) dialog box, select the Exchange account and click OK.
8. In the Permission Entry for dialog box, select This object and all child (descendant) objects from the Apply onto drop-down list.
9. Allow the Modify public folder replica list permission, Modify public folder deleted item retention permission and Modify public folder quotas permissions for the administrative account.
10. Close the dialog boxes by clicking OK.

Setting Up the Active Directory Account

This section describes how to set the required permissions for the Active Directory Account used by Migration Manager for Exchange agents. This account is used for the following:

In the source Exchange 2003 environment

• Working with the source Active Directory

In the target Exchange 2003 environment

• Working with the target Active Directory
• Re-homing mailboxes
• Switching mailboxes and synchronize mailboxes in Remote Users Collections (Mail Source Agent, Mail Target Agent)

The required permissions for the Active Directory Account are as follows:

• Read access to the corresponding domain.
• Full Control permission on the organizational units (OUs) (and their child objects) where the synchronized objects are located.

To set up the Active Directory Account, perform the steps described in the related subtopics.