Chat now with support
Chat with Support

Migration Manager for AD 8.14 - Granular Account Permissions

Overview

Overview

To synchronize or migrate objects with their attributes from source to target Active Directory domain, Directory Synchronization Agent works with source and target domains using accounts specified during domain pair creation. Those accounts must have a specific set of rights in order to access the domain objects and perform directory migration or synchronization. A generalized set of permissions suitable for most migration scenarios is described in Accounts Used by the Directory Synchronization Agent. It is the most easy and efficient way to grant all necessary permissions for source and target accounts. However, if the requirements are too excessive and for security reasons you cannot grant such high privileges to the accounts, this document provides the minimum required set of rights that the source and target accounts must have.

This document also describes minimum required permissions for accounts used by Active Directory Processing Wizard (ADPW) and Exchange Processing Wizard (EPW).

Account Migration and Directory Synchronization

Account Migration and Directory Synchronization

During account migration or directory synchronization DSA connects to the source and target Active Directory domains and to the source and target Microsoft Exchange information stores (if necessary). For that it uses source and target Active Directory accounts. These accounts are specified on the Select Source Domain and the Select Target Domain tab in the Domain Pair Properties dialog. The following sections provide minimum required permissions for the source and target Active Directory accounts.

In case you plan to perform the following operations that cannot be performed using granular account permissions described in this document:

  • Migration of passwords
  • Migration of SID History
  • Undo of changes made by migration sessions

you must do one of the following:

  • use preinstalled service as described in Using Preinstalled Service Feature to limit the source and target Active Directory synchronization account rights in accordance with least privilege principle.

 

Source Active Directory Synchronization Account Permissions

Source Active Directory Synchronization Account Permissions

Source Active Directory synchronization account must have the following permissions in the source domain:

  1. The Replicate Directory Changes permission on a domain naming context in case you perform directory synchronization from a Windows 2000 domain.
  2. If you plan to merge or replace security descriptors, the Manage auditing and security log privilege must be granted for the source account in the source Domain Controllers Policy. This privilege is not required if security descriptors configured to be skipped.

TIP: Alternatively, if you perform migration (but not the synchronization), you can set the SDFlagsSearch registry parameter instead of granting the Manage auditing and security log privilege. For more information on the SDFlagsSearch, see the following KB articles: KB Article 59357, KB Article 78252 and KB Article 26334.
Caution: Setting this registry parameter will cause SACL to be wiped out for target objects after migration.

  1. If you plan to create mail- or mailbox-enabled objects on target, source account must have the Write proxyAddresses permission on source objects. For details on types of target objects, see Specify Exchange Options in Configuring the Synchronization Job.
  2. If you plan to migrate passwords or SID History the source account should be member of Administrators group or preinstalled service feature should be used as described in Using Preinstalled Service Feature in accordance with least privilege principle.
  3. For performing mailbox switch using Migration Manager for Exchange, source account must have the Write proxyAddresses and Write targetAddress permissions on source objects.
  4. If you plan to disable source user mailboxes or reconnect them to disabled target accounts, grant source account the following permissions:
    • Permissions to Write the msExchMasterAccountSid, msExchUserAccountControl, msExchRecipientDisplayType and msExchRecipientTypeDetails attributes
    • The Manage auditing and security log and Restore files and directories privileges in the source Domain Controllers Policy
    • The Modify permissions and Modify owner permissions on the source objects
    • The Read All Properties and List content permissions on the Exchange organization using the following script in Exchange Management Shell:
      Get-OrganizationConfig | Add-ADPermission -User <SourceAccount> -AccessRights "ListChildren, ReadProperty"
    • The Modify permissions and Administer Information Store permissions on the Exchange mailbox store where mailboxes reside using the following script in Exchange Management Shell:
      Get-MailboxDatabase | Add-ADPermission -User <SourceAccount> -ExtendedRights ms-Exch-Store-Admin -AccessRights WriteDacl

Note: The Administer Information Store permission is required only for Microsoft Exchange 2010 or lower.

For more details on disabling source accounts, see Specify Object Processing Options of Creating a Migration Session.

Target Active Directory Synchronization Account Permissions

Target Active Directory Synchronization Account Permissions

Target Active Directory synchronization account must have the following permissions in the target domain:

  1. The Create all child objects (if during migration or synchronization any objects are planned to be created) and Write all properties permissions on the target domain (or specifically on the OUs where objects reside or will be created) for all objects included in the migration or synchronization process.

Important: The following attributes must not be skipped for directory synchronization: name, cn, ou, displayName, objectCategory, objectSID, msExchMasterAccountSid, nTSecurityDescriptor, and msExchMailboxSecurityDescriptor.

1.1. Grant target account the Create permission for types of objects (for instance, users) you plan to create on target (if any).

1.2. The permission to Write service attributes specified on the Object Matching tab of the domain pair properties. By default, service attributes are adminDescription, adminDisplayName, extensionAttribute14 and extensionAttribute15. For more details, see Service Attributes in Configuring a Domain Pair.

1.3. The Write userAccountControl permission for user, inetOrgPerson or computer objects and the Write groupType permission for group objects.

1.4. If you plan to create mail- or mailbox-enabled objects on target then target account must have permissions to Write attributes from the table below in the target domain when synchronizing objects of the user, inetOrgPerson, contact or group classes, regardless of whether those attributes are included or skipped.

OBJECT TYPE       
ATTRIBUTE NAME
user
(inetOrgPerson)
contact group
homeMDB X*    
homeMTA X*    
legacyExchangeDN X X X
mail X X X
mailNickname X X X
msExchGroupDepartRestriction     X
msExchGroupJoinRestriction     X
msExchHomeServerName X*    
msExchMailboxGuid X**    
msExchMDBRulesQuota X    
msExchModerationFlags     X
msExchPoliciesExcluded X X X
msExchPoliciesIncluded X X X
msExchProvisioningFlags     X
msExchRBACPolicyLink X***    
msExchRecipientDisplayType X X X
msExchRecipientTypeDetails X X X
msExchResourceDisplay X*    
msExchResourceMetaData X*    
msExchResourceSearchProperties X*    
msExchTransportRecipientSettingsFlags     X
msExchUMEnabledFlags2 X*    
msExchUserAccountControl X*    
msExchVersion X X X
protocolSettings X*    
proxyAddresses X X X
showInAddressBook X X X
targetAddress X X  
textEncodedOrAddress X X X

The following notation is used in the table:

X — any option except for Users without mail options is selected in Exchange Options
X* — only if Mailbox-enabled users option is selected in Exchange Options and source user is mailbox-enabled
X** — only if either Mailbox-enabled users or Mail-enabled users for Native Move option is selected in Exchange Options, and source user is mailbox-enabled

X*** — only if source user is mail-enabled, or the Mailbox-enabled users option is selected in Exchange Options and source user is mailbox-enabled

For details on possible Exchange options, see Specify Exchange Options in Configuring the Synchronization Job.

Note: If you plan to select the Merge objects with corresponding contacts option available on the Specify Exchange Options step, grant target account permission to delete corresponding contacts and to add objects to groups those contacts are members of.

1.5. If you plan to enable target accounts that are mailbox-enabled, grant target account permissions to Write the msExchMasterAccountSid, msExchUserAccountControl, msExchRecipientDisplayType and msExchRecipientTypeDetails attributes. For more details on enabling target accounts, see Specify Object Processing Options of Creating a Migration Session.

  1. If you use the Synchronize object deletions option, grant target account permission to delete corresponding objects.
  2. If you plan to migrate passwords or SID History the target account should be member of Administrators group or preinstalled service feature should be used as described in Using Preinstalled Service Feature in accordance with least privilege principle.

  3. For updating security descriptors, the following permissions must be granted to the target account:
    • The Manage auditing and security log and Restore files and directories privileges in the target Domain Controllers Policy
    • The Modify permissions and Modify owner permissions on the target objects
  4. For updating Microsoft Exchange mailbox permissions, the target account must have the following permissions:
    • The Read All Properties and List content permissions on the Exchange organization using the following script in Exchange Management Shell:
      Get-OrganizationConfig | Add-ADPermission -User <TargetAccount> -AccessRights "ListChildren, ReadProperty"
    • The Modify permissions and Administer Information Store permissions on the Exchange mailbox store where mailboxes reside using the following script in Exchange Management Shell:
      Get-MailboxDatabase | Add-ADPermission -User <TargetAccount> -ExtendedRights ms-Exch-Store-Admin -AccessRights WriteDacl

Note: The Administer Information Store permission is required only for Microsoft Exchange 2010 or lower.

Self Service Tools
Knowledge Base
Notifications & Alerts
Product Support
Software Downloads
Technical Documentation
User Forums
Video Tutorials
Contact Us
Licensing Assistance
Technical Support
View All
Related Documents