Chat now with support
Chat with Support

Migration Manager for AD 8.14 - Granular Account Permissions

Using Preinstalled Service Feature

Using Preinstalled Service Feature

The preinstalled service feature allows you to use Active Directory synchronization accounts that are domain members not included in Administrators group to migrate passwords and/or SID History. The preinstalled service must be also configured for environments where Microsoft Local Security Authority (LSA) protection is used. The preinstalled service feature is available starting from Quest Migration Manager for Active Directory version 8.14 with the Product Update 20180619.

To use this feature the following requirements should be met:

  • Directory Synchronization Agent assigned for preinstalled service should be configured using the EnablePreinstalledMode.ps1 script as described below.

IMPORTANT:

  • Directory Synchronization Agent assigned for preinstalled service will not try to install binaries that should be installed to source and target DC under standard workflow. In case the existing Directory Synchronization Agent is used for multiple domain pairs, and preinstalled service feature will be used for part of them, Quest recommends to install and configure separate Directory Synchronization Agent assigned for preinstalled service feature usage only.
  • In case source or target Active Directory is based on multiple DC, the preferred DC must be specified in the Directory Synchronization Agent properties for source and target domains and configured to use preinstalled service feature.

For details how to install and configure Directory Synchronization Agent see Agent Manager topic of Quest Migration Manager for AD User Guide.

Preinstalled service can be disabled when necessary as described in Disabling Preinstalled Service.

To configure source and target DC using AllowAccess.ps1 script

 

On the computer where Migration Manager is installed:

  1. Extract Switch Agent Mode.zip located in %Program Files%\Quest Software\Migration Manager\Common\BIN\DeployDistr folder to the same location.
  2. Copy the following files from %Program Files%\Common Files\Aelita Shared\ to the %Program Files%\Quest Software\Migration Manager\Common\BIN\DeployDistr\Switch Agent Mode folder:
    • aelagentms.exe
    • aelagentms64.exe
    • PwdHlp.dll
    • PwdHlp64.dll

The compiled preinstalled service distributive is now available by network in \\QMM_host\DSASetup\.

 

On source and target DC:

  1. Copy Switch Agent Mode folder containing preinstalled service distributive from \\QMM_host\DSASetup\ to the convenient folder on the source DC.

TIP: This folder also contains scripts that should be used in case you decide to disable preinstalled service later.

  1. On source DC run the PowerShell session as administrator. You must select the 32-bit (x86) version of the PowerShell or 64-bit (x64) version depending on DC server bit version.
  2. Execute the following commands:

cd "<full path to the folder used for preinstalled service distributive on the step 3 above>"

.\AllowAccess.ps1 <domainName> <userName>

Where domainName\userName is a source account, specified as Source Active Directory synchronization account for source domain when domain pair was configured.

  1. Repeat the actions 3-5 for target domain, specifying Target Active Directory synchronization account for target domain accordingly.
  2. Restart the source and target DC.

To configure the Directory Synchronization Agent using the EnablePreinstalledMode.ps1 script

  1. Copy Switch Agent Mode folder containing preinstalled service distributive from \\QMM_host\DSASetup\ to the convenient folder.
  2. Stop all synchronization jobs of the Directory Synchronization Agent that may be in progress on Quest Migration Manager console.
  3. Open 32-bit (x86) version of the PowerShell prompt on the computer where Directory Synchronization Agent is hosted and execute the following commands:

cd "<full path to the folder used for preinstalled service distributive on step 1 above>"

.\EnablePreinstalledMode.ps1

  1. Restart the synchronization jobs of the Directory Synchronization Agent that have been stopped on Quest Migration Manager Console on the step 2.

Disabling Preinstalled Service

Disabling Preinstalled Service

To disable preinstalled service when necessary perform the following actions:

  • Disable preinstalled service on a source and target DC
  • Disable preinstalled service on a computer where Directory Synchronization Agent is hosted

All these actions should be performed to disable preinstalled service successfully.

To disable preinstalled service on a source and target DC

  1. On source DC run the PowerShell session as administrator. You must select the 32-bit (x86) version of the PowerShell or 64-bit (x64) version depending on DC server bit version.
  2. Execute the following commands:

cd "<full path to the folder on this DC used for preinstalled service distributive on step 1 above>"

.\DisableAccess.ps1

  1. Repeat these actions for target domain, specifying Target Active Directory synchronization account for target domain accordingly.
  2. Restart the source and target DC.
  3. Optionally, you can remove the following files from the %Systemroot%\System32 on the source and target DC:

on computers running 32-bit Microsoft Windows

    • aelagentms.exe
    • PwdHlp.dll

on computers running 64-bit Microsoft Windows

    • aelagentms64.exe
    • PwdHlp64.dll

To disable preinstalled service on a computer where Directory Synchronization Agent is hosted

  1. Stop all synchronization jobs of the Directory Synchronization Agent that may be in progress on Quest Migration Manager console.
  2. Open 32-bit (x86) version of the PowerShell prompt on the computer where Directory Synchronization Agent is hosted and execute the following commands:

cd "<full path to the folder on this machine specified for preinstalled service distributive when Directory Synchronization agent was configured>"

.\DisablePreinstalledMode.ps1

  1. Restart the synchronization jobs of the Directory Synchronization Agent that have been stopped on Quest Migration Manager Console.

Active Directory Processing

Active Directory Processing

Account under which Active Directory Processing Wizard (ADPW) performs Active Directory processing must have the following permissions:

1. For processing Group membership grant account the Write Members permission on group objects.

2. For processing Linked attributes grant account permissions to Write corresponding linked attributes for processed objects.

3. For processing Active Directory permissions, the following permissions must be granted to the account:

  • The Manage auditing and security log and Restore files and directories privileges in the Domain Controllers Policy
  • The Modify permissions and Modify owner permissions on processed objects

4. For processing Default schema permissions grant account the Write defaultSecurityDescriptor permission on classSchema objects inside schema naming context.

5. For processing Exchange mailbox permissions, the account must have the following permissions:

  • The Write msExchMailboxSecurityDescriptor and Write msExchMasterAccountSid permissions on processed objects.
  • The Read All Properties and List content permissions on the Exchange organization using the following script in Exchange Management Shell:
    Get-OrganizationConfig | Add-ADPermission -User <ServiceAccount> -AccessRights "ListChildren, ReadProperty"
  • The Administer Information Store and Modify permissions on the Exchange mailbox store where mailboxes reside using the following script in Exchange Management Shell:
    Get-MailboxDatabase | Add-ADPermission -User <ServiceAccount> -ExtendedRights ms-Exch-Store-Admin -AccessRights WriteDacl

Note: The Administer Information Store permission is required only for Microsoft Exchange 2010 or lower.

6. For processing the Other Exchange permissions, the following permissions must be granted to the account:

  • The Manage auditing and security log and Restore files and directories privileges in the Domain Controllers Policy
  • The Read permissions, Modify permissions and Modify owner permissions on objects inside the Exchange configuration container
  • The Read All Properties and List content permissions on the Exchange configuration container using the following script in Exchange Management Shell:
    Add-ADPermission -Identity (Get-OrganizationConfig).Identity.Parent -User <ServiceAccount> -AccessRights "ListChildren, ReadProperty"
  • The Write msExchAdmins permission for msExchOrganizationContainer and msExchAdminGroup objects
  • The Write msExchChatAccess permission for msExchChatChannel, msExchChatNetwork and msExchChatProtocol objects
  • The Write msExchUserLink permission for msExchRoleAssignment objects

 

Exchange Server Processing

Exchange Server Processing

Account under which Exchange Processing Wizard performs Exchange servers processing must have the following permissions:

1. Read All Properties and List content permissions on the Exchange organization. To grant these permissions to the account, use the following script in Exchange Management Shell:

Get-OrganizationConfig | Add-ADPermission -User <ServiceAccount> -AccessRights "ListChildren, ReadProperty"

2. To process client permissions of mailboxes, grant the ApplicationImpersonation management role.

3. To perform public folder processing:

  • The account must be mailbox-enabled
  • For Exchange 2010 servers:
    • Grant membership in the Public Folder Management role group (Mail Enabled Public Folders, Public Folders roles) for processing client and administrative permissions of public folders
  • For Exchange 2013 or later servers:
    • Account must have the ReadItems, EditOwnedItems, EditAllItems, FolderOwner, FolderContact, and FolderVisible on the public folders to be processed.

-OR-

Related Documents