
Migration Manager for Exchange 8.14 - Granular Account Permissions for Exchange 2010 to 2010 Migration

Overview

This document describes the minimal set of permissions required for mailbox, calendar and public folder synchronization from a source Exchange 2010 organization to a target Exchange 2010 organization using Migration Manager for Exchange.

Note: Permissions required for native mailbox move are out of scope for this document.

For general information on the account permissions required for Migration Manager for Exchange operation, refer to the System Requirements and Access Rights document.

Important: Permissions in this document are sufficient for a successful migration only if the following requirements are met:

  1. User accounts used by Migration Manager for Exchange agents are members of the Domain Users group. Membership in that group is gained automatically when a user is created in a domain.
  2. Default group permissions of the Domain Users group are not modified.
  3. Permissions for Active Directory Synchronization accounts are granted according to Accounts Used by the Directory Synchronization Agent. Those accounts are used for switching mailboxes during mailbox synchronization.

Source Exchange 2010 Permissions

Exchange Account

Mailbox and Calendar Synchronization

The following permissions are required for the source Exchange account used by MSA and CSA during legacy mailbox or calendar synchronization:

Permission How to Grant
Read access to the source domain (including all descendant objects) Link
Membership in the local Administrators group on all source Exchange servers involved in the migration. If a server is a domain controller, the account should be added to the domain local Administrators group of the domain. Link
Read permission for the Microsoft Exchange container in the Configuration partition of source Active Directory (including all descendant objects) Link

Permissions to process every mailbox involved in the migration by granting

  1. Full Control permission on a mailbox database
  2. Full Control permission on an associated public folder database

Link: Mailbox database

Link: Public folder database

NOTE: If you have any Exchange 2010 Service Pack 2 servers in the source Exchange organization, the Address Book Policy (ABP) assigned to the account must include a Global Address List (GAL) containing all recipients of the source Exchange organization.

TIP: The Read permission for the Microsoft Exchange container is required only if this account is also used as the Active Directory account and you plan to add the source Exchange organization using the Add Source Organization Wizard under this account.

Public Folder Synchronization

The following permissions are required for the source Exchange account used by PFSA and PFTA during public folder synchronization:

Permission How to Grant
Membership in the local Administrators group on all source Exchange servers involved in the migration. If a server is a domain controller, the account should be added to the domain local Administrators group of the domain. Link
Membership in the Public Folder Management group Link
Permissions to process public folders involved in the migration by granting Full Control permission on public folder databases where those public folders reside. Link

Active Directory Account

Mailbox and Calendar Synchronization

The following permissions are required for the source Active Directory account used by MSA and CSA during legacy mailbox or calendar synchronization:

Permission How to Grant
Read access to the source domain (including all descendant objects) Link
Read permission for the Microsoft Exchange container in the Configuration partition of source Active Directory (including all descendant objects) Link

Important: If migration is performed in the child domain, ensure that the Active Directory account has Read access to the parent (root) domain as well.

Public Folder Synchronization

The following permissions are required for the source Active Directory account used by PFSA and PFTA during public folder synchronization:

Permission How to Grant

The Write proxyAddresses permission on the Descendant publicFolder objects for the Microsoft Exchange System Objects organizational unit in all domains in which source Exchange servers involved in public folder synchronization reside.

NOTE: Alternatively, you can grant the Write permission on that organizational unit.

Link

Target Exchange 2010 Permissions

Exchange Account

Mailbox and Calendar Synchronization

The following permissions are required for the target Exchange account used by MSA, MTA and CSA during legacy mailbox or calendar synchronization:

Permission How to Grant
Read access to the target domain (including all descendant objects) Link
Membership in the local Administrators group on all target Exchange servers involved in the migration. If a server is a domain controller, the account should be added to the domain local Administrators group of the domain. Link
Read permission for the Microsoft Exchange container in the Configuration partition of target Active Directory (including all descendant objects) Link

Permissions to process every mailbox involved in the migration by granting

  1. Full Control permission on a mailbox database
  2. Full Control permission on an associated public folder database

Link: Mailbox database

Link: Public folder database

The Move Mailboxes management role Link

NOTE: If you have any Exchange 2010 Service Pack 2 servers in the target Exchange organization, the Address Book Policy (ABP) assigned to the account must include a Global Address List (GAL) containing all recipients of the target Exchange organization.

TIP: The Read permission for the Microsoft Exchange container is required only if this account is also used as the Active Directory account and you plan to add the target Exchange organization using the Add Target Organization Wizard under this account.
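
The Exchange-specific grants listed above for the target Exchange account, scoped to only the databases in migration scope and followed by a check of the resulting ACEs. This is an added example, not taken from the product documentation; the account name and database names are hypothetical placeholders, and it assumes the Exchange Management Shell of the target organization.

```powershell
# Run in the Exchange Management Shell of the target Exchange 2010 organization.
# Hypothetical values: replace with the real agent account and in-scope databases.
$Account   = 'TARGET\svc-mmex'     # hypothetical agent service account
$Databases = 'MDB01', 'MDB02'      # hypothetical mailbox databases involved in the migration

# Collect the DN of each mailbox database and of its associated public folder database.
$targets = @()
foreach ($name in $Databases) {
    $mdb = Get-MailboxDatabase -Identity $name -ErrorAction Stop
    $targets += $mdb.DistinguishedName
    if ($mdb.PublicFolderDatabase) {
        $targets += $mdb.PublicFolderDatabase.DistinguishedName
    }
}
$targets = $targets | Select-Object -Unique

# Full Control (GenericAll) on each database object, and nowhere else.
foreach ($dn in $targets) {
    Add-ADPermission -Identity $dn -User $Account -AccessRights GenericAll | Out-Null
}

# Move Mailboxes management role (required for the target Exchange account only).
$existing = Get-ManagementRoleAssignment -Role 'Move Mailboxes' -RoleAssignee $Account `
    -ErrorAction SilentlyContinue
if (-not $existing) {
    New-ManagementRoleAssignment -Role 'Move Mailboxes' -User $Account | Out-Null
}

# Verify: show the allow ACEs carrying Full Control that the account holds per database.
foreach ($dn in $targets) {
    Get-ADPermission -Identity $dn -User $Account |
        Where-Object { -not $_.Deny -and "$($_.AccessRights)" -match 'GenericAll' } |
        Select-Object Identity, User, AccessRights, IsInherited
}

# Verify: show the role assignment.
Get-ManagementRoleAssignment -Role 'Move Mailboxes' -RoleAssignee $Account |
    Select-Object Name, Role, RoleAssigneeName
```

Full Control on a database gives the account access to every mailbox in it, so keep the verification output as a record of what to revoke with Remove-ADPermission and Remove-ManagementRoleAssignment once the migration is finished.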

Public Folder Synchronization

The following permissions are required for the target Exchange account used by PFSA and PFTA during public folder synchronization:

Permission How to Grant
Membership in the local Administrators group on all target Exchange servers involved in the migration. If a server is a domain controller, the account should be added to the domain local Administrators group of the domain. Link
Membership in the Public Folder Management group Link
Permissions to process public folders involved in the migration by granting Full Control permission on public folder databases where those public folders reside. Link

Active Directory Account

Mailbox and Calendar Synchronization

The following permissions are required for the target Active Directory account used by MSA, MTA and CSA during legacy mailbox or calendar synchronization:

Permission How to Grant
Read access to the target domain (including all descendant objects) Link
Read permission for the Microsoft Exchange container in the Configuration partition of target Active Directory (including all descendant objects) Link

Important: If migration is performed in the child domain, ensure that the Active Directory account has Read access to the parent (root) domain as well.

Public Folder Synchronization

The following permissions are required for the target Active Directory account used by PFSA and PFTA during public folder synchronization:

Permission How to Grant

The Write proxyAddresses permission on the Descendant publicFolder objects for the Microsoft Exchange System Objects organizational unit in all domains in which target Exchange servers involved in public folder synchronization reside.

NOTE: Alternatively, you can grant the Write permission on that organizational unit.

Link

How to Grant Required Permissions

This section contains reference information on how to grant an account the following permissions:
