Accounts Used by Statistics Portal Accounts
The account used to configure the Statistics Portal from the Open Project Wizard must be a member of local Administrators group on the IIS server on which the portal is installed.
Statistics Portal account to connect to ADAM/AD LDS project partition
| Description | Where Specified | Rights and Permissions |
|---|---|---|
|
Used to connect to ADAM/AD LDS |
When you configure Statistics Portal (create a new portal configuration) |
Requires Full Control rights in the project. |
Statistics Portal account to connect to the SQL configuration database
| Description | Where Specified | Rights and Permissions |
|---|---|---|
| Used to connect to the SQL configuration database to read the statistical information | When you configure Statistics Portal (create a new portal configuration) |
At least the db_datareader role on the configuration database. Important: Only SQL Server authentication is supported for this operation by the Statistics Portal Server. AD-integrated authentication (Windows authentication) is not supported. |
|
|
IMPORTANT: To see statistical information on a particular directory or Exchange synchronization job or on a resource processing task, a user must be delegated at least the Reader role at the Migration Project, Directory Migration, or domain pair node in the migration project, regardless of whether a delegated migration task for that user has been created. For more information on Migration Manager delegation model, refer to the Delegating Migration Tasks section of the Migration Manager for Active Directory User Guide. |
Accounts and Rights Required for Active Directory Migration Tasks
Migration Manager for Active Directory requires administrative access for the source and target domains, processed servers, and workstations.
Migration Manager for Active Directory allows you to use different administrative accounts to access domains and computers involved in migration. For directory migration and synchronization Migration Manager uses the source and the target Active Directory accounts to access the source and the target domains, respectively.
The table below shows what privileges each account must have. To learn how to set these permissions, please see Appendix. How to Set the Required Permissions for Active Directory Migration and Exchange environment preparation documents.
Directory migration
| Accounts Involved | Requirements | How To Grant |
|---|---|---|
|
Source and target Active Directory accounts |
Administrative access to each source and target domain involved in Active Directory migration |
We recommend that you to create a new user account for the migration activities in each source and target domain instead of using an existing one. Add these accounts to the domain’s local Administrators group in the corresponding domains. For details, see Appendix. How to Set the Required Permissions for Active Directory Migrationand dedicated Exchange environment preparation documents.. Note: If you have established two-way trusts between each source and target domain or forest trust, you can grant this single account administrative access to each source and target domain. Important: This powerful account must be maintained closely and should be deleted after the project is complete. It is recommended that this account be owned by one individual and one backup individual (or as few individuals as possible). |
Distributed resource update
| Accounts Involved | Requirements |
|---|---|
| The account used to update a computer |
Member of the computer’s local Administrators group |
| Migration Manager RUM Controller Service account |
|
Exchange update
Full Exchange Administrator role for the Exchange organization
Intraforest mailbox reconnection
| Accounts Involved | Requirements |
|---|---|
| The account that the DSA uses to connect to the source domain | Full Control for the Exchange store where the reconnected mailboxes reside |
SMS update
| Accounts Involved | Requirements |
|---|---|
| The account used to process the SMS server | Administrative rights to all SMS classes |
SQL update
| Accounts Involved | Requirements |
|---|---|
| Account used to process SQL server | Member of the sysadmin role |
SharePoint permissions processing
| Accounts Involved | Requirements | How To Grant |
|---|---|---|
| The account used to reassign SharePoint permissions after migration |
For SharePoint versions prior to 2010:
For SharePoint 2010:
|
How to specify the SharePoint administration group:
For more information about Central Administrator group for SharePoint, see the following Microsoft KB article: Managing the SharePoint Administration Group. How to add user account to the Farm Administrators group:
How to grant user account the Full Control permission on User Profile Service Application:
|
Site Migration
| Accounts Involved | Requirements | How To Grant |
|---|---|---|
| Source and target Active Directory accounts | Enterprise Administrator privileges in the target domain | Use the Active Directory Sites and Services snap-in. |
Trust Migration
| Accounts Involved | Requirements | How To Grant |
|---|---|---|
| Source and target Active Directory accounts | Enterprise Administrator privileges in the target domain | Use the Active Directory Sites and Services snap-in. |
* Not all inter-forest trusts are supported
Accounts and Rights Required for Exchange Migration Tasks
This section lists the tasks that will be performed during Exchange migration, and names the required accounts.
Migration Manager for Exchange agents work with different servers on the network. They create and modify Exchange and Active Directory objects and work with mailboxes and public folders. To accomplish all these tasks, the agents must have the appropriate permissions.
Migration Manager for Exchange allows you to use different administrative accounts for different purposes. Exchange data is migrated by the Exchange agents, which use the Exchange and Active Directory accounts.
Enumerate source and target Exchange organizations (added to the migration project)
| Accounts Involved | Requirements | How To Grant |
|---|---|---|
|
Account intended to enumerate organizations (specified while adding source and target organizations to migration project; see the Registering Source and Target Organizations section of the Migration Manager for Exchange User Guide for details) Note: This account will be set by default as the Exchange account, Active Directory account and Agent Host account for all the Exchange servers in the registered organization for subsequent migration. If you do not want to change the Exchange account after the organization is registered for each server, grant this account the permissions required for Exchange migration. |
Read access to Active Directory (sufficient to read the Exchange configuration) |
To grant an account this permission, complete the following steps:
|
Migrate Exchange data (using Migration Manager for Exchange agents)
| Accounts Involved | Requirements | How To Grant |
|---|---|---|
| Exchange and Active Directory accounts (source and target) | Rights and permissions sufficient to create and modify Exchange and Active Directory objects, to work with mailboxes and public folders, etc. | You can create a single administrative account that has all the required permissions. For step-by-step instructions on creating such an account, please see dedicated Exchange environment preparation documents. |
Using the Exchange Processing Wizard with Exchange 2010 or later
This section is relevant only for scenarios where migration to or from Exchange 2010 or later is a part of Active Directory migration.