Chat now with support
Chat with Support

Preparing Migration 8.15 - System Requirements and Access Rights

Migration Manager Console Migration to Microsoft Office 365 License Server Migration Manager Database Servers Migration Manager Agent Servers Statistics Portal Server Resource Updating Manager Resource Updating Wizards Processed Platforms Additional Environment Security Configuration Ports Used by General Migration Manager Components Ports Used by Migration Manager for Exchange Components Ports Used by Migration Manager for Active Directory Components Ports Used by Resource Updating Manager Accounts Required for Migration Manager Operation Accounts Used by the Directory Synchronization Agent Source Accounts Used by Migration Manager for Exchange Agents Target Accounts Used by Migration Manager for Exchange Agents Agent Host Account Used by Legacy Migration Manager for Exchange Agents Agent Host Account Used by Migration Agent for Exchange (MAgE) Accounts Used for Migrating to Microsoft Office 365 Accounts Used by RUM Agent Service Accounts Used by RUM Controller Service Account Used by Statistics Collection Agent Service Accounts Used by Statistics Portal Accounts Accounts and Rights Required for Active Directory Migration Tasks Accounts and Rights Required for Exchange Migration Tasks Using the Exchange Processing Wizard with Exchange 2010 or later Appendix. How to Set the Required Permissions for Active Directory Migration

Accounts for Target Exchange 2010 Server (MAgE)

Exchange account

Used To Where Specified Rights and Permissions
  • Work with target Exchange mailboxes and public folders (used by Migration Agent for Exchange, Public Folder Source Agent, and Public Folder Target Agent)
  • Make the newly-created public folders mail-enabled (used by the public folder agents only: Public Folder Source Agent and Public Folder Target Agent)
  • Move mailboxes
On the General>Connection page of the target Exchange server Properties in the Migration Manager Console

For mailbox and calendar synchronization:

  • Read access to the target domain (including all descendant objects)
  • Read permission for the Microsoft Exchange container in the Configuration partition of target Active Directory (including all descendant objects)
  • The Move Mailboxes management role
  • The Mail Recipients management role
  • The ApplicationImpersonation management role

TIP: The Read permission for the Microsoft Exchange container is required only if you plan to add the target Exchange organization using the Add Target Organization Wizard under this account.

For public folder synchronization:

  • Membership in the local Administrators group on all source Exchange servers involved in the migration. If a server is a domain controller, the account should be added to the domain local Administrators group of the domain.
  • Membership in the Public Folder Management group
  • Permissions to process public folders involved in the migration by granting Full Control permission on public folder databases where those public folders reside.

Active Directory account

Used To Where Specified Rights and Permissions
  • Work with the target Active Directory
  • Switch mailboxes
On the General>Associateddomain controller page of the target Exchange server Properties in the Migration Manager Console

For mailbox and calendar synchronization:

  • Read access to the target domain (including all descendant objects)
  • Read permission for the Microsoft Exchange container in the Configuration partition of target Active Directory (including all descendant objects)

For public folder synchronization:

  • The Write proxyAddresses permission on the Descendant publicFolder objects for the Microsoft Exchange System Objects organizational unit in all domains in which target Exchange servers involved in public folder synchronization reside.

NOTE: Alternatively, you can grant the Write permission on that organizational unit.

To learn how to grant rights and permissions required for this account, refer to the Target Exchange 2010 Preparation (MAgE) document.

Accounts for Target Exchange 2013 Server

Exchange account

Used To Where Specified Rights and Permissions
  • Work with target Exchange mailboxes and public folders (used by the Migration Agent for Exchange, Public Folder Source Agent, and Public Folder Target Agent)
  • Mail-enable the newly-created public folders (used by the public folder agents only: Public Folder Source Agent and Public Folder Target Agent)
  • Move mailboxes
On the General>Connection page of the target Exchange server Properties in the Migration Manager Console

For mailbox and calendar synchronization:

  • Read access to the target domain (including all descendant objects)
  • Read permission for the Microsoft Exchange container in the Configuration partition of target Active Directory (including all descendant objects) . This is required only if you plan to add the target Exchange organization using the Add Target Organization Wizard under this account.
  • Permissions to log on to every mailbox involved in the migration by granting Full Control permission on a mailbox database
  • The Move Mailboxes management role
  • The Mail Recipients management role
  • The ApplicationImpersonation management role

For public folder synchronization:

  • Membership in the local Administrators group on all target Exchange servers involved in the migration. If a server is a domain controller, the account should be added to the domain local Administrators group of the domain.
  • The Mail Enabled Public Folders management role
  • Permissions to process public folders involved in the migration by granting Full Control permission on mailbox databases where those public folders reside.

Active Directory account

Used To Where Specified Rights and Permissions
  • Work with the target Active Directory
  • Re-home mailboxes
  • Switch mailboxes (Migration Agent for Exchange)
On the General>Associateddomain controller page of the target Exchange server Properties in the Migration Manager Console

For mailbox and calendar synchronization:

  • Read access to the target domain (including all descendant objects)
  • Read permission for the Microsoft Exchange container in the Configuration partition of target Active Directory (including all descendant objects)

For public folder synchronization:

  • The Write proxyAddresses permission on the Descendant publicFolder objects for the Microsoft Exchange System Objects organizational unit in all domains in which target Exchange servers involved in public folder synchronization reside.

NOTE: Alternatively, you can grant the Write permission on that organizational unit.

To learn how to grant rights and permissions required for this account, refer to the Target Exchange 2013 Preparation document.

Accounts for Target Exchange 2016 Server

Exchange account

Used To Where Specified Rights and Permissions
  • Work with target Exchange mailboxes and public folders (used by the Migration Agent for Exchange, Public Folder Source Agent, and Public Folder Target Agent)
  • Mail-enable the newly-created public folders (used by the public folder agents only: Public Folder Source Agent and Public Folder Target Agent)
  • Move mailboxes
On the General>Connection page of the target Exchange server Properties in the Migration Manager Console

For mailbox and calendar synchronization:

  • Read access to the target domain (including all descendant objects)
  • Read permission for the Microsoft Exchange container in the Configuration partition of target Active Directory (including all descendant objects) . This is required only if you plan to add the target Exchange organization using the Add Target Organization Wizard under this account.
  • Permissions to log on to every mailbox involved in the migration by granting Full Control permission on a mailbox database
  • The Move Mailboxes management role
  • The Mail Recipients management role
  • The ApplicationImpersonation management role

For public folder synchronization:

  • Membership in the local Administrators group on all target Exchange servers involved in the migration. If a server is a domain controller, the account should be added to the domain local Administrators group of the domain.
  • The Mail Enabled Public Folders management role
  • Permissions to process public folders involved in the migration by granting Full Control permission on mailbox databases where those public folders reside.
  • Permission to log on to public folder administrator mailbox by granting Full Control on it.

NOTE: Exchange account used for public folder synchronization must be mailbox-enabled to be able obtaining target public folder hierarchy.

Active Directory account

Used To Where Specified Rights and Permissions
  • Work with the target Active Directory
  • Re-home mailboxes
  • Switch mailboxes (Migration Agent for Exchange)
On the General>Associateddomain controller page of the target Exchange server Properties in the Migration Manager Console

For mailbox and calendar synchronization:

  • Read access to the target domain (including all descendant objects)
  • Read permission for the Microsoft Exchange container in the Configuration partition of target Active Directory (including all descendant objects)

For public folder synchronization:

  • The Write proxyAddresses permission on the Descendant publicFolder objects for the Microsoft Exchange System Objects organizational unit in all domains in which target Exchange servers involved in public folder synchronization reside.

NOTE: Alternatively, you can grant the Write permission on that organizational unit.

To learn how to grant rights and permissions required for this account, refer to the Target Exchange 2016 Preparation document.

Accounts for Target Exchange 2019 Server

Exchange account

Used To Where Specified Rights and Permissions
  • Work with target Exchange mailboxes (used by the Migration Agent for Exchange)
  • Move mailboxes
On the General>Connection page of the target Exchange server Properties in the Migration Manager Console

For mailbox and calendar synchronization:

  • Read access to the target domain (including all descendant objects)
  • Read permission for the Microsoft Exchange container in the Configuration partition of target Active Directory (including all descendant objects). This is required only if you plan to add the target Exchange organization using the Add Target Organization Wizard under this account.
  • Permissions to log on to every mailbox involved in the migration by granting Full Control permission on a mailbox database
  • The Move Mailboxes management role
  • The Mail Recipients management role
  • The ApplicationImpersonation management role

Active Directory account

Used To Where Specified Rights and Permissions
  • Work with the target Active Directory
  • Re-home mailboxes
  • Switch mailboxes (Migration Agent for Exchange)
On the General>Associateddomain controller page of the target Exchange server Properties in the Migration Manager Console

For mailbox and calendar synchronization:

  • Read access to the target domain (including all descendant objects)
  • Read permission for the Microsoft Exchange container in the Configuration partition of target Active Directory (including all descendant objects)

NOTE: Alternatively, you can grant the Write permission on that organizational unit.

To learn how to grant rights and permissions required for this account, refer to the Target Exchange 2019 Preparation document.

Related Documents