Preparing Migration 8.15 - System Requirements and Access Rights

Using the Exchange Processing Wizard with Exchange 2010 or later

This section is relevant only for scenarios where migration to or from Exchange 2010 or later is a part of Active Directory migration.

Processing Mailboxes and Public Folders

Access to mailboxes and public folders

Rights and Permissions Where Specified

The account should be a member of the Domain Admins or Enterprise Admins group (see the note below the table).

Alternatively, if you want to avoid granting such broad privileges, make the account a member of the Organization Management and Public Folder Management roles.

To assign the roles to the account (<User>), run the following commands in the Exchange Management Shell:

Add-RoleGroupMember "Organization Management" -Member <User>

Add-RoleGroupMember "Public Folder Management" -Member <User>

Exchange impersonation (step 1)

Rights and Permissions Where Specified
The ApplicationImpersonation role enables the Exchange processing user account to impersonate other users.

To enable the account (<User>) to impersonate all users in an organization, run the following in the Exchange Management Shell:

New-ManagementRoleAssignment -Name <AssignmentName> -Role ApplicationImpersonation -User <User>

See http://msdn.microsoft.com/en-us/library/bb204095.aspx for more details related to enabling Exchange impersonation, such as limiting the scope of users.

Exchange impersonation (step 2)

Rights and Permissions Where Specified
In addition to enabling Exchange impersonation for an account, give it the necessary access privileges by granting the ms-Exch-EPI-May-Impersonate extended right.

To give the account (<User>) the right to impersonate all users on all Client Access Servers, run the following in the Exchange Management Shell:

Get-ExchangeServer | where {$_.IsClientAccessServer -eq $TRUE} | ForEach-Object {Add-ADPermission -Identity $_.distinguishedname -User ((Get-User -Identity <User>) | select-object).identity -extendedRight ms-Exch-EPI-Impersonation}

To give the account (<User>) permission to impersonate all accounts on all MailboxDatabases, run the following in the Exchange Management Shell:

Get-MailboxDatabase | ForEach-Object {Add-ADPermission -Identity $_.DistinguishedName -User <User> -ExtendedRights ms-Exch-EPI-May-Impersonate}

See http://msdn.microsoft.com/en-us/library/bb204095%28EXCHG.80%29.aspx for more details related to granting Exchange impersonation rights, such as narrowing the scope of accounts, servers and databases.

 

IMPORTANT: Since membership in the Domain Admins or Enterprise Admins group denies Send As and Receive As permissions, you cannot continue using a single administrative account. In this case it is advised to create a separate processing service account.
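
The two impersonation steps above grant rights across the whole organization; the referenced Microsoft pages describe narrowing them. The following is an added example (not part of the vendor documentation) that applies both steps with a limited scope. The account name CONTOSO\svc-exproc, the scope and assignment names, the CustomAttribute1 tag, and the CAS01 and DB01 identities are hypothetical placeholders.

```powershell
# Added example, not vendor code. All names below are hypothetical placeholders.
$User  = 'CONTOSO\svc-exproc'          # dedicated processing service account
$Scope = 'MigrationWave1-Recipients'   # management scope created below

# Step 1, scoped: only recipients tagged for this wave can be impersonated.
# Assumes the mailboxes to process carry CustomAttribute1 = 'MigrationWave1'.
New-ManagementScope -Name $Scope `
    -RecipientRestrictionFilter "CustomAttribute1 -eq 'MigrationWave1'"

New-ManagementRoleAssignment -Name 'Impersonation-MigrationWave1' `
    -Role ApplicationImpersonation -User $User `
    -CustomRecipientWriteScope $Scope

# Step 2, scoped: grant the extended rights on named objects only,
# instead of piping every server and every database into Add-ADPermission.
$cas = Get-ExchangeServer -Identity 'CAS01'
Add-ADPermission -Identity $cas.DistinguishedName -User $User `
    -ExtendedRights 'ms-Exch-EPI-Impersonation'

$db = Get-MailboxDatabase -Identity 'DB01'
Add-ADPermission -Identity $db.DistinguishedName -User $User `
    -ExtendedRights 'ms-Exch-EPI-May-Impersonate'

# Verify what was actually granted before starting the wizard.
Get-ManagementRoleAssignment -Role ApplicationImpersonation -RoleAssignee $User |
    Format-List Name, RoleAssigneeName, RecipientWriteScope, CustomRecipientWriteScope

Get-ADPermission -Identity $cas.DistinguishedName -User $User |
    Format-List Identity, User, ExtendedRights, Deny, IsInherited

Get-ADPermission -Identity $db.DistinguishedName -User $User |
    Format-List Identity, User, ExtendedRights, Deny, IsInherited
```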

Processing Mailbox and Public Folder Contents

Operation Rights and Permissions Where Specified
Message sending

Send As extended right.

Run the following in the Exchange Management Shell:

Add-ADPermission "Mailbox" -User <User> -Extendedrights "Send As"

Message processing in other users' mailboxes

Full mailbox access rights.

Run the following in the Exchange Management Shell:

Add-MailboxPermission "Mailbox" -User <User> -AccessRights FullAccess
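
The rights granted in this section give one account access to every mailbox it is applied to, so it is worth being able to list exactly what the processing account holds. The following is an added example (not part of the vendor documentation) that inventories the grants made with the commands above and previews their removal with -WhatIf. CONTOSO\svc-exproc and Mailbox01 are hypothetical placeholders.

```powershell
# Added example, not vendor code. Account and mailbox names are hypothetical.
$User    = 'CONTOSO\svc-exproc'
$Mailbox = 'Mailbox01'
$Account = Get-User -Identity $User

# 1. Role groups the account was added to with Add-RoleGroupMember.
$groups = 'Organization Management', 'Public Folder Management' | Where-Object {
    Get-RoleGroupMember -Identity $_ |
        Where-Object { $_.DistinguishedName -eq $Account.DistinguishedName }
}

# 2. ApplicationImpersonation role assignments held by the account.
$assignments = Get-ManagementRoleAssignment -Role ApplicationImpersonation -RoleAssignee $User

# 3. Explicit ms-Exch-EPI-* extended rights on servers and mailbox databases.
$targets = @(Get-ExchangeServer) + @(Get-MailboxDatabase)
$epi = foreach ($t in $targets) {
    Get-ADPermission -Identity $t.DistinguishedName -User $User |
        Where-Object { -not $_.IsInherited -and ($_.ExtendedRights -like 'ms-Exch-EPI-*') } |
        Select-Object @{ n = 'TargetDN'; e = { $t.DistinguishedName } },
                      @{ n = 'Rights';   e = { @($_.ExtendedRights -like 'ms-Exch-EPI-*') } }
}

# 4. Explicit Send As and FullAccess on one mailbox (repeat per processed mailbox).
$sendAs = Get-ADPermission -Identity $Mailbox -User $User |
    Where-Object { -not $_.IsInherited -and ($_.ExtendedRights -like 'Send*As') }
$full = Get-MailboxPermission -Identity $Mailbox -User $User |
    Where-Object { -not $_.IsInherited -and ($_.AccessRights -like '*FullAccess*') }

# Report the findings.
"Role groups : $($groups -join ', ')"
$assignments | Format-Table Name, RecipientWriteScope, CustomRecipientWriteScope
$epi         | Format-Table TargetDN, Rights
"Send As on ${Mailbox}: $([bool]$sendAs)   FullAccess on ${Mailbox}: $([bool]$full)"

# Preview removal; drop -WhatIf only after reviewing the report.
$assignments | ForEach-Object { Remove-ManagementRoleAssignment -Identity $_.Name -WhatIf }
$epi | ForEach-Object {
    Remove-ADPermission -Identity $_.TargetDN -User $User -ExtendedRights $_.Rights -WhatIf
}
if ($sendAs) { Remove-ADPermission -Identity $Mailbox -User $User -ExtendedRights 'Send As' -WhatIf }
if ($full)   { Remove-MailboxPermission -Identity $Mailbox -User $User -AccessRights FullAccess -WhatIf }
$groups | ForEach-Object { Remove-RoleGroupMember -Identity $_ -Member $User -WhatIf }
```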

Appendix. How to Set the Required Permissions for Active Directory Migration

This section will help you to set the permissions that are required by Migration Manager for Active Directory.

Set Administrative Access to Source and Target Domains

Migration Manager for Active Directory requires administrative access to each source and target domain involved in Active Directory migration.

We recommend that you create a new user account for the migration activities in each source and target domain instead of using an existing one.

To grant the account administrative access to the Active Directory domain, add the account to the domain’s local Administrators group as follows:

  1. In the Active Directory Users and Computers snap-in, right-click the user and select Properties.
  2. Go to the Member Of tab and click Add to make the user a member of the domain local Administrators group.

If you have established two-way trusts between each source and target domain or forest trust, you can grant this single account administrative access to each source and target domain. This powerful account must be maintained closely and should be deleted after the project is complete. It is recommended that this account be owned by one individual and one backup individual (or as few individuals as possible).
