Issue
Some organizations heavily restrict granting a service account membership in the “Organization Management” role. This article describes an alternative set of permissions that meets the requirements of a MailboxShuttle deployment.
Solution
MailboxShuttle requires elevated rights in order to synchronize Active Directory (AD) and on-premises Exchange environment(s). When the “Organization Management” role is prohibited due to internal security requirements, a custom “Role Group” can be created within Exchange. The role group must have the following roles:

  • Migration
  • Move Mailboxes
  • View-Only Configuration
  • View-Only Recipients
  • Mailbox Import Export

For information on how to manage Role Groups for your version of Exchange, please visit Microsoft TechNet:
https://technet.microsoft.com/en-us/library/jj657480(v=exchg.160).aspx
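
One way to create and then audit such a role group from the Exchange Management Shell, as an added example that is not the vendor's own script. The group name and service account name are hypothetical placeholders; the role names are the five listed above.

```powershell
# Run in the Exchange Management Shell with rights to manage role groups.
# $GroupName and $ServiceAccount are hypothetical placeholders; substitute your own.
$GroupName      = 'MailboxShuttle Service'
$ServiceAccount = 'svc-mailboxshuttle'

# The five roles listed in this article.
$RequiredRoles = @(
    'Migration',
    'Move Mailboxes',
    'View-Only Configuration',
    'View-Only Recipients',
    'Mailbox Import Export'
)

# Stop before changing anything if a listed role does not exist in this organization.
$missing = @($RequiredRoles | Where-Object {
    -not (Get-ManagementRole -Identity $_ -ErrorAction SilentlyContinue)
})
if ($missing.Count -gt 0) {
    throw "Roles not found in this Exchange organization: $($missing -join ', ')"
}

# Create the role group only if it is not already present.
if (-not (Get-RoleGroup -Identity $GroupName -ErrorAction SilentlyContinue)) {
    $params = @{
        Name        = $GroupName
        Roles       = $RequiredRoles
        Members     = $ServiceAccount
        Description = 'Restricted role group for the MailboxShuttle service account'
    }
    New-RoleGroup @params
}

# Audit: confirm every required role is assigned (regular, not delegating).
foreach ($role in $RequiredRoles) {
    $found = Get-ManagementRoleAssignment -Role $role -RoleAssignee $GroupName -Delegating $false
    if (-not $found) { Write-Warning "Role '$role' is not assigned to '$GroupName'" }
}

# List everything the group holds and who is in it, so extra roles or members stand out.
Get-ManagementRoleAssignment -RoleAssignee $GroupName |
    Format-Table Name, Role, RoleAssignmentDelegationType -AutoSize
Get-RoleGroupMember -Identity $GroupName | Format-Table Name, RecipientType -AutoSize
```

Re-running the audit portion after any later change (for example, when adding permissions for pre-scripts or post-scripts) shows whether the group has grown beyond the five roles above.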
Note: If advanced functionality such as pre-scripts and/or post-scripts is required, the permissions will need to be modified accordingly.
Applies to Exchange 2010, 2013
