Some organizations have heavy restrictions on providing a service account that is within the “Organization Management” role. This article describes an alternative set of permissions to meet the requirements of a MailboxShuttle deployment.
MailboxShuttle requires elevated rights in order to synchronize Active Directory (AD) and on-premises Exchange environment(s). When the “Organization Management” role is prohibited due to internal security requirements, a custom “Role Group” can be created within Exchange. The role group must have the following roles:
- Move Mailboxes
- View-Only Configuration
- View-Only Recipients
- Mailbox Import Export
For information on how to manage Role Groups for your version of Exchange, please visit Microsoft TechNet.
Note: If advanced functionality such as pre-scripts and/or post-scripts is required, the permissions will need to be modified accordingly.
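The following Exchange Management Shell script is an added example, not vendor-supplied code: it creates a role group with the four roles listed above and then reads the assignments back to confirm the group holds exactly that set. The group name `MailboxShuttle Service` and the account `svc-mailboxshuttle` are hypothetical placeholders.

```powershell
# Run in the Exchange Management Shell as an administrator allowed to manage role groups.
# Hypothetical names chosen for this example; substitute your own.
$GroupName      = 'MailboxShuttle Service'
$ServiceAccount = 'svc-mailboxshuttle'

# The four management roles the article lists.
$RequiredRoles = @(
    'Move Mailboxes',
    'View-Only Configuration',
    'View-Only Recipients',
    'Mailbox Import Export'
)

# Create the role group only if it does not exist yet.
if (-not (Get-RoleGroup -Identity $GroupName -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $GroupName -Roles $RequiredRoles -Members $ServiceAccount `
        -Description 'Least-privilege role group for the MailboxShuttle service account'
}

# Read back the regular (non-delegating) assignments and compare with the intended set.
$Assigned = @(Get-ManagementRoleAssignment -RoleAssignee $GroupName -Delegating $false |
    ForEach-Object { [string]$_.Role } | Sort-Object -Unique)

$Missing = @($RequiredRoles | Where-Object { $Assigned -notcontains $_ })
$Extra   = @($Assigned | Where-Object { $RequiredRoles -notcontains $_ })

if ($Missing) { Write-Warning "Missing roles: $($Missing -join ', ')" }
if ($Extra)   { Write-Warning "Roles beyond the documented set: $($Extra -join ', ')" }
if (-not $Missing -and -not $Extra) {
    Write-Output "Role group '$GroupName' holds exactly the four required roles."
}

# List members so the group's membership can be reviewed.
Get-RoleGroupMember -Identity $GroupName | Select-Object Name, RecipientType
```

Re-running the verification half after any later change (for example, adding rights for pre-scripts or post-scripts) shows whether the group has drifted from the documented set.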
Applies to Exchange 2010, 2013