Migrating users to a new forest while Exchange "stays" in the current domain
I'm currently involved in a project where a new forest/domain is being built. In this new forest, the workstations and users will be migrated first, followed by the back-end components. Therefore the users in the new domain need to have access to the Exchange mailboxes hosted in the current domain.
Therefore we created a new user account in the new domain. Secondly, we disabled the user account in the current domain and assigned the permission Associated External Account to the user account in the new domain.
With these settings the user can use his own mailbox as usual. However, we notice that permissions assigned earlier to another user's mailbox no longer function when the right is assigned directly to the user. If the permissions are set on a Distribution Group, the user can still access that resource.
Is there any possibility that the permissions assigned on a per-user basis can be preserved in this process, or should we re-assign such permissions?
We are running MS Exchange 2003 in a 2003 domain (with domain level 2003) in a forest running at forest level 2000.
http://sbc.vanbragt.net
All Replies
Hi,
I am afraid that you do not have a method to preserve the permissions assigned on a per-user basis. You need to re-assign the permissions.
Nevertheless, why do you not migrate the user instead of creating a new user in the new domain?
Mike Shen
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfb @ microsoft.com
~~~~~~~~~~~~~~~~
I tried to use ADMT to migrate the user to the new domain, but then again the permissions on the Exchange mailboxes are lost. As soon as I disable the user account in the Exchange domain, the permissions are lost. The permissions are stored using the domainname/username.
Do you know if it's possible to query the Exchange database information to determine on which mailboxes (or items) a user has permissions, followed by a script that adds the same permissions to the user account in the new domain?
http://sbc.vanbragt.net
Hi,
Sorry for the delay in response. I was on training last week.
I have tested the configuration locally in my lab and I am able to reproduce your issue. After some research, I would like to explain that before migrating the user account, when you grant a user permission to access another mailbox or folder, the user's objectSid is set on the mailbox/folder.
After migrating the user account to the target forest and configuring it as the associated external account, the user in the source forest is disabled and msExchMasterAccountSid is set to the new user's SID in the target forest.
When the user attempts to access the shared mailbox/folder in the source forest, the new SID is used to authenticate to the Information Store. Therefore, the user will fail to access the shared mailbox/folder after migrating to the new forest.
Regarding your question, to export all the mailbox permissions, you can use the ADModify tool. To export all the folder permissions, you can use the PFDavAdmin tool. Regarding whether there is a script to do it automatically, I would like to explain that you may post the question to the Development forum:
http://social.technet.microsoft.com/Forums/en-US/exchangesvrdevelopment/threads
For more information:
How can I dump out the mailbox permissions on a Microsoft Exchange Server box or bulk change multiple users' attributes at once?
XADM: Requirements for Disabling the Recipient Update Service
http://support.microsoft.com/kb/296479/en-us
Mike Shen
~~~~~~~~~~~~~~~~
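The SID mismatch described in the reply above, as an added example that is not part of the thread and is not code from ADModify or PFDavAdmin: this Python script decodes binary SIDs and lists the mailbox ACEs that still name a migrated user's source objectSid and have no matching entry for the SID held in msExchMasterAccountSid. The account records, ACE tuples, right names and domain identifiers are constructed, hypothetical sample data, not the export format of either tool.

```python
import struct

def make_sid(*subs):
    """Build a binary NT-authority SID (revision 1, authority 5) for sample data."""
    return bytes([1, len(subs)]) + (5).to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def sid_to_str(raw):
    """Decode a binary SID, as held in objectSid / msExchMasterAccountSid, to S-1-... form."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed SID: length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")          # 48-bit, big-endian
    subs = struct.unpack("<%dI" % raw[1], raw[8:])       # 32-bit each, little-endian
    return "-".join(["S", str(raw[0]), str(authority), *map(str, subs)])

def plan_regrants(accounts, aces):
    """Return (mailbox, old_sid, new_sid, right) for every ACE that still names a
    migrated user's source objectSid and has no matching ACE for the new SID."""
    remap = {sid_to_str(a["objectSid"]): sid_to_str(a["msExchMasterAccountSid"])
             for a in accounts if a["msExchMasterAccountSid"]}
    present = set(aces)
    return [(mbx, sid, remap[sid], right) for mbx, sid, right in aces
            if sid in remap and (mbx, remap[sid], right) not in present]

# Constructed sample data: two source-forest accounts, one of them migrated.
SRC = (21, 1111, 2222, 3333)   # hypothetical source domain identifier
DST = (21, 4444, 5555, 6666)   # hypothetical target domain identifier
ACCOUNTS = [
    {"sam": "alice", "objectSid": make_sid(*SRC, 1105), "msExchMasterAccountSid": make_sid(*DST, 2101)},
    {"sam": "bob", "objectSid": make_sid(*SRC, 1106), "msExchMasterAccountSid": None},
]
ALICE_OLD, ALICE_NEW, BOB = (sid_to_str(make_sid(*s)) for s in
                             ((*SRC, 1105), (*DST, 2101), (*SRC, 1106)))
# Constructed ACE export: (mailbox, trustee SID, right). Right names are labels only.
ACES = [
    ("shared-sales", ALICE_OLD, "FullMailboxAccess"),  # stale: names the old SID
    ("shared-sales", BOB, "FullMailboxAccess"),        # bob was not migrated
    ("shared-hr", ALICE_OLD, "FullMailboxAccess"),     # already re-granted below
    ("shared-hr", ALICE_NEW, "FullMailboxAccess"),
]

if __name__ == "__main__":
    for mbx, old, new, right in plan_regrants(ACCOUNTS, ACES):
        print(f"{mbx}: grant {right} to {new} (currently held by {old})")
```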


