Remove From My Forums

Migration Account Privileges and why it's required

Question

0

Sign in to vote
Hi,

I am trying to understand why the Account (Source Site Database Account) used in migration require the permission of execute?

Source Site Account: Read permission to the SMS Provider for the specified top-level site in the source hierarchy.
Source Site Database Account: Read and Execute permission to the SQL Server database for the specified top-level site in the source hierarchy.

https://docs.microsoft.com/en-us/sccm/core/migration/configuring-source-hierarchies-and-source-sites-for-migration

Why do you need execute privileges on the source database?

Thanks in advance

Michael
- Edited by DIFFMEISTER Wednesday, March 7, 2018 11:43 PM
Wednesday, March 7, 2018 11:43 PM

Reply

|

Quote

Answers

0

Sign in to vote
to execute some stored procedures and alike.
Garth Jones

Blog: http://www.enhansoft.com/blog Old Blog: http://smsug.ca/blogs/garth_jones/default.aspx

Twitter: @GarthMJ Book: System Center Configuration Manager Reporting Unleased
- Marked as answer by DIFFMEISTER Friday, March 9, 2018 1:28 PM
Thursday, March 8, 2018 4:45 AM

Reply

|

Quote

0

Sign in to vote
Hi,

https://technet.microsoft.com/en-us/library/gg712275.aspx?f=255&MSPPError=-2147217396

To upgrade the distribution point, Configuration Manager uses the Source Site Access Account that is configured to gather data from the SMS Provider of the source site. Although this account requires only Read permission for site objects to gather data from the source site, it must also have Delete and Modify permission to the Site class to successfully remove the distribution point from the Configuration Manager 2007 site during the upgrade.

Just found above statement when reading Prerequisites for migration. It appears that it needs execute permission for running stored procedure to delete DPs, perhaps below are related:

spDeleteAllMigrationDistributionPoints,
spDeleteMigrationDistributionPoint,
spDeleteMigrationDPAndBoundaryGroup.

The log file to troubleshoot migration would be migmctrl.log.

Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
- Edited by Frank DongModerator Thursday, March 8, 2018 6:42 AM
- Marked as answer by DIFFMEISTER Friday, March 9, 2018 1:28 PM
Thursday, March 8, 2018 6:36 AM

Reply

|

Quote

Moderator

0

Sign in to vote
migmctrl.log and smsprov.log would show what's happening. I cannot think of any deletions (except the one already mentioned) though.
Torsten Meringer | http://www.mssccmfaq.de
- Marked as answer by DIFFMEISTER Friday, March 9, 2018 1:28 PM
Thursday, March 8, 2018 6:50 AM

Reply

|

Quote

0

Sign in to vote
thanks Torsten,

I need this information for security clearance from the global organization,.. so I need it prior to execution, have sample logs I can refer?

Thanks,

Michael.

At the end of the day, it doesn't matter why or what is execute or queried. It is documented as a requirement. There will not be a list of queries or SP that are executed. Your Sec team will have to live with what is documented.
Garth Jones

Blog: http://www.enhansoft.com/blog Old Blog: http://smsug.ca/blogs/garth_jones/default.aspx

Twitter: @GarthMJ Book: System Center Configuration Manager Reporting Unleased
- Marked as answer by DIFFMEISTER Friday, March 9, 2018 1:29 PM
Thursday, March 8, 2018 5:34 PM

Reply

|

Quote

All replies

0

Sign in to vote
to execute some stored procedures and alike.
Garth Jones

Blog: http://www.enhansoft.com/blog Old Blog: http://smsug.ca/blogs/garth_jones/default.aspx

Twitter: @GarthMJ Book: System Center Configuration Manager Reporting Unleased
- Marked as answer by DIFFMEISTER Friday, March 9, 2018 1:28 PM
Thursday, March 8, 2018 4:45 AM

Reply

|

Quote

0

Sign in to vote

Hi Garth,

Can you give me a few examples and stored proc names of what is executed? Is their a log file that has a list of changes/executions made by the Migration.

Thanks.

Michael

Thursday, March 8, 2018 5:54 AM

Reply

|

Quote

0

Sign in to vote
Hi,

https://technet.microsoft.com/en-us/library/gg712275.aspx?f=255&MSPPError=-2147217396

To upgrade the distribution point, Configuration Manager uses the Source Site Access Account that is configured to gather data from the SMS Provider of the source site. Although this account requires only Read permission for site objects to gather data from the source site, it must also have Delete and Modify permission to the Site class to successfully remove the distribution point from the Configuration Manager 2007 site during the upgrade.

Just found above statement when reading Prerequisites for migration. It appears that it needs execute permission for running stored procedure to delete DPs, perhaps below are related:

spDeleteAllMigrationDistributionPoints,
spDeleteMigrationDistributionPoint,
spDeleteMigrationDPAndBoundaryGroup.

The log file to troubleshoot migration would be migmctrl.log.

Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
- Edited by Frank DongModerator Thursday, March 8, 2018 6:42 AM
- Marked as answer by DIFFMEISTER Friday, March 9, 2018 1:28 PM
Thursday, March 8, 2018 6:36 AM

Reply

|

Quote

Moderator

0

Sign in to vote

Hi Frank,

Kind of what I was hoping it wouldn't be doing:), why would it need to delete existing DP's this maybe for DP site reassignment?

Is there a log file of what it's exactly doing, a list of sp's its executing what I don't want it doing is making any deletions from the existing hierarchy or making any changes in the source hierarchy. I know it doesn't, other than the DP reassignment, need to confirm.

Need the source site to be in running condition to mitigate any risks.

Thanks,

Michael

Thursday, March 8, 2018 6:46 AM

Reply

|

Quote

0

Sign in to vote
migmctrl.log and smsprov.log would show what's happening. I cannot think of any deletions (except the one already mentioned) though.
Torsten Meringer | http://www.mssccmfaq.de
- Marked as answer by DIFFMEISTER Friday, March 9, 2018 1:28 PM
Thursday, March 8, 2018 6:50 AM

Reply

|

Quote

0

Sign in to vote

thanks Torsten,

I need this information for security clearance from the global organization,.. so I need it prior to execution, have sample logs I can refer?

Thanks,

Michael.

Thursday, March 8, 2018 7:11 AM

Reply

|

Quote

0

Sign in to vote
thanks Torsten,

I need this information for security clearance from the global organization,.. so I need it prior to execution, have sample logs I can refer?

Thanks,

Michael.

At the end of the day, it doesn't matter why or what is execute or queried. It is documented as a requirement. There will not be a list of queries or SP that are executed. Your Sec team will have to live with what is documented.
Garth Jones

Blog: http://www.enhansoft.com/blog Old Blog: http://smsug.ca/blogs/garth_jones/default.aspx

Twitter: @GarthMJ Book: System Center Configuration Manager Reporting Unleased
- Marked as answer by DIFFMEISTER Friday, March 9, 2018 1:29 PM
Thursday, March 8, 2018 5:34 PM

Reply

|

Quote

0

Sign in to vote

Yeah you're right in that, I agree with what your saying completely. Thanks a lot everyone for shedding some perspective into it.

Friday, March 9, 2018 1:27 PM

Reply

|

Quote