none
Migration Account Privileges and why it's required

Answers

All replies

    • Marked as answer by DIFFMEISTER Friday, March 09, 2018 1:28 PM
    Thursday, March 08, 2018 4:45 AM
  • Hi Garth,

    Can you give me a few examples and stored proc names of what is executed? Is their a log file that has a list of changes/executions made by the Migration.

    Thanks.

    Michael 

    Thursday, March 08, 2018 5:54 AM
  • Hi,

    https://technet.microsoft.com/en-us/library/gg712275.aspx?f=255&MSPPError=-2147217396

    To upgrade the distribution point, Configuration Manager uses the Source Site Access Account that is configured to gather data from the SMS Provider of the source site. Although this account requires only Read permission for site objects to gather data from the source site, it must also have Delete and Modify permission to the Site class to successfully remove the distribution point from the Configuration Manager 2007 site during the upgrade.

    Just found above statement when reading Prerequisites for migration. It appears that it needs execute permission for running stored procedure to delete DPs, perhaps below are related:

    • spDeleteAllMigrationDistributionPoints, 
    • spDeleteMigrationDistributionPoint, 
    • spDeleteMigrationDPAndBoundaryGroup.

    The log file to troubleshoot migration would be migmctrl.log.


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.



    Thursday, March 08, 2018 6:36 AM
    Moderator
  • Hi Frank,

    Kind of what I was hoping it wouldn't be doing:), why would it need to delete existing DP's this maybe for DP site reassignment?

    Is there a log file of what it's exactly doing, a list of sp's its executing what I don't want it doing is making any deletions from the existing hierarchy or making any changes in the source hierarchy. I know it doesn't, other than the DP reassignment, need to confirm.

    Need the source site to be in running condition to mitigate any risks.

    Thanks,

    Michael

    Thursday, March 08, 2018 6:46 AM
  • migmctrl.log and smsprov.log would show what's happening. I cannot think of any deletions (except the one already mentioned) though.

    Torsten Meringer | http://www.mssccmfaq.de

    • Marked as answer by DIFFMEISTER Friday, March 09, 2018 1:28 PM
    Thursday, March 08, 2018 6:50 AM
  • thanks Torsten,

    I need this information for security clearance from the global organization,.. so I need it prior to execution, have  sample logs I can refer?

    Thanks,

    Michael.

    Thursday, March 08, 2018 7:11 AM
  • thanks Torsten,

    I need this information for security clearance from the global organization,.. so I need it prior to execution, have  sample logs I can refer?

    Thanks,

    Michael.

    At the end of the day, it doesn't matter why or what is execute or queried. It is documented as a requirement. There will not be a list of queries or SP that are executed. Your Sec team will have to live with what is documented. 

    Garth Jones

    Blog: http://www.enhansoft.com/blog Old Blog: http://smsug.ca/blogs/garth_jones/default.aspx

    Twitter: @GarthMJ Book: System Center Configuration Manager Reporting Unleased

    • Marked as answer by DIFFMEISTER Friday, March 09, 2018 1:29 PM
    Thursday, March 08, 2018 5:34 PM
  • Yeah you're right in that, I agree with what your saying completely. Thanks a lot everyone for shedding some perspective into it.
    Friday, March 09, 2018 1:27 PM