
Permissions needed on Target Domain for Migration

Experts,

 

I noticed that to use QMM for AD, the account needs to be in the Domain Admins group in the target domain.

For security reasons, this might not be possible.

 

There is only 1 OU in the target domain where the accounts from the source domain will migrate.

Can we use an account that has Full Control over that OU rather than a Domain Admin account?

  • There can be more than one account used in QMM AD.

    Directory Sync Account (DSA) on a Domain tab in a Domain Pair:
    Technically the account needs "Administrators" group membership, not "Domain Admins" group membership. This is due to how the tool migrates passwords and SID history by default. It uses an agent that is installed at run time and removed when it is completed. This installation and removal of the Agent service is what requires "Administrators" group membership.

    It is a process account; the operators do not need to know its password or use the account.

    Additionally, you can configure the tool to NOT migrate passwords and leverage MS's method for writing SID history, and that will allow you to NOT use an account with "Administrators" group membership.

    See the Granular Account and Permissions documentation for complete details. support.quest.com/.../

    RUM Credentials:
    Additionally, MS released a patch that requires Domain Admins membership to create computer accounts. You have the option to remove the patch or grant Domain Admins membership to the RUM credentials.
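One way to verify the least-privilege setup discussed above, as an added example that is not from this thread or from the Quest documentation: this PowerShell script reports which privileged groups the migration account holds in the target domain (nested membership included) and lists the ACEs it has on the single migration OU. The account, OU and DC names are placeholders, and it assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added example, not from the thread or the Quest documentation.
# Audits a migration service account in the TARGET domain:
#   1. which privileged groups it belongs to (nested membership included)
#   2. what rights it actually holds on the single migration OU
# All names below are placeholders; replace them with your own values.
$Account  = 'svc-qmm-dsa'                              # placeholder DSA / RUM account
$TargetOU = 'OU=Migrated,DC=target,DC=example'         # placeholder migration OU
$Server   = 'dc01.target.example'                      # placeholder target-domain DC

Import-Module ActiveDirectory

$user = Get-ADUser -Identity $Account -Server $Server
$dn   = $user.DistinguishedName

# LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) walks group nesting, so an
# account that reaches Domain Admins through an intermediate group is still reported.
$groups = Get-ADGroup -Server $Server -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
          Select-Object -ExpandProperty Name

# 'Administrators' is what the run-time agent needs; the others are broader than required.
$privileged = 'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins'
$hits = $groups | Where-Object { $privileged -contains $_ }

"Account $Account is a (nested) member of: $($groups -join ', ')"
if ($hits -contains 'Domain Admins' -or $hits -contains 'Enterprise Admins') {
    Write-Warning "$Account holds domain/forest-wide admin rights; Administrators alone is enough for the agent."
} elseif ($hits -contains 'Administrators') {
    "OK: $Account is in Administrators (needed for the run-time agent) but not Domain Admins."
} else {
    "$Account is in no privileged group; agent-based password/SID-history migration needs Administrators unless the tool is configured not to migrate passwords."
}

# Effective ACEs for the account on the target OU. The AD: drive is bound to the domain of
# the current session, so run this from a machine joined to the target domain.
$acl = Get-Acl -Path "AD:\$TargetOU"
$acl.Access |
    Where-Object { $_.IdentityReference.Value -like "*\$($user.SamAccountName)" } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  InheritanceType, ObjectType |
    Format-Table -AutoSize
```

An account that shows only a delegated Full Control ACE on the OU and no privileged group membership matches the "do not migrate passwords" configuration described in the answer, not the default agent-based one.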
