Quest Notes Migrator for Exchange (NME) – What are the minimum permissions needed in Domino to use NME?
Version 1.0, Dated July 7, 2008
Contents
Purpose
Domino Actions
  Creating the Domino Account
  Add the Domino Account to the ACL of all NSF files to be migrated
Quest Notes Migrator for Exchange Actions
  Add ‘NotesMig User’ to the ‘Notes Server Configuration’ area
  Migrating Mail with Quest Notes Migrator for Exchange
  Set/Remove forwarding, ‘Allow foreign directory synchronization’, ‘Visibility’
Summary
NME Minimum Permissions
P a g e | 2 Copyright 2008 – Quest Software Inc. All Rights Reserved
© Copyright Quest Software, Inc. 2008. All rights reserved.
This guide contains proprietary information, which is protected by copyright. The software described in
this guide is furnished under a software license or nondisclosure agreement. This software may be used
or copied only in accordance with the terms of the applicable agreement. No part of this guide may be
reproduced or transmitted in any form or by any means, electronic or mechanical, including
photocopying and recording for any purpose other than the purchaser's personal use without the
written permission of Quest Software, Inc.
Warranty
The information contained in this document is subject to change without notice. Quest Software makes
no warranty of any kind with respect to this information. QUEST SOFTWARE SPECIFICALLY DISCLAIMS
THE IMPLIED WARRANTY OF THE MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Quest
Software shall not be liable for any direct, indirect, incidental, consequential, or other damage alleged in
connection with the furnishing or use of this information.
Trademarks
Quest® is a trademark of Quest Software, Inc. Other trademarks and registered trademarks used in this
guide are property of their respective owners.
Quest Software, Inc. World Headquarters 5 Polaris Way Aliso Viejo, CA 92656 USA
www.quest.com e-mail: [email protected] U.S. and Canada: 949.754.8000
Please refer to our Web site for regional and international office information.
Quest Software complies with U.S. Export Control laws. Consequently, Quest Software will not ship products to or
provide support to anyone in prohibited destinations as defined by the U.S. Department of Commerce. For a copy
of the current export administration regulations, please visit their website at:
http://www.access.gpo.gov/bis/index.html.
Quest Support
Quest Support is available to customers who have a trial version of a Quest product or who have purchased a commercial version and have a valid maintenance contract. Quest Support provides around the clock coverage with SupportLink, our web self-service. Visit SupportLink at www.quest.com/support. From SupportLink, you can do the following:
- Quickly find thousands of solutions (Knowledgebase articles/documents).
- Download patches and upgrades.
- Seek help from a Support engineer.
- Log and update your case, and check its status.
- View the Global Support Guide for a detailed explanation of support programs, online services, contact information, and policy and procedures.
Purpose
When Quest Notes Migrator for Exchange (NME) is used to migrate from Domino, the person running
NME and the account specified within the ‘Notes Server’ area of the NME product need
specific permissions to complete all of its migration actions. Actions include:
- Migrating Mail
- Send “You’ve been migrated” messages to Notes mailboxes
- Set/Remove forwarding
- Set ‘Allow foreign directory synchronization’
- Set user visibility
Quest Notes Migrator for Exchange manages all of these activities, but uses basic Domino/Notes
commands to perform these actions.
Certain environments dictate that certain rights, roles and permissions cannot be granted to one user.
For Quest Notes Migrator for Exchange to be able to perform all of these activities successfully, certain
Domino permissions, rights and roles must be granted to a migration account. This document uses a
simple scenario with a single Domino server to describe (and show) how to grant the fewest Domino
permissions/rights/roles needed to enable a non-authoritative (or limited permission) account to perform a
migration from Domino.
NOTE: This document is used for informational purposes only using a very basic Domino structure. For
larger, more complex environments, further investigation on the part of the end-user will be
warranted. If the provided information here does not allow for the said actions to work successfully,
Quest Technical Support will request that the recommended permissions/rights/roles given from the
current Quest Notes Migrator for Exchange “System Requirements” be implemented.
Domino Actions
Creating the Domino Account
For example purposes, the user to be created will be called ‘NotesMig User’ in a single Domino domain
called ‘DOMINODOMAIN’. This user will be used to perform all the Domino actions.
- Open ‘Domino Administrator’ and expand ‘Domino Directories | DomainName’s Directory |
People’. On the right-hand side, expand ‘People’ and click “Register...”. In the
“Register Person – New Entry” dialog, enter the following, clicking “Register All” when
completed:
Figure 1 - Create the NotesMig Notes Account – Basics Screen
Resulting Notes User:
Figure 2 - NotesMig User's Personal Document
Note: For more information on creating users with Domino Administrator, please see the
following IBM/Domino article titled “Setting up Notes users” found at the following link:
http://infocenters.lotus.com/help7/topic/com.ibm.help.domino.admin85.doc/DOC/H_SETTING_UP_NOTES_USERS.html
Add the Domino Account to the ACL of all NSF files to be migrated
Because this is a new account, it has no access to the source NSF files to be migrated. An easy
way to verify this is to log into either Lotus Notes (client) or Domino Administrator as the
new ‘NotesMig User’:
Figure 3 - Logging in as 'NotesMig User'
...and attempt to open the NSF file of a user to be migrated via the ‘File | Database -> Open...’, Open Database
dialog. For this example, an attempt will be made to open the ‘Carl User’ (cuser.nsf) database on the
‘cs-domino65-01/MIG1’ Domino server:
Figure 4 - 'Open Database' dialog
When this occurs, the following “IBM Domino Administrator” dialog appears stating that the logged on
account does not have the required permissions to access the database:
Figure 5 - Open Database not authorized dialog
Logging into Domino Administrator as a person who has access to the said ‘cuser.nsf’ file (‘File |
Database -> Open...’ then ‘File | Database -> Access Control...’), we can indeed see that ‘NotesMig User’
is not specified, which is why the “You are not authorized to access that database” message is returned:
Figure 6 - Access Control List for Carl User
To remedy this lack of access, the new ‘NotesMig User’ Notes user will need to be added to ALL NSF files
that are to be migrated. Adding the user manually to each NSF file individually would be a daunting task;
however, this can be achieved using the ‘Manage ACL...’ option under the ‘Files’ tab in Domino
Administrator. In the ‘Files’ tab, locate the NSF files to add/modify the ACLs on (multi-select is available
if needed) and (under the ‘Database’ drop-down) click ‘Manage ACL...’ as shown:
Figure 7 - Manage ACL option for CUSER.NSF
If multiple NSF files are selected and the ‘Manage ACL...’ is selected, the following dialog will appear:
Figure 8 - Manager Multiple ACLs dialog
...if only one is selected, the normal ‘Access Control List to: UserName’ will appear:
Figure 9 - Access Control List for Carl User
For either dialog, click the ‘Add...’ button and select the desired user to be added. For this example,
‘NotesMig User’ will be added:
Figure 10 - Adding NotesMig User to Carl Users NSF ACL
...for this example ‘NotesMig User’ will be added as ‘User Type: Person’ and ‘Access:Manager’.
Note:
Anything set less than “Access:Manager” will result in errors when Quest Notes Migrator for
Exchange is run. Please see the section titled “Migrating Mail with Quest Notes Migrator for
Exchange” for examples of these possible errors.
For more information on adding domino users to ACLs of multiple NSF files, please see the
following IBM/Domino article titled “Manage ACL | Basic Options” found at the following link:
http://infocenters.lotus.com/help7/index.jsp?topic=/com.ibm.help.domino.admin.doc/DOC/FILES_TAB_TOOLS_MANAGE_ACL_0210.html
Quest Notes Migrator for Exchange Actions
Add ‘NotesMig User’ to the ‘Notes Server Configuration’ area
Once the ‘NotesMig User’ has been created and added to the Access Control List of the needed NSF
files, ‘NotesMig User’ will need to be added to the ‘Notes Server Configuration’ area of Quest Notes
Migrator for Exchange as shown here:
Figure 11 - Specify ‘NotesMig User’ to the NME Notes Server area
Please be sure to click the ‘Apply...’ button and be sure the “Status” area states that it “Successfully
saved the Notes settings” before continuing.
Note: If this action fails, please launch the Lotus Notes Client on the same computer (as NME) and
attempt to login using the same ID file found in the same folder structure as shown in the ‘Notes Server
Configuration’, ‘User ID file (UNC path):’ area of Quest Notes Migrator for Exchange. This should succeed
without any errors or prompts.
Migrating Mail with Quest Notes Migrator for Exchange
With the ‘Notes Server Configuration’ area now set with the correct user, an attempt will be made to migrate
‘Carl User’ mail and send a “You’ve been migrated” message:
Figure 12 - Migrating mail and Migrated Message options
Results:
Figure 13 - Migrating mail and Migrated Message results
...where the ‘2 warning(s)’ noted (in the screenshot) are for the ‘LocalDomainServers’ and
‘OtherDomainServers’ groups which do not have a corresponding Exchange Account in the target Active
Directory environment (so they can be safely ignored).
Note: If an attempt to migrate Carl User was made with “Quest Notes Migrator for Exchange” having
‘NotesMig User’ set as ‘Editor’ (or lower) in the ACL of the said NSF files, the following (possible)
error(s) may be seen in the logs (as an example; other errors may be seen depending upon the content
being migrated):
13:22:15 ERROR: [4618-33-102-00000246] Unable to open NSF file 'cs-domino65-01/MIG1!!mail\cuser.nsf'
13:22:15 NSFDbOpen:
13:22:15 You are not authorized to perform that operation
...
13:42:36 WARNING: [4619-33-2-00000246] Unable to get unread note table for user '' in database 'cs-domino65-01/MIG1!!mail\cuser.nsf'; assuming all notes are read
13:42:36 NSFDbGetUnreadNoteTable:
13:42:36 You are not authorized to perform that operation
...
13:42:37 WARNING: [4619-33-2-00000246] Unable to get unread note table for user 'CN=Carl User/O=MIG1' in database 'cs-domino65-01/MIG1!!mail\cuser.nsf'; assuming all notes are read
13:42:37 NSFDbGetUnreadNoteTable:
13:42:37 You are not authorized to perform that operation
...
13:43:15 ERROR: [4996-33-192-00000246] Unable to migrate contents of folder 'HeadlinesView'
13:43:15 NIFOpenCollection:
13:43:15 You are not authorized to perform that operation
...
13:43:15 WARNING: [4652-33-165-00000000] Unable to migrate one or more mail messages.
Set/Remove forwarding, ‘Allow foreign directory synchronization’, ‘Visibility’
The following actions:
- Set/Remove forwarding
- Set ‘Allow foreign directory synchronization’
- Set user visibility
...all modify the personal document of the Notes user. Giving only ACL permissions to the NSF file will
not be enough to perform these actions. These actions require the ability to modify personal
documents, similar to modifying the personal documents when utilizing Domino Administrator.
As per the following IBM/Domino documentation, the following chart summarizes what needs to be
done to allow a said user to perform certain actions (within specific environments).
For more information on setting up users to perform additional administrative tasks, please see
the following IBM/Domino article titled “Setting up ACLs for the Administration Process” found
at the following link:
http://infocenters.lotus.com/help7/topic/com.ibm.help.domino.admin.doc/DOC/H_MODIFYING_ACLS_TO_USE_THE_ADMINISTRATION_PROCESS.html
So the same procedure as section “Add the Domino Account to the ACL of all NSF files to be migrated”
will be needed to add ‘NotesMig User’ to the ACL of the names.nsf, admin4.nsf and certlog.nsf files
(based upon this example scenario). This can be achieved using the ‘Manage ACL...’ option under the
‘Files’ tab in Domino Administrator. In the ‘Files’ tab, locate the names.nsf, admin4.nsf and certlog.nsf
files to modify the ACL on (multi-select is available if needed for the particular environment) and under
the ‘Database’ drop-down, click ‘Manage ACL...’.
Figure 14 - Selecting the needed NSF files for ACL modification
For this example, ‘NotesMig User’ is added as ‘User type:Person/Access:Editor’ to the names.nsf,
admin4.nsf and certlog.nsf files as shown below:
Figure 15 - Adding NotesMig User to the ACL of the needed NSF files
Note: Once set, this may take time to replicate within the Notes Environment before having the ability
to modify the Person Documents. Log in as ‘NotesMig User’ frequently to Domino Administrator to see if
the Personal Document can be manually edited prior to attempting the same action within Quest Notes
Migrator for Exchange.
Results
Results of ‘Disable foreign directory synch’ and ‘Set user visibility’:
Figure 16 – NME results of visibility and foreign directory synch
Figure 17 - Results of visibility and foreign directory synch
Results of ‘Set forwarding’:
Figure 18 - NME results Set Mail Forwarding
Figure 19 - Results of Set Forwarding
As an example, if an attempt is made to set the ‘Allow foreign directory synchronization’ via the ‘Notes
administrative functions’ option within Quest Notes Migrator for Exchange and the Notes ID file
specified does not have sufficient privileges, the following error will be seen in the Quest Notes Migrator
for Exchange log file:
15:07:57 ERROR: [1395-31-14-00000000] Unable to set forwarding and/or disable foreign dirsync for user 'Carl User'
15:07:57 Person document is read-only.
...and if the same action is attempted via Domino Administrator, it will be noticed that there is no ‘Edit
Person’ button to modify the value which means the person logged into Domino Administrator has
insufficient privileges to modify the Person Document:
Figure 20 - Results of having and not having sufficient privileges
What this means is the user being specified in the Notes Server section of Quest Notes Migrator for
Exchange will require certain privileges to make these activities work.
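A triage sketch for the two log excerpts quoted in this guide (an added example, not part of the Quest document or of NME): it groups each ERROR/WARNING line with its follow-on detail lines and maps the two permission messages to the ACL this guide adjusts for them. The line layout is assumed from the excerpts; the function names, the hint text and the joined sample log are constructed here.

```python
import re

# Constructed sample: lines copied from the two excerpts in this guide, joined into one log.
SAMPLE_LOG = r"""13:22:15 ERROR: [4618-33-102-00000246] Unable to open NSF file 'cs-domino65-01/MIG1!!mail\cuser.nsf'
13:22:15 NSFDbOpen:
13:22:15 You are not authorized to perform that operation
...
13:42:37 WARNING: [4619-33-2-00000246] Unable to get unread note table for user 'CN=Carl User/O=MIG1' in database 'cs-domino65-01/MIG1!!mail\cuser.nsf'; assuming all notes are read
13:42:37 NSFDbGetUnreadNoteTable:
13:42:37 You are not authorized to perform that operation
13:43:15 ERROR: [4996-33-192-00000246] Unable to migrate contents of folder 'HeadlinesView'
13:43:15 NIFOpenCollection:
13:43:15 You are not authorized to perform that operation
13:43:15 WARNING: [4652-33-165-00000000] Unable to migrate one or more mail messages.
15:07:57 ERROR: [1395-31-14-00000000] Unable to set forwarding and/or disable foreign dirsync for user 'Carl User'
15:07:57 Person document is read-only.
"""

# Assumed layout: header = time, level, [code], message; detail = time, text.
HEAD = re.compile(r"^(\d\d:\d\d:\d\d) (ERROR|WARNING): \[([\d-]+)\] (.*)$")
CONT = re.compile(r"^\d\d:\d\d:\d\d (.*)$")

# Permission message -> the ACL this guide adjusts for it.
HINTS = {
    "You are not authorized to perform that operation":
        "mail file ACL (guide grants the migration account Access:Manager)",
    "Person document is read-only.":
        "names.nsf/admin4.nsf/certlog.nsf ACL (guide grants Access:Editor)",
}

def parse_events(text):
    """Group each ERROR/WARNING header with the detail lines that follow it."""
    events = []
    for line in text.splitlines():
        m = HEAD.match(line)
        if m:
            events.append(dict(time=m[1], level=m[2], code=m[3], message=m[4], details=[]))
        elif events and (c := CONT.match(line)):
            events[-1]["details"].append(c[1])  # elision lines ("...") match neither
    return events

def permission_findings(events):
    """Return {hint: [(time, code, api_or_None, message)]}; api is the detail ending in ':'."""
    findings = {}
    for ev in events:
        api = next((d[:-1] for d in ev["details"] if d.endswith(":")), None)
        for detail in ev["details"]:
            if detail in HINTS:
                findings.setdefault(HINTS[detail], []).append(
                    (ev["time"], ev["code"], api, ev["message"]))
    return findings

if __name__ == "__main__":
    print(permission_findings(parse_events(SAMPLE_LOG)))
```

Events with no matching detail line, such as the closing 4652 warning, are parsed but produce no finding.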
Summary
Quest Notes Migrator for Exchange manages the activities of Migrating Mail (from Notes mailboxes),
sending “You’ve been migrated” messages to Notes mailboxes, setting/removing of forwarding (within
the Notes Personal Documents), setting the ‘Allow foreign directory synchronization’ (within the Notes
Personal Documents) and setting user visibility (within the Notes Personal Documents) using basic
Domino commands. For these commands to run uninterrupted, privileges need to be given to a
migration account such that they can successfully perform these actions as if the actions were being
performed using Domino/Lotus Notes native tools. Failing to do so will result in errors which will prevent
a successful migration from occurring.
This basic example should give guidance on how to achieve a successful migration with minimum
rights. For larger, more complex environments, further investigation on the part of the end-user will be
warranted. If the provided information here does not allow for the said actions to work successfully,
Quest Technical Support will request that the recommended permissions/rights/roles given from the
current System Requirements be implemented.