I need the ability to grant unityaccess to one AD account and allow that single user to manage multiple Unity servers. I don't see any way to do this; we cannot create more than one AD account for these users.
To answer the second question, Unity relies on AD/Exchange and outside of Template or CoS - there really isn’t any distinction between an admin and what you would deem a typical subscriber. A subscriber is a subscriber.
This is where Unity Connection has an advantage - since there is no reliance on AD, you have the concept of Users with Mailboxes (Subscribers) and Users without Mailboxes (Administrators - or other pre-defined roles). So going back to the reliance on AD/Exchange, in Unity - every user is a user with a mailbox. So, once a Subscriber is associated with a particular Unity server, an attribute is updated within the AD properties for their account. If you move users between servers within a single domain, you have to clean that association up (the GSM tool is made for this).
Please rate helpful posts!
Access to the Unity system (SAWeb) requires that accounts have permissions at two levels: the OS and the application. I am guessing you were hoping for a way to use OS permissions to allow the AD accounts to access the SAWeb. While you do need to modify local box OS permissions to facilitate this, it will not allow the user to manage the "application". That is what the grantunityaccess tool can do.
I take it you aren't a fan of that approach, but I did a write-up on this topic that may be helpful. It is a quick read.
You don't need to associate the AD account to the EAdmin nor do you need to create a second AD account. Though, to be honest, that is our recommendation. But it isn't strictly required. You will, however, need an AD account that serves as a "dummy" account for the VM mailbox that you need to create. This "dummy" account needs an Exchange mailbox and is just like a standard user EXCEPT as follows:
1. The AD account itself is disabled (or can be)
2. The Unity mailbox account is configured with Unity CoS permissions so that the user of the account can do admin-level tasks
The idea is that you use grantunityaccess to associate your AD user account to the new "dummy" user. We like to use something like "tier1admin" and "tier2admin", etc. The idea here is that "tier1" may be able to add mailboxes while "tier2" can do everything.
Maybe it is a different spin on the grantunityaccess tool that you didn't account for, maybe not. Hopefully it is helpful.