Cisco Support Community
Cisco Employee

Applying new MS Exchange security script will bring you to grief

Now that I have your attention…

Microsoft Knowledge Base Article 313807: “XADM: Enhancing the Security of Exchange 2000 for the Exchange Domain Servers Group” talks about hardening security with a script which will break Unity. You can find the article here:;en-us;313807

Short story: they provide a snappy little script that makes sure that all members of the Exchange Domain Servers groups in the entire forest are explicitly denied send as/receive as rights on the Exchange mailstores.

If you run this you will, in most cases, take Unity out at the knees.

The account that is associated with the message-store-facing services for Unity is added as a member of the Exchange Domain Servers group so that we have the ability to log into everyone’s mailboxes for monitoring changes (lamps, notifications), getting at your messages when you call in, sending messages as someone for ISM (Identified Subscriber Messaging) functionality, etc. Without Send As/Receive As on the mailstores where all Unity subscribers are homed, Unity will not function.

So… if you feel the need to apply this script, be aware that you will have to explicitly allow Send As/Receive As rights on every mailstore in the forest that homes one or more subscribers for the account associated with the message-facing services in Unity. There are several ways you can go about this that come to mind off the top of my head:

1. Explicitly grant SA/RA on the mailstores. A local allow will override an inherited deny in AD permissions land, so this will work. However, if you add another Exchange server or a new mailstore you will have to remember to do this for that account on those stores, which can be a pain.

2. Take the message-facing account out of the Exchange Domain Servers group and grant it SA/RA rights at the Exchange Servers level – this will ensure it has this right on all Exchange mailstores moving forward.

3. You can do the same as 2, only create a security group that is allowed SA/RA on the Exchange Servers node and then assign to that group the users that are acting as the message-facing account for the Unity server(s) in your site.
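The following PowerShell script is an added example, not code from the original post, from Cisco or from the Microsoft KB article. It audits the Active Directory object of one mailbox store (the object in the configuration partition whose DACL the KB script modifies) for explicit Send As/Receive As entries, so you can see the Deny entries the script left behind, and with `-Grant` it applies option 1 above: an explicit Allow for the Unity message-store-facing account. The store DN and the account name are placeholders you must replace; the two extended-right GUIDs are looked up from the forest's Extended-Rights container rather than hard-coded, and the script uses only the .NET `System.DirectoryServices` classes.

```powershell
# Added example (assumed placeholders: $StoreDN and $UnityAccount must be replaced).
# Audits one mailbox store's AD DACL for Send As / Receive As ACEs and optionally
# adds an explicit Allow for the Unity message-store-facing account (option 1).
param(
    # Placeholder DN of the mailbox store object in the configuration partition.
    [string]$StoreDN = "CN=Mailbox Store (SERVER01),CN=First Storage Group,CN=InformationStore,CN=SERVER01,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=EXAMPLEORG,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=example,DC=com",
    # Placeholder account associated with Unity's message-store-facing services.
    [string]$UnityAccount = "EXAMPLE\UnityMsgStoreSvc",
    # Only modify the DACL when explicitly asked to.
    [switch]$Grant
)

$rootDse  = [ADSI]"LDAP://RootDSE"
$configNC = [string]$rootDse.configurationNamingContext

# Resolve the rightsGuid of an extended right by display name from CN=Extended-Rights,
# so the script does not depend on remembered GUID values.
function Get-ExtendedRightGuid([string]$DisplayName) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Extended-Rights,$configNC"
    $searcher.Filter = "(displayName=$DisplayName)"
    [void]$searcher.PropertiesToLoad.Add("rightsGuid")
    $result = $searcher.FindOne()
    if (-not $result) { throw "Extended right '$DisplayName' not found in $configNC" }
    return [Guid]$result.Properties["rightsguid"][0]
}

$rights = @{
    "Send As"    = Get-ExtendedRightGuid "Send As"
    "Receive As" = Get-ExtendedRightGuid "Receive As"
}
$extRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$store = [ADSI]"LDAP://$StoreDN"
$acl   = $store.ObjectSecurity

# Report every ACE (explicit and inherited) that covers Send As or Receive As.
# An ExtendedRight ACE with an empty ObjectType grants/denies ALL extended rights,
# which is how a grant at the Exchange Servers node (options 2 and 3) shows up here.
$report = foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])) {
    if (($ace.ActiveDirectoryRights -band $extRight) -eq 0) { continue }
    foreach ($name in $rights.Keys) {
        if ($ace.ObjectType -eq $rights[$name] -or $ace.ObjectType -eq [Guid]::Empty) {
            [pscustomobject]@{
                Type      = $ace.AccessControlType
                Right     = $name
                Identity  = $ace.IdentityReference.Value
                Inherited = $ace.IsInherited
            }
        }
    }
}
$report | Sort-Object Right, Type | Format-Table -AutoSize

if ($Grant) {
    # Explicit (non-inherited) Allow ACEs for the Unity account. An explicit Allow
    # takes precedence over an inherited Deny, which is what option 1 relies on.
    $identity = New-Object System.Security.Principal.NTAccount($UnityAccount)
    foreach ($name in $rights.Keys) {
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $identity,
            $extRight,
            [System.Security.AccessControl.AccessControlType]::Allow,
            $rights[$name]
        )
        $acl.AddAccessRule($rule)
        Write-Host "Added explicit Allow '$name' for $UnityAccount on $StoreDN"
    }
    $store.CommitChanges()
}
```

Run it once without `-Grant` to confirm that the Deny entries for Exchange Domain Servers are present and that no explicit Allow exists for the Unity account; run it with `-Grant` for each store that homes Unity subscribers. Because option 1 must be repeated for every new store, the audit portion is also useful after adding a server or mailstore, to catch a store that was missed.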

Here’s an article that talks more generally about how rights to the mailstore are controlled that may be helpful:
