Applying new MS Exchange security script will bring you to grief
Now that I have your attention
Microsoft Knowledge Base Article 313807: XADM: Enhancing the Security of Exchange 2000 for the Exchange Domain Servers Group talks about hardening security with a script which will break Unity. You can find the article here:
Short story: they provide a snappy little script that makes sure that all members of the Exchange Domain Servers group in the entire forest are explicitly denied Send As/Receive As rights on the Exchange mailstores.
If you run this you will, in most cases, take Unity out at the knees.
The account associated with Unity's message-store-facing services is added as a member of the Exchange Domain Servers group so that Unity can log into everyone's mailboxes to monitor changes (lamps, notifications), retrieve your messages when you call in, send messages as someone else for ISM (Identified Subscriber Messaging) functionality, and so on. Without Send As/Receive As on the mailstores where Unity subscribers are homed, Unity will not function.
So if you feel the need to apply this script, be aware that you will have to explicitly allow Send As/Receive As rights on every mailstore in the forest that homes one or more subscribers for the account associated with the message-facing services in Unity. There are several ways you can go about this that come to mind off the top of my head:
1. Explicitly grant SA/RA on the mailstores. A local allow will override an inherited deny in AD permissions land, so this will work. However, if you add another Exchange server or a new mailstore you will have to remember to do this for that account on those stores, which can be a pain.
2. Take the message-facing account out of the Exchange Domain Servers group and grant it SA/RA rights at the Exchange servers level; this will ensure it has this right on all Exchange mailstores moving forward.
3. Do the same as 2, only create a security group that is allowed SA/RA on the Exchange servers node, and then add to that group the accounts acting as the message-facing account for the Unity server(s) in your site.
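Before choosing one of the options above it helps to see exactly which Send As/Receive As entries currently apply to the Unity account on each store. The following audit is an added example, not Cisco's or the KB article's script; it assumes the Exchange Management Shell of Exchange 2007 or later (Get-MailboxDatabase, Get-ADPermission, Add-ADPermission), since Exchange 2000 had no shell, and the account and domain names are placeholders.

```powershell
# Added example (not from the original post). Assumes Exchange 2007+ Management Shell;
# Exchange 2000 admins would perform the same inspection in Exchange System Manager.
$unityAccount = 'EXAMPLE\UnityMsgStoreSvc'            # placeholder: Unity message-facing account
$trustees     = @($unityAccount, 'EXAMPLE\Exchange Domain Servers')   # placeholder domain

# Collect every Send-As / Receive-As ACE on every mailbox store that names either the
# Unity account itself or the Exchange Domain Servers group it belongs to, and note
# whether each entry is a deny and whether it was inherited from a parent container.
$report = foreach ($db in Get-MailboxDatabase) {
    $aces = Get-ADPermission -Identity $db.Identity | Where-Object {
        ($trustees -contains $_.User.ToString()) -and
        ($_.ExtendedRights -match 'Send-As|Receive-As')
    }
    foreach ($ace in $aces) {
        [pscustomobject]@{
            Store     = $db.Identity.ToString()
            Trustee   = $ace.User.ToString()
            Rights    = ($ace.ExtendedRights -join ',')
            Deny      = $ace.Deny
            Inherited = $ace.IsInherited
        }
    }
}
$report | Sort-Object Store, Trustee | Format-Table -AutoSize

# A store whose only matching entries are deny ACEs is the state the KB script leaves
# behind, and Unity will fail against it. Option 1 from the post is an explicit allow
# on that store; the explicit allow takes precedence over the inherited deny.
# -WhatIf shows what would change without touching the ACLs; drop it to apply.
$broken = $report | Group-Object Store | Where-Object {
    ($_.Group | Where-Object { -not $_.Deny }).Count -eq 0
}
foreach ($g in $broken) {
    Add-ADPermission -Identity $g.Name -User $unityAccount `
        -ExtendedRights 'Send-As', 'Receive-As' -WhatIf
}
```

Re-run the audit after applying so the new explicit allow shows up beside the inherited deny on each store; stores added later will not have it, which is the maintenance burden option 1 carries.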
Here's an article that talks more generally about how rights to the mailstore are controlled that may be helpful: