
Minimum Rights

dbateman64
Level 1

I need to install Unity 4.0 at a client that wants Unity to have little to no AD rights. Is it true that permissions wizard assigns the bare minimum rights required or can fewer rights be assigned manually and still have Unity function properly?

Thanks,

Dave

1 Accepted Solution

lindborg
Cisco Employee

The Permissions wizard has a couple options in it when you run it allowing you to restrict the ability to create new users, create contacts and the like - taking these options is about as stripped down as we'll support. You can review the rights it is actually adding in AD from the help file in the Permissions wizard itself - The installation account needs creation rights for making the location objects and default DLs and the like during installation but the account actually associated with the directory facing services in Unity doesn't really need that much... we need the ability to update user and distribution list objects for some properties and, of course, read access all over - you can dictate which OU container and below we can update user/DL objects in (i.e. which containers we can import users and DLs from) so you have a reasonable amount of control.

Getting down to individual property rights is going to bring you to grief and we won't support you - too many issues can and will come up with the installation - when those things come up we will ask you to run permissions wizard to clear them and/or run the Directory Access Diagnostics tool (both this and the latest Permissions Wizard tool can be found on www.CiscoUnityTools.com) which checks all the rights for importing specific users and/or creating new users in a specific container.

Both the DAD and PW tools have decent help files that go into some detail about which permissions are being checked and set - you'll want to start there with your customer - but short story is we'll need to extend the AD schema and we'll need the set of minimum permissions set by PW to operate properly.
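One way for the client's AD team to see what the directory-facing account actually holds on a given OU once Permissions Wizard has run. This is an added example, not part of the thread and not Cisco's DAD or PW tooling; it assumes the ActiveDirectory PowerShell module, and the account name and OU distinguished name are placeholders.

```powershell
# Added example: list the ACEs one service account holds on one OU and flag
# the ones worth questioning. Account and OU below are placeholders.
Import-Module ActiveDirectory   # provides the AD: drive that Get-Acl reads from

$Account = 'EXAMPLE\UnityDirSvc'                  # placeholder service account
$OuDn    = 'OU=VoicemailUsers,DC=example,DC=com'  # placeholder OU

# Bit masks from System.DirectoryServices.ActiveDirectoryRights (a flags enum).
# GenericAll contains WriteDacl and WriteOwner, so this mask also catches full control.
$Regrant = [int][System.DirectoryServices.ActiveDirectoryRights]'WriteDacl, WriteOwner'
$Create  = [int][System.DirectoryServices.ActiveDirectoryRights]'CreateChild'
$AllGuid = [guid]::Empty   # ObjectType of all zeros = applies to every property/class

function Get-AccountAce {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][string]$Identity
    )
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity } |
        ForEach-Object {
            $rights = [int]$_.ActiveDirectoryRights
            $allow  = $_.AccessControlType -eq 'Allow'
            [pscustomobject]@{
                Type       = $_.AccessControlType
                Rights     = $_.ActiveDirectoryRights
                # Unscoped = not limited to a single property or object class
                Unscoped   = $_.ObjectType -eq $AllGuid
                # None = this OU only; All/Descendents = the OU "and below"
                AppliesTo  = $_.InheritanceType
                Inherited  = $_.IsInherited      # true = granted higher up the tree
                CanRegrant = $allow -and (($rights -band $Regrant) -ne 0)
                CanCreate  = $allow -and (($rights -band $Create) -ne 0)
            }
        }
}

Get-AccountAce -DistinguishedName $OuDn -Identity $Account |
    Sort-Object CanRegrant, CanCreate -Descending |
    Format-Table -AutoSize
```

Rows with `Inherited` set to true come from a container above the OU, which is the place to look if the account can update objects outside the containers it was meant to be limited to.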
