Hello Jeff, Keith, and all -
I am in the process of testing the Unity 4.02 permissions wizard in our lab environment (separate Exchange 2000) using the 4 new Unity accounts. Our test environment simulates production, one Exchange forest with two departmental (and politically separate) administrative groups. We were able to get the permissions correct for all items EXCEPT the Send As and Receive As permissions. We finally were able to get the entire permissions wizard run to completion by using an account that had "god privileges" at the forest root. Unfortunately, we will not be in a position to have these same priviledges in production.
We currently have Unity 3.1(5) running in production with Exchange 2000. The single account, unityadm, was implemented according to the install procedures and configured for Send As/Receive As permissions. Unity is currently configured/authorized to import subscribers from a single administrative group which contains only our departmental Exchange servers.
1. Can the permissions wizard be modified to only attempt to update the Send As and Receive As permissions for a single administrative group?
2. The Enterprise Admins at the forest root have implemented a policy whereby only servers are allowed in the Exchange Domain Servers group. The permissions wizard places the user account for the UnityMessageStoreSvc in this group. What can we do to work around this limitation, as the Enterprise Admins have implemented a fix to pull any user account out of this group automatically.
3. Our Exchange admin is also concerned the permissions wizard will attempt to access other department's Exchange servers and needs to know how we can avoid this from occurring.
Thanks, as always, for your help and advice. Sincerely,
1. Not currently - this is something we're working on figuring out - the UI for allowing folks to limit which mailstores/servers to grant SA/RA rights is tricky since we don't know which ones subscribers will end up being homed on. Limiting it by domain is too broad, and a UI for "hunting and picking" individual mailstores in the forrest is hairy at best.
2. Hmmm... I've not hear of such an aggressive "yank it" policy like that. Interesting. I'll check with Ken tomorrow to see what can be done here.
3. We wont "access" Exchange servers that don't have subscribers homed on them - we wont be logging into mailboxes or the like if that's what they're concerned about.
It sounds like this is a site that will need to manualy configure rights - this may cause problems as TAC may ask that PW be run if there are problems uncovered that look to be permissions related but some sites are wired down tight enough that an automated tool like PW just can't make them happy and do it's job as well.
Hi Jeff -
Thanks for your reply! I appreciate any advice your team can provide here. Since we will be upgrading from 3.1(5) to 4.0(2) in production, not yet scheduled, perhaps we'll have time to work out the permissions that need to change from what we have today to what is required for 4.x?
Hey Jeff -
Did Ken have any recommendations for our forest having a policy that only allows servers to be in the Exchange Domain Servers group, not userids? When we are ready to upgrade our 3.1(5) system to 4.0(x), how should we handle the manual configuration of permissions as well as the multiple userids (install, directory, etc.)? Should I work with TAC preceding the upgrade? For followup, I could get a list of the permissions that unityadm has in production now, to see if those would be sufficient to run when installing 4.0?
I knew I forgot something...
Yes, the account does not need to be a member of that group at all any longer and the updated Permissions Wizard being tested now does not include it there any more. The only thing necessary is for SA/RA rights on the mailstores themselves which is now granted directly. Also, the updated version has a snappy tree view under an "advanced" button that lets you pick and choose which exchange servers/mailstores you want to grant SA/RA rights for the message facing account as opposed to ripping through every mailstore it can see in the forest.
This version of Permissions wizard will be shipping with 4.0(3) - I will be posting it however it grants fewer rights (we cut many out with some help from the MS boys and girls) - however earlier Unity setups will still be expecting those rights so you wont be able to use it as a replacement during setup for 3.1(5) or 4.0(1/2) - I'm trying to figure out how to work around this at the moment - perhaps posting updated XML files for the sysCheck component (this is the guy setup runs that says if it's ok to install with the accounts you have selected or not) - I'm not sure, some more testing is in order.
That said, you don't need the account in the Exchange domain servers group so long as you have SA/RA rights on all the mailstores - this is true in 3.1(x) as well as later 4.0(x) versions... so for that specific problem you should be ok.
The rest of the permissions granted by PW should be doable as is so the manual steps would only be granting SA/RA rights on the mailstores.
Just saw your note - I'm printing it for home so I can read/digest there. Thanks so much (as always). Great to hear from you!
I have a question related to the issues described in this message - giving right in a specific AD tree, and not in all the forest.
I gave my Unity installation account "Full Administrator right" in our Exchange (in our own tree). But, when I'm running the "Configuring Message Store", it says my Unity installation account "does not have Full Administrator right in Exchange".
My question is: Does the Unity installation account need "Full Exchange Administrator right" on all the forest for the installation to succeed?
Which version of Unity are you trying to install? You shouldn't need full Exchange Admin rights in the forest but SysCheck (running under setup) may be checking for it...
We are trying to install Unity 4.0.2.
If Syscheck is checking for Full Admin right on the forrest, do you have any idea how to keep on going with the installation?