Cisco Support Community
Gold

Unity stumbles when faced with adverse Active Directory permissions

We have several customers using various revisions of Unity 3.x and Unity 4.x. During a few of our installations, we have noticed a problem with Unity's handling of Active Directory permissions issues.

We run the Permissions Wizard normally, the install goes normally, etc. Most users can be imported and work just fine. However, for whatever reason, several customers of ours have had a few users marked with the "Allow inherit" permissions checkbox turned off. This means that the users in question don't inherit the permissions from higher in the tree that allow the Unity role accounts to act on that user, and thus Unity can't modify that user. This means Unity can't add them as a subscriber or otherwise service that account.

One might say that's just something we have to fix in Active Directory, and you would be absolutely right. However, here is the problem: Unity doesn't stop you from adding the user, but breaks messily in the middle of the process. You end up with a non-functional subscriber that you can't view, modify or most importantly, delete. You get no notice that there was a permissions issue (except in Event Viewer). You just get a broken user with no (supported) way to repair the problem. Unity continues to run fine, but even if you repair that user's AD permissions, there's no way to repair that particular Unity subscriber during runtime.

It seems like every install we've been on lately, there have been one or a few users with their permissions set strangely like this. It would be completely acceptable if Unity would refuse to import them, but instead we end up in a state where not even dbwalker can repair the database. We have to go in with SQL Enterprise Admin and remove the Subscriber and Call Handler table entries for the invalid user, and then restart the Unity service. Obviously this is bad if we add a broken user on a production deployment. There's no convenient way that I know of to find all users with inheritance turned off, so we get to do an extremely time-consuming review of the entire user database or we get to play Russian roulette every time we add a user.

I guess what I'm looking for here is an idea if anybody else is running into this, and if there's a workaround or fix. The fact that Active Directory permissions are wrong obviously isn't Unity's fault, but I think that Unity could be a lot more robust in the face of such an issue.
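As an added check that is not part of the original post, the PowerShell below (assuming the RSAT ActiveDirectory module on a domain-joined host) finds every user whose ACL has inheritance disabled, the condition described above, and separates members of protected groups (whose ACL comes from AdminSDHolder) from objects where inheritance was cleared by hand.

```powershell
# Added example (not from the original post): list AD users whose ACL does not
# inherit from the parent container, and tell apart the two causes.
# Requires the RSAT ActiveDirectory module; read-only, nothing is changed.
Import-Module ActiveDirectory

# Constructed placeholder: narrow this to the OU you import subscribers from.
$SearchBase = (Get-ADDomain).DistinguishedName

$users = Get-ADUser -Filter * -SearchBase $SearchBase `
    -Properties adminCount, nTSecurityDescriptor

$report = foreach ($u in $users) {
    # AreAccessRulesProtected is $true when "Allow inheritable permissions"
    # is unchecked on the object, i.e. the OU-level grants never reach it.
    if ($u.nTSecurityDescriptor.AreAccessRulesProtected) {
        [pscustomobject]@{
            SamAccountName    = $u.SamAccountName
            # adminCount=1 is stamped by SDProp on protected-group members;
            # their ACL is a copy of AdminSDHolder, so the fix belongs there.
            ProtectedBySdProp = ($u.adminCount -eq 1)
            # Otherwise someone cleared inheritance by hand; fix the object.
            ManuallyBlocked   = ($u.adminCount -ne 1)
            DistinguishedName = $u.DistinguishedName
        }
    }
}

$report | Sort-Object ProtectedBySdProp -Descending |
    Format-Table SamAccountName, ProtectedBySdProp, ManuallyBlocked, DistinguishedName -AutoSize

$total  = @($report).Count
$sdprop = @($report | Where-Object ProtectedBySdProp).Count
"{0} users block inheritance: {1} via AdminSDHolder, {2} set by hand." -f $total, $sdprop, ($total - $sdprop)
```

Run it before a subscriber import so the affected accounts are known ahead of time rather than discovered as broken subscribers.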

4 REPLIES
Gold

Re: Unity stumbles when faced with adverse Active Directory perm

I'm in the process of publishing a doc on this issue this week. Also the 4.0(3) permissions wizard will set these rights automatically. Here are the contents of the doc more or less:

Title:

Members of protected groups do not inherit permissions set by the Cisco Unity Permissions Wizard from their parent container.

Introduction:

This document applies to Cisco Unity 3.0(1) and later integrated with Exchange 2000, Exchange 2003, mixed Exchange 2000 and Exchange 2003 or mixed Exchange 2000 and/or Exchange 2003 with Exchange 5.5.

Within Active Directory there is a concept known as a protected group. User objects can be either explicit or transitive members of a protected group. Explicit members are those who are members of the protected group and transitive members are those who are members of another security or distribution group which in turn is a member of a protected group.

User objects associated with protected groups do not follow the standard Active Directory hierarchical permissions model. Instead of inheriting permissions from their parent container their ACL is a copy of the ACL on the AdminSDHolder object. Once an hour, the domain controller which holds the PDC emulator FSMO role will compare the ACL for user objects associated with protected groups against the ACL on the AdminSDHolder object. If a discrepancy is found between the ACL for a user object associated with a protected group and the AdminSDHolder object, the user object ACL will be updated to match the current ACL of the AdminSDHolder object.

The following list describes the protected groups in Windows 2000:

• Enterprise Admins

• Schema Admins

• Domain Admins

• Administrators

The following list describes the protected groups in Windows Server 2003 and in Windows 2000 after you apply the 327825 hotfix or Service Pack 4:

• Administrators

• Account Operators

• Server Operators

• Print Operators

• Backup Operators

• Domain Admins

• Schema Admins

• Enterprise Admins

• Cert Publishers

Additionally the following users are also considered protected:

• Administrator

• Krbtgt

Problem:

The Cisco Unity Permissions Wizard does not assign permissions to the AdminSDHolder object. Since permissions are not assigned to the AdminSDHolder object, Cisco Unity is not able to write the data necessary to maintain normal operation with user objects associated with protected groups.

Solution:

Several possible solutions exist to this problem. The method recommended by Cisco to correct this issue is to assign the following rights to the Cisco Unity Directory Service Account on the AdminSDHolder object for each domain that Unity will service users in:

Applied on this object only:

• List contents

• Read all properties

• Write all properties

Within one hour the new ACL will be updated on the user objects associated with the protected groups to reflect the changes.

NOTE: To set permissions on the AdminSDHolder object with Active Directory Users and Computers the Advanced Features must be selected from the View menu.

The AdminSDHolder object is in the following location for each domain in the Active Directory Forest:

CN=AdminSDHolder,CN=System,DC=Cisco,DC=Com

Where "DC=Cisco,DC=Com" is the distinguished name (DN) of the domain.
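As an added example that is not part of the reply above or of any Cisco tool, this PowerShell audits whether a given account holds the three rights the reply lists on AdminSDHolder, and adds the ACE ("this object only") only when run with -Apply; it assumes the RSAT ActiveDirectory module and a placeholder sAMAccountName of UnityDirSvc for the Unity Directory Service Account.

```powershell
# Added example: audit (and optionally grant) the AdminSDHolder rights from the
# reply above. Requires the RSAT ActiveDirectory module; audit-only by default.
param(
    # Constructed placeholder: sAMAccountName of the Unity Directory Service Account.
    [string]$ServiceAccount = 'UnityDirSvc',
    [switch]$Apply
)
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$holderDn = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
$acl      = Get-Acl -Path "AD:\$holderDn"
$sid      = (Get-ADUser -Identity $ServiceAccount).SID

# "List contents", "Read all properties", "Write all properties".
$required = [System.DirectoryServices.ActiveDirectoryRights]'ListChildren, ReadProperty, WriteProperty'

# Union of rights the account already holds through Allow ACEs on this object.
$held = 0
foreach ($ace in $acl.Access) {
    $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    if ($ace.AccessControlType -eq 'Allow' -and $aceSid -eq $sid.Value) {
        $held = $held -bor [int]$ace.ActiveDirectoryRights
    }
}
$missing = [int]$required -band (-bnot $held)
if ($missing -eq 0) {
    "$ServiceAccount already holds the required rights on $holderDn"
    return
}
"$ServiceAccount is missing: $([System.DirectoryServices.ActiveDirectoryRights]$missing)"

if ($Apply) {
    # "Applied on this object only" = InheritanceType None; SDProp copies the
    # resulting DACL to protected users on its next hourly pass.
    $rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $sid, $required,
        [System.Security.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$holderDn" -AclObject $acl
    "ACE added to $holderDn; protected users will pick it up within the hour."
}
```

Because "Write all properties" on AdminSDHolder lands on every protected account, Domain Admins included, the service account that receives it should be guarded and monitored as a tier-0 credential.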

Re: Unity stumbles when faced with adverse Active Directory perm

Thanks for the excellent reply, although there is one piece still lingering:

Your document will address the root cause and hopefully ensure it doesn't happen anymore. But one could argue Unity should still stop shooting itself in the foot. If a user import is unsuccessful, it should automatically remove the user from SQL.

Any time Unity puts itself in a position where a user import has failed, but the user cannot be A) deleted or B) fixed from the Unity SA Web, it could be argued that this is improper behavior.

At the very least, an AnswerMonkey tool to remove this user would be helpful [or maybe it already exists; I didn't research]. At best, Unity would check the success (or failure) of the user import and react accordingly.

Thoughts?

Either way, thanks; your reply was excellent.

Cisco Employee

Re: Unity stumbles when faced with adverse Active Directory perm

One of the problems here is waiting for the directory monitors to come back and tell us the "synch" to the directory failed or not - having the user wait there at the SA interface while this happens (which can take several minutes depending on topology issues) is not practical so this is done in the background. You can check out some code samples I posted on www.CiscoUnityTools.com for some details on how/why this works that way and how to use the synch ticket method for checking later if a synch of a new user or an existing user into the directory failed. The architecture overview document out on the Documents page also provides some insights into the difficulties here.

But yeah, you're right... I should pump up dbWalker to find users that do not have a valid DirectoryID value indicating they are not currently tagged to a user in the directory - that's a little dangerous since it could be waiting for a synch to complete and I'd have no way of easily figuring that out... waxing a user in that case would be bad but it might be a good option to add to the walker.

Silver

Re: Unity stumbles when faced with adverse Active Directory perm

I just wanted to add a few comments here:

If you do delete the incomplete subscribers out of the subscriber table, you should not have to restart the Unity service.

At the most you should only have to wait for a resync.

In all of the customers that I have worked with, the deletion fixes the problem immediately, without a restart, and the changes have not caused any issues with their production environment.
