Unityinstall needed Exchange Full Admin rights at ORG level

Hi-

When we did our Unity 4.0(3) upgrade this past weekend, we had problems with the Message store configuration wizard. It complained the unityinstall account did not have Exchange Full Admin rights. We had run the 4.0(3) permissions wizard in production, but had only set the Exchange permissions at our administrative group and domain level NOT at the top organization level. The organization level is administered by a different data center group and domain, who function as the Enterprise Admins. We believed we did not need this level of permissions with 4.0(3) since we would only be importing subscribers from our own domain. After contacting them and getting the necessary Exchange permissions set and replication between our two domains, we were able to continue. They would like an explanation of why Exchange Full Admin is needed for the unityinstall account and why Exchange View is needed for unitydirsvc (we only import subscribers from AD). I know they will also ask if these permissions can be removed at the ORG level, now that we have Unity upgraded. What problems would we encounter with Unity if that was done?

Thanks for your help!

Ginger

5 REPLIES
New Member

Re: Unityinstall needed Exchange Full Admin rights at ORG level

We are experiencing exactly the same problem, but for a fresh install, not an upgrade. Once again, the Exchange ORG level admin is outside of our control and at the moment they are not providing the Exchange Admin rights that we require. Is there any way of doing it only at the Admin Group level? If not, and the rights have to be at Org, what does the unityInstall account do with the full rights, as Ginger has asked? Can it be used as a temp user and removed post install?

Thanks also

Cisco Employee

Re: Unityinstall needed Exchange Full Admin rights at ORG level

Yes, you can create an account that you use to install Unity and then remove it when you're done (provided, of course, you don't use the same account for your directory or message store access account!).

The messaging team is working with Microsoft to see specifically which rights we have to grant individually to replace membership in the Exchange admins group - most of it swirls around the SA/RA rights (specifically the ability to grant them to other accounts) and a few other things. If we can trim it back and have it still work reliably we will but currently that investigation is still in progress and there's lots of testing that will be needed after that (fiddling with permissions is always the 3rd rail of testing here).

So I would suggest getting a temporary installation account and installing Unity and then removing the account - you can't get much safer than that.

Re: Unityinstall needed Exchange Full Admin rights at ORG level

Hi Jeff -

Your additional information is much appreciated! Sometime this year, we will be migrating to Exchange 2003, at which point I will need to rerun the Message Store Configuration Wizard. So if the Exchange Full Admin rights for the unityinstall account get removed at the ORG level, we would need to have them reinstated again. From your post, sounds like there might be a revised permissions document available in the future depending upon the results with Microsoft. I will look forward to reading more about that!

Thanks again,

Ginger

Gold

Re: Unityinstall needed Exchange Full Admin rights at ORG level

Just to add a little reason to why things are the way they are...

With AD permissions there are hundreds of ways to skin a cat. The only true way for the Unity installer to determine if it has all the rights it needs is to test the permissions of every single object. This means users, distribution lists, contacts, mailbox stores, OUs and so on. If you have 5000 users or 100 mailbox stores that isn't going to scale and setup would take days to complete. So, what we do instead is check permissions at a specific level and assume that they are being inherited from that point down. To do this we need a cookie cutter place to look for all customers, so for Exchange we chose the Org. As you have found, we don't necessarily need rights at that level but it is the only place we can check to ensure that 99% of customers have permissions set correctly.

On the flip side, rights can be configured at a specific level, but an explicit deny or inheritance being disabled can make it appear to the Unity installer that permissions are in place when in fact they are not. (This is what you saw the other day with the Exchange 2003 ForestPrep setting that deny ACE.) Again, the only surefire way around this would be to have the Permissions Wizard set rights on every single object, which doesn't scale.

In a perfect world we could check and set permissions everywhere, but I don't see that happening. So to support the economies of scale we will probably continue to do this (unless somebody can show us a better way) and customers that find themselves outside of the norm will have to do what you did and work around the issue.

Maybe we should put a check in place to see if you are upgrading and skip checking permissions unless it is a new install. Hmmm -- that might help.

Hope that explains things better...

Keith :-)
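An added example, not code from this thread or from Cisco: the two conditions Keith describes (inheritance disabled on a child object, and an explicit Deny ACE that hides behind an Allow granted higher up) can be audited from the administrator's side with the ActiveDirectory module's AD: drive. The script below does the per-object walk the installer avoids for scale reasons, so on a large tree it is slow; the account name, OU and right are placeholders to replace with your own, and only ACEs naming the account directly are matched (Deny entries reaching the account through group membership are not resolved).

```powershell
# Added example (not from the thread). Audits every object under a search
# base for ACL conditions that defeat a "check once at the Org and assume
# inheritance" test. Assumes the RSAT ActiveDirectory module is installed.
Import-Module ActiveDirectory

function Find-InheritanceGaps {
    [CmdletBinding()]
    param(
        # Account whose effective rights are being checked, as DOMAIN\name (placeholder).
        [Parameter(Mandatory)] [string] $Identity,
        # Container below which every object is examined (placeholder).
        [Parameter(Mandatory)] [string] $SearchBase,
        # Right that must be present everywhere; GenericAll is "Full Control".
        [System.DirectoryServices.ActiveDirectoryRights] $Right = 'GenericAll'
    )

    # Enumerate the whole subtree; -ResultSetSize $null removes the page cap.
    $objects = Get-ADObject -SearchBase $SearchBase -SearchScope Subtree `
                            -Filter * -ResultSetSize $null

    foreach ($obj in $objects) {
        $acl = Get-Acl -Path "AD:\$($obj.DistinguishedName)"

        # Condition 1: inheritance is blocked on this object, so an Allow
        # observed on a parent container proves nothing about this object.
        if ($acl.AreAccessRulesProtected) {
            [pscustomobject]@{
                Object = $obj.DistinguishedName
                Issue  = 'InheritanceBlocked'
                Detail = 'ACL is protected; parent permissions do not flow down'
            }
        }

        foreach ($ace in $acl.Access) {
            # Condition 2: an explicit (non-inherited) Deny for this account
            # overlapping the right in question. An explicit Deny is evaluated
            # before an inherited Allow, so the account can look fully
            # privileged at the Org and still be blocked on this object.
            $overlaps = ($ace.ActiveDirectoryRights -band $Right) -ne 0
            if ($ace.AccessControlType -eq 'Deny' -and
                -not $ace.IsInherited -and
                $ace.IdentityReference.Value -eq $Identity -and
                $overlaps) {
                [pscustomobject]@{
                    Object = $obj.DistinguishedName
                    Issue  = 'ExplicitDeny'
                    Detail = "Deny $($ace.ActiveDirectoryRights) for $Identity"
                }
            }
        }
    }
}

# Usage with placeholder names; an empty result means neither condition was found.
Find-InheritanceGaps -Identity 'CORP\unityinstall' `
                     -SearchBase 'OU=Exchange,DC=corp,DC=example' |
    Format-Table -AutoSize
```

Running this against the administrative group's containers before the Message Store Configuration Wizard gives the objects on which the wizard's top-down assumption would be wrong, which is the same information the per-object check Keith rules out for the installer would produce, just done once by the administrator rather than on every setup.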

Re: Unityinstall needed Exchange Full Admin rights at ORG level

Hey Keith -

Excellent detail and explanation, as we have come to enjoy seeing from you! Thanks so much! Hope you don't mind another thought on this from the 4.0(3) permissions wizard angle? Since the 4.0(3) permissions wizard gives the administrator the ability to specify from which information stores subscribers will be imported, could the Message Store Configuration Wizard check to see what mailstores were specified? In our particular instance, it would have seen we had only specified mail stores in our Administrative group PWA. Just curious - maybe a registry key could be checked? But I also like your idea of putting a check in place if you are upgrading.

Sincerely,

Ginger
