Permissions configuration required for the use of Control Compliance Suite, CCS, with Exchange.

Article:TECH169111  |  Created: 2011-09-08  |  Updated: 2014-12-08  |  Article URL http://www.symantec.com/docs/TECH169111
Article Type
Technical Solution


Issue



What permissions are required to configure Exchange?


Error



N/A


Environment



N/A


Cause



N/A


Solution



Permissions required for Exchange configuration

The following permissions are required to configure Exchange 2007:
- Information Store: RMS Query service account.
- Exchange Full Administrator in Exchange 2003, Exchange Organization Administrator in Exchange 2007, and the Organization Management role in Exchange 2010.
- These permissions should be assigned explicitly to the Exchange role.
- Local Administrator rights are required on all Exchange servers to be queried.
- AD Enterprise Admin Group: This permission is not required if the account has the appropriate role assigned in Microsoft Exchange, and is also a local Administrator on the server.
 
Trust relationships
 
bv-Control for Microsoft Exchange requires that there be a trust relationship
between the domains containing the Microsoft Exchange servers. If the trusts do
not exist, bv-Control for Microsoft Exchange will not be able to report on servers
residing in the untrusted domain. The user must have certain rights and
permissions to be able to access information on the server in the Microsoft
Exchange organization.
The user account that is specified in the Credential Database and the user logged
on to the Console must have the following rights and permissions:
- The computer must be a member of the domain or in a trusted domain where the Exchange organization resides.
- Microsoft Outlook must be configured for Corporate or Workgroup mail support. Internet mail is not sufficient.
- Microsoft Outlook must be configured as your default mail provider.
- The user must have administrative rights on the local computer.
- The user and credential accounts must have Administrator rights to the Windows servers running Exchange.
- The user and credential accounts must have rights in the Exchange organization.
 
User and credential account rights
 
Ensure that the following requirements about the user and credential account
rights are met:
- If your Exchange organization is in native Exchange 2000 or 2003, or mixed mode, the MAPI/Exchange mailbox account must be configured with the user’s logon account. Otherwise, you can grant Windows administrator rights to all mailboxes in the entire organization by changing the permissions on the organization object at the top of the Exchange System Manager tree.
- In Exchange 2000 and Exchange 2003, even Enterprise Administrators are denied rights to access all mailboxes by default. The denial is set explicitly for administrators on the organization object by denying the Receive As and Send As rights. You can clear these denials for accounts for which you want full access.
 
Permission requirements for Exchange environment
 
Prior to deploying bv-Control for Microsoft Exchange, ensure that all the systems
running the product are set up with the required permissions. The permissions
required are dependent on your Exchange environment.
The permissions required for Exchange 2000 or Exchange 2003 servers are as
follows:
- Permissions to systems running bv-Control for Microsoft Exchange
- Permissions to Windows servers running Microsoft Exchange
- Permissions to the Exchange 2000 or Exchange 2003 organization
- Permissions to Exchange 2000 or Exchange 2003 mailboxes
 
Windows account(s) usage
 
The RMS Console and bv-Control for Microsoft Exchange software are designed
to support the program operation under different security contexts. The Console
runs as the login account and performs operations as the login user, whereas
the Information Server runs as a Service or System Account and uses Credential
Database credentials specified during the configuration to perform operations.
Because of this design, features that execute on the Console rely upon the login
account to have the required access. Features that execute at the Information
Server rely upon the Credential Database account to have the required access. If
the login account differs from the account specified in the Credential Database,
both accounts must have access to your enterprise.
 
Permissions to bv-Control for Microsoft Exchange system
 
The accounts must have the administrative rights to the Windows servers running
bv-Control for Microsoft Exchange. This requirement includes both the Console
and the Information Server host systems. Administrative rights are granted by
direct or indirect membership in Administrators groups using the default
configuration. If the system or domain policy for the Administrators groups has
been restricted, bv-Control for Microsoft Exchange may not function properly.
 
Windows domain member
 
If you are running Windows 2000, Windows Server 2003, Windows XP Professional,
or Windows Vista and your system is a domain member, the Windows rights can
be granted by membership in the local computer Administrators group.
Membership in this local machine group should be verified and granted using the
Windows Computer Management application under Administrative Tools in the
Control Panel. Ensure that the accounts are either members of groups that are
members of the local machine Administrators group, or are explicitly added as
members of the group.
 
Windows domain controller
 
If you are running Windows 2000, Windows Server 2003, Windows XP Professional,
or Windows Vista and your system is a domain controller, rights are granted by
membership in the domain local administrators group. Membership in this domain
local group should be verified and granted using the Microsoft Exchange Active
Directory Users and Computers application. Ensure that the accounts are either
members of groups that are members of this built-in group, or are explicitly added
as members of the group. These rights are used when reading file or registry
information and creating process threads during program operation.
 
Permissions to Windows servers running Exchange
 
The accounts must have the administrative rights to the Windows servers where
Microsoft Exchange is installed. These rights can be granted by direct or indirect
membership in Administrators groups using the default configuration. If the
system or domain policy for the Administrators groups has been restricted,
bv-Control for Microsoft Exchange may not function properly.
 
Windows NT domain member
 
If Microsoft Exchange runs on a Windows NT server and is a domain member,
Windows rights can be granted by membership in the local machine Administrators
group. Membership in the local machine Administrators group should be granted
using the User Manager for Domains application by connecting to the local
computer (specify \\Computer_Name as the domain name). Ensure that the
accounts are either members of groups that are members of the local machine
Administrators group, or are explicitly added as members of the group.
 
Windows NT domain controller
 
If Microsoft Exchange runs on Windows NT server and is a domain controller,
rights are granted by membership in the domain local Administrators group.
Membership in this domain local group should be granted using the User Manager
for Domains application. Ensure that the accounts are either members of groups
that are members of this built-in group or are explicitly added as members of the
group.
 
Windows 2000, 2003, and XP domain member
 
If Microsoft Exchange runs on a Windows 2000, Windows Server 2003, or Windows
XP server and is a domain member, Windows rights can be granted by membership
in the local machine Administrators group. Membership in the local machine
group should be granted using the Windows Computer Management application
under Administrative Tools in the Control Panel. Ensure that the accounts are
either members of groups that are members of the local machine Administrators
group, or are explicitly added as members of the group.
 
Windows 2000, 2003, or XP domain controller
 
If Microsoft Exchange runs on Windows 2000, Windows Server 2003, or Windows
XP server and is a domain controller, rights are granted by membership in the
domain local Administrators group. Membership in this domain local group should
be granted using the Microsoft Exchange Active Directory Users and Computers
application. Ensure that the accounts are either members of groups that are
members of this built-in group, or are explicitly added as members of the group.
The rights are used when reading file or registry information from the servers to
retrieve configuration and current-state data about the Windows Exchange server.
 
Access to mailbox specified in the configuration
 
The accounts must have full control to the mailbox specified in the configuration.
The accounts must have Full Mailbox Access rights if it is residing on an Exchange
2000 or Exchange 2003 server. Exchange automatically grants full control if the
mailbox specified is the mailbox associated with the account. In this case, no
changes are necessary. If the mailbox is not the associated mailbox for the account,
permission must be granted.
 
For mailbox residing on Exchange 2000/2003
 
For a mailbox that resides on an Exchange 2000 or Exchange 2003 server,
permissions can be granted using the Microsoft Exchange Active Directory Users
and Computers application. Mailbox rights can be obtained indirectly by Global
Group membership or be assigned directly to the accounts. However, there cannot
be a Deny for the groups. These rights are used when creating a MAPI profile and
establishing MAPI connections to the Exchange Servers.
Locate the Active Directory user object with which the mailbox is associated, select
the Exchange Advanced tab, and click Mailbox Rights. Ensure that the accounts
or the group either inherit the Full Mailbox Access right from the container
object, or are explicitly granted Full Mailbox Access rights to the mailbox.
By default, the Exchange Advanced tab is disabled. You can enable it by clicking
View and selecting Advanced Features. You must have Exchange System Manager
installed on the system that is running the Microsoft Exchange Active Directory
Users and Computers application to extend programmatic support.
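
The requirements above can be audited before the account is handed to CCS. The following PowerShell is an added example, not Symantec's code; it assumes the Exchange 2010 Management Shell, and the account name CONTOSO\svc-ccs and the mailbox ccs-config are placeholders.

```powershell
# Added example: audit a CCS query account against the requirements listed above.
# Run from the Exchange Management Shell on Exchange 2010.
param(
    [string]$Account = 'CONTOSO\svc-ccs',  # placeholder credential/query account
    [string]$Mailbox = 'ccs-config'        # placeholder mailbox from the configuration
)
$sam = $Account.Split('\')[-1]
$report = @()
function Add-Result($Check, $Target, $Pass) {
    New-Object psobject -Property @{ Check = $Check; Target = $Target; Pass = [bool]$Pass }
}

# Exchange role assigned explicitly: direct membership in Organization Management.
$role = Get-RoleGroupMember 'Organization Management' |
    Where-Object { $_.SamAccountName -eq $sam }
$report += Add-Result 'Organization Management (direct)' 'organization' $role

# Local Administrators on every Exchange server (direct members only; a listed
# group may still contain the account, so a False here needs a manual look).
foreach ($srv in Get-ExchangeServer) {
    $group = [ADSI]"WinNT://$($srv.Name)/Administrators,group"
    $names = @($group.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
    $report += Add-Result 'Local Administrators (direct)' $srv.Name ($names -contains $sam)
}

# Full access to the configured mailbox, with no Deny entry for the account.
# The account's own mailbox grants this implicitly and may show no entry here.
$acl  = @(Get-MailboxPermission -Identity $Mailbox -User $Account |
    Where-Object { $_.AccessRights -contains 'FullAccess' })
$deny = @($acl | Where-Object { $_.Deny })
$report += Add-Result 'Full mailbox access, no Deny' $Mailbox ($acl.Count -gt 0 -and $deny.Count -eq 0)

# Least privilege: Enterprise Admins is not required once the checks above pass.
# Requires the ActiveDirectory module (RSAT) and a forest root domain controller.
Import-Module ActiveDirectory
$ea = Get-ADGroupMember 'Enterprise Admins' -Recursive |
    Where-Object { $_.SamAccountName -eq $sam }
$report += Add-Result 'Not in Enterprise Admins' 'forest' (-not $ea)

$report | Format-Table Check, Target, Pass -AutoSize
```

A row with Pass set to False for a "(direct)" check can still be satisfied through nested group membership, which the article permits for the Administrators groups.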


