Enterprise Vault Accounts and Permissions

Article:TECH76700  |  Created: 2009-01-11  |  Updated: 2013-06-10  |  Article URL http://www.symantec.com/docs/TECH76700
Article Type
Technical Solution

Issue



This article describes the various accounts and users that are involved in an Enterprise Vault environment, as well as the permissions required by each. As some accounts are feature-specific, not every environment will make use of every account and permission listed here. Rather, this article is meant as a reference to double check when troubleshooting permissions-related errors.  For accounts and permissions specific to the Compliance Accelerator and Discovery Accelerator products, refer to TECH200788.


Solution



The user accounts below are each described together with the requirements for that account.



Vault Service Account

Description: The single most important account in Enterprise Vault is the Vault Service Account (VSA). This account is primarily responsible for running the multiple services and tasks on the Enterprise Vault server, but it also has several other responsibilities and requirements, which are detailed below. Enterprise Vault’s archiving tasks operate as this account when evaluating archivable items, copying them into the archive, and replacing the items with shortcuts or placeholders in their original location; therefore, broadly speaking, the VSA requires full (read/write) access to all sources from which items are to be archived (these sources are known as “Targets”). The VSA is the only account that has complete free rein in all areas of the Vault Administration Console (VAC), and it can use the Roles-Based Administration console to assign more focused administration privileges to other accounts. Additionally, an administrator should always log in as the VSA when troubleshooting the system using Dtrace, EVSVR, or other utilities.

Requirements:

The VSA’s requirements in Active Directory

  • The VSA must be a dedicated Active Directory account. Do not reuse one of the built-in Windows accounts (Administrator, Guest, etc.) for the VSA.
     
  • The VSA’s password should be set not to expire.
     
  • It is recommended that the VSA not be a member of the Enterprise Admins group, the Domain Admins group, or any other group that contains a default DENY permission on mailboxes. It is better to start with a standard domain user account and explicitly assign only the required permissions.
     

The VSA’s requirements on the Enterprise Vault server

  • The VSA must belong to the Local Administrators group on all Enterprise Vault servers (even if they only run a subset of the services, such as dedicated Storage or Indexing servers).
     
  • The installation wizard automatically grants the VSA the following user rights on the Enterprise Vault server:
      • Log on as a service
      • Act as part of the operating system
      • Debug programs
      • Replace a process-level token
      • Log on as a batch job
     
  • The VSA must have Full Control permissions (both NTFS and Share) on the PST Holding folder, and it is recommended that this folder be located on the Enterprise Vault server. 
      

The VSA’s requirements in SQL Server

Note: Granting the sysadmin server role to the VSA covers all of the necessary permissions. Read on for the least-privilege requirements.
 

  • The VSA must have a SQL login with the following permissions to the SQL server (instructions):
     

Server role: dbcreator

Server permission: View server state
 

  • The VSA also requires the following rights on the msdb system database (instructions):
     

Select permissions on the sysjobs, sysjobschedules, sysjobservers, and sysjobsteps tables.

SQLAgentUserRole database role
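As an added example (not part of this article and not Symantec's own script), the following PowerShell applies exactly the least-privilege SQL Server rights listed above to the VSA and then verifies them by impersonating the VSA login. It assumes Invoke-Sqlcmd is available (SQLPS or SqlServer module), that the caller is a SQL sysadmin, and that the instance and account names, which are placeholders, are replaced.

```powershell
$Instance = 'EVSQL01'                  # placeholder SQL Server instance
$Vsa      = 'DOMAIN\EVServiceAccount'  # placeholder Vault Service Account

# GRANT SELECT takes one object per statement, so build the four msdb grants in a loop.
$agentTables = 'sysjobs', 'sysjobschedules', 'sysjobservers', 'sysjobsteps'
$tableGrants = ($agentTables | ForEach-Object { "GRANT SELECT ON dbo.$_ TO [$Vsa];" }) -join "`n"

$grantSql = @"
USE [master];
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$Vsa')
    CREATE LOGIN [$Vsa] FROM WINDOWS;
EXEC sp_addsrvrolemember @loginame = N'$Vsa', @rolename = N'dbcreator';
GRANT VIEW SERVER STATE TO [$Vsa];
USE [msdb];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$Vsa')
    CREATE USER [$Vsa] FOR LOGIN [$Vsa];
$tableGrants
EXEC sp_addrolemember @rolename = N'SQLAgentUserRole', @membername = N'$Vsa';
"@
Invoke-Sqlcmd -ServerInstance $Instance -Query $grantSql

# Verify from the VSA's point of view: under EXECUTE AS LOGIN the permission functions
# answer for the VSA, not for the sysadmin running this script.
$checkSql = @"
USE [msdb];
EXECUTE AS LOGIN = N'$Vsa';
SELECT IS_SRVROLEMEMBER('dbcreator')                                  AS dbcreator,
       HAS_PERMS_BY_NAME(NULL, NULL, 'VIEW SERVER STATE')             AS view_server_state,
       IS_MEMBER('SQLAgentUserRole')                                  AS SQLAgentUserRole,
       HAS_PERMS_BY_NAME('dbo.sysjobs', 'OBJECT', 'SELECT')           AS sysjobs,
       HAS_PERMS_BY_NAME('dbo.sysjobschedules', 'OBJECT', 'SELECT')   AS sysjobschedules,
       HAS_PERMS_BY_NAME('dbo.sysjobservers', 'OBJECT', 'SELECT')     AS sysjobservers,
       HAS_PERMS_BY_NAME('dbo.sysjobsteps', 'OBJECT', 'SELECT')       AS sysjobsteps;
REVERT;
"@
$row = Invoke-Sqlcmd -ServerInstance $Instance -Query $checkSql
foreach ($col in $row.Table.Columns) {
    $state = if ($row[$col.ColumnName] -eq 1) { 'OK     ' } else { 'MISSING' }
    Write-Output "$state $($col.ColumnName)"
}
```

The verification half can be run on its own against an existing environment to confirm that a VSA which was never granted sysadmin still has everything the tasks need.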

 

The VSA’s requirements in Exchange

  • The VSA requires full access to all mailboxes and public folders. Choose one of the following options:
      • For Exchange 2003 and earlier, grant the permissions manually using Exchange System Manager (instructions).
      • For Exchange 2007 and later, grant the permissions using the PowerShell script included on the Enterprise Vault media (instructions).
      • For any version of Exchange, grant the permissions manually using ADSIEdit (list of the required permissions; instructions on using ADSIEdit).
     
  • If archiving from Exchange 2010, the VSA is required to have its own mailbox with a custom Throttling Policy (instructions).
    (Note that the mailbox receiving this Throttling Policy is the mailbox associated with the VSA, not the EV System Mailbox discussed below. They are separate mailboxes.)
     
  • In a multiple-domain environment, the VSA must be able to access all domains associated with any Exchange Servers that are to be archived (further details and examples).
     
  • The VSA should not be a member of the built-in Exchange Organization Administrators group.

 

The VSA’s requirements in Domino

The Domino Server service on the Enterprise Vault Domino Gateway must run as the VSA.

 

The VSA’s requirements on an FSA target

For a Windows file server:

  • For releases before Enterprise Vault 10.0.3, the VSA must be a local administrator on each target Windows file server, and must have Full Control permission on each share that is configured as a target volume.
  • From Enterprise Vault 10.0.3, the VSA can instead run as a member of the local Print Operators group on the file server, with a reduced set of permissions and privileges. This change enables archiving from domain controllers and other file servers where local Administrator rights are not permitted for a service account (further details).

 

For a NetApp filer:

  • The VSA must have administrator permissions on the NetApp filer (instructions).

 

The VSA’s requirements in SharePoint

  • The VSA must be a local administrator on each targeted SharePoint Server computer.
  • The VSA must have full access to target site collections and their content.

 

The VSA’s requirements in Microsoft SQL Server Reporting Services

  • The VSA requires a Content Manager role in Microsoft SQL Server Reporting Services.
  • The VSA must be a local administrator on the Microsoft SQL Server Reporting Services computer. 

 

The EV System Mailbox

Description: If archiving Microsoft Exchange, an EV System Mailbox needs to be created on each Exchange Mailbox server that will be archived. The EV System Mailbox is not the same as the System Mailbox that Exchange creates, nor is it just the mailbox associated with the VSA. The EV System Mailbox is a separate mailbox used by the Exchange Mailbox, Journaling, and Public Folder Archiving tasks when connecting to Exchange.

Requirements:


The EV System Mailbox’s requirements in Active Directory
  • Each EV System Mailbox should be a dedicated Active Directory account. Do not reuse one of the built-in Windows accounts (Administrator, Guest, etc.) for an EV System Mailbox.
  • The EV System Mailbox must not be disabled in Active Directory or hidden from any address lists.

 

The Domino Archiving User

Description: If archiving Lotus Domino, a Domino archiving user needs to be created to access the users’ mail databases using a Lotus Notes ID file. This user needs permission to all the mail files that will be archived.

Requirements:


The Domino archiving user’s requirements in Domino
 
If archiving all messages regardless of read/unread state:
  • Editor access, plus Delete Documents and Create shared folders/views

If read/unread state will affect archiving eligibility:

The Enterprise Vault Reporting User

Description: The Enterprise Vault reporting user is the conduit between the information in the Enterprise Vault databases and the Enterprise Vault Reporting feature that builds that information into useful reports. The reporting user provides the context for Enterprise Vault Reporting to access the Enterprise Vault databases. 

Requirements:


The Enterprise Vault reporting user’s requirements in Active Directory
  • The reporting user’s password should be set not to expire.
  • The reporting user’s account must not be disabled.
  • The option User Must Change Password At Logon should not be selected.
  • The option User Cannot Change Password should not be selected.

 

 

The Enterprise Vault reporting user’s requirements in SQL Server
  • All the required SQL server roles and permissions are set up by running the Reporting Configuration Utility (instructions).

The Monitoring User

Description: The Enterprise Vault monitoring user is the conduit between the information in the Enterprise Vault databases and the Enterprise Vault Operations Manager feature that allows for remote monitoring of the Enterprise Vault system. The monitoring user provides the context for Enterprise Vault Operations Manager to access the Enterprise Vault databases.

Requirements:

 
The Enterprise Vault monitoring user’s requirements in Active Directory
  • The monitoring user’s password should be set not to expire.
  • The monitoring user’s account must not be disabled.
  • The option User Must Change Password At Logon should not be selected.
  • The option User Cannot Change Password should not be selected.

 

The OWA Data Access Account

Description: The OWA Data Access Account (often called the “OWA anonymous user”) is a domain account that is used by the Exchange CAS server to make requests for archived items on behalf of OWA users. It should be a separate account; do not reuse the VSA as the OWA Data Access Account.

Requirements:

The OWA Data Access Account’s requirements in Active Directory
  • The OWA Data Access Account’s password should be set not to expire.
  • The OWA Data Access Account must not be disabled.
  • The option User Must Change Password At Logon should not be selected.
  • The option User Cannot Change Password should not be selected.


The OWA Data Access Account’s requirements on the Enterprise Vault server

 

The OWAUser.wsf script (instructions) automatically grants the OWA Data Access Account the following user rights on the Enterprise Vault server:
  • Access this computer from the network
  • Allow log on locally
  • Log on as a batch job
  • Bypass traverse checking

User for PST Migrations

Description: If migrating PST files using the server driven method (Locate, Collect, Migrate), it is recommended to create a separate account to run the PST tasks, rather than running them under the Vault Service Account.

Requirements:

The PST user’s requirements in Active Directory
  • The PST user must have local administrative access to all workstations, servers, and network locations on which it will Locate PST files. This can be achieved by adding the PST user to the Domain Admins, Enterprise Admins, or another appropriate group.
  • Using Group Policy (instructions), ensure that the PST user has the following user rights assigned on all computers on which it will Locate PST files:
      • Log on as a service
      • Replace a process-level token
      • Act as part of the operating system

The PST user’s requirements on the Enterprise Vault server
  • The PST user must have Full Control permissions to the PST Holding folder, and it is recommended that this folder be located on the Enterprise Vault server.
  • The PST user must have the PST Administrator role in Enterprise Vault’s Authorization Manager (instructions).
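Three of the accounts above are expected to hold specific user rights: the VSA on the Enterprise Vault server, the OWA Data Access Account on the Enterprise Vault server, and the PST user on every computer it will Locate PST files on. The PowerShell below is an added example (not from this article and not a Symantec tool) that reads the local security policy with secedit and reports which of the article's listed rights the given account is directly assigned. It assumes an elevated prompt on the computer being checked; the account name is a placeholder.

```powershell
param(
    [string]$Account = 'DOMAIN\EVServiceAccount',  # placeholder: account to check
    [ValidateSet('VSA', 'OWA', 'PST')]
    [string]$Role = 'VSA'                         # which of the article's lists to apply
)

# The user rights the article lists per account, named by their policy constants.
$RequiredRights = @{
    VSA = @('SeServiceLogonRight',            # Log on as a service
            'SeTcbPrivilege',                 # Act as part of the operating system
            'SeDebugPrivilege',               # Debug programs
            'SeAssignPrimaryTokenPrivilege',  # Replace a process-level token
            'SeBatchLogonRight')              # Log on as a batch job
    OWA = @('SeNetworkLogonRight',            # Access this computer from the network
            'SeInteractiveLogonRight',        # Allow log on locally
            'SeBatchLogonRight',              # Log on as a batch job
            'SeChangeNotifyPrivilege')        # Bypass traverse checking
    PST = @('SeServiceLogonRight',            # Log on as a service
            'SeAssignPrimaryTokenPrivilege',  # Replace a process-level token
            'SeTcbPrivilege')                 # Act as part of the operating system
}

# secedit writes principals as *SID rather than names, so resolve the account first.
$nt  = New-Object System.Security.Principal.NTAccount($Account)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Export only the user-rights area of the local policy and parse its [Privilege Rights].
$inf = Join-Path $env:TEMP 'ev-user-rights.inf'
secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
$granted = @{}
foreach ($line in Get-Content $inf) {
    if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
        $granted[$Matches[1]] = @($Matches[2].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') })
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue

# Report each right the role needs. Only direct assignments show up here; a right
# inherited through group membership (e.g. Administrators) is not detected.
$missing = 0
foreach ($right in $RequiredRights[$Role]) {
    $holders = $granted[$right]
    if (($holders -contains $sid) -or ($holders -contains $Account)) {
        Write-Output "OK       $right"
    } else {
        Write-Output "MISSING  $right"; $missing++
    }
}
exit $missing   # non-zero exit code = number of missing rights, for scheduled checks
```

A MISSING line for a right the installer or OWAUser.wsf should have granted is a quick way to narrow down the logon-failure and access-denied errors this article is meant to help troubleshoot.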

 

 




Legacy ID



337103

