Enterprise Vault 9 - Exchange 2010 Permissions

Created: 30 Mar 2012 • Updated: 28 Apr 2012 | 7 comments
lukassc's picture
This issue has been solved. See solution.

Hi everyone! I have a doubt concerning the permissions assigned to the VSA with Exchange 2010.

We don't want to do it with the script that Symantec created; we want to do it manually. In the script we noticed that several permissions take place, like Send As, Receive As, read only, etc.

My question is, what kind of permissions does the VSA need, and is there any recommendation for doing it manually?

Thx to all!!

AndrewB's picture

I believe the steps are outlined in the Installing_and_Configuring.pdf, if you want to have a look, starting at page 63.

Andy Becker | Authorized Symantec Consultant | Trace3 | Symantec National Partner |

lukassc's picture

Already read that, I don't want to use any script.

Thx anyway

AndrewB's picture

There's a table that lists all the permissions that are assigned by the scripts. I thought that might have been what you were asking for.

Andy Becker | Authorized Symantec Consultant | Trace3 | Symantec National Partner |

JesusWept3's picture

If you just read the scripts it will show you what you need.
But why don't you want to use the scripts? It just seems like you're making more work for yourself!

lukassc's picture

The script seems to run inheritance in some cases. What I need to know is in which cases, and the specific permissions that the script assigns.

Already saw the table, thx again, but there is no information about the Function in the script. It's not only the "Send As" and "Receive As" permissions like the manual said.

I don't want to use the script because I have several Exchange servers in the same organization, and this script includes all of them. I just want to run the permissions on certain Exchange databases.

Ameen's picture

If you open that script in any PowerShell editor then you will come to know what the script is doing. I would suggest you use the script instead of doing it manually, as the intention of the script is to reduce confusion and make life easier.

AndrewB's picture

I just found this for you. I think it should be very close to what you've been looking for.

When minimal permissions can be used
The SetEVExchangePermissions.ps1 script, supplied with Enterprise Vault, is intended to apply permissions that ensure all Enterprise Vault functionality works without the need for additional configuration when new Exchange servers or databases are added into the Exchange organization.
In some circumstances it is possible to set the permissions at lower levels than detailed in the Enterprise Vault Installing and Configuring guide, and by the provided script SetEVExchangePermissions.ps1.
It is assumed that manual configuration of targets is to be completed. If the Getting Started Wizard is to be used instead then this requires a broader set of read permissions in order to automatically locate various objects (for example journal mailboxes) and therefore the minimal permissions approach detailed in this document cannot be used.
The minimal permissions must be applied manually using either AdsiEdit.msc or via the Exchange PowerShell command Add-ADPermission. When applying the permissions take care to note the required inheritance otherwise Enterprise Vault will not function correctly.

Minimal permissions required on information store objects
The following permissions are required on the information store objects (mailbox databases/public folder databases). These allow Enterprise Vault to access mailboxes and public folders. Applying these permissions at the lowest level in the Exchange hierarchy in Active Directory is discussed later.

| Permission | Reason |
| --- | --- |
| Read (ReadProperty, GenericExecute) | Allows Enterprise Vault to read additional properties from information store objects. This enables more informative error information when checking task configuration. For Exchange 2010 this permission is granted to Everyone by default (onto descendant mailbox and public information stores). Symantec recommend setting this permission to ensure in locked down Exchange deployments the archiving tasks continue to function correctly. |
| Receive As (Receive-As) | Allows the task to connect and open any mailbox/public folder. |
| Administer Information Store (ms-Exch-Store-Admin) | Allows the task to connect and open any mailbox/public folder. Additionally by using administrative permissions Exchange uses less resource when performing permission checks when opening mailboxes. |
| Create named properties on information store (ms-Exch-Store-Create-Named-Properties) | Allows the tasks to create named properties. The default Exchange permissions grant Everyone this permission by default. Symantec recommend setting this permission to ensure in locked down Exchange deployments the archiving tasks continue to function correctly. |
| View Information Store Status (ms-Exch-Store-Visible) | Allows the task to bypass the default MAPI session limit (32) on the target Exchange server. |

Where possible all permissions must be set to inherit to lower objects. For example when using AdsiEdit.msc for Windows 2003 you would need to select the 'Advanced' permission tab and ensure Apply onto is set to 'This object and all child objects'. For Windows 2008 the setting is 'Apply to:' with value 'This object and all descendant objects'. If using Add-ADPermission set -InheritanceType All.

Where to apply minimal permissions in Exchange 2010

Permissions required by VSA or task account (for mailbox, journal and public folder archiving and provisioning):
- Read
- Receive as
- Administer information store
- Create named properties in information store
- View Information Store Status

Recommended lowest level in Exchange hierarchy to apply these permissions: Set on each individual Exchange database object with inheritance down to lower levels.
- For mailbox archiving, mailboxes in databases that don't have the required permissions should be excluded from provisioning or the archive task will log errors each time it runs
- For public folder archiving, the mailbox database of the task's system mailbox and the public folder database must have the required permissions

Additional permission required for Exchange 2010: The archiving tasks require Read permissions to the Global Settings container

Additional permissions required for provisioning task: In addition to permissions required for archiving, the VSA or task account requires access to managed folder content settings. The synchronization can be disabled by following the following articles:

Andy Becker | Authorized Symantec Consultant | Trace3 | Symantec National Partner |
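
One way to apply the minimal permissions from the post above to selected databases only, then read the ACLs back to confirm the grant and check that the account has no rights on databases outside that scope. This is an added example, not part of the original thread and not Symantec's SetEVExchangePermissions.ps1. The account and database names are placeholders; public folder databases and the Read permission on the Global Settings container are not covered.

```powershell
# Added example: run in the Exchange Management Shell (Exchange 2010).
$Vsa     = 'EXAMPLE\svc-evault'        # placeholder Vault Service Account
$InScope = 'MBX-DB01', 'MBX-DB02'      # placeholder names: databases EV may archive

# Rights taken from the minimal-permissions table in the quoted document.
$ExtendedRights = 'Receive-As', 'ms-Exch-Store-Admin',
                  'ms-Exch-Store-Create-Named-Properties', 'ms-Exch-Store-Visible'
$AccessRights   = 'ReadProperty', 'GenericExecute'

function Get-VsaExtendedRight {
    # Names of the extended rights allowed to $User on one database object.
    param([string]$DatabaseDn, [string]$User)
    Get-ADPermission -Identity $DatabaseDn -User $User |
        Where-Object { -not $_.Deny -and $_.ExtendedRights } |
        ForEach-Object { $_.ExtendedRights } |
        ForEach-Object { $_.ToString() } |
        Sort-Object -Unique
}

# 1. Grant on each in-scope database only, inheriting to descendant objects.
foreach ($name in $InScope) {
    $dn = (Get-MailboxDatabase -Identity $name -ErrorAction Stop).DistinguishedName
    Add-ADPermission -Identity $dn -User $Vsa -ExtendedRights $ExtendedRights `
        -InheritanceType All | Out-Null
    Add-ADPermission -Identity $dn -User $Vsa -AccessRights $AccessRights `
        -InheritanceType All | Out-Null

    # 2. Read the ACL back and warn if any required right is absent.
    $granted = @(Get-VsaExtendedRight -DatabaseDn $dn -User $Vsa)
    $missing = @($ExtendedRights | Where-Object { $granted -notcontains $_ })
    if ($missing) { Write-Warning "$name is missing: $($missing -join ', ')" }
}

# 3. Scope audit: report every other database where the account can still open
#    mailboxes, for example through rights inherited from a higher container.
Get-MailboxDatabase | Where-Object { $InScope -notcontains $_.Name } | ForEach-Object {
    $rights = @(Get-VsaExtendedRight -DatabaseDn $_.DistinguishedName -User $Vsa)
    if ($rights -contains 'Receive-As' -or $rights -contains 'ms-Exch-Store-Admin') {
        New-Object PSObject -Property @{
            Database = $_.Name
            Server   = $_.Server
            Rights   = $rights -join ', '
        }
    }
}
```

The read-back filters on ACEs that name the account directly, so rights the account holds through group membership will not appear in the audit output and need a separate check.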