Forum Discussion

ndt
Level 4
14 years ago

Deployment Scanner error

Thank you.

When I run deployment scanner (ver 9.0.1), I find a notice:

The user DOMAIN\admin does not have the required permissions (including 'send as' and 'receive as') on the following Mailbox Stores and Public Folder stores on HCM-CCR-MAIL.DOMAIN.COM: Data mail 2;First Mailbox data;Data Mail 3;

Then, I run this command at Exchange Management Shell:

C:\Windows\System32>get-organizationconfig | add-adpermission -user admin@domain.com -extendedrights send-As,receive-As

...

...

Identity             User                 Deny  Inherited Rights
--------             ----                 ----  --------- ------
First Organization   DOMAIN\admin        False False     Send-As
First Organization   DOMAIN\admin        False False     Receive-As

 

How can I solve this problem?

 

ndt.

  • Be sure your Vault Service Account is NOT a member of the Domain Admins.  See the section Creating the Vault Service account in the Installing and Configuring guide.

    This is also from the Installing guide.

    Assigning Exchange Server permissions to the Vault Service account


    For Exchange Server 2010 and Exchange Server 2007, Enterprise Vault includes a PowerShell script which assigns the necessary permissions to the Vault Service account.

    Although you must run this script on Exchange Server 2010 or Exchange Server 2007, the script assigns permissions required by all the Exchange versions in your environment, including Exchange Server 2003 and Exchange 2000. However, if your environment contains Exchange servers no later than Exchange Server 2003, you must assign permissions manually.

    To assign Exchange Server permissions to the Vault Service account

    1. Log in to the Exchange Server using an account that is assigned the following management roles:

         - Active Directory Permissions
         - Exchange Servers
         - Organization Configuration

       By default, members of the "Organization Management" role group are assigned these roles.

    2. On the Enterprise Vault server, locate the script called SetEVExchangePermissions.ps1 and copy it to the Exchange Server.

       The Exchange 2010 PowerShell scripts are in the PowerShellScripts subfolder of the Enterprise Vault installation folder (normally c:\Program Files\Enterprise Vault).

    3. On the Exchange Server, open the Exchange Management Shell.

    4. Run SetEVExchangePermissions.ps1.

       The syntax for this script is:

           SetEVExchangePermissions.ps1 -user domain\user_name

       where:

         - domain is the Active Directory domain that the Vault Service account belongs to.
         - user_name is the Vault Service account. If user_name contains spaces, enclose it in quotation marks.

    If you want to force these changes to take effect immediately, restart the Microsoft Exchange Information Store service on each Exchange mailbox server.

  • Hi ndt,

    Verify Exchange prereqs are met. Is the account a member of the Exchange View Only role?

  • Hi ndt,

    One way to confirm is to use ADSIEDIT on the Exchange server or the DC and dig down to the Exchange server level - go to the properties and ensure the permissions are set correctly. (please see attachment). Please be extremely careful when editing ADSIEDIT.

    Make sure that permissions are replicated/inherited correctly and manually change if necessary.
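
A read-only way to check what the replies above describe, as an added example that is not part of the thread or of the Enterprise Vault guide: for each mailbox and public folder database it reports whether the account holds an Allow entry for Send-As and Receive-As, and which trustees hold Deny entries for those rights. The default account name is the one from the question, and PowerShell 2.0 or later is assumed.

```powershell
# Added example, not from the Enterprise Vault guide. Run in the Exchange
# Management Shell (PowerShell 2.0 or later assumed). Makes no changes.
# 'DOMAIN\admin' is the account name from the question; substitute your own.
param([string]$Account = 'DOMAIN\admin')

$rights = 'Send-As', 'Receive-As'

# The scanner notice lists mailbox stores and public folder stores, so check both.
$stores = @(Get-MailboxDatabase) + @(Get-PublicFolderDatabase)

$report = foreach ($db in $stores) {
    # Every ACE on the database object, explicit and inherited.
    $aces = @(Get-ADPermission -Identity $db.Identity)

    foreach ($right in $rights) {
        $forRight = @($aces | Where-Object { $_.ExtendedRights -like $right })

        # Allow ACEs that name the account directly.
        $allow = @($forRight | Where-Object {
            -not $_.Deny -and $_.User.ToString() -eq $Account })

        # Deny ACEs for any trustee; compare these with the account's groups.
        $deny = @($forRight | Where-Object { $_.Deny })

        New-Object PSObject -Property @{
            Store          = $db.Name
            Right          = $right
            AllowPresent   = ($allow.Count -gt 0)
            AllowInherited = ($allow | ForEach-Object { $_.IsInherited }) -join ','
            DenyTrustees   = ($deny | ForEach-Object { $_.User.ToString() } |
                                 Sort-Object -Unique) -join '; '
        }
    }
}

$report | Sort-Object Store, Right |
    Format-Table Store, Right, AllowPresent, AllowInherited, DenyTrustees -AutoSize
```

A row with AllowPresent set to False means the grant has not reached that store; a group in DenyTrustees that the account belongs to can block the right even where the Allow entry is present.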

  • Thanks for all your advice. I solved this problem.

     

    ndt.