Forum Discussion

mickelingon's avatar
mickelingon
Level 5
17 years ago

VSA permission

Hi
 
If not creating VSA as Domain admin, what permissions does it need.
Local admin on Exchange and fileservers. MSMQ permissions
What else?
 
Mike
Enterprise Vault
Information Governance
  • TonySterling's avatar
    TonySterling
    17 years ago
    See the section called Creating the Vault Service account in the Installing and Configuring Guide.
     
    Creating the Vault Service account

    The Vault Service account is used by Enterprise Vault processes to access the Windows server operating system. The account is shared by all the Enterprise Vault computers in the Enterprise Vault directory. If you are managing multiple Enterprise Vault sites, you can use the same Vault Service account for more than one Enterprise Vault site.

    The Vault Service account must be a domain-based Windows security account that belongs to the local Administrators group on all computers in the Enterprise Vault directory. The account password must not be blank.

    We recommend that you do not make this account a Domain Administrator. It is better to assign required permissions explicitly. This section describes the basic permissions that you need to set for this account. Different types of archiving require additional permissions for the Vault Service account. For details of these, see the section on the type of archiving that you are implementing.

    If possible, create the account so that it is in the same domain as the Enterprise Vault computers. If it is necessary for the Vault Service account and the Enterprise Vault computers to be in different domains, create the account so that it is in a domain that is trusted by the Enterprise Vault computers’ domain.

    Ensure that the Microsoft Message Queue security has been set up to grant the Administrators group access to the Enterprise Vault queues.

    During configuration, you are asked to provide the name and password of the Vault Service account. Enterprise Vault automatically grants the account the following advanced user rights:

    • Log On As a Service

    • Act As Part Of The Operating System

    • Debug programs

    • Replace a process-level token

    Note that it may take some time for the Vault Service account to be registered in the Active Directory for the computer that is going to run Enterprise Vault. The account cannot be used until the registration is complete.

    You are recommended to be logged in to the Vault Service account when you install Enterprise Vault. You must be logged in to the Vault Service account when you run the Enterprise Vault configuration wizard.

     

    Also see the section for assigning Exchange permissions:

    Assigning permissions on Microsoft Exchange Server

    The Vault Service account needs to be able to access mailboxes on the Exchange Servers that Enterprise Vault is to archive. You need to grant permissions explicitly on each Exchange Server, as described in this section. If you later add another Exchange Server, you need to repeat the procedure on the new server to enable mailbox access for the Vault Service account.

     

    Regards,

     

1 Reply

Sort By
  • TonySterling's avatar
    TonySterling
    Moderator
    17 years ago
    See the section called Creating the Vault Service account in the Installing and Configuring Guide.
     
    Creating the Vault Service account

    The Vault Service account is used by Enterprise Vault processes to access the Windows server operating system. The account is shared by all the Enterprise Vault computers in the Enterprise Vault directory. If you are managing multiple Enterprise Vault sites, you can use the same Vault Service account for more than one Enterprise Vault site.

    The Vault Service account must be a domain-based Windows security account that belongs to the local Administrators group on all computers in the Enterprise Vault directory. The account password must not be blank.

    We recommend that you do not make this account a Domain Administrator. It is better to assign required permissions explicitly. This section describes the basic permissions that you need to set for this account. Different types of archiving require additional permissions for the Vault Service account. For details of these, see the section on the type of archiving that you are implementing.

    If possible, create the account so that it is in the same domain as the Enterprise Vault computers. If it is necessary for the Vault Service account and the Enterprise Vault computers to be in different domains, create the account so that it is in a domain that is trusted by the Enterprise Vault computers’ domain.

    Ensure that the Microsoft Message Queue security has been set up to grant the Administrators group access to the Enterprise Vault queues.

    During configuration, you are asked to provide the name and password of the Vault Service account. Enterprise Vault automatically grants the account the following advanced user rights:

    • Log On As a Service

    • Act As Part Of The Operating System

    • Debug programs

    • Replace a process-level token

    Note that it may take some time for the Vault Service account to be registered in the Active Directory for the computer that is going to run Enterprise Vault. The account cannot be used until the registration is complete.

    You are recommended to be logged in to the Vault Service account when you install Enterprise Vault. You must be logged in to the Vault Service account when you run the Enterprise Vault configuration wizard.

     

    Also see the section for assigning Exchange permissions:

    Assigning permissions on Microsoft Exchange Server

    The Vault Service account needs to be able to access mailboxes on the Exchange Servers that Enterprise Vault is to archive. You need to grant permissions explicitly on each Exchange Server, as described in this section. If you later add another Exchange Server, you need to repeat the procedure on the new server to enable mailbox access for the Vault Service account.

     

    Regards,