
EVault service account: need Exchange admin rights clarification

Zenworks2001
Level 5

Hi,

We have an Exchange 2003 post-SP2 and I would like to know the exact rights for my Vault account.

Here is the list of rights I've collected from the documentation (installation guide) and the forum.

 

1- Grant Vault account as "Domain users"

2- Grant Vault account as local administrator of Vault server + check Assign "Log on Locally" and "Logon as a service"

3- Grant "Exchange View Only administrator" on Exchange Organization from Exchange Administration Delegation wizard

4- Grant full permissions (send-as, receive-as) at the server level for each Exchange server (from ESM)

5- Vault account must be added to the EV system mailbox with "send as" permissions, no other permissions are needed (done from Active Directory Users and Computers snap-in)

Ref:

https://forums.symantec.com/syment/board/message?board.id=106&message.id=9795

http://support.microsoft.com/kb/895949/

http://support.microsoft.com/kb/912918/

I would like to discuss the last point as I'm not sure which AD object needs "send-as" permission and there's nothing in the Symantec documentation.

Many thanks in advance

 

Message Edited by Zenworks2001 on 02-27-2009 01:31 AM
1 ACCEPTED SOLUTION

Accepted Solutions

Joseph_Rodgers
Level 6
Partner

Zen,

 

You are dealing with a minimum of 2 distinct AD accounts with EV.

1. The VSA (Vault Service Account). This is the EV God account and needs all the rights as you've described. The VSA does NOT need a mailbox. There is one VSA.

2. The EV System Mailbox. This is a normal user account with an Exchange mailbox on the target Exchange server. This account has no special rights or privileges but cannot be hidden from the GAL or disabled. This mailbox name should be unique to the end (see below). There will be one EV System Mailbox per target Exchange server.

Your #5 permissions mean that the VSA MUST have the Send-As right specifically for each of the EV system mailboxes. This permission is necessary to send the EV messages (enable, disable, etc.)

Unique to the End:

System Mailboxes:

exch1
exch2
exch3...
exch10

When exch10 is created exch1 is no longer unique to the end (it is a subset of exch10) and will cause MAPI problems with EV.

 

-Joe
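
The "unique to the end" rule in the answer above can be checked before a new EV system mailbox is created. This Python sketch is an added example, not part of the original post or of Enterprise Vault; it assumes the rule means that no mailbox name may be a case-insensitive leading substring of another, and the function names are hypothetical.

```python
"""Check Enterprise Vault system mailbox names for 'unique to the end' clashes."""


def find_prefix_collisions(names):
    """Return (short, long) pairs where `short` is a leading substring of `long`.

    Comparison is case-insensitive. Assumption: the rule in the post means
    that no mailbox name may be the start of another mailbox name.
    """
    # Drop blanks and exact duplicates, then sort by case-folded value so
    # every name that starts with a given name sits directly after it.
    cleaned = sorted({n.strip() for n in names if n.strip()},
                     key=lambda n: (n.casefold(), n))
    folded = [n.casefold() for n in cleaned]

    collisions = []
    for i, short in enumerate(folded):
        j = i + 1
        # Names sharing the prefix `short` are contiguous after index i.
        while j < len(folded) and folded[j].startswith(short):
            collisions.append((cleaned[i], cleaned[j]))
            j += 1
    return collisions


def check_new_mailbox(existing, candidate):
    """Return only the collisions that adding `candidate` would introduce."""
    before = set(find_prefix_collisions(existing))
    after = find_prefix_collisions(list(existing) + [candidate])
    return [pair for pair in after if pair not in before]


# Sample names taken from the list in the post.
EXISTING = ["exch1", "exch2", "exch3"]

if __name__ == "__main__":
    for short, long_name in check_new_mailbox(EXISTING, "exch10"):
        print(f"'{short}' is no longer unique to the end: it begins '{long_name}'")
```
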

Zenworks2001
Level 5

Hi,

It's perfect. Your response is clear.

Many tx

KR,