
Exchange 2010 RBAC roles instead of VSA Powershell script

ericeng
Level 2

Has anyone successfully assigned the vault service account Exchange permissions in 2010 via RBAC vs running the PowerShell script included with the software? Enterprise Vault is only deployed to our US Region and not deployed globally. With Exchange 2007 you can apply the permissions strictly to your Exchange server, but with Exchange 2010 the "Administrative Information Store" permissions are granted at the Server and Database container, which may include servers that EV does not affect.

I believe I was able to get EV to work properly with RBAC if I used the "Organizational Management" role, but that has rights on the entire org, which is the same problem as with the PowerShell script. Even if I limit the scope of the "Organization Management" role to strictly the affected Exchange servers for EV, I cannot even apply a simple EVPM policy.

Any thoughts?

1 ACCEPTED SOLUTION


Prone2Typos
Moderator
Partner    VIP    Accredited Certified

I have used PowerShell to set them more granularly prior to EV shipping with a PS1 file. The manual instructions never worked for me despite my best efforts.... and the options in the guide did not match those in the utility the guide was telling you to use (ADSIEDIT).

As suggested, I do not think RBAC rights themselves are sufficient because of the Send-As and Receive-As permissions. So ... using RBAC permissions is not sufficient IMHO.

If you want to see what some other options are .... EV permission requirements are similar to those of Blackberry Enterprise Server. As BES seems to have a wider distribution and greater security consciousness, you can look at what people have done for BES and mimic it for your VSA.


3 REPLIES

ZeRoC00L
Level 6
Partner Accredited

The permissions of "Organizational Management" are not sufficient. For example the PowerShell script also applies the "Send-As" and "Receive-As" rights.

If you really don't want to run the script, open it in Notepad, and reverse engineer the exact rights that are required on the VSA.

ericeng
Level 2

I forgot to mention that I ran another script to apply "Send-As" and "Receive-As" rights. The pushback I am receiving is about granting the "administrative information store" permissions within the script, which I have removed.

I was asking if anyone has successfully applied the VSA permissions with more granular rights or if using the RBAC permissions was sufficient.
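Added example (not from any poster in this thread and not part of the script shipped with Enterprise Vault): a read-only check, run in the Exchange 2010 Management Shell, that lists where a service account holds Send-As, Receive-As or the information store administration right on mailbox databases and flags databases on servers outside the intended scope. The account name and server names are hypothetical placeholders.

```powershell
# Added example: read-only audit, makes no changes.
# Assumed, hypothetical values: replace with your own account and server names.
$Vsa          = 'CONTOSO\svc-evault'        # hypothetical Vault Service Account
$ScopeServers = @('USEXCH01', 'USEXCH02')   # hypothetical servers EV archives from

# Extended rights discussed in the thread. ms-Exch-Store-Admin is the directory
# name of the "Administer information store" right.
$Watched = @('Send-As', 'Receive-As', 'ms-Exch-Store-Admin')

$report = foreach ($db in Get-MailboxDatabase) {
    # Allow ACEs on this database object that name the account directly
    $aces = Get-ADPermission -Identity $db.DistinguishedName -User $Vsa |
        Where-Object { -not $_.Deny -and $_.ExtendedRights }

    foreach ($ace in $aces) {
        foreach ($right in $ace.ExtendedRights) {
            $name = $right.ToString()
            if ($Watched -contains $name) {
                New-Object PSObject -Property @{
                    Database  = $db.Name
                    Server    = $db.Server.Name
                    Right     = $name
                    Inherited = $ace.IsInherited   # True = granted on a parent container
                    InScope   = ($ScopeServers -contains $db.Server.Name)
                }
            }
        }
    }
}

$report | Sort-Object Server, Database, Right |
    Format-Table Server, Database, Right, Inherited, InScope -AutoSize

# Grants on databases hosted by servers outside the intended scope
$outOfScope = @($report | Where-Object { -not $_.InScope })
if ($outOfScope.Count -gt 0) {
    Write-Warning ("{0} grant(s) for {1} on databases outside the intended servers." -f $outOfScope.Count, $Vsa)
}
```

Rows with Inherited set to True come from a grant on a parent container rather than on the database itself. Rights the account holds only through group membership are not listed, because the query filters on the account name.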
