
Exchange permissions

mart_g
Level 4
Partner Accredited
Hi,

Recently I performed an upgrade from EV 5 to EV 6 for a customer.
The OS is Windows 2003 standard SP2 (EV and Exchange)
The Exchange is 2003 SP2

What I understand is that the vault service account requires "full control" for Exchange (under exchange server properties - security). The Installation and Configuration manual in EV 5 requires that the vault service account be delegated "Exchange Full Administrator". This requirement is no longer in the EV 6 manual; instead all the permissions are to be given to the vault service account under exchange server properties - security. I guess it's the same, just a different procedure.

I was confused by this particular bit: before the upgrade, the vault service account was only given send as / receive as permissions. It is also a member of a group (let's call it group 1) that has other permissions, and whose send as / receive as permissions have both allow and deny checked. EV 5 was then upgraded to EV 6, this time with full control permission for the exchange server given to the vault service account, but still belonging as a member to group 1. It worked just fine.

So my question is, what is the purpose of each of the permissions for the exchange server? How is it used by the vault service account? Does the vault service account need all the permissions? Is there documentation about this?

Thanks for any input.


7 REPLIES 7

mart_g
Level 4
Partner Accredited
Any idea?

payoun
Level 4
The service account must have "Send As" and "Receive As" permissions on the Exchange Server object.
You can set the permissions in a different manner, like in the Admin Group, giving the delegation: Full control.
Just check that the service account is not a member of domain admin, as by default Deny on all mailboxes.

Hope that helps,
Peter

mart_g
Level 4
Partner Accredited
Hi Peter,

Yes, as mentioned above, the vault service account has send as / receive as permission allow and deny, but still is working fine. So my question is what task is performed by the vault service account with these permissions.

payoun
Level 4
Hi Mart,

You said that you also have a Deny for the Vault Service account??? And it works? Sounds weird!
Anyway, I always set the Send As and Receive As and it seems to be enough. When the task starts it checks for the permissions and then synchronizes the mailboxes; I do not see anything else.

Peter

bobby_hilliard
Level 5
I'll inject what I know from running a Blackberry server.
 
Prior to Nov 06 (I think), giving the service account full mailbox access was sufficient to allow the service account to access the mailbox. Then, Microsoft changed the way the STORE.EXE module worked (for Exch2k3), and separated the Send As right from Full Mailbox Access. To rectify, I had to "manually" grant Send As to the service account for the OUs that contained Blackberry users.
 
The Receive As right isn't needed.
 
I would assume that EV requirements are the same, as it also uses MAPI to access the mailboxes.

rflanary
Level 4
I have the same problem. On my exchange server on the ev account send and receive as both allow and deny are all checked. How did you resolve this?

Kopfjager
Level 5
Employee Certified
Adding these real quick.  Hopefully will help with some of the questions.  Two technotes on exchange permissions and an MS article on viewing security tab.
 
 

Follow the Microsoft article listed below to allow administrators to view the Security tab for objects within Exchange System Manager at a higher level.
http://support.microsoft.com/default.aspx?scid=kb;en-us;259221
Once this registry key is in place, within Exchange System Manager browse to the Administrative Group or Organization level (at whatever level the account was delegated access), right-click and select Properties
Click the Security tab
Highlight the VSA and use the scroll bar on the side of the permissions window to scroll down to Send As and Receive As permissions
Select the Send As and Receive As permissions in the Allow column and confirm that they have been removed from the Deny column
Click OK
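
An added example, not part of the original thread or of any Symantec or Microsoft tooling: the Allow/Deny check from the steps above, run over a security descriptor in SDDL form instead of by scrolling the Security tab. It walks the ACEs in stored order for every SID in the account's token, so group memberships such as "group 1" are taken into account; the SIDs and the sample descriptor are constructed, and obtaining the SDDL string for the Exchange object is assumed to be done separately.

```python
import re

# Control-access right GUIDs defined in the Active Directory schema.
RIGHTS = {
    "ab721a54-1e2f-11d0-9819-00aa0040529b": "Send As",
    "ab721a56-1e2f-11d0-9819-00aa0040529b": "Receive As",
}
CONTROL_ACCESS = 0x100  # ADS_RIGHT_DS_CONTROL_ACCESS ("CR" in SDDL)

def _pairs(s):
    """Split an SDDL flag or rights string into its two-letter tokens."""
    return {s[i:i + 2] for i in range(0, len(s), 2)}

def _has_cr(rights):
    """True if the rights field carries control access (CR, or GA for full control)."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & CONTROL_ACCESS)
    return bool(_pairs(rights) & {"CR", "GA"})

def effective(sddl, token_sids):
    """Walk the DACL in stored order; for each right, the first ACE that names
    a SID in the token and covers that right decides the outcome."""
    result = {name: "not granted" for name in RIGHTS.values()}
    for body in re.findall(r"\(([^()]*)\)", sddl):
        f = body.split(";")
        if len(f) < 6 or f[0] not in ("A", "D", "OA", "OD"):
            continue  # audit and other ACE types do not grant or deny access
        flags = _pairs(f[1])
        if "IO" in flags or f[5] not in token_sids or not _has_cr(f[2]):
            continue  # inherit-only, other trustee, or no control-access bit
        kind = "deny" if f[0] in ("D", "OD") else "allow"
        scope = "inherited" if "ID" in flags else "explicit"
        for guid, name in RIGHTS.items():
            # An empty object GUID means the ACE covers every extended right.
            if f[3].lower() in ("", guid) and result[name] == "not granted":
                result[name] = f"{scope} {kind} for {f[5]}"
    return result

# Constructed sample: the SIDs and ACEs below are made up for illustration.
VSA = "S-1-5-21-1-2-3-1105"      # hypothetical vault service account
GROUP1 = "S-1-5-21-1-2-3-1200"   # hypothetical "group 1"
SAMPLE = (
    "D:"
    f"(OA;CI;CR;ab721a54-1e2f-11d0-9819-00aa0040529b;;{VSA})"
    f"(OA;CI;CR;ab721a56-1e2f-11d0-9819-00aa0040529b;;{VSA})"
    f"(OD;CIID;CR;ab721a54-1e2f-11d0-9819-00aa0040529b;;{GROUP1})"
    f"(OD;CIID;CR;ab721a56-1e2f-11d0-9819-00aa0040529b;;{GROUP1})"
)
```

In a canonically ordered DACL, explicit ACEs are stored ahead of inherited ones, so `effective(SAMPLE, {VSA, GROUP1})` reports an explicit allow even though an inherited deny exists for the group. Any result that reads "deny" points at the ACE to clear in the Deny column.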