04-05-2011 11:24 AM
Does anyone know if the vault service account still needs to be a local server administrator on all the Exchange servers that are listed as targets? We are on 9.0 SP1.
I thought previously this was a requirement but couldn't find it in the system documentation anymore.
Thank you!
Tom
04-05-2011 11:29 AM
Honestly I have no idea; if you can test, that would be the best thing to do. I've always added EV as the local admin, so no idea if it should have that level of access or not...
My suggestion is as above: if you have a test Exchange server, remove the EVAdmin from the local admins and see what happens.
04-05-2011 11:34 AM
In my lab I have a DC with Exchange 2010 on the same box. Since it's a DC there is no local admin group. I just used the PowerShell scripts to assign the proper rights for the EV (9.02) service account and it works fine.
04-05-2011 11:37 AM
There is a local admin group on a DC, you just have to set it via AD.
04-05-2011 11:42 AM
AndrewB,
So I'm assuming since it isn't a BP your Vault Service account isn't a Domain Admin. Also when you say "used the powershell scripts to assign the proper rights for the EV (9.02) service account and it works fine" that you are referring to the scripts that assign mailbox level permissions to the VSA and not specific admin rights on the server. So it would seem in your scenario the VSA is not an admin on the Exchange box and your EV is working ok. Is this correct?
JesusWept2,
I can certainly test it out, however I was hoping for a specific statement from Symantec on it, and perhaps since I can't find it in their documentation anymore then the statement is that the VSA doesn't need to be a local admin. The problem I'm having is that our Security/Compliance people want all admins removed from the Exchange servers unless there is a documented reason for them to be there. So if the VSA needs to be there I need to show them Symantec documentation showing this as a requirement.
Thanks!
04-05-2011 12:00 PM
No, the VSA is not a domain admin. Should be documented somewhere not to do it.
Yes, the scripts I'm referring to are: SetEVExchangePermissions.ps1 and SetEVThrottlingPolicy.ps1
Although I don't see it in the documentation either, I'm with JW that you should test in your environment before making such a change anyway.
04-05-2011 12:55 PM
I don't think I've ever given the VSA local admin rights on the Exchange servers, except in labs when I've done other stuff with the same server.
I'm curious as to why you would need to?
04-06-2011 05:19 AM
I did find this article:
It lists pretty much all versions from 9.0 on down and it says this: "Make sure you add the VSA to the Local Administrators group on the new Exchange server(s)". So I guess that answers my question and provides the documentation I'm looking for.
It does seem odd though that I can't find this in the admin guide or the installation guide; if this is a requirement you would think it would be in one of those documents.
Thanks everyone for the comments!
04-06-2011 05:24 AM
You should NOT need to add the VSA as a local admin to the Exchange server - do not do this. Let me see if I can get the article reviewed as this seems to be misinformation.
Going back a fair few versions EV 6.0 may have needed local admin permissions to be able to add and configure Exchange targets and tasks. This was resolved in EV 6.0 SP1 and I believe was to do with either a Windows 2003 service pack or update locking down permissions to the Service Control Manager.
Regards
Karl