Unsolved
This post is more than 5 years old
2 Posts
0
594
August 20th, 2007 13:00
Least permissions required
The company I work for needs to verify and check our application layout of archiving email within our environment. Within your documentation it states:
####################
On the mail server, create an email account and (if you are using
Microsoft Exchange) a MAPI profile for use on the mail client you
will install on the EmailXtender server. The account is used to
communicate with the mail server and should be an
administrative account with full Domain Administrator,
Exchange Administrator, and Service Account Administrator
permissions.
###################
In our environment this will not be allowed to have a service account with both full domain administrator and Exchange Administrator. This is strictly not allowed.
Currently we are using MailXtender 4.2 and will describe the setup that we are using for 4.2.
If we want to archive a user we move them to a specific exchange server and a specfic database within that server. On that database all mail is archived to a account called " CC Xtender". This email account has only membership to the domain users.
On the MailXtender server and account is created at the domain level called "cesaxtender". This account is a member of the domain users only. But it also has the following permissions on the "CC Xtender" mailbox.
¿ List Contents
¿ Read all properties
¿ Write all properties
¿ Read permissions
¿ Send As permissions
Please note that "cesaxtender" run and controls the services on the MailXtender server. Cesaxtender account is a member of the administrator group on the MailXtender server.
Can we use the same setup once we build a new MailXtender server using the latest version?
####################
On the mail server, create an email account and (if you are using
Microsoft Exchange) a MAPI profile for use on the mail client you
will install on the EmailXtender server. The account is used to
communicate with the mail server and should be an
administrative account with full Domain Administrator,
Exchange Administrator, and Service Account Administrator
permissions.
###################
In our environment this will not be allowed to have a service account with both full domain administrator and Exchange Administrator. This is strictly not allowed.
Currently we are using MailXtender 4.2 and will describe the setup that we are using for 4.2.
If we want to archive a user we move them to a specific exchange server and a specfic database within that server. On that database all mail is archived to a account called " CC Xtender". This email account has only membership to the domain users.
On the MailXtender server and account is created at the domain level called "cesaxtender". This account is a member of the domain users only. But it also has the following permissions on the "CC Xtender" mailbox.
¿ List Contents
¿ Read all properties
¿ Write all properties
¿ Read permissions
¿ Send As permissions
Please note that "cesaxtender" run and controls the services on the MailXtender server. Cesaxtender account is a member of the administrator group on the MailXtender server.
Can we use the same setup once we build a new MailXtender server using the latest version?
No Events found!
jskoecher
2 Intern
•
204 Posts
0
August 20th, 2007 23:00
I honestly doubt it. - First, the installation should be verified by an SVC (Solution Validation Check). You give EMC all the info about your environment and they approve the installation. The permission is one topic and I thought it a requirement.
Secondly, EMC Support got a document "Installing and Using EmailXtender with Minimal Permissions" in version 4. This unfortunately did not reflect 4.8, nor Exchange 2003 SP2 but apparently was the most recent one. - Especially around the permission changes in Exchange 2003, it was not correct and did not work. We left it with domain admins in the end.
When addressing permissions, don't forget:
- Has your CC Xtender the permissions to read out the Exchange Organization?
- The EmailXtender Contact created in AD: The service account must be able to "change" it.
- SQL permissions?
- Do you need OWA support?
Hope this helps,
Jochen.
szekelyk
2 Intern
•
129 Posts
0
August 28th, 2007 02:00
could you please give me more detail the following, two settings?
- Has your CC Xtender the permissions to read out the Exchange Organization?
- The EmailXtender Contact created in AD: The service account must be able to "change" it.
Krisztian
jskoecher
2 Intern
•
204 Posts
0
August 31st, 2007 02:00
- Exchange Organization
The EmailXtender service account needs to find the users mailboxes. Therefore EX needs to find out, which servers are part of the Exchange organization. - Setting up EmailXtender permissions or Blackberry/other FAX-Solutions is often the same, since the same actions are required (read and write information to the mailboxes).
- EmailXtender Contact in AD
How are the shortcuts resolved for the users? They find an AD contact called EmailXtender, which has an custom attribute set (URL) to find the Emailxtender-Server. - Although I wouldn't know when this is really changed after the initial installation, EX wants to have read and write permissions as well.
If you post your email address, I could send you the pdf I have.
Keep well, Jochen.
szekelyk
2 Intern
•
129 Posts
0
September 3rd, 2007 06:00
here is my e-mail address:krisztian.szekely@comparex.hu
Thank You!
Krisztian