Problem
The Vault Service Account needs full permission to the target mailboxes, as it must not only read the contents but also modify them when archiving and synchronizing EV's hidden messages.
The Vault Service Account also needs to be able to Send on Behalf of the system mailbox you have just created, which it does when sending the "Welcome" message and any Quota or PST Migration messages.
Solution
In EV 9 and later, these permissions are configured using the PowerShell scripts provided on the EV media (instructions are here). However, on EV 8.0 and earlier, there are no PowerShell scripts, and Exchange 2007 does not provide an interface to modify these permissions via the Exchange Management Console or Active Directory Users and Computers. Thus we must use ADSIEdit as follows.
1. Click Start, Programs, Administrative Tools, ADSI Edit. This tool is included with the Windows Support Tools on the Windows Domain Controller or Exchange Server.
2. In ADSI Edit, connect to 'well known Naming Context' Configuration and expand the tree as follows:
a. Expand Configuration [dc.yourdomain.local]
b. Expand CN=Configuration,DC=yourdomain,DC=local
c. Expand CN=Services
d. Expand CN=Microsoft Exchange
e. Expand CN=First Organization
Note: CN=First Organization might be different in your environment. This name is the Exchange Organization name configured at the initial Exchange setup.
f. Expand CN=Administrative Groups
g. Expand CN=Exchange Administrative Group(FYDIBOHF23SPDLT)
h. Expand CN=Servers
3. Right-click the CN=EXCHANGE_SERVER_NAME object and select Properties.
Note: When reviewing all the objects under CN=Servers, you need to match the Exchange Server name from your organization.
4. In CN=EXCHANGE_SERVER_NAME Properties click the Security tab.
5. Add the Vault Service Account to the list and grant it Full Control. Click Apply.
6. Click Advanced. In Advanced Security Settings for EXCHANGE_SERVER_NAME select the row for the Vault Service Account added in the previous step and click Edit.
7. In Permission Entry for EXCHANGE_SERVER_NAME, change Apply onto to This object and all child objects and click OK.
8. Click OK to close the Advanced Security Settings window.
9. Click OK and close the Properties window.
10. Close ADSIEdit.
The next step is to apply "send as" permissions on the system mailbox assigned to the Enterprise Vault Archiving Tasks:
1. Open the Exchange Management Console.
2. Expand Microsoft Exchange > Recipient Configuration > Mailbox.
3. In the right panel, search for the system mailbox assigned to the Enterprise Vault Archiving Tasks.
4. Right-click the mailbox and select "Manage Send as Permission..."
5. Add the Vault Service account and click Manage.
6. Repeat the same steps for each system mailbox on any remaining Exchange Servers.
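To confirm that both procedures took effect, the permissions can be read back from the Exchange Management Shell. The script below is an added example, not part of the original article or of the EV media; it only reads ACLs, and the account name YOURDOMAIN\VaultSvc and mailbox name EVSystemMailbox are placeholders to replace with your own values.

```powershell
# Read-only check; run from the Exchange Management Shell on Exchange 2007.
# Both values below are placeholders (assumptions): substitute your own.
$vsa       = 'YOURDOMAIN\VaultSvc'   # hypothetical Vault Service Account
$sysMbxIds = @('EVSystemMailbox')    # hypothetical system mailbox name(s)

# 1. ADSI Edit procedure: Full Control on each CN=<server> object, applied to
#    "This object and all child objects" (InheritanceType = All).
foreach ($server in (Get-ExchangeServer)) {
    $aces  = @(Get-ADPermission -Identity $server.DistinguishedName -User $vsa)
    $allow = @($aces | Where-Object {
        -not $_.Deny -and
        ($_.AccessRights -like '*GenericAll*') -and
        ($_.InheritanceType -eq 'All')
    })
    if ($allow.Count -gt 0) {
        "OK       $($server.Name): Full Control, applies to child objects"
    } else {
        "MISSING  $($server.Name): no Full Control ACE for $vsa"
    }
    # A Deny ACE overrides the Allow entry, so report any that exist.
    $aces | Where-Object { $_.Deny } | ForEach-Object {
        "DENY     $($server.Name): $($_.AccessRights) $($_.ExtendedRights)"
    }
}

# 2. Exchange Management Console procedure: Send-As on each system mailbox.
foreach ($id in $sysMbxIds) {
    $mbx    = Get-Mailbox -Identity $id
    $sendAs = @(Get-ADPermission -Identity $mbx.DistinguishedName -User $vsa |
        Where-Object { -not $_.Deny -and ($_.ExtendedRights -like '*Send-As*') })
    if ($sendAs.Count -gt 0) {
        "OK       $($mbx.Name): Send-As granted to $vsa"
    } else {
        "MISSING  $($mbx.Name): Send-As not granted to $vsa"
    }
}
```

Because Full Control on the server object is a broad grant, the same Get-ADPermission call without -User shows every other principal that holds it, which is worth reviewing at the same time.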
Applies To
Version | EV 8.0 and earlier | EV 9.0 and later |
Exchange 2003 | Set permissions using Exchange Management Console | Set permissions using Exchange Management Console |
Exchange 2007 | Use ADSIEdit to set permissions manually (this article). | EV provides PowerShell scripts to set permissions |
Exchange 2010 | This version of EV does not support this version of Exchange | EV provides PowerShell scripts to set permissions |
Exchange 2013 | This version of EV does not support this version of Exchange | EV provides PowerShell scripts to set permissions |