Cisco Unity Tools

Unity Permissions Wizard


Version: 3/5/2002
Statistics: 3.8 meg self-installing EXE.  Download and run.
Compatibility: Unity 3.1(1) through 3.1(5)

For Unity 3.1(6), 4.0(1) or 4.0(2) you should use the Permissions Wizard 4.0(1/2)

For Unity 4.0(3) through 4.1(1) use Permissions Wizard 4.0(3)+

For Unity 4.2(1) and later, use Permissions Wizard 4.2(1)

Support: TAC supported

Overview

The Cisco Unity Permissions Wizard grants permissions to Windows users that install Cisco Unity or own one or more Cisco Unity services.  The different roles a user may play are:

  • Installation Account – installs Cisco Unity by running Setup
  • Service Account – assigned as logon account for one or more Cisco Unity services
  • Failover Service Account – assigned as logon account for Cisco Unity’s Failover service

Each Windows user will be granted permissions necessary to act in the role it is associated with.  Permissions that may be granted include operating system privileges, Active Directory access rights, and membership in administrative groups.

If Microsoft Exchange 2000 is selected as the message store for use with Cisco Unity, the Cisco Unity Permissions Wizard will create a Unity organizational unit, and a Locations sub-container, in the root of the Cisco Unity server’s home domain if one does not already exist.  Windows users selected to play the roles of Cisco Unity Installation and Service Accounts will be granted access rights in the Unity container, its sub-containers, and other Active Directory containers as selected during the Cisco Unity Permissions Wizard.  For details about the Active Directory rights granted by the Cisco Unity Permissions Wizard, see Active Directory Rights.

In addition to the permissions granted by the Cisco Unity Permissions Wizard, Windows users selected to play the roles of Cisco Unity Installation and Service Accounts must also be granted Microsoft Exchange administration rights, using Microsoft Exchange System Manager tools.  For details on assigning Microsoft Exchange administration permissions, see Microsoft Exchange Permissions.

Requirements/Special Notes

  • Requires Unity 3.1(1) or greater.
  • The user account running the Cisco Unity Permissions Wizard must be a member of the Domain Administrators group or have permissions equivalent to the Domain Administrators group.

Usage

Selecting the Message Store

The Cisco Unity Permissions Wizard grants different permissions to Windows users, depending on the message store Cisco Unity is connected to.

 

Figure 1

Select the message store Cisco Unity will be connected to on the opening page of the Wizard (Figure 1).

Assigning Users to Roles

On the next page of the Wizard, select the Windows users you want to assign to Cisco Unity roles.  The currently logged in user will be displayed as the default user to play each role.

Figure 2

Click the checkbox next to a role to activate a role for configuration.  You may choose to configure any or all of the three roles each time you run the Wizard.  You must choose to configure at least one role.

You may change the Windows user assigned to play each role by clicking the appropriate Change button. 

When you have selected the roles to configure and the Windows users to play the selected roles, click Next.

Selecting Active Directory Containers

If you choose Microsoft Exchange 2000 as the message store, Cisco Unity will need access to one or more Active Directory containers.  Active Directory containers, usually Organizational Units, may contain Active Directory users, groups, and contacts, among other objects.  Cisco Unity can create new Active Directory user objects when Cisco Unity Subscribers are created using the Cisco Unity Administrator.  Similarly, Active Directory group objects may be created if the Cisco Unity Administrator is used to create Cisco Unity Public Distribution Lists.  Active Directory contact objects may be created if the Cisco Unity Administrator is used to create AMIS Subscribers or Internet Subscribers. 

For Cisco Unity to access Active Directory objects in Active Directory containers, the Cisco Unity Permissions Wizard must grant access rights on each container Cisco Unity needs access to.  You may specify one or more Active Directory containers where Cisco Unity will have access to Active Directory users, groups, and contacts.  A number of access rights will be granted on each container you select.  For details about the rights granted on each container, see Active Directory Rights.

Figure 3

To add a container to the list of containers, click the Add button.

To remove a container from the list of containers, highlight the container and click the Remove button.

You must choose at least one container in the home domain of the Cisco Unity server.  The Cisco Unity Permissions Wizard will offer the DOMAIN\Users container of the Cisco Unity server’s home domain as the default container.

You may choose a container in each domain Cisco Unity is expected to access, but you may choose only one container for each domain.  If Cisco Unity will access users, groups, and contacts in multiple containers in a single domain, you must choose a common parent container that includes all of the containers you want to access.  If the common parent is the domain itself, choose the domain.

Once you have selected all of the containers Cisco Unity will require access to, click Next.
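The one-container-per-domain rule above can be worked out ahead of time. The following is an added example, not part of the Permissions Wizard or Cisco's code: it groups a list of container distinguished names by domain, computes the common parent to select for each, and reports the domains where that parent is broader than anything requested, which matters because the rights are applied to every selected container and all of its children. The function names and the example.com DNs are assumptions made for illustration.

```python
def split_dn(dn):
    """Split a distinguished name into RDNs, honouring backslash-escaped commas."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if ch == "," and not escaped:
            rdns.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
        escaped = (ch == "\\") and not escaped
    rdns.append("".join(cur).strip())
    return [r for r in rdns if r]

def common_parents(container_dns):
    """Map each domain to the single container that covers every requested DN."""
    by_domain = {}
    for dn in container_dns:
        rdns = split_dn(dn)
        dcs = [r for r in rdns if r.upper().startswith("DC=")]
        # Non-DC components, ordered from the domain root downward.
        path = [r for r in rdns if not r.upper().startswith("DC=")][::-1]
        by_domain.setdefault(",".join(dcs).lower(), (dcs, []))[1].append(path)
    parents = {}
    for domain, (dcs, paths) in by_domain.items():
        common = paths[0]
        for path in paths[1:]:
            n = 0
            while n < min(len(common), len(path)) and common[n].lower() == path[n].lower():
                n += 1
            common = common[:n]
        # An empty common path means the domain itself is the parent.
        parents[domain] = ",".join(common[::-1] + dcs)
    return parents

def widened(container_dns):
    """Domains where the parent to select is broader than any requested container."""
    requested = {",".join(split_dn(dn)).lower() for dn in container_dns}
    return sorted(d for d, p in common_parents(container_dns).items()
                  if p.lower() not in requested)

# Constructed sample DNs (example.com is a placeholder forest).
SAMPLE = [
    "OU=Sales,OU=Staff,DC=example,DC=com",
    "OU=Engineering,OU=Staff,DC=example,DC=com",
    "CN=Users,DC=emea,DC=example,DC=com",
    "OU=Voice,DC=lab,DC=example,DC=com",
    "CN=Users,DC=lab,DC=example,DC=com",
]

if __name__ == "__main__":
    for domain, parent in common_parents(SAMPLE).items():
        print(domain, "->", parent)
    print("scope widened in:", widened(SAMPLE))
```

A domain listed by `widened` is one where the account will hold rights over sibling containers nobody asked for, so it is worth reviewing before the Wizard is run.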

Toggling Creation Rights

If you choose Microsoft Exchange 2000 as the message store, and you don’t want to use the Cisco Unity Administrator to create new Active Directory users, contacts, and groups, you may choose not to grant the Cisco Unity Service Account rights to create each type of Active Directory object.

Figure 4

If you clear a checkbox next to an Active Directory object type, Cisco Unity will be unable to create the associated type of Cisco Unity object through the Cisco Unity Administrator.  You may only import existing objects into Cisco Unity.  For example, if you clear the Users checkbox, you will not be able to create new Cisco Unity Subscribers using the Cisco Unity Administrator.  You will only be able to import existing Active Directory users to become Cisco Unity Subscribers.

The settings on this page apply only to the Cisco Unity Service Account.  The Cisco Unity Installation account will be granted rights to create user and group objects in all selected containers, regardless of the settings of the checkboxes on this page.

Once you have made selections for each object type, click Next.

Verifying Permission Assignments

After assigning Windows users to Cisco Unity roles and selecting Active Directory containers, the Cisco Unity Permissions Wizard will present a summary of the permissions that will be granted to each of the Windows users selected.

Figure 5

The information listed includes:

  • Creation of a Unity container (organizational unit)
  • Membership in groups
  • Operating system privileges
  • Active Directory rights (Microsoft Exchange 2000 only)

See Permission Detail for a comprehensive list of all rights, privileges, and group memberships the Cisco Unity Permissions Wizard will grant.

Granting Permissions

While the Cisco Unity Permissions Wizard works to grant all necessary permissions, a status display and progress bar will be shown.  The process of granting permissions may take a few seconds to several minutes, depending on the number of accounts being configured, the number of Active Directory containers selected, and other factors.

 

Figure 6

Viewing Results

When all permissions have been granted, the Cisco Unity Permissions Wizard will present a summary of what was done, noting what operations were successful and what operations failed.

Figure 7

If there is a failure to grant one or more permissions to any Windows user, an error message will be generated with a count of the number of errors encountered.  You may examine the information presented in this dialog, fix any problems, and run the Cisco Unity Permissions Wizard again.  You may also fix any problems, then click the Back button and reattempt the permission assignments.

To view the summary as a text file, click the Review Log File button.  Details about log files created by the Cisco Unity Permissions Wizard can be found in Logging and Diagnostics.

Permission Detail

The Cisco Unity Permissions Wizard grants up to three different types of permissions to each Windows account selected for configuration.

Operating System Privileges

Each Windows user chosen to play a Cisco Unity role will be granted the following operating system privileges:

  • Log on as a service
  • Act as part of the operating system
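
Both privileges are powerful, so it is worth confirming afterwards exactly which accounts hold them. The following is an added example, not part of the Permissions Wizard: it parses the [Privilege Rights] section of a security policy export (as produced by `secedit /export /areas USER_RIGHTS`) and, for the two rights listed above, reports role accounts that lack the right and any other holders. The account names, the sample export text and the function names are constructed for illustration.

```python
# Constant names Windows uses for the two privileges the page lists.
WIZARD_RIGHTS = {
    "SeServiceLogonRight": "Log on as a service",
    "SeTcbPrivilege": "Act as part of the operating system",
}

def parse_privilege_rights(inf_text):
    """Return {right: [holders]} from the [Privilege Rights] section of a secedit export."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "privilege rights" and "=" in line:
            name, _, holders = line.partition("=")
            # SIDs are written with a leading '*'; drop it so both forms compare alike.
            rights[name.strip()] = [h.strip().lstrip("*") for h in holders.split(",") if h.strip()]
    return rights

def review_rights(inf_text, unity_accounts):
    """For each wizard-granted right, list role accounts lacking it and any other holders."""
    expected = {a.lower(): a for a in unity_accounts}
    rights = parse_privilege_rights(inf_text)
    report = {}
    for const, label in WIZARD_RIGHTS.items():
        holders = rights.get(const, [])
        held = {h.lower() for h in holders}
        report[label] = {
            "missing": [a for k, a in expected.items() if k not in held],
            "other_holders": [h for h in holders if h.lower() not in expected],
        }
    return report

# Constructed sample; a real export is UTF-16 and may list domain accounts as *SID.
SAMPLE_INF = r"""
[Unicode]
Unicode=yes
[Privilege Rights]
SeServiceLogonRight = EXAMPLE\UnityInstall,EXAMPLE\UnitySvc,EXAMPLE\UnityFailover
SeTcbPrivilege = EXAMPLE\UnitySvc,EXAMPLE\UnityInstall,EXAMPLE\jsmith
SeBackupPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""
ROLE_ACCOUNTS = [r"EXAMPLE\UnityInstall", r"EXAMPLE\UnitySvc", r"EXAMPLE\UnityFailover"]

if __name__ == "__main__":
    for label, result in review_rights(SAMPLE_INF, ROLE_ACCOUNTS).items():
        print(label, result)
```

Holders are compared as strings, so pass the role accounts in the same form (name or SID) that the export uses.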

Group Membership

Each Windows user chosen to play a Cisco Unity role will be added to the local computer’s Administrators group.

Active Directory Rights

If Microsoft Exchange 2000 is selected as the message store for Cisco Unity, Windows users chosen to play the role of Cisco Unity Installation Account or Cisco Unity Service Account will be granted access rights on Active Directory containers.  The rights granted depend on the Cisco Unity role each user is playing, the Active Directory containers selected, and the selections made for the creation of users (Cisco Unity Subscribers), groups (Cisco Unity Public Distribution Lists), and contacts.

Cisco Unity Installation Account

For every container selected and all children of those containers, the following permissions will be granted:

Permissions granted in all cases 

Applied onto this object and all child objects

  • Create User objects
  • Create Group objects

Applied onto User objects

  • Read properties
  • Write properties
  • List contents
  • Read permissions
  • Modify permissions
  • Change password
  • Reset Password

Applied onto Group objects

  • Read properties
  • Write properties
  • List contents
  • Read permissions
  • Modify permissions

Applied onto Contact objects

  • Read properties
  • Write properties
  • List contents
  • Read permissions
  • Modify permissions

Permissions granted if you allow creating contacts from the Cisco Unity Administrator

Applied onto this object and all child objects

  • Create Contact objects

For the Unity\Locations container in the Cisco Unity server’s home domain, the following permissions will be granted:

Applied onto this object and all child objects

  • Create ciscoEcsbuUMLocation objects

Applied onto ciscoEcsbuUMLocation objects

  • Full control

For the root container in the Cisco Unity server’s home domain, the following permissions will be granted:

Applied onto this object and all child objects

  • Create organizational unit objects

Cisco Unity Service Account

For every container selected and all children of those containers, the following permissions will be granted:

Permissions granted in all cases

Applied onto User objects

  • Read properties
  • Write properties
  • List contents
  • Read permissions
  • Modify permissions
  • Change password
  • Reset Password

Applied onto Group objects

  • Read properties
  • Write properties
  • List contents
  • Read permissions
  • Modify permissions

Applied onto Contact objects

  • Read properties
  • Write properties
  • List contents
  • Read permissions
  • Modify permissions

Permissions granted if you allow creating objects from the Cisco Unity Administrator

Applied onto this object and all child objects

  • Create User objects
  • Create Group objects
  • Create Contact objects

For the Unity\Locations container in the Cisco Unity server’s home domain, the following permissions will be granted:

Applied onto this object and all child objects

  • Create ciscoEcsbuUMLocation objects

Applied onto ciscoEcsbuUMLocation objects

  • Full control

Logging and Diagnostics

The Cisco Unity Permissions Wizard writes two log files to the root of the Cisco Unity server’s C: drive.  The first file contains summary information and results.  The second file contains low-level diagnostics and error messages.

PermWizResults.txt

PermWizResults.txt will echo the contents of the Results page of the Cisco Unity Permissions Wizard.  For example:

Figure 8

Each operation the Cisco Unity Permissions Wizard attempts will be listed as either SUCCEEDED or FAILED.

In some cases, individual rights may be combined into a single entry.  For example, the rights to read properties, write properties, list contents, read permissions, and modify permissions applied onto Group objects are all included in the single entry “SUCCEEDED granting Group read/modify rights”.

It is possible that an Active Directory right being granted will conflict with a pre-existing right on an Active Directory container.  For example, a Windows user chosen to play the role of the Cisco Unity Service Account may have been specifically DENIED the right to create user objects in one of the containers selected during the Permissions Wizard.  When the Permissions Wizard discovers such a situation, the PermWizResults.txt file will contain a note that a conflict has been found with a direct rights denial.  The Permissions Wizard will not resolve conflicts with direct rights denials.  It is your responsibility to resolve conflicts between the rights being granted by the Permissions Wizard and others already in effect.

PermWizLog.txt

PermWizLog.txt will contain everything in the PermWizResults.txt file, supplemented by low-level engineering diagnostics and error messages that can be used by Cisco engineers to diagnose anomalous behavior.

Microsoft Exchange Permissions

Microsoft Exchange 5.5

In addition to the permissions granted by the Cisco Unity Permissions Wizard, you must grant additional Microsoft Exchange 5.5 permissions to any Windows user assigned to play the role of Cisco Unity Installation Account or Cisco Unity Service Account.  Microsoft Exchange 5.5 includes its own capability for assigning Exchange administration permissions to Windows users.  To grant the appropriate level of Exchange administration permission to the users assigned to play Cisco Unity roles, follow these steps.

  1. Log on to an Exchange server in the site that the Cisco Unity server will be joining by using an Exchange Services Account Administration account.
  2. On the Windows Start menu, click Programs > Microsoft Exchange > Microsoft Exchange Administrator.
  3. In the tree, click the site name.
  4. On the File menu, click Properties.
  5. Click the Permissions tab.
  6. Click Add.
  7. Under List Names From, click the Cisco Unity server domain.
  8. In the list of names, select the installation account or the service account.
  9. Click Add.
  10. Click OK to close the Add Users and Groups dialog box.
  11. Under Roles, click Services Account Admin.
  12. Click OK to close the Properties dialog box.
  13. In the left pane, under the name of the site, click Configuration.
  14. Repeat Steps 4 through 12 for the Configuration container, which also appears in the tree.
  15. Repeat Steps 3 through 14 for each Windows user chosen to play the role of Cisco Unity Installation Account or Cisco Unity Service Account.

Microsoft Exchange 2000

In addition to the permissions granted by the Cisco Unity Permissions Wizard, you must grant additional Microsoft Exchange 2000 permissions to any Windows user assigned to play the role of Cisco Unity Installation Account or Cisco Unity Service Account.  Microsoft Exchange 2000 includes its own wizard, the Exchange Administration Delegation Wizard, for assigning Exchange administration permissions to Windows users.  To grant the appropriate level of Exchange administration permission to the users assigned to play Cisco Unity roles, follow these steps.

  1. On the Cisco Unity server, on the Windows Start menu, click Programs > Microsoft Exchange > System Manager.
  2. In the left pane of the Exchange System Manager MMC, right-click the organization name at the top of the tree control, and click Delegate Control to start the Exchange Administration Delegation Wizard.
  3. In the Welcome to the Exchange Administration Delegation Wizard dialog, click Next.
  4. In the Users or Groups dialog box, click Add.
  5. In the Delegate Control dialog box, click Browse.
  6. In the Select Users, Computers, or Groups dialog box, in the Look In list, click the name of the domain to which the Cisco Unity server belongs.
  7. In the list of users, computers, and groups, double-click the name of the installation or service account, and the Delegate Control dialog box reappears. The account you selected appears in the Group (recommended) or User box.
  8. If you are adding a Windows user to play the role of Cisco Unity Installation Account, click Exchange Full Administrator in the Role list.
  9. If you are adding a Windows user to play the role of Cisco Unity Service Account, click the applicable option in the Role list:
    1. Exchange Full Administrator - If you want to create Cisco Unity subscribers by using the Cisco Unity Administrator.
    2. Exchange View Only Administrator - If you do not want to create Cisco Unity subscribers by using the Cisco Unity Administrator (meaning that you will create Cisco Unity subscribers only by importing Active Directory accounts).
  10. Click OK to close the Delegate Control dialog box.
  11. Repeat Steps 4 through 10 for each Windows user chosen to play the role of Cisco Unity Installation Account or Cisco Unity Service Account.
  12. Click Next.
  13. Click Finish.
  14. Close the Exchange System Manager MMC.

 



Questions or problems regarding this web site should be directed to lindborg@cisco.com
Copyright © 2009 Cisco Systems, Inc.  All rights reserved.

Last modified: 03/27/09.