Permissions Set By the Cisco Unity Permissions Wizard

Contents

Permissions Set By the Cisco Unity Permissions Wizard When Subscribers Are Homed in Domino. 2

Permissions Set for the Installation Account 2

User Rights. 2

Group Membership. 2

Permissions Set for the Directory and Message Store Services Account 2

User Rights. 2

Group Membership. 2

Permissions Set By the Cisco Unity Permissions Wizard When Subscribers Are Homed in Exchange 2003 or Exchange 2000 (With or Without Exchange 5.5)  2

Permissions Set for the Installation Account 2

User Rights. 2

Group Membership. 3

Active Directory Permissions. 3

Permissions Set for the Directory Services Account 3

User Rights. 3

Group Membership. 4

Active Directory Permissions. 4

Permissions Set for the Message Store Services Account 5

User Rights. 5

Group Membership. 5

Exchange Permissions. 6

Permissions Set By the Cisco Unity Permissions Wizard When Subscribers Are Homed Only in Exchange 5.5. 6

Permissions Set for the Installation Account 6

User Rights. 6

Group Membership. 6

Permissions Set for the Directory and Message Store Services Account 7

User Rights. 7

Group Membership. 7

Revision History. 7

 

Permissions Set By the Cisco Unity Permissions Wizard When Subscribers Are Homed in Domino

Permissions Set for the Installation Account

User Rights

The installation account is granted the following user rights:

*          Log on as a service

*          Act as part of the operating system

*          Log on as a batch job

Group Membership

The installation account is added to one of the following groups:

*          The Administrators group, when the Cisco Unity server is a domain controller

*          The Local Administrators group, when the Cisco Unity server is not a domain controller

Permissions Set for the Directory and Message Store Services Account

User Rights

The directory and message store services account is granted the following user rights:

*          Log on as a service

*          Act as part of the operating system

*          Log on as a batch job

Group Membership

The directory and message store services account is added to one of the following groups:

*          The Administrators group, when the Cisco Unity server is a domain controller

*          The Local Administrators group, when the Cisco Unity server is not a domain controller

Permissions Set By the Cisco Unity Permissions Wizard When Subscribers Are Homed in Exchange 2003 and/or Exchange 2000 (With or Without Exchange 5.5)

Permissions Set for the Installation Account

User Rights

The installation account is granted the following user rights:

*          Log on as a service

*          Act as part of the operating system

*          Log on as a batch job

Group Membership

The installation account is added to one of the following groups:

*          The Administrators group, when the Cisco Unity server is a domain controller

*          The Local Administrators group, when the Cisco Unity server is not a domain controller

Active Directory Permissions

If any Exchange 2000 users will be Cisco Unity subscribers (regardless of whether any Exchange 5.5 users will also be Cisco Unity subscribers), Cisco Unity Permissions Wizard sets the following permissions for the installation account.

Container
 

Where new users are created
Applied onto this object only

*          Create User objects

Applied onto User objects

*          Read properties

*          Write properties

*          List contents

*          Change password

*          Reset password

Where new groups are created
Applied onto this object only

*          Create Group objects

Applied onto Group objects

*          Read properties

*          Write properties

*          List contents

Where Cisco Unity location objects are created
Applied onto this object and all child objects

*          Create CiscoEcsbuUMLocation objects

Applied onto CiscoEcsbuUMLocation objects

*          Full control

Permissions Set for the Directory Services Account

User Rights

The directory services account is granted the following user rights:

*          Log on as a service

*          Act as part of the operating system

*          Log on as a batch job

Group Membership

The directory services account is added to one of the following groups:

*          The Administrators group, when the Cisco Unity server is a domain controller

*          The Local Administrators group, when the Cisco Unity server is not a domain controller

Active Directory Permissions

If any Exchange 2003 and/or 2000 users will be Cisco Unity subscribers (regardless of whether any Exchange 5.5 users will also be Cisco Unity subscribers), Cisco Unity Permissions Wizard sets the following permissions for the service account.

Container

Permissions

Where new users are created

Applied onto this object only. Set only if creating users via Cisco Unity Administrator is allowed.

*          Create User objects

*          Delete User objects

Applied onto this object only. Set only if creating contacts via Cisco Unity Administrator is allowed.

*          Create Contact objects

*          Delete Contact objects

Applied onto User objects

*          Read properties

*          Write properties

*          List contents

*          Change Password. Set only if creating users via Cisco Unity Administrator is allowed.

*          Reset Password. Set only if creating users via Cisco Unity Administrator is allowed.

Applied onto Contact objects

*          Read properties

*          Write properties

*          List contents

Where new groups are created

Applied onto this object only. Set only if creating groups via Cisco Unity Administrator is allowed.

*          Create Group objects

*          Delete Group onjects

Applied onto Group objects

*          Read properties

*          Write properties

*          List contents

Where Cisco Unity location objects are created
Applied onto this object and all child objects

*          Create CiscoEcsbuUMLocation objects

Applied onto CiscoEcsbuUMLocation objects

*          Full control

Where imported objects are imported from
Applied onto User objects

*          Read properties

*          Write properties

*          List contents

Applied onto Group objects

*          Read properties

*          Write properties

*          List contents

Applied onto Contact objects

*          Read properties

*          Write properties

*          List contents

Deleted Objects
Applied onto child objects in every domain that contains Cisco Unity subscribers or groups

*          Read properties

*          List contents

System\AdminSDHolder object *
Applied on “This object only” in every domain that contains Cisco Unity subscribers.

*          Read properties

*          Write properties

*          List contents

If any Active Directory or Windows NT user accounts that are members of administrative groups will also be Cisco Unity subscribers, these permissions must be set. Otherwise, the permissions are optional. For more information about the AdminSDHolder object, refer to the Microsoft website.

To prevent Permissions Wizard from setting these permissions, create a DWORD value in the registry:

HKLM\Software\Active Voice\PermissionsWizard\AdminSDHolder

and set it to 0.

Permissions Set for the Message Store Services Account

User Rights

The message store services account is granted the following user rights:

*          Log on as a service

*          Act as part of the operating system

*          Log on as a batch job

Group Membership

The message store services account is added to one of the following groups:

*          The Administrators group, when the Cisco Unity server is a domain controller

*          The Local Administrators group, when the Cisco Unity server is not a domain controller

Active Directory Permissions

Container

Permissions

Where new users are created
Applied onto User objects

*          Send-As

Applied onto Contact objects

*          Send-As

Where imported objects are imported from

Applied onto User objects

*          Send-As

Applied onto Contact objects

*          Send-As

System\AdminSDHolder object *
Applied on “This object only” in every domain that contains Cisco Unity subscribers.

*          Send-As

If any Active Directory or Windows NT user accounts that are members of administrative groups will also be Cisco Unity subscribers, this permission must be set. Otherwise, the permission is optional. For more information about the AdminSDHolder object, refer to the Microsoft website.

To prevent Permissions Wizard from setting this permission, create a DWORD value in the registry:

HKLM\Software\Active Voice\PermissionsWizard\AdminSDHolder

and set it to 0.

Exchange Permissions

The message store services account is granted the following permissions on the Exchange 2003 and/or Exchange 2000 mailstores that are selected in Permissions wizard.

*          Send-As

*          Receive-As

*          Administer Information Store

*          View Information Store Status

Permissions Set By the Cisco Unity Permissions Wizard When Subscribers Are Homed Only in Exchange 5.5

Permissions Set for the Installation Account

User Rights

The installation account is granted the following user rights:

*          Log on as a service

*          Act as part of the operating system

*          Log on as a batch job

When the Cisco Unity server is a Windows 2000 Server domain controller, or is a member of a Windows 2000 Server or Windows Server 2003 domain, the installation account is granted the following rights on the Users container:

Applied onto this object only. Set only if creating users via Cisco Unity Administrator is allowed.

*          Create User objects

Applied onto User objects

*          Read properties

*          Write properties

*          List contents

*          Change Password. Set only if creating users via Cisco Unity Administrator is allowed.

*          Reset Password. Set only if creating users via Cisco Unity Administrator is allowed.

Group Membership

The installation account is added to one of the following groups:

*          The Administrators group, when the Cisco Unity server is a domain controller in a Windows 2000 Server domain

*          The Local Administrators group, when the Cisco Unity server is a member server in a Windows 2000 Server or Windows Server 2003 domain

*          The Domain Admins group, when the Cisco Unity server is not a Windows 2000 Server domain controller, and is not a member of either a Windows 2000 Server or Windows Server 2003 domain

Permissions Set for the Directory and Message Store Services Account

User Rights

The directory and message store services account is granted the following user rights:

*          Log on as a service

*          Act as part of the operating system

*          Log on as a batch job

When the Cisco Unity server is a Windows 2000 Server domain controller, or is a member of a Windows 2000 Server or Windows Server 2003 domain, the directory and message store services account is granted the following rights on the Users container:

Applied onto this object only

*          Create User objects

*          Delete User objects

Applied onto User objects

*          Read properties

*          Write properties

*          List contents

*          Change Password

*          Reset Password

When the Cisco Unity server is not a Windows 2000 Server domain controller, and is not a member of either a Windows 2000 Server or Windows Server 2003 domain, the directory and message store services account is added to the Domain Admins group.

Group Membership

The directory and message store services account is added to one of the following groups:

*          The Administrators group, when the Cisco Unity server is a domain controller

*          The Local Administrators group, when the Cisco Unity server is not a domain controller

Revision History

1.0.0 – Initial version.

1.1.0 – Updated for Cisco Unity 4.0(3)

© 2003 Cisco Systems, Inc. -- Company Confidential