Checking the Current Permissions on Installation and Services Accounts (Exchange Only)
Checking Permissions
When you run Permissions Wizard and choose the report option, Permissions Wizard
checks and reports on the current status of permissions for the following Active Directory accounts:
- The account that you will use to install Cisco Unity.
- The account that Cisco Unity directory services will log on as.
- The account that Cisco Unity message store services will log on as.
Note the following:
- Before you can run Permissions Wizard to check permissions:
  - You must extend the Active Directory schema with Cisco Unity schema extensions.
  - Exchange must be installed.
- For a list of the rights, privileges, and group memberships that the Permissions Wizard
report option checks for, see Permissions Set By the Cisco Unity Permissions Wizard.
- Verifying settings with complete accuracy is not possible. In some cases, Permissions
Wizard may inaccurately report that an account has permissions that it does not or
report that an account does not have permissions that it does.
- If you run Permissions Wizard from a computer other than the Cisco Unity server,
Permissions Wizard cannot determine:
  - Whether accounts belong to the local Administrators group.
  - Whether accounts have the right to log on as a service, act as part of the
    operating system, or log on as a batch job.
- Permissions Wizard does not check whether you have delegated Exchange administrator
control to the installation and directory services accounts.
- By default, Permissions Wizard checks only the containers that you specify for creating
new users and groups and for importing subscribers, contacts, and public distribution
lists. If you want Permissions Wizard to check the child containers of the containers
you specify, in Tools Depot, run the Advanced Settings tool and change the value of
Permissions Wizard - Report Mode - Check Child Containers (Unity for Exchange Only). For
more information, see the online help.
Note: If you change this setting and then choose to report on OUs that contain a
large number of child OUs, the report may take overnight or longer to complete.
- By default, the report includes only settings that do not meet Unity requirements.
If you want the report to also include the settings that do meet Unity requirements, run
the Advanced Settings tool and change the value of Permissions Wizard - Report Mode -
Verbose Mode (Unity for Exchange Only). For more information, see the online help.
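The three user rights that Permissions Wizard cannot determine from another computer can be checked by hand on the Cisco Unity server itself. The following is an added example, not part of the Cisco documentation or of Permissions Wizard: it assumes a user-rights export made with secedit /export /cfg rights.inf /areas USER_RIGHTS, and the SIDs and account names in the sample are constructed.

```python
# Added example: not Cisco code. Parses the text of a secedit user-rights
# export (the real file is UTF-16; decode it before passing it in).

# Windows privilege constants for the three rights named in the note above.
RIGHTS = {
    "SeServiceLogonRight": "Log on as a service",
    "SeTcbPrivilege": "Act as part of the operating system",
    "SeBatchLogonRight": "Log on as a batch job",
}

# Constructed sample export; every SID and account name here is made up.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeServiceLogonRight = *S-1-5-20,*S-1-5-21-1111111111-2222222222-3333333333-1105,EXAMPLE\\UnityMsgStoreSvc
SeTcbPrivilege = *S-1-5-21-1111111111-2222222222-3333333333-1104
SeBatchLogonRight = *S-1-5-32-544,EXAMPLE\\UnityMsgStoreSvc
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_privilege_rights(text):
    """Return {right: set(principals)} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            # SIDs are written with a leading '*'; account names are bare.
            rights[name.strip()] = {p.strip().lstrip("*").lower()
                                    for p in value.split(",") if p.strip()}
    return rights

def rights_held(text, identifiers):
    """Map each checked right to True/False for one account.

    identifiers: the account's SID and/or its name as written in the export.
    Only direct assignments are seen; rights held through a group are not.
    """
    parsed = parse_privilege_rights(text)
    ids = {i.lower() for i in identifiers}
    return {label: bool(parsed.get(right, set()) & ids)
            for right, label in RIGHTS.items()}
```

Pass both the SID and the account name for each account, because the export can list a principal either way.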
To Check Permissions
- Log on to the Cisco Unity server by using an account that:
  - Is a member of the Domain Admins group in the domain in which the Cisco
    Unity server is being installed, or that has permissions equivalent to the
    default permissions for the Domain Admins group.
  - Is either an Exchange Full Administrator or a member of the Domain
    Admins group in the domain that contains all of the domains from which you want
    to import Cisco Unity subscribers.
Caution! If you try to run Permissions Wizard using an account that has less than the
default permissions for a Domain Admin, Permissions Wizard may not be able to check all
of the permissions for the installation and services accounts.
- On Cisco Unity DVD 1 or CD 1, or from the location to
which you saved the downloaded Cisco Unity CD 1 image files, browse to the
Utilities\PermissionsWizard directory, and run PermissionsWizard.exe.
Note: If Cisco Unity is already installed, you can run Permissions Wizard from
Tools Depot.
- On the Welcome to the Cisco Unity Permissions Wizard page, click
Report on Current Permissions.
- Click Next.
- On the Choose the Message Store page, click the version of Exchange on the Cisco Unity
partner Exchange server, Microsoft Exchange 2003 or Microsoft Exchange 2000.
Note: If Windows Server 2003 is installed on the Cisco Unity server, the option to
choose the Exchange version is not available. You must use Exchange 2003.
- Click Next.
- On the Choose the Cisco Unity Installation Account page, click Change and choose
the account that you want to use to install Cisco Unity. Permissions Wizard will compare
the current permissions for the specified account with the permissions required by the
Cisco Unity installation account.
- Click Next.
- On the Choose the Cisco Unity Directory Services Account page, click Change
and choose the account that you want Cisco Unity directory services to log on as.
Permissions Wizard will compare the current permissions for the specified account with
the permissions required by the Cisco Unity directory services account.
- Click Next.
- On the Choose the Cisco Unity Message Store Services Account page, click Change
and choose the account that you want Cisco Unity message store services to log on as.
Permissions Wizard will compare the current permissions for the specified account with
the permissions required by the Cisco Unity message store services account.
- Click Next.
- On the Choose Which Objects Cisco Unity Administrator Can Create page, choose whether you want
the Cisco Unity Administrator to be able to create new Active Directory users, contacts, and
groups. For each object type you choose, Permissions Wizard will check the directory services
account to determine whether it has the rights necessary to create that type of object in
Active Directory.
For example, if you check the Users check box, Permissions Wizard will check
whether the directory services account can create Active Directory users. If the account
does not have the permission necessary to create users, you cannot create Cisco Unity
subscribers using the Cisco Unity Administrator; you can only create subscribers by
importing existing Active Directory users.
- Click Next.
- Cisco Unity needs access to one or more Active Directory organizational units to create
users (Cisco Unity subscribers) and groups (Cisco Unity distribution lists). On the
Choose Active Directory Containers for New Users and Groups page, choose the following:
  - The domain in which you want new users and groups to be created.
  - The organizational unit (OU) in which you want users to be created. This is
    where Cisco Unity example users will be created during Cisco Unity
    installation.
  - The OU in which you want groups to be created.
Permissions Wizard will check the installation, directory services, and message store services
accounts to determine whether they have the necessary permissions on the organizational units
that you select here.
- Click Next.
- On the Where Should Cisco Unity Create ciscoEcsbuUMLocationObjects page, choose the
organizational unit where you want Cisco Unity location objects to be created.
Permissions Wizard will check the installation and directory services accounts to verify that
they have the necessary permissions on the organizational unit that you select here.
- Click Next.
- On the Choose Active Directory Containers for Import page, choose the Active Directory
containers from which you want to import users, contacts, and groups to make them Cisco Unity
subscribers and public distribution lists.
Permissions Wizard will check the directory services and message store service accounts to
determine whether they have the necessary permissions on the containers that you select
here.
Note the following:
  - You must choose a container for the domain that includes the Cisco Unity server.
  - If you are using Digital Networking to connect multiple Cisco Unity servers, and:
    - If you will be importing users from the same container for every
      Cisco Unity server, choose that container. For example, if CiscoUnityServer1
      and CiscoUnityServer2 will both be importing users from Container1 only, choose
      Container1.
    - If, for all of the Cisco Unity servers combined, you will be
      importing users from two or more containers, the Cisco Unity message store
      services account on each Cisco Unity server must have SendAs permission
      on every container from which users will be imported on every Cisco Unity
      server in the forest. For example, if CiscoUnityServer1 will import users from
      Container1 and Container2, and if CiscoUnityServer2 will import users from
      Container3 and Container4, the Cisco Unity message store services account for
      each Cisco Unity server must have SendAs permission for all four containers.
  - If you are using identified subscriber messaging for AMIS, Bridge, or
    VPIM subscribers, and:
    - If you will be importing contacts from the same container
      for every Cisco Unity server, choose that container. For example, if
      CiscoUnityServer1 and CiscoUnityServer2 will both be importing contacts from
      Container1 only, choose Container1.
    - If, for all of the Cisco Unity servers combined, you will be importing
      contacts from two or more containers, the Cisco Unity message store services
      account on each Cisco Unity server must have SendAs permission on every
      container from which contacts will be imported on every Cisco Unity server in
      the forest. For example, if CiscoUnityServer1 will import contacts from
      Container1 and Container2, and if CiscoUnityServer2 will import contacts from
      Container3 and Container4, the Cisco Unity message store services account for
      each Cisco Unity server must have SendAs permission for all four containers.
- Click Next.
- On the Choose Whether Cisco Unity Can Administer Active Directory page, choose whether
changes that you make to Cisco Unity data using Cisco Unity tools should change the
corresponding values (for example, First Name and Last Name) in Active Directory.
If you check the Allow Cisco Unity to Administer Active Directory check box, Permissions Wizard
will check the directory services account to determine whether it has the permissions necessary
to update selected values in Active Directory.
- Click Next.
- On the Choose Mailstores page, click Choose Mailstores, and choose
the mailstores to which you want Cisco Unity to have access.
Permissions Wizard checks the message store services account for send-as and receive-as rights
for the selected mailstores.
- Click Next.
- On the Choose Whether Active Directory Admin Accounts Can Have Voice Mail page,
choose whether you want Active Directory accounts that are used for administration
to also be used as Cisco Unity subscriber accounts.
If you check the Allow Active Directory Administrator and Operator Accounts to Have
Voice Mail check box, Permissions Wizard will check the directory services and message store
services accounts to determine whether they have the necessary permissions.
- Click Next.
- To run the report, click Next.
- While Permissions Wizard is checking permissions on the accounts you chose using the
specifications you selected, the following page displays.
- When Permissions Wizard completes, the report appears.
Logging and Diagnostics
The Cisco Unity Permissions Wizard generates two log files
and saves them in the current temp directory.
PWReportResults.html
PWReportResults.html contains all results from the Cisco Unity
Permissions Wizard.
By default, the report includes only permission settings that do not meet
Cisco Unity requirements. If you want the report to include settings that do meet Cisco Unity
requirements, run the Advanced Settings tool and change the value of Permissions Wizard -
Report Mode - Verbose Mode (Unity for Exchange Only).
In some cases, individual rights may be combined into a
single entry.
PWReportResults.xml
PWReportResults.xml contains everything in PWReportResults.html, plus low-level
engineering diagnostics and error messages that can be used by Cisco engineers to diagnose
anomalous behavior.
PWResults.log
PWResults.log is mainly useful if Permissions Wizard does not finish or if
the report does not display. PWReportResults.html and PWReportResults.xml are only saved to disk
when Permissions Wizard completes, but PWResults.log is saved as Permissions Wizard is processing.
Revision History
Version 2.2.0.34, 2/28/2006: For Cisco Unity 4.2(1), report mode added.
© 2004 - 2006 Cisco Systems, Inc. -- Company Confidential