Permissions Granted by the Cisco Unity 5.0(1)+ Permissions Wizard

Contents

Permissions Granted for Cisco Unity for Exchange

How Permissions Wizard Options Affect Which Permissions Are Granted

Installation Account

Installation Account: Group Membership

Installation Account: User Privileges

Installation Account: Active Directory Permissions

Installation Account: Group Container

Installation Account: Location Container (ciscoEcsbuUMLocation)

Installation Account: Microsoft Exchange Containers

Installation Account: User Container (Users)

Directory Services Account

Directory Services Account: AdminSDHolder System Object

Directory Services Account: Group Membership

Directory Services Account: User Privileges

Directory Services Account: Active Directory Permissions

Directory Services Account: Computers Container and Domain Controllers Container

Directory Services Account: Deleted Items Container

Directory Services Account: Group Container

Directory Services Account: Location Container (ciscoEcsbuUMLocation)

Directory Services Account: Microsoft Exchange Containers

Directory Services Account: User Container (Users or Contacts)

Message Store Services Account

Message Store Services Account: Group Membership

Message Store Services Account: User Privileges

Message Store Services Account: Exchange Permissions

Exchange Enterprise Servers Group

AdminSDHolder System Object

COM Security

Permissions Granted for Cisco Unity for Domino

Installation Account

Group Membership

User Privileges

Directory and Message Store Services Account

Group Membership

User Privileges

COM Security

Attributes in the ciscoEcsbuUnityInformation Property Set

List of Tables

Table 1: How Permissions Wizard Options Affect Which Permissions Are Granted for Exchange

Installation Account

Table 2: Permissions Granted to the Installation Account in the Group Container Applied onto Group Objects

Table 3: Permissions Granted to the Installation Account in the User Container Applied onto User Objects

Directory Services Account

Table 4: Permissions Granted to the Directory Services Account in the Computers Container and the Domain Controllers Container Applied onto Computer Objects

Table 5: Permissions Granted to the Directory Services Account on the Group Container

Table 6: Permissions Granted to the Directory Services Account in the User Container Applied onto User Objects

Table 7: Permissions Granted to the Directory Services Account in the User Container Applied onto Contact Objects

Exchange Enterprise Servers Group

Table 8: Permissions Granted to the Exchange Enterprise Servers Group

AdminSDHolder Object

Table 9: Permissions Granted to the Directory Services Account Applied onto the AdminSDHolder Object

Table 10: Attributes in the ciscoEcsbuUnityInformation Property Set

Permissions Granted for Cisco Unity for Exchange

The permissions that the Permissions wizard grants for Cisco Unity for Exchange are determined by the options you choose when you run the Permissions wizard. Note the following:

  • Unless otherwise specified, all of the permissions listed in this section are always granted.
  • In all tables, R = Read permission and W = Write permission.

How Permissions Wizard Options Affect Which Permissions Are Granted for Exchange

The permissions granted by the Permissions wizard for Exchange depend on the options you choose when you run the wizard. The following table summarizes the correlation between options and permissions granted.

Table 1: How Permissions Wizard Options Affect Which Permissions Are Granted for Exchange

Permissions Wizard Page: Choose the Message Store
  Options: Microsoft Exchange 2000; Microsoft Exchange 2003; Microsoft Exchange 2007
  Effect on Permissions: There is currently no difference in the permissions granted, but the option you choose here is used by other wizards later in the installation process.

Permissions Wizard Page: Choose the Cisco Unity Installation Account
  Option: Installation Account
  Effect on Permissions: The account you select is given the permissions specified in the section Installation Account.

Permissions Wizard Page: Choose the Cisco Unity Directory Services Account
  Option: Directory Services Account
  Effect on Permissions: The account you select is given the permissions specified in the section Directory Services Account.

Permissions Wizard Page: Choose the Cisco Unity Message Store Services Account
  Option: Message Store Services Account
  Effect on Permissions: The account you select is given the permissions specified in the section Message Store Services Account.

Permissions Wizard Page: Choose Whether to Enable Voice Messaging Interoperability
  Option: Set Permissions Required by AMIS, Cisco Unity Bridge, and VPIM
  Effect on Permissions: When you check this check box, several check boxes later in the Permissions wizard are automatically checked and disabled, so they cannot be changed:
    • On the Choose Which Objects Cisco Unity Administrator Can Create page, the following check boxes are checked:
      • Users
      • Contacts
    • On the Choose Whether Cisco Unity Can Administer Active Directory page, the Allow Cisco Unity to Administer Active Directory check box is checked.
  In addition, the Exchange Enterprise Servers group is given the permissions specified in the section Exchange Enterprise Servers Group.

Permissions Wizard Page: Choose Active Directory Containers for New Users and Groups
  Option: Domain
  Effect on Permissions: You must choose one domain that applies to both the users container and the groups container.
  Option: Users (Cisco Unity Subscribers)
  Effect on Permissions: See the following sections:
  Option: Groups (Cisco Unity Public Distribution Lists)
  Effect on Permissions: See the Directory Services Account: Group Container section.

Permissions Wizard Page: Choose Which Objects Cisco Unity Administrator Can Create
  Option: Users
  Effect on Permissions: See the Directory Services Account: User Container (Users or Contacts) section.
  Option: Contacts
  Effect on Permissions: See the Directory Services Account: User Container (Users or Contacts) section.
  Option: Groups
  Effect on Permissions: See the Directory Services Account: Group Container section.

Permissions Wizard Page: Choose the AD Container for ciscoEcsbuUMLocation Objects
  Option: Choose Where You Want Cisco Unity to Create Location Objects
  Effect on Permissions: For the installation account, see Installation Account: Location Container (ciscoEcsbuUMLocation). For the directory services account, see Directory Services Account: Location Container (ciscoEcsbuUMLocation).

Permissions Wizard Page: Choose Active Directory Containers for Computers
  Option: Active Directory Containers
  Effect on Permissions: See the Directory Services Account: Computers Container and Domain Controllers Container section.

Permissions Wizard Page: Choose Active Directory Containers for Import
  Option: Active Directory Containers
  Effect on Permissions: For the containers you specify and their child containers, the Permissions wizard grants the directory services account the permissions listed under "Permissions Granted When You Do Not Allow Cisco Unity Administrator to Create [Groups|Users|Contacts]" in the following tables:
  The Permissions wizard also grants permission to the message store services account. See Message Store Services Account: Exchange Permissions.

Permissions Wizard Page: Choose Whether Cisco Unity Can Administer Active Directory
  Option: Allow Cisco Unity to Administer Active Directory
  Effect on Permissions: When you choose to allow Cisco Unity to administer Active Directory, the Permissions wizard grants the permissions listed in the "Permissions Granted When You Allow Cisco Unity to Administer Active Directory" column in the following tables:
  When you choose not to allow Cisco Unity to administer Active Directory, the Permissions wizard grants the permissions listed in the "Permissions Granted When You Do Not Allow Cisco Unity to Administer Active Directory" column.
  This option determines whether changes that you make to Cisco Unity data using Cisco Unity tools also change the corresponding values in Active Directory. For example, if you enable this option, you can use the Cisco Unity Administrator to:
    • Change Cisco Unity public distribution list memberships, which automatically changes the corresponding group memberships in Active Directory.
    • Change Cisco Unity subscriber and Internet subscriber settings that have corresponding values in Active Directory, for example, First Name and Last Name.
    • Delete the Active Directory contact associated with AMIS, Bridge, Internet, or VPIM subscribers.

Permissions Wizard Page: Choose Mailstores
  Option: Choose Mailstores
  Effect on Permissions: See the section Message Store Services Account: Exchange Permissions.

Permissions Wizard Page: Choose Whether AD Admin Accounts Can Have Voice Mail
  Option: Allow Active Directory Administrator and Operator Accounts to Have Voice Mail (Not Recommended)
  Effect on Permissions: See the section AdminSDHolder System Object.

Permissions Wizard Page: Choose Whether to Grant DCOM Rights
  Option: Grant DCOM Rights and Enable the MediaMaster Control
  Effect on Permissions: See the section COM Security.

Installation Account

The Permissions wizard grants the installation account the permissions listed in this section.

Note: If you are concerned about the installation account being available after the Cisco Unity installation is complete, you can disable the account in Active Directory Users and Computers. We recommend that you not delete it because when you upgrade to a later version of Cisco Unity you will again need an installation account with the same permissions. If you delete the current account, you will have to create another, re-run the Cisco Unity Permissions wizard to set the required permissions, and re-delegate Exchange Administrator control.

Installation Account: Group Membership

The installation account is added to the local Administrators group.

Installation Account: User Privileges

The installation account is granted the following user privileges:

  • Log on as a service
  • Act as part of the operating system
  • Log on as a batch job

Installation Account: Active Directory Permissions

Installation Account: Group Container

On the Choose Active Directory Containers for New Users and Groups page, you choose the container in which you want the installation account to create default groups (default Cisco Unity public distribution lists). To enable the installation account to create default groups, the Permissions wizard grants the installation account Create Objects (Group Objects) permission on the container you specify.

In addition, the Permissions wizard grants the permissions listed in Table 2.

Table 2: Permissions Granted to the Installation Account in the Group Container Applied onto Group Objects

| Active Directory Attribute Name (ADSI Name) | Permissions Granted | Cisco Unity Attribute Name |
|---|---|---|
| cn (Name) | W | (Used internally) |
| ciscoEcsbuUnityInformation property set (see Attributes in the ciscoEcsbuUnityInformation Property Set) | W | See Attributes in the ciscoEcsbuUnityInformation Property Set |
| displayName (Display Name) | W | AVP_DISPLAY_NAME |
| groupType | W | (Used internally) |
| mail (E-mail Address) | W | AVP_SMTP_ADDRESS |
| mailNickname (Alias) | W | AVP_ALIAS |
| member | W | AVP_MEMBERS |
| msExchHideFromAddressLists | W | AVP_HIDDEN_IN_DIRECTORY |
| name | W | (Used internally) |
| proxyAddresses | W | (Required by Exchange) |
| samAccountName (Group Name (Pre-Windows 2000)) | W | AVP_ACCOUNT_NAME |
| showInAdvancedViewOnly | W | AVP_HIDDEN_IN_DIRECTORY |

Installation Account: Location Container (ciscoEcsbuUMLocation)

On the Choose the AD Container for ciscoEcsbuUMLocation Objects page, you choose the container where you want Cisco Unity location objects to be created. The Permissions wizard grants the installation account the following permissions on the specified container:

  • Create ciscoEcsbuUMLocation Objects
  • Full Control (ciscoEcsbuUMLocation objects)

Note: Regardless of which container you select, the Permissions wizard automatically creates:

  • An OU named Unity at the top level of the Active Directory domain that contains the Cisco Unity server.
  • An OU named Locations below the Unity OU.

If you choose a different location for location objects, the Unity and Locations OUs are not deleted, but no permissions are granted on them, either.

The Permissions wizard creates Unity and Locations OUs only once in a domain. If you rerun the Permissions wizard, either on the same server or on another server (for example, because you are adding another Cisco Unity server to the same domain), the Permissions wizard does not create additional OUs. If you delete the OUs, next time you rerun the Permissions wizard, the wizard recreates them.

Installation Account: Microsoft Exchange Containers

The Permissions wizard does not grant permissions on Microsoft Exchange containers, but Cisco Unity requires the permissions that are granted when you delegate Exchange Administrator control to the Cisco Unity installation account. For more information, refer to the Microsoft website.

Installation Account: User Container (Users)

On the Choose Active Directory Container for New Users and Groups page, you choose the container in which you want the installation account to create default users.

The Permissions wizard grants the installation account the following permissions on the container you choose:

  • Create Objects (user objects)
  • Change Password (user objects). This permission is also granted to subcontainers of the container you choose.
  • Reset Password (user objects). This permission is also granted to subcontainers of the container you choose.

The Permissions wizard also grants the permissions listed in Table 3.

Table 3: Permissions Granted to the Installation Account in the User Container Applied onto User Objects

| Active Directory Attribute Name (ADSI Attribute Name) | Permissions Granted | Cisco Unity Attribute |
|---|---|---|
| adminDisplayName | W | (Used internally) |
| autoReplyMessage (ILS Settings) | W | (Used internally) |
| ciscoEcsbuUnityInformation property set (see Attributes in the ciscoEcsbuUnityInformation Property Set) | W | See Attributes in the ciscoEcsbuUnityInformation Property Set |
| cn (Name) | W | (Used internally) |
| displayName (Display Name) | W | AVP_DISPLAY_NAME |
| dLMemDefault | W | (Used internally) |
| facsimileTelephoneNumber (FAX Number) | W | AVP_PRIMARY_FAX_NUMBER |
| givenName (First Name) | W | AVP_FIRST_NAME |
| homeMDB (Exchange Mailbox Store) | W | AVP_MAIL_DATABASE, AVP_MAIL_SERVER |
| homeMTA | W | (Used internally) |
| legacyExchangeDn | W | AVP_MAILBOX_ID, AVP_EMAIL_ADDRESS |
| mail (E-mail Address) | W | AVP_SMTP_ADDRESS |
| mailNickname (Alias) | W | AVP_ALIAS |
| mapiRecipient | W | (Used internally) |
| mDBUseDefaults | W | AVP_MAILBOX_USE_DEFAULT_LIMITS |
| msExchADCGlobalNames | W | (Used internally) |
| msExchControllingZone | W | (Used internally) |
| msExchFBURL | W | (Used internally) |
| msExchHideFromAddressLists | W | AVP_HIDDEN_IN_DIRECTORY |
| msExchHomeServerName (Exchange Home Server) | W | (Used internally) |
| msExchMailboxGuid | W | (Used internally) |
| msExchMailboxSecurityDescriptor | W | (Used internally) |
| msExchMasterAccountSid | W | (Used internally) |
| msExchPoliciesExcluded | W | (Used internally) |
| msExchPoliciesIncluded | W | (Used internally) |
| msExchResourceGUID | W | (Used internally) |
| msExchUserAccountControl | W | (Used internally) |
| name | W | (Used internally) |
| proxyAddresses | W | (Used internally) |
| samAccountName (Logon Name (Pre-Windows 2000)) | W | AVP_ACCOUNT_NAME |
| samAccountType | W | (Used internally) |
| showInAddressBook | W | (Used internally) |
| showInAdvancedViewOnly | W | AVP_HIDDEN_IN_DIRECTORY |
| sn (Last Name) | W | AVP_LAST_NAME |
| targetAddress | W | (Used internally) |
| textEncodedORAddress | W | (Used internally) |
| userAccountControl | R,W | (Used internally) |
| userPrincipalName (Logon Name) | W | (Used internally) |
| uSNChanged | R | AVP_OBJECT_CHANGED_ID |

Directory Services Account

After Cisco Unity is installed, the directory services account is the account that Cisco Unity uses to access Active Directory. The Permissions wizard grants the directory services account the permissions listed in this section.

Note: The directory services account cannot be disabled or deleted, or Cisco Unity will not function.

Directory Services Account: AdminSDHolder System Object

See the section AdminSDHolder System Object.

Directory Services Account: Group Membership

The directory services account is added to the local Administrators group.

Directory Services Account: User Privileges

The directory services account is granted the following user privileges:

  • Log on as a service
  • Act as part of the operating system
  • Log on as a batch job

Directory Services Account: Active Directory Permissions

Directory Services Account: Computers Container and Domain Controllers Container

By default, the Permissions wizard grants the directory services account the permissions listed in Table 4 to the Computers and the Domain Controllers containers. On the Choose Active Directory Containers for Computers page, you can choose to grant these same permissions to other containers in addition to the default containers or to other containers instead of the default containers.

Table 4: Permissions Granted to the Directory Services Account in the Computers Container and the Domain Controllers Container Applied onto Computer Objects

| Active Directory Attribute Name (ADSI Name) | Permissions Granted | Cisco Unity Attribute Name |
|---|---|---|
| ciscoEcsbuObjectType | R,W | AVP_OBJECT_TYPE |
| ciscoEcsbuUMLocationObjectId | R | AVP_ENCRYPTION_PUBLIC_KEY |
| ciscoEcsbuUMLocationObjectId | R,W | AVP_LOCATION_OBJECT_ID |
| dnsHostName | R | (Used internally) |
| isDeleted | R | (Used internally) |
| name | R | AVP_RELATIVE_DISTINGUISHED_NAME |
| objectGUID | R | AVP_DIRECTORY_ID |
| samAccountName (Computer Name (Pre-Windows 2000)) | R | (Used internally) |
| uSNChanged | R | AVP_OBJECT_CHANGED_ID |

Directory Services Account: Deleted Items Container

The directory services account needs to watch the pseudo-deleted items containers so it can detect users, groups, and locations being deleted and keep the Cisco Unity SQL Server database up to date. The Permissions wizard grants the following access to the deleted items container in each domain selected:

  • List Contents (all objects)
  • Read All Properties

For more information on the deleted items folder, see Microsoft Knowledge Base article 258310, Viewing Deleted Objects in Active Directory, available on the Microsoft website.

Directory Services Account: Group Container

On the Permissions wizard Choose Active Directory Containers for New Users and Groups page, you choose the container in which Cisco Unity creates default groups. The Permissions wizard grants the directory services account the following permissions on the specified container:

  • Create Objects (group objects), if you check the Groups check box on the Choose Which Objects Cisco Unity Administrator Can Create page
  • Delete Objects (group objects), if you check both of the following check boxes:
    • The Groups check box on the Choose Which Objects Cisco Unity Administrator Can Create page
    • The Allow Cisco Unity to Administer Active Directory check box on the Choose Whether Cisco Unity Can Administer Active Directory page
  • List Contents (group objects)

In addition, the Permissions wizard grants the directory services account the applicable permissions listed in Table 5 on the container you specify for groups. The permissions granted depend on whether you:

  • Check the Groups check box on the Choose Which Objects Cisco Unity Administrator Can Create page.
  • Check the Allow Cisco Unity to Administer Active Directory check box on the Choose Whether Cisco Unity Can Administer Active Directory page.

Table 5: Permissions Granted to the Directory Services Account on the Group Container

Column key: "Create Groups: Yes/No" means the Groups check box on the Choose Which Objects Cisco Unity Administrator Can Create page is checked or not checked; "Administer AD: Yes/No" means the Allow Cisco Unity to Administer Active Directory check box on the Choose Whether Cisco Unity Can Administer Active Directory page is checked or not checked. A blank cell means no permission is listed for that combination.

| Active Directory Attribute Name (ADSI Attribute Name) | Create Groups: Yes, Administer AD: Yes | Create Groups: Yes, Administer AD: No | Create Groups: No, Administer AD: Yes | Create Groups: No, Administer AD: No | Cisco Unity Attribute Name |
|---|---|---|---|---|---|
| canonicalName | R | R | R | R | (Used internally) |
| ciscoEcsbuUnityInformation property set (see Attributes in the ciscoEcsbuUnityInformation Property Set) | R,W | R,W | R,W | R,W | See Attributes in the ciscoEcsbuUnityInformation Property Set |
| cn (Name) | R,W | R,W | R | R | (Used internally) |
| displayName (Display Name) | R,W | R,W | R,W | R | AVP_DISPLAY_NAME |
| distinguishedName (X500 Distinguished Name) | R | R | R | R | AVP_DISTINGUISHED_NAME |
| groupType | R,W | R,W | R | R | (Used internally) |
| isDeleted | R | R | R | R | (Used internally) |
| legacyExchangeDn | R | R | R | R | AVP_EMAIL_ADDRESS |
| mail (E-mail Address) | R,W | R,W | R | R | AVP_SMTP_ADDRESS |
| mailNickname (Alias) | R,W | R,W | R,W | R | AVP_ALIAS |
| member | R,W | R,W | R,W | R,W | AVP_MEMBERS |
| memberOf (Member Of) | R | R | R | R | (Used internally) |
| msExchHideFromAddressLists | R,W | R,W | R,W | R | AVP_HIDDEN_IN_DIRECTORY |
| msExchHomeServerName (This attribute cannot be displayed in ADSI.) | R | R | R | R | (Used internally) |
| name | R,W | R,W | R | R | (Used internally) |
| objectCategory | R | R | R | R | AVP_DIRECTORY_OBJECT_TYPE |
| objectClass | R | R | R | R | (Used internally) |
| objectGuid | R | R | R | R | AVP_DIRECTORY_ID |
| proxyAddresses | W | W |  |  | (Required by Exchange) |
| samAccountName (Group Name (Pre-Windows 2000)) | R,W | R | R,W | R | AVP_ACCOUNT_NAME |
| showInAdvancedViewOnly | R,W | R,W | R,W | R | AVP_HIDDEN_IN_DIRECTORY |
| uSNChanged | R | R | R | R | AVP_OBJECT_CHANGED_ID |

Directory Services Account: Location Container (ciscoEcsbuUMLocation)

On the Choose the AD Container for ciscoEcsbuUMLocation Objects page, you choose the container where you want Cisco Unity location objects to be created. The Permissions wizard grants the directory services account the following permissions on the specified container:

  • Create ciscoEcsbuUMLocation Objects
  • Full Control (ciscoEcsbuUMLocation objects)

For more information on the ciscoEcsbuUMLocation location container, see Installation Account: Location Container (ciscoEcsbuUMLocation).

Directory Services Account: Microsoft Exchange Containers

The Permissions wizard does not grant permissions on Microsoft Exchange containers, but Cisco Unity requires the permissions that are granted when you delegate either Exchange Administrator or Exchange View Only Administrator control to the Cisco Unity directory services account. For more information, refer to Microsoft.com.

Note: To manage Exchange mailboxes, Microsoft requires Exchange View-Only Administrator control and write permissions on a number of attributes. Cisco Unity requires these permissions when it is configured to allow creating subscribers using the Cisco Unity Administrator. (When subscribers are created only by importing accounts from Active Directory, Cisco Unity does not require these additional permissions.) For more information, refer to Microsoft Knowledge Base article 316792, Minimum Permissions Necessary to Perform Exchange-Related Tasks, available on Microsoft.com.

Directory Services Account: User Container (Users or Contacts)

On the Choose Active Directory Container for New Users and Groups page, you choose the container where you want new users (including contacts) to be created.

For more information on how Cisco Unity uses contacts, refer to the subsection “Internet Subscribers” in the section “SMTP Networking Concepts and Definitions” in the chapter “SMTP Networking” in the Networking in Cisco Unity Guide. The Networking in Cisco Unity Guide is available at http://www.cisco.com/univercd/cc/td/doc/product/voice/c_unity/unity40/net/net405/ex/index.htm.

User Objects

The Permissions wizard grants the directory services account the following permissions on the container you choose:

  • Create Objects (user objects), if you check the Users check box on the Choose Which Objects Cisco Unity Administrator Can Create page.
  • Delete Objects (user objects), if you check both of the following check boxes:
    • The Users check box on the Choose Which Objects Cisco Unity Administrator Can Create page
    • The Allow Cisco Unity to Administer Active Directory check box on the Choose Whether Cisco Unity Can Administer Active Directory page
  • List Contents (user objects). This permission is also granted to subcontainers of the container you choose.
  • Change Password (user objects), if you check the Users check box on the Choose Which Objects Cisco Unity Administrator Can Create page. This permission is also granted to subcontainers of the container you choose.
  • Reset Password (user objects), if you check the Users check box on the Choose Which Objects Cisco Unity Administrator Can Create page. This permission is also granted to subcontainers of the container you choose.

The Permissions wizard also grants the directory services account the applicable permissions listed in Table 6. The permissions granted depend on whether you:

  • Check the Users check box on the Choose Which Objects Cisco Unity Administrator Can Create page.
  • Check the Allow Cisco Unity to Administer Active Directory check box on the Choose Whether Cisco Unity Can Administer Active Directory page.
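The container-level rights listed above and the attribute-level rights in Table 6 describe what the wizard grants; a practitioner will want to verify what the directory actually holds for the account and to detect drift (extra write rights added later). The following PowerShell script is an added example, not part of the Cisco documentation or of the Permissions wizard. It assumes the ActiveDirectory module (RSAT, PowerShell 2.0 or later), a placeholder container DN and account name, and that the ciscoEcsbuUnityInformation property set is registered in the Extended-Rights container under that display name.

```powershell
# Added example; not from the Cisco documentation. Lists every ACE the directory
# services account holds on the users container, resolving object-type GUIDs to
# attribute, property set, extended right or class names so the output can be
# compared with Table 6, and flags write rights outside the expected set for the
# most restrictive column (create users: No, administer AD: No).
Import-Module ActiveDirectory

$ContainerDN = 'OU=Unity Subscribers,DC=example,DC=com'   # assumed: container chosen in the wizard
$AccountName = 'EXAMPLE\UnityDirSvc'                      # assumed: directory services account
# Assumed: the property set's displayName in CN=Extended-Rights matches this string.
$ExpectedWriteTargets = @('ciscoEcsbuUnityInformation')

$rootDse = Get-ADRootDSE

# GUID -> name map from schema attributes/classes (schemaIDGUID) and from control
# access rights (rightsGuid), which also cover property sets.
$guidNames = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidNames[([guid]$_.schemaIDGUID).ToString()] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidNames[([guid]$_.rightsGuid).ToString()] = $_.displayName }

function Resolve-AceGuid {
    param([guid]$Guid)
    if ($Guid -eq [guid]::Empty) { return '(all)' }   # empty GUID: the ACE applies to everything
    $key = $Guid.ToString()
    if ($guidNames.ContainsKey($key)) { return $guidNames[$key] }
    return $key
}

$acl = Get-Acl -Path "AD:\$ContainerDN"
$entries = @()
foreach ($ace in $acl.Access) {
    if ($ace.IdentityReference.Value -ine $AccountName) { continue }
    $entries += New-Object PSObject -Property @{
        Type        = $ace.AccessControlType
        Rights      = $ace.ActiveDirectoryRights
        Target      = Resolve-AceGuid $ace.ObjectType            # attribute, property set, right or child class
        InheritedTo = Resolve-AceGuid $ace.InheritedObjectType   # object class the ACE is applied onto
        Inheritance = $ace.InheritanceType
    }
}
$entries | Sort-Object InheritedTo, Target | Format-Table Type, Rights, Target, InheritedTo, Inheritance -AutoSize

# Drift check: any Allow ACE carrying the WriteProperty bit on a target that is not expected.
$writeMask = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$unexpected = $entries | Where-Object {
    $_.Type -eq 'Allow' -and
    (($_.Rights -band $writeMask) -ne 0) -and
    ($ExpectedWriteTargets -notcontains $_.Target)
}
if ($unexpected) {
    Write-Warning "Write rights beyond the expected set for $AccountName on $ContainerDN"
    $unexpected | Format-Table Rights, Target, InheritedTo -AutoSize
}
```

Run it with an account that can read the container's security descriptor and the schema and configuration partitions. Full Control and Generic Write both include the WriteProperty bit, so such ACEs are flagged as well, which is what you want when checking the restrictive configuration; set $ExpectedWriteTargets to the R,W entries of whichever Table 6 column matches the options you chose.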

Table 6: Permissions Granted to the Directory Services Account in the User Container Applied onto User Objects

Column key: "Create Users: Yes/No" means the Users check box on the Choose Which Objects Cisco Unity Administrator Can Create page is checked or not checked; "Administer AD: Yes/No" means the Allow Cisco Unity to Administer Active Directory check box on the Choose Whether Cisco Unity Can Administer Active Directory page is checked or not checked. A blank cell means no permission is listed for that combination.

| Active Directory Attribute Name (ADSI Attribute Name) | Create Users: Yes, Administer AD: Yes | Create Users: Yes, Administer AD: No | Create Users: No, Administer AD: Yes | Create Users: No, Administer AD: No | Cisco Unity Attribute Name |
|---|---|---|---|---|---|
| adminDisplayName | W | W |  |  | (Required by Exchange) |
| autoReplyMessage (ILS Settings) | W | W |  |  | (Used internally) |
| canonicalName | R | R | R | R | (Used internally) |
| ciscoEcsbuUnityInformation property set (see Attributes in the ciscoEcsbuUnityInformation Property Set) | R,W | R,W | R,W | R,W | See Attributes in the ciscoEcsbuUnityInformation Property Set |
| cn (Name) | R,W | R,W | R | R | (Used internally) |
| displayName (Display Name) | R,W | R,W | R,W | R | AVP_DISPLAY_NAME |
| distinguishedName (X500 Distinguished Name) | R | R | R | R | AVP_DISTINGUISHED_NAME |
| dLMemDefault | W | W |  |  | (Required by Exchange) |
| facsimileTelephoneNumber (FAX Number) | R,W | R,W | R,W | R | AVP_PRIMARY_FAX_NUMBER |
| givenName (First Name) | R,W | R,W | R,W | R | AVP_FIRST_NAME |
| homeMDB (Exchange Mailbox Store) | R,W | R,W | R,W | R | AVP_MAIL_DATABASE, AVP_MAIL_SERVER |
| homeMTA | R,W | R,W | R | R | (Used internally) |
| isDeleted | R | R | R | R | (Used internally) |
| legacyExchangeDn | R,W | R,W | R | R | AVP_EMAIL_ADDRESS, AVP_MAILBOX_ID |
| mail (E-mail Address) | R,W | R,W | R | R | AVP_SMTP_ADDRESS |
| mailNickname (Alias) | R,W | R,W | R,W | R | AVP_ALIAS |
| mapiRecipient | R,W | R,W | R | R | (Used internally) |
| mDBOverHardQuotaLimit | R | R | R | R | AVP_MAILBOX_SEND_RECEIVE_LIMIT |
| mDBOverQuotaLimit | R | R | R | R | AVP_MAILBOX_SEND_LIMIT |
| mDBStorageQuota | R | R | R | R | AVP_MAILBOX_WARNING_LIMIT |
| mDBUseDefaults | R,W | R,W | R | R | AVP_MAILBOX_USE_DEFAULT_LIMITS |
| memberOf (Member Of) | R | R | R | R | (Used internally) |
| msExchADCGlobalNames | W | W |  |  | (Required by Exchange) |
| msExchControllingZone | W | W |  |  | (Required by Exchange) |
| msExchFBURL | W | W |  |  | (Required by Exchange) |
| msExchHideFromAddressLists | R,W | R,W | R,W | R | AVP_HIDDEN_IN_DIRECTORY |
| msExchHomeServerName (Exchange Home Server) | R,W | R,W | R | R | (Used internally) |
| msExchMailboxGuid | W | W |  |  | (Required by Exchange) |
| msExchMailboxSecurityDescriptor | W | W |  |  | (Required by Exchange) |
| msExchMasterAccountSid | R,W | R,W | R | R | (Used internally) |
| msExchPoliciesExcluded | W | W |  |  | (Required by Exchange) |
| msExchPoliciesIncluded | W | W |  |  | (Required by Exchange) |
| msExchResourceGUID | W | W |  |  | (Required by Exchange) |
| msExchUserAccountControl | R,W | R,W | R | R | (Used internally) |
| name | R,W | R,W | R | R | (Used internally) |
| objectCategory | R | R | R | R | AVP_DIRECTORY_OBJECT_TYPE |
| objectClass | R | R | R | R | (Used internally) |
| objectGuid | R | R | R | R | AVP_DIRECTORY_ID |
| objectSid | R | R | R | R | AVP_SID |
| proxyAddresses | R,W | R,W | R | R | (Used internally) |
| samAccountName (Logon Name (Pre-Windows 2000)) | R,W | R,W | R | R | AVP_ACCOUNT_NAME |
| samAccountType | R,W | R,W | R | R | AVP_ACCOUNT_NAME |
| showInAddressBook | W | W |  |  | (Required by Exchange) |
| showInAdvancedViewOnly | R,W | R,W | R,W | R | AVP_HIDDEN_IN_DIRECTORY |
| sIDHistory | R | R | R | R | AVP_SID_HISTORY |
| sn (Last Name) | R,W | R,W | R,W | R | AVP_LAST_NAME |
| targetAddress | W | W |  |  | (Required by Exchange) |
| textEncodedORAddress | W | W |  |  | (Required by Exchange) |
| userAccountControl | R,W | R,W | R,W | R | (Used internally) |
| userPrincipalName (Logon Name) | R,W | R,W | R | R | (Used internally) |
| uSNChanged | R | R | R | R | AVP_OBJECT_CHANGED_ID |

Contact Objects

The Permissions wizard grants the directory services account the following permissions on the container you choose:

  • Create Objects (contact objects), if you check the Contacts check box on the Choose Which Objects Cisco Unity Administrator Can Create page.
  • List Contents (contact objects)
  • Delete Objects (contact objects), if you check both of the following check boxes:
    • The Contacts check box on the Choose Which Objects Cisco Unity Administrator Can Create page
    • The Allow Cisco Unity to Administer Active Directory check box on the Choose Whether Cisco Unity Can Administer Active Directory page

In addition, the Permissions wizard grants the directory services account the applicable permissions listed in Table 7. The permissions granted depend on whether you:

  • Check the Contacts check box on the Choose Which Objects Cisco Unity Administrator Can Create page.
  • Check the Allow Cisco Unity to Administer Active Directory check box on the Choose Whether Cisco Unity Can Administer Active Directory page.

Note: Active Directory contacts are used for Cisco Unity Internet subscribers, or AMIS, Bridge, or VPIM subscribers.

Table 7: Permissions Granted to the Directory Services Account in the User Container Applied onto Contact Objects

Column key: "Create Contacts: Yes/No" means the Contacts check box on the Choose Which Objects Cisco Unity Administrator Can Create page is checked or not checked; "Administer AD: Yes/No" means the Allow Cisco Unity to Administer Active Directory check box on the Choose Whether Cisco Unity Can Administer Active Directory page is checked or not checked. A blank cell means no permission is listed for that combination.

| Active Directory Attribute Name (ADSI Attribute Name) | Create Contacts: Yes, Administer AD: Yes | Create Contacts: Yes, Administer AD: No | Create Contacts: No, Administer AD: Yes | Create Contacts: No, Administer AD: No | Cisco Unity Attribute Name |
|---|---|---|---|---|---|
| canonicalName | R | R | R | R | (Used internally) |
| ciscoEcsbuUnityInformation property set (see Attributes in the ciscoEcsbuUnityInformation Property Set) | R,W | R,W | R,W | R,W | See Attributes in the ciscoEcsbuUnityInformation Property Set |
| cn (Name) | R,W | R,W | R | R | (Used internally) |
| displayName (Display Name) | R,W | R,W | R,W | R | AVP_DISPLAY_NAME |
| distinguishedName (X500 Distinguished Name) | R | R | R | R | AVP_DISTINGUISHED_NAME |
| facsimileTelephoneNumber (FAX Number) | R,W | R,W | R,W | R | AVP_PRIMARY_FAX_NUMBER |
| givenName (First Name) | R,W | R,W | R,W | R | AVP_FIRST_NAME |
| homeMTA | R | R | R | R | (Used internally) |
| isDeleted | R | R | R | R | (Used internally) |
| legacyExchangeDn | R,W | R,W | R | R | AVP_EMAIL_ADDRESS |
| mail (E-mail Address) | R,W | R,W | R,W | R | AVP_SMTP_ADDRESS |
| mailNickname (Alias) | R,W | R,W | R,W | R | AVP_ALIAS |
| mapiRecipient | W | W | W |  | (Required by Exchange) |
| memberOf (Member Of) | R | R | R | R | (Used internally) |
| msExchHideFromAddressLists | R,W | R | R,W | R | AVP_HIDDEN_IN_DIRECTORY |
| msExchHomeServerName (This attribute cannot be displayed in ADSI.) | R | R | R | R | (Used internally) |
| msExchUserAccountControl | R,W | R,W | R | R | (Used internally) |
| objectCategory | R | R | R | R | AVP_DIRECTORY_OBJECT_TYPE |
| objectClass | R | R | R | R | (Used internally) |
| objectGuid | R | R | R | R | AVP_DIRECTORY_ID |
| proxyAddresses | R,W | R,W | R,W | R | (Used internally) |
| showInAddressBook | R,W | R,W | R | R | (Used internally) |
| showInAdvancedViewOnly | R,W | R | R,W | R | AVP_HIDDEN_IN_DIRECTORY |
| sn (Last Name) | R,W | R,W | R,W | R | AVP_LAST_NAME |
| targetAddress (E-Mail Address (External)) | R,W | R,W | R,W | R | AVP_REMOTE_ADDRESS |
| uSNChanged | R | R | R | R | AVP_OBJECT_CHANGED_ID |

Message Store Services Account

After Cisco Unity is installed, the message store services account is the account that Cisco Unity uses to access Exchange. The Permissions wizard grants the message store services account the permissions listed in this section.

Note: The message store services account cannot be disabled or deleted, or Cisco Unity will not function.

Message Store Services Account: Group Membership

The message store services account is added to the local Administrators group.

Message Store Services Account: User Privileges

The message store services account is granted the following user privileges:

  • Log on as a service
  • Act as part of the operating system
  • Log on as a batch job

Message Store Services Account: Exchange Permissions

The Permissions wizard grants the following permissions to the message store services account on each mailbox store (msExchPrivateMDB) object that you specify on the Choose Mailstores page:

  • Administer Information Store, which enables the message store services account to change information in the Exchange message store.
  • Receive-As, which enables the message store services account to log on to subscribers' mailboxes and play messages.
  • Send-As, which enables the message store services account to send messages on behalf of Cisco Unity subscribers.
  • View Information Store Status, which ensures that the message store services account does not exceed the maximum number of MAPI sessions that can be open at one time. The permission is only required for Exchange 2003 with Service Pack 1 and later, but the Permissions wizard grants it both for Exchange 2003 and Exchange 2000.

The Permissions wizard grants the following permissions to the message store services account on each storage group that contains a mailbox store (msExchPrivateMDB) object that you specify on the Choose Mailstores page:

  • List Objects
  • Read All Properties
  • Read Permissions

The Permissions wizard grants the following permissions to the message store services account on all global address lists and all address lists:

  • List Objects
  • Open Address List
  • Read
  • Read All Properties

The Permissions wizard also grants Send-As permissions to the message store services account applied onto:

  • User and contact objects on the container you specify for users on the Choose Active Directory Containers for New Users and Groups page. This permission addresses the issues described in Microsoft Knowledge Base article 327174, Full Mailbox Access Permission Grants the Send As Permission, or the Send-As Permission Is Denied.
  • The containers you specify on the Choose Active Directory Containers for Import page, and their child containers.

For more information, see the following Microsoft Knowledge Base articles:

  • Article 262054, XADM: How to Get Service Account Access to All Mailboxes in Exchange 2000.
  • Article 821897, How to Assign Service Account Access to All Mailboxes in Exchange Server 2003.

Exchange Enterprise Servers Group

When you run the Permissions wizard to grant permissions, if you check the Set Permissions Required by AMIS, Cisco Unity Bridge, and VPIM check box (on the Choose Whether to Enable Voice Messaging Interoperability page), Cisco Unity grants the Exchange Enterprise Servers group the permissions listed in Table 8. These permissions are required to use secure messaging with AMIS, the Bridge, or VPIM.

Table 8: Permissions Granted to the Exchange Enterprise Servers Group

Active Directory Attribute Name (ADSI Name)       | Permissions Granted
--------------------------------------------------|--------------------
ciscoEcsbuObjectType                              | R,W
ciscoEcsbuUMLocationObjectId                      | R
ciscoEcsbuUMLocationObjectId                      | R,W
dnsHostName                                       | R
isDeleted                                         | R
name                                              | R
objectGUID                                        | R
samAccountName (Logon Name (Pre-Windows 2000))    | R
uSNChanged                                        | R

AdminSDHolder System Object

When you run the Permissions wizard to grant permissions, if you check the Allow Active Directory Administrator and Operator Accounts to Have Voice Mail check box (on the Choose Whether AD Admin Accounts Can Have Voice Mail page), Cisco Unity:

  • Adds List Contents (This Object Only) permission to the ntSecurityDescriptor attribute on the AdminSDHolder object in every domain Cisco Unity creates users in or imports users from.
  • Grants the applicable permissions listed in Table 9, depending on whether you check the Allow Cisco Unity to Administer Active Directory check box on the Choose Whether Cisco Unity Can Administer Active Directory page. These permissions allow the directory services account to update attributes for members of administrative groups.

If you do not check the check box, the Permissions wizard does not change permissions on the AdminSDHolder object and does not grant the permissions listed in Table 9.

Caution! If you check the Allow Active Directory Administrator and Operator Accounts to Have Voice Mail (Not Recommended) check box and if Cisco Unity service accounts are compromised, then security in the entire forest is compromised.

The changes are required to resolve issues noted in Microsoft Knowledge Base article 232199, Description and Update of the Active Directory AdminSDHolder Object, available on the Microsoft website. This issue is also addressed in the Cisco document Overcoming Protected Groups Permissions Problems with the Cisco Unity Permissions Wizard, http://www.cisco.com/en/US/products/sw/voicesw/ps2237/products_tech_note09186a00801c3224.shtml. For more information on the AdminSDHolder object, search Microsoft.com for AdminSDHolder.

For the AdminSDHolder object, few attributes can be displayed in ADSI, so ADSI attribute names are not included in the following table.

Table 9: Permissions Granted to the Directory Services Account Applied onto the AdminSDHolder Object

Column key: Allow = Permissions Granted When You Allow Cisco Unity to Administer Active Directory; Do Not Allow = Permissions Granted When You Do Not Allow Cisco Unity to Administer Active Directory.

Active Directory Attribute Name            | Allow | Do Not Allow | Cisco Unity Attribute Name
-------------------------------------------|-------|--------------|---------------------------------------------------------------
canonicalName                              | R     | R            | (Used internally)
ciscoEcsbuUnityInformation property set    | R,W   | R,W          | See Attributes in the ciscoEcsbuUnityInformation Property Set.
cn                                         | R     | R            | (Used internally)
displayName                                | R,W   | R            | AVP_DISPLAY_NAME
distinguishedName                          | R     | R            | AVP_DISTINGUISHED_NAME
facsimileTelephoneNumber                   | R,W   | R            | AVP_PRIMARY_FAX_NUMBER
givenName                                  | R,W   | R            | AVP_FIRST_NAME
homeMDB                                    | R,W   | R            | AVP_MAIL_DATABASE, AVP_MAIL_SERVER
homeMTA                                    | R     | R            | (Used internally)
isDeleted                                  | R     | R            | (Used internally)
legacyExchangeDn                           | R     | R            | AVP_EMAIL_ADDRESS, AVP_MAILBOX_ID
mail                                       | R     | R            | AVP_SMTP_ADDRESS
mailNickname                               | R,W   | R            | AVP_ALIAS
mapiRecipient                              | R     | R            | (Used internally)
mDBOverHardQuotaLimit                      | R     | R            | AVP_MAILBOX_SEND_RECEIVE_LIMIT
mDBOverQuotaLimit                          | R     | R            | AVP_MAILBOX_SEND_LIMIT
mDBStorageQuota                            | R     | R            | AVP_MAILBOX_WARNING_LIMIT
mDBUseDefaults                             | R     | R            | AVP_MAILBOX_USE_DEFAULT_LIMITS
memberOf                                   | R     | R            | (Used internally)
msExchHideFromAddressLists                 | R,W   | R            | AVP_HIDDEN_IN_DIRECTORY
msExchHomeServerName                       | R     | R            | (Used internally)
msExchMasterAccountSid                     | R     | R            | (Used internally)
msExchUserAccountControl                   | R     | R            | (Used internally)
name                                       | R     | R            | (Used internally)
objectCategory                             | R     | R            | AVP_DIRECTORY_OBJECT_TYPE
objectClass                                | R     | R            | (Used internally)
objectGuid                                 | R     | R            | AVP_DIRECTORY_ID
objectSid                                  | R     | R            | AVP_SID
proxyAddresses                             | R     | R            | (Used internally)
samAccountName                             | R     | R            | AVP_ACCOUNT_NAME
samAccountType                             | R     | R            | AVP_ACCOUNT_NAME
showInAdvancedViewOnly                     | R,W   | R            | AVP_HIDDEN_IN_DIRECTORY
sIDHistory                                 | R     | R            | AVP_SID_HISTORY
sn                                         | R,W   | R            | AVP_LAST_NAME
userAccountControl                         | R,W   | R            | (Used internally)
userPrincipalName                          | R     | R            | (Used internally)
uSNChanged                                 | R     | R            | AVP_OBJECT_CHANGED_ID
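The Send-As grants described under Message Store Services Account: Exchange Permissions and the AdminSDHolder grants in Table 9 are both ordinary Active Directory ACEs, so they can be verified (after the wizard runs) or confirmed gone (after a decommission) the same way. The following PowerShell is an added example and is not part of the Cisco document or the Permissions wizard. It assumes the ActiveDirectory module (RSAT) is installed, that the caller can read the schema and configuration partitions, and it uses CONTOSO\UnityDirSvc as a placeholder for the directory services account; the function names are mine.

```powershell
# Added example (not from the Cisco document): list the ACEs that one account
# holds on an Active Directory object, resolving attribute and property-set
# GUIDs to names so the output can be compared line by line with Table 9.
# Assumes the ActiveDirectory module (RSAT). CONTOSO\UnityDirSvc is a placeholder.
Import-Module ActiveDirectory

function Get-AdGuidNameMap {
    # schemaIDGUID names attributes and classes (e.g. msExchHideFromAddressLists, user);
    # rightsGuid names extended rights and property sets (e.g. "Send As",
    # ciscoEcsbuUnityInformation). Either kind can appear in an ACE's ObjectType.
    $root = Get-ADRootDSE
    $map  = @{}
    Get-ADObject -SearchBase $root.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
        -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $map[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
    Get-ADObject -SearchBase "CN=Extended-Rights,$($root.configurationNamingContext)" `
        -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
        ForEach-Object { $map[[guid]$_.rightsGuid] = $_.displayName }
    return $map
}

function Resolve-AceGuid {
    param([hashtable]$Map, [guid]$Guid)
    if ($Guid -eq [guid]::Empty) { return '(all)' }       # ACE is not scoped to one attribute/class
    if ($Map.ContainsKey($Guid)) { return $Map[$Guid] }
    return $Guid.ToString()                               # unknown GUID: show it raw rather than guess
}

function Get-AccountAce {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][string]$Identity,          # DOMAIN\account, as Get-Acl reports it
        [hashtable]$Map = (Get-AdGuidNameMap)
    )
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -ne $Identity) { continue }
        [pscustomobject]@{
            Object      = $DistinguishedName
            Type        = $ace.AccessControlType                                      # Allow / Deny
            Rights      = $ace.ActiveDirectoryRights                                  # ReadProperty, WriteProperty, ExtendedRight, ...
            Attribute   = Resolve-AceGuid -Map $Map -Guid $ace.ObjectType             # attribute, property set or right
            AppliedOnto = Resolve-AceGuid -Map $Map -Guid $ace.InheritedObjectType    # object class the ACE applies to
            Inheritance = $ace.InheritanceType
            Inherited   = $ace.IsInherited
        }
    }
}

# Usage: build the GUID lookup once and reuse it for several objects.
$map      = Get-AdGuidNameMap
$domainDn = (Get-ADDomain).DistinguishedName
$account  = 'CONTOSO\UnityDirSvc'   # placeholder for the directory services account

# 1. AdminSDHolder: expect no entries unless the "Allow Active Directory Administrator
#    and Operator Accounts to Have Voice Mail" check box was used.
Get-AccountAce -DistinguishedName "CN=AdminSDHolder,CN=System,$domainDn" -Identity $account -Map $map |
    Format-Table Type, Rights, Attribute, AppliedOnto -AutoSize

# 2. The users container chosen in the wizard: Send-As shows up as an ExtendedRight ACE.
Get-AccountAce -DistinguishedName "CN=Users,$domainDn" -Identity $account -Map $map |
    Where-Object { $_.Attribute -eq 'Send As' } |
    Format-Table Type, Rights, Attribute, AppliedOnto, Inheritance -AutoSize
```

Because ACEs on AdminSDHolder are copied onto every protected account by the SDProp process, any entry the first query returns is effectively a grant on all administrative accounts in the domain, which is what the Caution above is about; rerunning the query is a cheap way to confirm the grant is absent once a Cisco Unity server is retired.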

COM Security

If the Cisco Unity server is running Windows Server 2003 with Service Pack 1 or later, DCOM security improvements prevent the Cisco Unity Media Master control from functioning except on the Cisco Unity server. If you do not grant some DCOM rights (and reverse some of the SP 1 security improvements):

  • Cisco Unity subscribers cannot use the Media Master to make or play recordings in ViewMail for Microsoft Outlook, in the Cisco Unity Inbox, or in the Cisco Unity Assistant.
  • When administrators log into the Cisco Unity Administrator from another computer, they cannot use the Media Master.

In the Permissions wizard, on the Choose Whether to Grant DCOM Rights page, if you check the Grant DCOM Rights and Enable the Media Master Control check box, the Permissions wizard makes the following changes to the Launch and Activation Permissions on the COM Security tab in the My Computer Properties dialog box in the Component Services MMC:

  • Changes the limits for Anonymous Logon to allow Remote Activation.
  • Changes the limits for Network to allow Remote Activation.
  • Changes the default for Anonymous Logon to allow Remote Activation.
  • Changes the default for Network to allow Remote Activation.
  • Changes the default for Network Service to allow Local Activation.
  • Changes the default for Authenticated Users to allow Local Activation.

If you do not check the Grant DCOM Rights and Enable the Media Master Control check box, the Permissions wizard makes no changes to DCOM permissions. However, when you install Cisco Unity, Cisco Unity Setup makes the following changes to the Launch and Activation Permissions on the COM Security tab in the My Computer Properties dialog box in the Component Services MMC:

  • Changes the limits for Anonymous Logon to allow Remote Activation.
  • Changes the limits for Network to allow Remote Activation.

Permissions Granted for Cisco Unity for Domino

Installation Account

The Permissions wizard grants the installation account the group membership and user privileges listed in this section.

Note: If you are concerned about the installation account being available after the Cisco Unity installation is complete, you can disable the account in Active Directory Users and Computers. We recommend that you not delete it because when you upgrade to a later version of Cisco Unity you will again need an installation account with the same permissions. If you delete the current account, you will have to create another and re-run the Cisco Unity Permissions wizard to set the required permissions.

Group Membership

The installation account is added to the Administrators group.

User Privileges

The installation account is granted the following user privileges:

  • Log on as a service
  • Act as part of the operating system
  • Log on as a batch job

Directory and Message Store Services Account

The Permissions wizard grants the directory and message store services account the group membership and user privileges listed in this section.

Note: The directory and message store services account cannot be disabled or deleted, or Cisco Unity will not function.

Group Membership

The directory and message store services account is added to the Administrators group.

User Privileges

The directory and message store services account is granted the following user privileges:

  • Log on as a service
  • Act as part of the operating system
  • Log on as a batch job

COM Security

If the Cisco Unity server is running Windows Server 2003 with Service Pack 1 or later, DCOM security improvements prevent the Cisco Unity Media Master control from functioning except on the Cisco Unity server. If you do not grant some DCOM rights (and reverse some of the SP 1 security improvements):

  • Cisco Unity subscribers cannot use the Media Master to make or play recordings in the Cisco Unity Inbox or in the Cisco Unity Assistant.
  • When administrators log into the Cisco Unity Administrator from another computer, they cannot use the Media Master.

In the Permissions wizard, on the Choose Whether to Grant DCOM Rights page, if you check the Grant DCOM Rights and Enable the Media Master Control check box, the Permissions wizard makes the following changes to the Launch and Activation Permissions on the COM Security tab in the My Computer Properties dialog box in the Component Services MMC:

  • Changes the limits for Anonymous Logon to allow Remote Activation.
  • Changes the limits for Network to allow Remote Activation.
  • Changes the default for Anonymous Logon to allow Remote Activation.
  • Changes the default for Network to allow Remote Activation.
  • Changes the default for Network Service to allow Local Activation.
  • Changes the default for Authenticated Users to allow Local Activation.
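The DCOM changes listed in both COM Security sections (for Exchange and for Domino) are stored as binary security descriptors under HKLM\SOFTWARE\Microsoft\Ole: the "limits" in MachineLaunchRestriction and the "defaults" in DefaultLaunchPermission. The following PowerShell is an added example, not part of the Cisco document or of the wizard; it decodes those values on the Cisco Unity server so that you can see which principals hold Remote Activation after the wizard or Cisco Unity Setup has run. It assumes an elevated PowerShell 5 or later session on the server, and the function names are mine.

```powershell
# Added example (not from the Cisco document): decode the machine-wide DCOM
# launch/activation security descriptors that the Permissions wizard and Cisco
# Unity Setup modify, and report which principals hold which COM rights.
# Assumes an elevated PowerShell 5+ session on the Cisco Unity server.

# COM launch/activation access-mask bits (values from objbase.h).
$ComRights = @{
    1  = 'Execute'            # COM_RIGHTS_EXECUTE (pre-SP1 blanket right)
    2  = 'LocalLaunch'        # COM_RIGHTS_EXECUTE_LOCAL
    4  = 'RemoteLaunch'       # COM_RIGHTS_EXECUTE_REMOTE
    8  = 'LocalActivation'    # COM_RIGHTS_ACTIVATE_LOCAL
    16 = 'RemoteActivation'   # COM_RIGHTS_ACTIVATE_REMOTE
}

function ConvertTo-ComRightNames {
    param([int]$AccessMask)
    $names = foreach ($bit in ($ComRights.Keys | Sort-Object)) {
        if ($AccessMask -band $bit) { $ComRights[$bit] }
    }
    return ($names -join ',')
}

function Get-DcomLaunchAce {
    # One record per ACE in the named DCOM security descriptor.
    # "Limits" in the Component Services UI = MachineLaunchRestriction,
    # "Default" = DefaultLaunchPermission.
    param(
        [ValidateSet('MachineLaunchRestriction', 'DefaultLaunchPermission',
                     'MachineAccessRestriction', 'DefaultAccessPermission')]
        [string]$ValueName
    )
    $key = 'HKLM:\SOFTWARE\Microsoft\Ole'
    $raw = (Get-ItemProperty -Path $key -Name $ValueName -ErrorAction Stop).$ValueName
    # Registry DCOM descriptors are self-relative, which is what RawSecurityDescriptor expects.
    $sd  = [System.Security.AccessControl.RawSecurityDescriptor]::new($raw, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $sid.Value }
        [pscustomobject]@{
            Value     = $ValueName
            Type      = $ace.AceType          # AccessAllowed / AccessDenied
            Principal = $who
            Sid       = $sid.Value
            Rights    = ConvertTo-ComRightNames -AccessMask $ace.AccessMask
        }
    }
}

function Test-RemoteActivationOpen {
    # Reports exactly the relaxations the wizard makes: Remote Activation allowed
    # for Anonymous Logon (S-1-5-7) and Network (S-1-5-2) in the limits and defaults.
    $watch = @('S-1-5-7', 'S-1-5-2')
    foreach ($value in 'MachineLaunchRestriction', 'DefaultLaunchPermission') {
        Get-DcomLaunchAce -ValueName $value |
            Where-Object { $_.Type -eq 'AccessAllowed' -and
                           $watch -contains $_.Sid -and
                           $_.Rights -match 'RemoteActivation' }
    }
}

# Usage: full listing first, then only the wizard-related relaxations.
'MachineLaunchRestriction', 'DefaultLaunchPermission' |
    ForEach-Object { Get-DcomLaunchAce -ValueName $_ } |
    Format-Table Value, Type, Principal, Rights -AutoSize

Test-RemoteActivationOpen | Format-Table Value, Principal, Rights -AutoSize
```

If a value is absent from the key, Get-ItemProperty stops with an error; that means the operating-system defaults are in effect for that setting rather than a stored descriptor. Any row returned by Test-RemoteActivationOpen corresponds to one of the bullets above and is worth recording in the server's baseline, since it is a deliberate reversal of the Service Pack 1 hardening.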

Attributes in the ciscoEcsbuUnityInformation Property Set

In general, permissions for ciscoEcsbu... attributes in Active Directory are granted on the ciscoEcsbuUnityInformation property set, not on the individual attributes. Table 10 lists the attributes that appear in the property set and the type of object to which each attribute applies.

Permissions that are granted to the directory services account on attributes in the Computers container and the Domain Controllers container are granted on individual attributes. For more information, see Directory Services Account: Computers Container and Domain Controllers Container.

Table 10: Attributes in the ciscoEcsbuUnityInformation Property Set

Active Directory Schema Extensions: Cisco Unity

Active Directory Attribute Name          | Cisco Unity Attribute Name        | Object Type
-----------------------------------------|-----------------------------------|---------------------
ciscoEcsbuAddressingMaxScope             | AVP_ADDRESSING_MAX_SCOPE          | Location
ciscoEcsbuAllowBlindAddressing           | AVP_ALLOW_BLIND_ADDRESSING        | Location
ciscoEcsbuAlternateDTMFIds               | AVP_ALTERNATE_DTMF_IDS            | Subscriber
ciscoEcsbuAmisDialId                     | AVP_AMIS_DIAL_ID                  | Location
ciscoEcsbuAmisDisableOutbound            | AVP_AMIS_DISABLE_OUTBOUND         | Location
ciscoEcsbuAmisNodeActive                 | AVP_AMIS_NODE_ACTIVE              | Location
ciscoEcsbuAmisNodeId                     | AVP_AMIS_NODE_ID                  | Location
ciscoEcsbuBlindAddressingMaxScope        | AVP_BLIND_ADDRESSING_MAX_SCOPE    | Location
ciscoEcsbuDialingDomainName              | AVP_DIALING_DOMAIN_NAME           | Location
ciscoEcsbuDirectoryAlias                 | AVP_ALIAS                         | Location, subscriber
ciscoEcsbuDtmfId                         | AVP_DTMF_ACCESS_ID                | Location, subscriber
ciscoEcsbuIncludeLocations               | AVP_INCLUDE_LOCATIONS             | Location
ciscoEcsbuListInUMDirectory              | AVP_LIST_IN_DIRECTORY             | Subscriber
ciscoEcsbuObjectType                     | AVP_OBJECT_TYPE                   | Location, subscriber
ciscoEcsbuSubscriberDestinationType      | AVP_DESTINATION_TYPE              | Location
ciscoEcsbuTransferId                     | AVP_XFER_STRING                   | Subscriber
ciscoEcsbuUMDomain                       | AVP_SMTP_DOMAIN                   | Location
ciscoEcsbuUMDomainId                     | Used internally                   | Location
ciscoEcsbuUMLocationObjectId             | AVP_LOCATION_OBJECT_ID            | Location, subscriber
ciscoEcsbuUMSchemaVersion                | Used internally                   | Location
ciscoEcsbuUMServer                       | AVP_HOME_SERVER                   | Location
ciscoEcsbuUMSystemId                     | AVP_SYSTEM_ID                     | Location
ciscoEcsbuUndeletable                    | AVP_UNDELETABLE                   | Location, subscriber
ciscoEcsbuVoiceEnabled                   | AVP_VOICE_ENABLED                 | Location, subscriber
msExchRecordedName                       | AVP_VOICE_NAME_DATA               | Location, subscriber

Active Directory Schema Extensions: Cisco Unity Bridge

Active Directory Attribute Name          | Cisco Unity Attribute Name        | Object Type
-----------------------------------------|-----------------------------------|---------------------
ciscoEcsbuLegacyMailbox                  | AVP_LEGACY_MAILBOX                | Subscriber
ciscoEcsbuOptionFlags                    | AVP_OPTION_FLAGS                  | Location
ciscoEcsbuPrefixes                       | AVP_PREFIXES                      | Location
ciscoEcsbuRemoteMailboxLength            | AVP_REMOTE_MAILBOX_LENGTH         | Location
ciscoEcsbuRemoteNodeID                   | AVP_REMOTE_NODE_ID                | Subscriber
ciscoEcsbuRemoteServer                   | AVP_REMOTE_SERVER                 | Location

Active Directory Schema Extensions: VPIM

Active Directory Attribute Name          | Cisco Unity Attribute Name        | Object Type
-----------------------------------------|-----------------------------------|---------------------
ciscoEcsbuLocalPhonePrefix               | AVP_LOCAL_PHONE_PREFIX            | Location
ciscoEcsbuOptionFlags                    | AVP_OPTION_FLAGS                  | Location
ciscoEcsbuRemotePhonePrefix              | AVP_REMOTE_PHONE_PREFIX           | Location
ciscoEcsbuRemoteServer                   | AVP_REMOTE_SERVER                 | Location

 

© 2009 Cisco Systems, Inc.