Granting Permissions with Cisco Unity 5.0(1)+ Permissions Wizard

Running the Cisco Unity Permissions Wizard When Subscriber Mailboxes Are Homed in Exchange

Requirements

Permissions Granted by the Permissions Wizard

Configuring Cisco Unity Failover

Disabling Inheritance

Impact on Domain Controllers and Global Catalog Servers

Installing More Than One Cisco Unity Server in a Forest

To Run the Permissions Wizard When Subscriber Mailboxes Are Homed in Exchange

Running the Cisco Unity Permissions Wizard When Subscriber Mailboxes Are Homed in Domino (Cisco Unity 7.x and 5.x Only)

Requirements

Permissions Granted by the Permissions Wizard

Configuring Cisco Unity Failover

To Run the Permissions Wizard When Subscriber Mailboxes Are Homed in Domino

Logging and Diagnostics

PWResults.html

PWDiag.log

Revision History

Running the Cisco Unity Permissions Wizard When Subscriber Mailboxes Are Homed in Exchange

Requirements

Before you can run the Permissions wizard, the Active Directory schema must have been extended for Cisco Unity, which you should have done when you set up the message store. For more information, refer to the applicable Cisco Unity installation guide.

Permissions Granted by the Permissions Wizard

The Permissions wizard sets the permissions that Cisco Unity requires for the following accounts:

  • The account that you will use to install Cisco Unity.
  • The account that Cisco Unity directory services will log on as.
  • The account that Cisco Unity message store services will log on as.

For a comprehensive list of all permissions, privileges, and group memberships that are granted by the Permissions wizard, see Permissions Granted by the Cisco Unity Permissions Wizard.

Caution! Cisco Unity needs to be able to change properties of Active Directory users. The Permissions wizard grants the directory services account the right to change user accounts in the containers that you specify. Cisco Unity can only change user accounts in those containers if inheritance is enabled for the containers and for the users themselves.

Configuring Cisco Unity Failover

If you are configuring failover, run the Permissions wizard on both the primary and secondary servers.

Disabling Inheritance

If you disable inheritance for any containers or groups that include Cisco Unity subscribers, or for any users who are subscribers, Cisco Unity (using the directory services account) will not be able to change properties for the affected users. You will need to either grant permissions to those users explicitly or re-enable inheritance by checking the Allow Inheritable Permissions from Parent to Propagate to This Object check box on the Security tab in the applicable Properties dialog box.
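
One way to find the objects this affects, as an added example (not Cisco code or part of the Permissions wizard). It assumes the ActiveDirectory PowerShell module is installed on the workstation where you run it; the search base DN in the sample call is a placeholder for a container you selected in the wizard.

```powershell
# Added example, not part of the Cisco documentation or tooling.
# Lists users, contacts, groups, OUs and containers under a search base whose
# ACL is protected from inheritance, i.e. objects on which permissions granted
# at the container level never arrive.
Import-Module ActiveDirectory

function Get-InheritanceBlockedObject {
    [CmdletBinding()]
    param(
        # DN of a container that holds (or will hold) Cisco Unity subscribers
        [Parameter(Mandatory = $true)]
        [string] $SearchBase,

        # Optional: a specific domain controller to query
        [string] $Server
    )

    $query = @{
        SearchBase  = $SearchBase
        SearchScope = 'Subtree'
        # objectCategory=person covers both users and contacts
        LDAPFilter  = '(|(objectCategory=person)(objectCategory=group)' +
                      '(objectCategory=organizationalUnit)(objectCategory=container))'
        Properties  = @('nTSecurityDescriptor', 'adminCount')
    }
    if ($Server) { $query.Server = $Server }

    Get-ADObject @query | ForEach-Object {
        $sd = $_.nTSecurityDescriptor
        if ($null -eq $sd) {
            # The caller lacks the right to read this object's permissions
            Write-Warning "Cannot read the security descriptor of $($_.DistinguishedName)"
            return
        }
        if ($sd.AreAccessRulesProtected) {
            [pscustomobject]@{
                DistinguishedName = $_.DistinguishedName
                ObjectClass       = $_.ObjectClass
                # adminCount = 1 marks accounts that are, or once were, protected
                # by AdminSDHolder. While such an account is still in a protected
                # group, AD resets its ACL and turns inheritance off again.
                AdminSDHolder     = ($_.adminCount -eq 1)
            }
        }
    }
}

# Placeholder DN: replace with a container chosen in the Permissions wizard.
Get-InheritanceBlockedObject -SearchBase 'OU=Subscribers,DC=example,DC=com' |
    Sort-Object ObjectClass, DistinguishedName |
    Format-Table -AutoSize
```

Every row returned is an object the directory services account cannot change through container-level permissions. Rows with AdminSDHolder set to True will not stay fixed if you only re-check the inheritance box.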

Impact on Domain Controllers and Global Catalog Servers

We recommend that you run the Permissions wizard during off-peak hours unless you are installing a new Cisco Unity system in a Voice Messaging configuration and you are not creating subscriber accounts in the corporate directory. The new version of the Permissions wizard sets permissions at a more granular level that requires more changes to the Active Directory database than previous versions.

When the Permissions wizard completes, the Lsass.exe process updates the Active Directory database with the new permissions. While Lsass.exe is processing the updates, it uses 100 percent of available processor time on a domain controller that:

  • Hosts the domain to which the Cisco Unity server belongs.
  • Has been specified to respond to requests from the site.

Other domain controllers in the domain and other global catalog servers in the forest are also affected, but the impact is less significant. The updates take a few minutes to several hours, depending on the size of the database. Except when the Cisco Unity server is the domain controller and the Lsass.exe process slows the screen refresh, you may continue with the Cisco Unity installation while Lsass.exe is processing changes.

Installing More Than One Cisco Unity Server in a Forest

The Permissions wizard sets permissions for installation and services accounts in Active Directory, and also sets permissions on the local server. When there is more than one Cisco Unity server in the forest (including failover servers), and when you are using the same three Active Directory accounts for installation, directory services, and message store services on multiple servers, the Permissions wizard only needs to grant Active Directory permissions once for those accounts.

When you run the Permissions wizard a second or subsequent time (because, for example, you are installing a Cisco Unity failover server or installing an additional Cisco Unity server in the same forest) and specify the same three accounts, the Permissions wizard displays a message asking whether you want to reapply permissions to those accounts. If you are not changing permissions on the accounts, click No, and the Permissions wizard will apply only the permissions required by the local server.

Note: When you run the Permissions wizard on a Cisco Unity server that is in a different domain than the installation and services accounts, the Permissions wizard cannot read or write the attribute that it uses to detect that permissions have already been granted on those accounts. If you will be running the Permissions wizard on any Cisco Unity servers that are in a different domain than the installation and services accounts, we recommend that you give the account that you are using to run Permissions wizard read and write rights on the ciscoEcsbuUnityInformation property granted for the installation and services accounts.

To Run the Permissions Wizard When Subscriber Mailboxes Are Homed in Exchange

  1. If a domain security policy is in effect, confirm that the domain security policy does not deny the accounts the rights to act as a part of the operating system, to log on as a service, and to log on as a batch job.
  2. Log on to the Cisco Unity server by using an account that is a member of the Enterprise Admins group.

    Or

    Log on to the Cisco Unity server by using an account that meets all of the following requirements:
    • Is a member of the Domain Admins group in the domain in which the Cisco Unity server is being installed, or that has permissions in that domain that are equivalent to the default permissions for the Domain Admins group.
    • Is a member of the Domain Admins group in all of the domains that contain OUs from which you want to import Cisco Unity subscribers, Cisco Unity contacts, or public distribution lists, or that has permissions in those domains that are equivalent to the default permissions for the Domain Admins group.
    • Has permission to grant permissions on the deleted items container in the configuration container.
    • Is an Exchange Full Administrator.

Caution! If you try to run the Permissions wizard using an account that has less than the specified permissions, the Permissions wizard may not be able to grant all of the permissions required by the installation account and the services accounts. If the Permissions wizard cannot grant all of the required permissions, either the Cisco Unity installation will fail, or Cisco Unity will not run properly after it has been installed.

  1. On Cisco Unity DVD 1, browse to the Utilities\PermissionsWizard directory, and run PermissionsWizard.exe.
  2. If you are running the Permissions Wizard from the Cisco Unity System Setup Assistant (for Cisco Unity 8.x) or from the Cisco Unity Installation and Configuration Assistant (for Cisco Unity 7.x and earlier), click Next to continue.

    If you are running the Permissions Wizard separately, on the Welcome to the Cisco Unity Permissions Wizard page, click Set Permissions, and click Next.

    Welcome to the Cisco Unity Permissions Wizard
  3. On the Choose the Message Store page, click Microsoft Exchange.

    Choose the Message Store
  4. Click Next.
  5. If you are running the Permissions wizard in an Active Directory forest that includes domain controllers running Windows 2000 Server, then setting the Active Directory permissions required by Cisco Unity may more than double the size of the Active Directory database on those servers.

    Caution! Before you continue, we recommend that you verify that the affected servers have the amount of additional space that may be required and that you read the documentation on the Microsoft website for information on mitigating ACL bloat.

    Caution! If the forest that contains the Cisco Unity server includes any domain controllers running Windows 2000 Server, running Permissions Wizard may cause the Active Directory database on those servers to grow to twice or more the current size.
  6. On the Choose the Cisco Unity Installation Account page, click Change and choose the account that you want to use to install Cisco Unity.

    Choose the Cisco Unity Installation Account
  7. Click Next.
  8. On the Choose the Cisco Unity Directory Services Account page, click Change and choose the account that you want Cisco Unity directory services to log on as.

    Choose the Cisco Unity Directory Services Account
  9. Click Next.
  10. On the Choose the Cisco Unity Message Store Services Account page, click Change and choose the account that you want Cisco Unity message store services to log on as.

    Choose the Cisco Unity Message Store Services Account
  11. Click Next.
  12. If the following message does not appear, skip this step.

    If the following message appears, you have already run the Permissions wizard and granted permissions on all three of the specified accounts. If you are running the Permissions wizard because you are:
    • Installing a Cisco Unity failover server or installing an additional Cisco Unity server in the same forest, and if you are not changing permissions on the accounts, click No, and the Permissions wizard will apply only the permissions required by the local server.
    • Changing permissions on the accounts, regardless of whether you have already run the Permissions wizard on this server, click Yes.


Do you want to reapply permissions to these accounts?

  1. On the Choose Whether to Enable Voice Messaging Interoperability page, if you are configuring Cisco Unity to communicate with another voice messaging system using AMIS, the Cisco Unity Bridge, VPIM, or Connection networking, check the Set Permissions Required by AMIS, Cisco Unity Bridge, VPIM, and Connection Networking check box.

    Choose Whether to Enable Voice Messaging Interoperability
  2. Click Next.
  3. Cisco Unity needs access to one or more Active Directory containers to create users (Cisco Unity subscribers) and groups (Cisco Unity public distribution lists). On the Choose Active Directory Containers for New Users and Groups page, choose the following:
    • The domain in which you want new users and groups to be created.
    • The container in which you want users to be created. This is where Cisco Unity creates system accounts during installation.
    • The container in which you want groups to be created. This is where Cisco Unity creates system public distribution lists during installation.


Note: Cisco Unity also creates system users and groups in the containers you choose here.

Choose Active Directory Containers for New Users and Groups

  1. Click Next.
  2. On the Choose Which Objects Cisco Unity Administrator Can Create page, choose whether you want the Cisco Unity Administrator to be able to create new Active Directory users, contacts, and groups. For each object type you choose, the Cisco Unity directory services account is granted the rights necessary to create that type of object in Active Directory.

    If you clear a check box next to an Active Directory object type, you will not be able to create the associated type of Cisco Unity object using the Cisco Unity Administrator. For example, if you clear the Users check box, you will not be able to create new Cisco Unity Subscribers using the Cisco Unity Administrator. You will only be able to create Cisco Unity subscribers by importing existing Active Directory users.

    Note: When Exchange 2007 is the message store, Cisco Unity cannot create users in Active Directory or mailboxes in Exchange. You must create the users and mailboxes first, then import Active Directory data into Cisco Unity.

    Choose Which Objects Cisco Unity Administrator Can Create page when you did not check the Set Permissions Required by AMIS, Cisco Unity Bridge, and VPIM check box

    If you checked the Set Permissions Required by AMIS, Cisco Unity Bridge, VPIM, and Connection Networking check box on the Choose Whether to Enable Voice Messaging Interoperability page, all options are preselected and cannot be changed.

    Choose Which Objects Cisco Unity Administrator Can Create page when you checked the Set Permissions Required by AMIS, Cisco Unity Bridge, and VPIM check box
  3. Click Next.
  4. On the Choose the AD Container for ciscoEcsbuUMLocation Objects page, choose the container where you want Cisco Unity location objects to be created.

    Regardless of which container you select here, the Permissions wizard automatically creates:
    • An OU named Unity at the top level of the Active Directory domain that contains the Cisco Unity server.
    • An OU named Locations below the Unity OU.


If you choose a different location for location objects, the Unity and Locations OUs are not deleted, but no permissions are granted on them, either.

The Permissions wizard creates Unity and Locations OUs only once in a domain. If you rerun the Permissions wizard, either on the same server or on another server (for example, because you are adding another Cisco Unity server to the same domain), the Permissions wizard does not create additional OUs. If you delete the OUs, next time you rerun the Permissions wizard, the wizard recreates them.

Choose the Active Directory Container for ciscoEcsbuUMLocation Objects

  1. Click Next.
  2. On the Choose Active Directory Containers for Computers page, choose the containers in which you want to create the computer objects and domain controllers (DCs) on which Cisco Unity and Cisco Unity Voice Connectors are installed. If you create computer objects and DCs only in the default Computers and Domain Controllers containers, skip this step.

    If you want to create computer objects and DCs in other containers in addition to the default containers, click Select Alternate Locations for Computer Objects and follow the on-screen prompts to specify the additional containers.

    If you want to create computer objects and DCs in other containers instead of the default containers, uncheck the Computer and Domain Controller Objects Are Created in the Default Locations check box. Then click Select Alternate Locations for Computer Objects and follow the on-screen prompts to specify the alternate containers.

    Choose Active Directory Containers for Computers
  3. Click Next.
  4. On the Choose Active Directory Containers for Import page, choose the Active Directory containers from which you want to import users, contacts, and groups to make them Cisco Unity subscribers and public distribution lists. Note the following:
    • You must choose a container for the domain that includes the Cisco Unity server.
    • If you are using Digital Networking to connect multiple Cisco Unity servers, and:
      • If you will be importing users from the same container for every Cisco Unity server, choose that container. For example, if CiscoUnityServer1 and CiscoUnityServer2 will both be importing users from Container1 only, choose Container1.
      • If, for all of the Cisco Unity servers combined, you will be importing users from two or more containers, the Cisco Unity message store services account on each Cisco Unity server must be granted SendAs permission on every container from which users will be imported on every Cisco Unity server in the forest. For example, if CiscoUnityServer1 will import users from Container1 and Container2, and if CiscoUnityServer2 will import users from Container3 and Container4, the Cisco Unity message store services account for each Cisco Unity server must have SendAs permission for all four containers.
    • If you are using identified subscriber messaging for AMIS, Bridge, or VPIM subscribers, and:
      • If you will be importing contacts from the same container for every Cisco Unity server, choose that container. For example, if CiscoUnityServer1 and CiscoUnityServer2 will both be importing contacts from Container1 only, choose Container1.
      • If, for all of the Cisco Unity servers combined, you will be importing contacts from two or more containers, the Cisco Unity message store services account on each Cisco Unity server must be granted SendAs permission on every container from which contacts will be imported on every Cisco Unity server in the forest. For example, if CiscoUnityServer1 will import contacts from Container1 and Container2, and if CiscoUnityServer2 will import contacts from Container3 and Container4, the Cisco Unity message store services account for each Cisco Unity server must have SendAs permission for all four containers.

Choose Active Directory Containers for Import

  1. Click Next.
  2. On the Choose Whether Cisco Unity Can Administer Active Directory page, choose whether changes that you make to Cisco Unity data using Cisco Unity tools should change the corresponding values (for example, First Name and Last Name) in Active Directory.

    If you check the Allow Cisco Unity to Administer Active Directory check box, you can use Cisco Unity tools to make the changes listed in the table below, which also change the specified Active Directory settings.

| Cisco Unity Setting or Feature | Corresponding Active Directory Setting or Feature |
|---|---|
| First Name | First Name |
| Last Name | Last Name |
| Display Name | Display Name |
| Membership in Cisco Unity public distribution lists | Membership in Active Directory groups |
| Prevent subscribers from appearing in Outlook address books. In the Cisco Unity Administrator: Show Subscriber In E-Mail Server Address Book check box on the Profile page for the subscriber template that you plan to use when creating subscribers, or on the Profile page for individual subscribers after you have created them. In Cisco Unity Bulk Edit: Hide Subscriber in E-mail Address Book | msExchHideFromAddressLists |
| Delete Cisco Unity AMIS, Bridge, Internet, Trusted Internet, and VPIM subscribers | Delete Active Directory contacts |


Choose Whether Cisco Unity Can Administer Active Directory page when you did not check the Set Permissions Required by AMIS, Cisco Unity Bridge, and VPIM check box

If you checked the Set Permissions Required by AMIS, Cisco Unity Bridge, VPIM, and Connection Networking check box on the Choose Whether to Enable Voice Messaging Interoperability page, this option is preselected and cannot be changed.

Choose Whether Cisco Unity Can Administer Active Directory page when you checked the Set Permissions Required by AMIS, Cisco Unity Bridge, and VPIM check box

  1. Click Next.
  2. If this is a new Cisco Unity installation and if you want to home Cisco Unity subscribers in every Exchange mailstore, skip this step.

    If this is a new Unity installation and if you want to home Cisco Unity subscribers only in some Exchange mailstores, in the Choose Mailstores page, click Choose Mailstores, and choose the mailstores to which you want Cisco Unity to have access.

    Note: If the Exchange organization includes Exchange 2010 servers and also includes Exchange 2007 and/or Exchange 2003 servers, two buttons appear, as in the screenshot below.

    If you choose specific Exchange 2010 mailstores but do not choose specific Exchange 2007 and/or Exchange 2003 mailstores, Cisco Unity will be granted access to all Exchange 2007 and/or Exchange 2003 mailstores. Likewise, if you choose specific Exchange 2007 and/or Exchange 2003 mailstores but do not choose Exchange 2010 mailstores, Cisco Unity will be granted access to all Exchange 2010 mailstores.

    If you are re-running the Permissions wizard, the wizard grants access to the same Exchange mailstores that you chose last time you ran the wizard. To grant Cisco Unity access to additional Exchange mailstores (for example, because you added another Exchange server), in the Choose Mailstores page, click the applicable Choose Mailstores button, and choose the mailstores to which you want Cisco Unity to have access.

    The Permissions wizard grants the message store services account send-as and receive-as rights for the selected mailstores.

    Caution! Choosing mailstores here does not prevent an administrator from creating mailboxes for subscribers in mailstores that were not selected in the Permissions wizard.

    Note: If you forget which mailstores you specified here, you can rerun the Permissions wizard up to this page. The settings will show which mailstores you selected the last time you ran the Permissions wizard.

    Choose Mailstores
  3. Click Next.
  4. On the Choose Whether AD Admin Accounts Can Have Voice Mail page, choose whether you want Active Directory accounts that are used for administration to also be used as Cisco Unity subscriber accounts.

    Choose Whether Active Directory Admin Accounts Can Have Voice Mail
  5. Click Next.
  6. Cisco Unity 8.x: The required DCOM permissions are granted automatically. Do not check the Grant DCOM Rights and Enable the Media Master Control check box.

Cisco Unity 7.x and 5.x: If the Cisco Unity server is running Windows Server 2003 with Service Pack 1 or later, DCOM security improvements prevent the Cisco Unity Media Master control from functioning except on the Cisco Unity server. If you do not grant some DCOM rights (and reverse some of the security improvements):

    • Cisco Unity subscribers cannot use the Media Master to make or play recordings in ViewMail for Microsoft Outlook, in the Cisco Unity Inbox, or in the Cisco Unity Assistant.
    • When administrators log into the Cisco Unity Administrator from another computer, they cannot use the Media Master.


If you want to be able to use the Media Master control from locations other than the Cisco Unity server, on the Choose Whether to Grant DCOM Rights page, check the Grant DCOM Rights and Enable the Media Master Control check box.

Choose Whether to Grant DCOM Rights

  1. Click Next.
  2. The Review Changes to Permissions page lists the permissions that will be granted to each account. The information listed includes membership in groups, user rights, and Active Directory rights.

    Review Changes to Permissions
  3. Click Next to grant the listed permissions. The Permissions wizard may take a few minutes to grant permissions. While it is processing, the following page displays.

    Granting Permissions
  4. When the Permissions wizard completes, the following page appears.

    You Have Completed the Cisco Unity Permissions Wizard
  5. To display a report listing the operations that succeeded and those that failed, if any, click View Detailed Results. For information on interpreting the results, see Logging and Diagnostics.

    If one or more permissions could not be granted, fix the problems, and run the Permissions wizard again.

    Caution! If the Permissions wizard failed to grant any permissions, either the Cisco Unity installation will fail, or Cisco Unity will not run properly after it has been installed. You must successfully run the Permissions wizard before you can continue with installing Cisco Unity.

    Caution! An Active Directory right being granted by the Permissions wizard may conflict with an existing right on an Active Directory container. For example, an account may be denied the right to create user objects in one of the containers selected in the Permissions wizard. The log file will explain that a conflict has been found, but the Permissions wizard will not resolve the conflict. You must resolve the conflict and then re-run the Permissions wizard.

    Cisco Unity Permissions Wizard Results
  6. Click Finish.
  7. If the account that you logged in with is also the account that you want to use to install Cisco Unity (the account that you selected earlier in this procedure), log out of Windows and log back in so the permissions granted by the Permissions wizard will take effect.
  8. Delegate Exchange administrative control to the installation and directory services accounts. See Delegating Exchange Administrative Control.

Running the Cisco Unity Permissions Wizard When Subscriber Mailboxes Are Homed in Domino (Cisco Unity 7.x and 5.x Only)

Requirements

This version of the Permissions wizard requires Cisco Unity 5.0(1) or later.

Permissions Granted by the Permissions Wizard

The Permissions wizard sets the permissions that Cisco Unity requires for the following accounts:

  • The account that you will use to install Cisco Unity.
  • The account that Cisco Unity directory and message store services will log on as.

For a list of privileges and group memberships that are granted by the Cisco Unity Permissions wizard, see Permissions Granted by the Cisco Unity Permissions Wizard.

Configuring Cisco Unity Failover

If you are configuring failover, run the Permissions wizard on both the primary and secondary servers.

To Run the Permissions Wizard When Subscriber Mailboxes Are Homed in Domino

  1. If a domain security policy is in effect, confirm that the domain security policy does not deny the accounts the rights to act as a part of the operating system, to log on as a service, and to log on as a batch job.
  2. Log on to the Cisco Unity server by using an account that is a member of the Domain Admins group or that has permissions equivalent to the default permissions for the Domain Admins group.

    Caution! If you try to run the Permissions wizard using an account that has less than the default permissions for a Domain Admin, the Permissions wizard may not be able to grant all of the permissions required by the installation account and the services account. If the Permissions wizard cannot grant all of the required permissions, either the Cisco Unity installation will fail, or Cisco Unity will not run properly after it has been installed.
  3. On Cisco Unity DVD 1, browse to the Utilities\PermissionsWizard directory, and run PermissionsWizard.exe.
  4. On the Welcome to the Cisco Unity Permissions Wizard page, click Set Permissions.

    Welcome to the Cisco Unity Permissions Wizard
  5. Click Next.
  6. On the Choose the Message Store page, click Lotus Domino.

    Choose the Message Store
  7. Click Next.
  8. On the Choose the Cisco Unity Installation Account page, click Change and choose the account that you want to use to install Cisco Unity.

    Choose the Cisco Unity Installation Account
  9. Click Next.
  10. On the Choose the Cisco Unity Services Account page, click Change and choose the account that you want Cisco Unity directory and message store services to log on as.

    Choose the Cisco Unity Services Account
  11. Click Next.
  12. If the Cisco Unity server is running Windows Server 2003 with Service Pack 1 or later, DCOM security improvements prevent the Cisco Unity Media Master control from functioning except on the Cisco Unity server. If you do not grant some DCOM rights (and reverse some of the security improvements):
    • Cisco Unity subscribers cannot use the Media Master to make or play recordings in the Cisco Unity Assistant.
    • When administrators log into the Cisco Unity Administrator from another computer, they cannot use the Media Master.


If you want to be able to use the Media Master control from locations other than the Cisco Unity server, on the Choose Whether to Grant DCOM Rights page, check the Grant DCOM Rights and Enable the Media Master Control check box.

Choose Whether to Grant DCOM Rights

  1. Click Next.
  2. A summary appears that lists the permissions that will be granted to each account, including membership in groups and user rights.

    Review Changes to Permissions
  3. Click Next to grant the listed permissions. The Permissions wizard will complete in under an hour, and possibly in just a few minutes.

    Caution! If you are running the Permissions Wizard using Windows Terminal Services (WTS), the PWDiag.Log file will be deleted at the end of the WTS session. If you want to save it, you must copy it to another location before you end the session.

    Granting Permissions
  4. When the Permissions wizard completes, the following page appears.

    You Have Completed the Cisco Unity Permissions Wizard
  5. To display a report listing the operations that succeeded and those that failed, if any, click View Detailed Results. For information on interpreting the results, see Logging and Diagnostics.

    Cisco Unity Permissions Wizard Results
  6. If one or more permissions could not be granted, fix the problems, and run the Permissions wizard again.

    Caution! If the Permissions wizard failed to grant any permissions, either the Cisco Unity installation will fail, or Cisco Unity will not run properly after it has been installed. You must successfully run the Permissions wizard before you can continue with installing Cisco Unity.
  7. Click Finish.
  8. If the account that you logged in with is also the account that you want to use to install Cisco Unity (you selected the installation account earlier in this procedure), log out of Windows and log back in so the permissions granted by the Permissions wizard will take effect.

Logging and Diagnostics

The Cisco Unity Permissions wizard generates two log files and saves them in the current temp directory. The first file contains summary information and results. The second file contains low-level diagnostics and error messages.

PWResults.html

PWResults.html contains all results from the Cisco Unity Permissions wizard.

Each operation the Cisco Unity Permissions wizard attempts will be listed as either SUCCEEDED or FAILED.

In some cases, individual rights may be combined into a single entry. For example, the rights to read properties, write properties, list contents, read permissions, and modify permissions applied onto Group objects are all included in the single entry “SUCCEEDED granting Group read/modify rights.”

It is possible that an Active Directory right being granted will conflict with a pre-existing right on an Active Directory container. For example, the account that Cisco Unity directory services log on as may have been specifically denied the right to create user objects in one of the containers selected in the Permissions wizard. The PWResults.html file will indicate that a conflict has been found with a direct rights denial, but the Permissions wizard will not resolve the conflict. It is your responsibility to resolve conflicts between the rights being granted by the Permissions wizard and others already in effect.

PWDiag.log

PWDiag.log contains everything in PWResults.html, supplemented by low-level engineering diagnostics and error messages that can be used by Cisco engineers to diagnose anomalous behavior.
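
A way to check the results outside the wizard and to keep both files, as an added example (not Cisco code). The page only states that each operation is listed as SUCCEEDED or FAILED, so the parser assumes each entry is its own line or HTML element starting with one of those words; the HTML sample is constructed for illustration and is not real wizard output.

```powershell
# Added example, not part of the Cisco documentation or tooling.

function Get-PWResultEntry {
    # Turns the text of PWResults.html into objects with Status and Operation.
    # Assumption: every entry starts with the word SUCCEEDED or FAILED.
    param(
        [Parameter(Mandatory = $true)]
        [string] $Html
    )
    # Treat block-level closing tags and <br> as line breaks, then drop all other tags
    $text = $Html -replace '(?i)<br\s*/?>|</(p|li|tr|div|h\d)>', "`n" -replace '<[^>]+>', ''
    $text = [System.Net.WebUtility]::HtmlDecode($text)

    foreach ($line in ($text -split "`r?`n")) {
        $line = $line.Trim()
        if ($line -cmatch '^(SUCCEEDED|FAILED)\b\s*(.*)$') {
            [pscustomobject]@{
                Status    = $Matches[1]
                Operation = $Matches[2]
            }
        }
    }
}

function Save-PWLog {
    # Copies PWResults.html and PWDiag.log out of the temp directory so they
    # survive the end of a Windows Terminal Services session.
    param(
        [Parameter(Mandatory = $true)]
        [string] $Destination,
        [string] $Source = $env:TEMP
    )
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    foreach ($name in 'PWResults.html', 'PWDiag.log') {
        $path = Join-Path $Source $name
        if (Test-Path -LiteralPath $path) {
            Copy-Item -LiteralPath $path -Destination $Destination -Force
        } else {
            Write-Warning "$name not found in $Source"
        }
    }
}

# Constructed sample input. Only the first entry's wording comes from this page;
# the FAILED line is invented to exercise the parser.
$sample = @'
<html><body>
<p>SUCCEEDED granting Group read/modify rights.</p>
<p>FAILED granting an example right (constructed sample line).</p>
</body></html>
'@

$entries = @(Get-PWResultEntry -Html $sample)
$failed  = @($entries | Where-Object { $_.Status -eq 'FAILED' })

$entries | Group-Object Status | Select-Object Name, Count
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) operation(s) failed; fix them and rerun the Permissions wizard."
    $failed | Format-List
}

# Against the real file, in the same session that ran the wizard:
#   Get-PWResultEntry -Html (Get-Content -Raw (Join-Path $env:TEMP 'PWResults.html'))
#   Save-PWLog -Destination 'C:\PWLogs'    # destination path is a placeholder
```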

Revision History

Version 1.0.0: Initial version

Version 1.2.0.1

Version 2.0.0.1

Version 2.0.0.16

  • Fixed problem with remembering domain for new object containers
  • Fixed missing report of direct denial conflicts in html output
  • Added granting of Send-As and Receive-As rights to Microsoft Exchange 2000 mailstores
  • Added granting of read-access rights to Deleted Object containers

Version 2.1.0.13, 08/01/2003: CSCeb75785

Version 2.1.0.14, 08/11/2003: Reconcile summary of granted rights with actual granted rights

Version 2.1.0.15, 10/20/2003: Add checks to distinguish Exchange 2000 from 2003

Version 2.1.0.16, 12/2/2003

  • Changes to support localized help
  • Defect fix: CSCec86667

Version 2.1.0.17, 12/4/2003: Changes to apply Send-As on contact objects in new user container

Version 2.1.0.18, 1/7/2004: Defect fix: CSCed31963

Version 2.1.0.19, 1/27/2004: Added Send-As rights granted on contact objects

Version 2.1.0.20, 2/17/2004: Fix problem during AdminSDHolder rights assignment

Version 2.1.0.21, 2/23/2004: Allow for localized display of Exchange help file

Version 2.1.0.22, 4/9/2004: Defect fixes: CSCee17852, CSCed78363

Version 2.1.0.23, 7/7/2004: Add timing diags around critical MS code

Version 2.1.0.24, 8/9/2004: Defect Fixes: CSCee77212, CSCee90611

Version 2.1.0.25, 9/8/2004: Defect Fixes: CSCef01633

Version 2.1.0.26, 11/1/2004: Add registry disable of AdminSDHolder permission setting

Version 2.1.0.27, 1/5/2005: Change to only write DACL on AD objects

Version 2.1.0.28, 1/20/2005: Added write property rights on computer objects

Version 2.1.0.29, 3/14/2005: Typo fix in diags

Version 2.1.0.30, 5/26/2005: Localization updates

Version 2.1.0.31, 5/27/2005: Defect fix: CSCsb01328

Version 2.1.0.32, 7/15/2005: Support for Windows Server 2003 SP 1 and later

Version 2.2.0.34, 2/28/2006: For Cisco Unity 4.2(1), permissions granted at a more granular level, Report Mode added

Version 2.2.0.35, 8/1/2006: Added the option to choose containers for computers and domain controllers. Added options for the amount of information to include in the report and for checking child containers. Also added a summary of options selected to the beginning of the report.

Version 2.2.0.36, 5/31/2007: Added support for Unity 5.0.

Version 2.2.0.38, 10/30/2007: Added support for 1000+ Exchange Databases.

Version 2.2.0.39, 2/11/2008: Defect fix: CSCsk28195 - Changing permissions on GAL can prevent message delivery, so we grant Message store account the appropriate permission on GAL.

Version 2.2.0.40, 4/10/2008: Added a flag /nousercreate when run in PW if the user chooses to create users manually. Also added the ability in PW report mode to check the appropriate permissions of the installer account in AD for the no user create mode.

Version 3.0.0.1, 4/22/2008: Defect fix: CSCso18872 - Permissions Wizard Report Mode should check Voice Connector Permissions.

Version 3.0.0.2, 7/16/2008: Added AD2008 support.

Version 3.0.0.3, 2/20/2009: Added option to disable Domino option.

Version 3.0.0.4, 6/26/2009: Defect fix CSCsz22230: Permissions Wizard needs to say DCOM check box not needed for 8.0

Version 3.0.0.5, 11/20/2009

  • Defect fix CSCtc62556: UCI Permissions Wizard needs text and update for UCI8
  • Defect fix CSCtd37545: Permission Wizard hung when encountering error while reading AD server

Version 3.0.0.6, 2/9/2010

  • CSCtd34455 - PW - Need to set messaging permissions for Ex2010
  • CSCtf14369 - Exch 2010: Permission wizard picking up deleted object containers

Version 3.0.0.7, 7/28/2010: Defect fix CSCti03991 - Exchange 2007 Sp3 is not being detected

 

© 2010 Cisco Systems, Inc.