Cisco Unity Permissions Wizard

Contents

Requirements/Special Notes

Running the Cisco Unity Permissions Wizard

Running Permissions Wizard with a Domino Message Store

To run Permissions Wizard

Running Permissions Wizard with an Exchange 2000 Message Store

To run Permissions Wizard

Running Permissions Wizard with an Exchange 5.5 Message Store

To run Permissions Wizard

Logging and Diagnostics

PWResults.html

PWDiag.log

Revision History

Requirements/Special Notes

* Requires Unity 4.0.0(1) or greater.

* The user account running the Cisco Unity Permissions Wizard must be a member of the Domain Administrators group or have permissions equivalent to the Domain Administrators group, and must have the right to act as part of the operating system.

Running the Cisco Unity Permissions Wizard

Before you run the Cisco Unity installation program, you need to:

* Create several domain accounts. For more information, refer to the Cisco Unity Installation Guide.

* Run Cisco Unity Permissions Wizard to assign the necessary permissions to the accounts.

* If you are using Exchange 2000 or Exchange 5.5, manually assign Exchange permissions to the accounts. For more information, see Setting Exchange Permissions.

Permissions Wizard sets the permissions that Cisco Unity requires for the following accounts:

* The account that you will use to install Cisco Unity.

* For Domino and for Exchange 5.5, the account that will own Cisco Unity directory and message store services.

* For Exchange 2000, the two accounts that will own Cisco Unity directory and message store services.

Do the appropriate procedure for your message store:

* Running Permissions Wizard with a Domino Message Store

* Running Permissions Wizard with an Exchange 2000 Message Store (Also do this procedure if you will be homing Cisco Unity subscribers in both Exchange 2000 and Exchange 5.5.)

* Running Permissions Wizard with an Exchange 5.5 Message Store

If you are setting up failover, run Permissions Wizard on both the primary and secondary servers.

For a comprehensive list of all rights, privileges, and group memberships that are set by the Cisco Unity Permissions Wizard, see Permissions Set By the Cisco Unity Permissions Wizard.

Running Permissions Wizard with a Domino Message Store

Caution! The following procedure grants each account the rights to act as a part of the operating system, to log on as a service, and to log on as a batch job, and does so in the local security policy. If a domain security policy is in effect, confirm that the domain security policy does not deny the accounts these rights.

To run Permissions Wizard

  1. Log on to the Cisco Unity server by using an account that is a member of the Domain Admins group and that has the right to act as part of the operating system.

Caution! If you try to run Permissions Wizard using an account that has less than the default permissions for a Domain Admin, Permissions Wizard may not be able to set all of the permissions required by the installation account and the services accounts. If Permissions Wizard cannot set all of the required permissions, either the Cisco Unity installation will fail, or Cisco Unity will not run properly after it has been installed.

  2. Insert Cisco Unity Disc 1 in the CD-ROM drive.
  3. Browse to the Utilities\PermissionsWizard directory, and run PermissionsWizard.exe.
  4. On the Welcome to the Cisco Unity Permissions Wizard page, click Lotus Domino.
  5. Click Next.
  6. Click Change and choose the account that you want to use to install Cisco Unity.
  7. Click Next.
  8. Click Change and choose the account that you want to own Cisco Unity directory and message store services.
  9. Click Next.
  10. A summary appears that lists the permissions that will be granted to each account, including membership in groups and user rights.
  11. Click Next to grant the listed permissions. Permissions Wizard may take a few minutes to grant permissions.
  12. If Permissions Wizard failed to grant one or more permissions, an error message appears that lists the number of permissions it was not able to grant. Click OK.
  13. When Permissions Wizard finishes, the You Have Completed the Cisco Unity Permissions Wizard page appears.

If any permissions are not set successfully, the following page appears.

  14. To display a report listing the operations that succeeded and those that failed, if any, click View Detailed Results. For information on interpreting the results, see Logging and Diagnostics.
  15. If one or more permissions could not be granted, fix the problems, and run Permissions Wizard again.

Caution! If Permissions Wizard failed to set any permissions, either the Cisco Unity installation will fail, or Cisco Unity will not run properly after it has been installed. You must successfully run Permissions Wizard before you can continue with installing Cisco Unity.

  16. Click Finish.
  17. If the account that you logged in with in Step 1 is also the account that you want to use to install Cisco Unity (the account that you selected in Step 6), log out of Windows and log back in so the permissions set by Permissions Wizard will take effect.

Running Permissions Wizard with an Exchange 2000 Message Store

Before you can run Permissions Wizard, the Active Directory schema must have been extended for Cisco Unity, which you should have done when you set up the message store. For more information, refer to the Cisco Unity Installation Guide.

Caution! The following procedure grants each account the rights to act as a part of the operating system, to log on as a service, and to log on as a batch job, and does so in the local security policy. If a domain security policy is in effect, confirm that the domain security policy does not deny the accounts these rights.

To run Permissions Wizard

  1. Log on to the Cisco Unity server by using an account that:

* Is a member of the Domain Admins group in the domain in which the Cisco Unity server is being installed.

* Is either an Exchange Full Administrator or a member of the Domain Admins group in the domain that contains all of the domains from which you want to import Cisco Unity subscribers.

* Has the right to act as part of the operating system.

Caution! If you try to run Permissions Wizard using an account that has less than the default permissions for a Domain Admin, Permissions Wizard may not be able to set all of the permissions required by the installation account and the services accounts. If Permissions Wizard cannot set all of the required permissions, either the Cisco Unity installation will fail, or Cisco Unity will not run properly after it has been installed.

  2. Insert Cisco Unity Disc 1 in the CD-ROM drive.
  3. Browse to the Utilities\PermissionsWizard directory, and run PermissionsWizard.exe.
  4. On the Welcome to the Cisco Unity Permissions Wizard page, click Microsoft Exchange 2000.
  5. Click Next.
  6. Click Change and choose the account that you want to use to install Cisco Unity.
  7. Click Next.
  8. Click Change and choose the account that you want to own Cisco Unity directory services.
  9. Click Next.
  10. Click Change and choose the account that you want to own Cisco Unity message store services.

Caution! The account that owns Cisco Unity message store services cannot be a member of the Domain Admins group or be an Exchange 2000 administrator.

  11. Click Next.
  12. Cisco Unity needs access to one or more Active Directory organizational units to create users (Cisco Unity subscribers) and groups (Cisco Unity distribution lists). Choose the following:

* The domain in which you want new users and groups to be created.

* The organizational unit in which you want users to be created. This is where Cisco Unity example users will be created during Cisco Unity installation.

* The organizational unit in which you want groups to be created.

  13. Click Next.
  14. Choose the organizational unit where you want Cisco Unity location objects to be created.
  15. Click Next.
  16. If you do not want to use the Cisco Unity Administrator to create new Active Directory users, contacts, and groups, you may choose to not grant the Cisco Unity directory services account the necessary rights to create each type of Active Directory object.

If you clear a check box next to an Active Directory object type, you will not be able to create the associated type of Cisco Unity object using the Cisco Unity Administrator. You may only import existing objects into Cisco Unity. For example, if you clear the Users check box, you will not be able to create new Cisco Unity Subscribers using the Cisco Unity Administrator. You will only be able to import existing Active Directory users to make them Cisco Unity subscribers.

  17. Click Next.
  18. Choose the Active Directory containers from which you want to import users, contacts, and groups to make them Cisco Unity subscribers, contacts, and public distribution lists. Note the following:

* You must choose a container for the domain that includes the Cisco Unity server.

* Choose only one container for each domain. If you will want to import users, contacts, and groups from more than one container in a domain, choose a common parent container that includes all of the containers from which you want to import. If the common parent is the domain itself, choose the domain.

  19. Click Next.
  20. If you are using the Cisco Unity Bridge to allow Cisco Unity to exchange voice messages with other voice messaging systems that support Octel Analog Networking, check the Cisco Unity Will Use Cisco Unity Bridge check box.

Also, choose the Active Directory organizational unit in which you want Bridge contacts to be created.

  21. Click Next.
  22. A summary appears that lists the permissions that will be granted to each account. The information listed includes membership in groups, user rights, and Active Directory rights.
  23. Click Next to grant the listed permissions. Permissions Wizard may take a few minutes to grant permissions.
  24. If Permissions Wizard failed to grant one or more permissions, an error message appears that lists the number of permissions it was not able to grant. Click OK.
  25. When Permissions Wizard finishes, the You Have Completed the Cisco Unity Permissions Wizard page appears.

If any permissions are not set successfully, the following page appears.

  26. To display a report listing the operations that succeeded and those that failed, if any, click View Detailed Results. For information on interpreting the results, see Logging and Diagnostics.

Note: In some cases, individual rights may be combined into a single entry. For example, the rights to read properties, write properties, list contents, read permissions, and modify permissions applied onto Group objects are all included in the single entry “SUCCEEDED granting Group read/modify rights.”

  27. If one or more permissions could not be granted, fix the problems, and run Permissions Wizard again.

Caution! If Permissions Wizard failed to set any permissions, either the Cisco Unity installation will fail, or Cisco Unity will not run properly after it has been installed. You must successfully run Permissions Wizard before you can continue with installing Cisco Unity.

Caution! An Active Directory right being granted by Permissions Wizard may conflict with an existing right on an Active Directory container. For example, an account may be denied the right to create user objects in one of the containers selected in Permissions Wizard. The log file will explain that a conflict has been found, but Permissions Wizard will not resolve the conflict. You must resolve the conflict and then re-run Permissions Wizard.

  28. Click Finish.
  29. If the account that you logged in with in Step 1 is also the account that you want to use to install Cisco Unity (the account that you selected in Step 6), log out of Windows and log back in so the permissions set by Permissions Wizard will take effect.
  30. Set Exchange-specific permissions. See Setting Exchange Permissions.

Running Permissions Wizard with an Exchange 5.5 Message Store

Caution! The following procedure grants each account the rights to act as a part of the operating system, to log on as a service, and to log on as a batch job, and does so in the local security policy. If a domain security policy is in effect, confirm that the domain security policy does not deny the accounts these rights.

To run Permissions Wizard

  1. Log on to the Cisco Unity server by using an account that is a member of the Domain Admins group and that has the right to act as part of the operating system.

Caution! If you try to run Permissions Wizard using an account that has less than the default permissions for a Domain Admin, Permissions Wizard may not be able to set all of the permissions required by the installation account and the services accounts. If Permissions Wizard cannot set all of the required permissions, either the Cisco Unity installation will fail, or Cisco Unity will not run properly after it has been installed.

  2. Insert Cisco Unity Disc 1 in the CD-ROM drive.
  3. Browse to the Utilities\PermissionsWizard directory, and run PermissionsWizard.exe.
  4. On the Welcome to the Cisco Unity Permissions Wizard page, click Exchange 5.5.
  5. Click Next.
  6. Click Change and choose the account that you want to use to install Cisco Unity.
  7. Click Next.
  8. Click Change and choose the account that you want to own Cisco Unity directory and message store services.
  9. Click Next.
  10. A summary appears that lists the permissions that will be granted to each account, including user rights and membership in groups.
  11. Click Next to grant the listed permissions. Permissions Wizard may take a few minutes to grant permissions.
  12. If Permissions Wizard failed to grant one or more permissions, an error message appears that lists the number of permissions it was not able to grant. Click OK.
  13. When Permissions Wizard finishes, the You Have Completed the Cisco Unity Permissions Wizard page appears.

If any permissions are not set successfully, the following page appears.

  14. To display a report listing the operations that succeeded and those that failed, if any, click View Detailed Results. For information on interpreting the results, see Logging and Diagnostics.
  15. If one or more permissions could not be granted, fix the problems, and run Permissions Wizard again.

Caution! If Permissions Wizard failed to set any permissions, either the Cisco Unity installation will fail, or Cisco Unity will not run properly after it has been installed. You must successfully run Permissions Wizard before you can continue with installing Cisco Unity.

  16. Click Finish.
  17. If the account that you logged in with in Step 1 is also the account that you want to use to install Cisco Unity (the account that you selected in Step 6), log out of Windows and log back in so the permissions set by Permissions Wizard will take effect.
  18. Set Exchange-specific permissions. See Setting Exchange Permissions.
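
The Caution that opens each procedure asks you to confirm that no policy in effect denies the accounts the three rights the wizard grants. One way to check this, as an added example that is not part of the original document or Cisco's tooling, is to audit the [Privilege Rights] section of a user-rights export such as one written by `secedit /export /areas USER_RIGHTS /cfg <file>`. The account names and the sample export are constructed, and the code assumes accounts appear in the export by name rather than by SID.

```python
# Added example, not Cisco code: audit a user-rights export for the three
# rights Permissions Wizard grants. Account names below are hypothetical.
import configparser

REQUIRED = {
    "SeTcbPrivilege": "act as part of the operating system",
    "SeServiceLogonRight": "log on as a service",
    "SeBatchLogonRight": "log on as a batch job",
}
# A deny right overrides the matching grant when both list the account.
DENY = {
    "SeDenyServiceLogonRight": "SeServiceLogonRight",
    "SeDenyBatchLogonRight": "SeBatchLogonRight",
}

# Constructed sample export (real exports are UTF-16; decode before parsing).
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeTcbPrivilege = UnityInstall,UnityDirSvc,UnityMsgStoreSvc
SeServiceLogonRight = *S-1-5-20,UnityInstall,UnityDirSvc,UnityMsgStoreSvc
SeBatchLogonRight = UnityInstall,UnityDirSvc
SeDenyServiceLogonRight = UnityMsgStoreSvc
"""

def parse_rights(text):
    """Return {right name: set of lower-cased principals} from an export."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # keep the case of the right names
    cp.read_string(text)
    if not cp.has_section("Privilege Rights"):
        return {}
    return {right: {p.strip().lstrip("*").lower() for p in value.split(",") if p.strip()}
            for right, value in cp.items("Privilege Rights")}

def audit(text, accounts):
    """List (account, problem) pairs for rights that are missing or denied."""
    rights = parse_rights(text)
    findings = []
    for acct in accounts:
        key = acct.lower()
        for right, label in REQUIRED.items():
            if key not in rights.get(right, set()):
                findings.append((acct, f"missing {right} ({label})"))
        for deny, grant in DENY.items():
            if key in rights.get(deny, set()):
                findings.append((acct, f"{deny} overrides {grant}"))
    return findings

if __name__ == "__main__":
    for acct, problem in audit(SAMPLE_EXPORT, ["UnityInstall", "UnityDirSvc", "UnityMsgStoreSvc"]):
        print(f"{acct}: {problem}")
```

An empty result means every listed account holds all three rights and is not named in a deny right; entries that appear only as SIDs must be resolved to account names before running the check.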

Logging and Diagnostics

The Cisco Unity Permissions Wizard generates two log files and saves them in the current temp directory. The first file contains summary information and results. The second file contains low-level diagnostics and error messages.

PWResults.html

PWResults.html contains all results from the Cisco Unity Permissions Wizard.

Each operation the Cisco Unity Permissions Wizard attempts will be listed as either SUCCEEDED or FAILED.

In some cases, individual rights may be combined into a single entry. For example, the rights to read properties, write properties, list contents, read permissions, and modify permissions applied onto Group objects are all included in the single entry “SUCCEEDED granting Group read/modify rights.”

It is possible that an Active Directory right being granted will conflict with a pre-existing right on an Active Directory container. For example, the account chosen to own Cisco Unity directory services may have been specifically denied the right to create user objects in one of the containers selected in Permissions Wizard. The PWResults.html file will indicate that a conflict has been found with a direct rights denial, but Permissions Wizard will not resolve the conflict. It is your responsibility to resolve conflicts between the rights being granted by Permissions Wizard and others already in effect.
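
One way to check the SUCCEEDED/FAILED entries and conflict notices described above before continuing with installation, as an added example that is not Cisco code. The report's HTML layout and the wording of the conflict line are assumptions, and the sample report is constructed.

```python
# Added example, not Cisco code. The HTML layout and entry wording are constructed;
# only the SUCCEEDED/FAILED keywords and the Group entry come from the documentation.
import re
from html.parser import HTMLParser

SAMPLE_REPORT = """<html><body><h2>Results</h2><ul>
<li>SUCCEEDED granting Group read/modify rights</li>
<li><b>FAILED</b> granting the right to create User objects</li>
<li>SUCCEEDED granting the right to log on as a service</li>
<li>Conflict found: direct denial of the right to create User objects</li>
</ul></body></html>"""

RESULT = re.compile(r"^(SUCCEEDED|FAILED)\b\s*(.*)$")
CONFLICT = re.compile(r"\b(conflict|denial)", re.IGNORECASE)  # assumed wording

class EntryParser(HTMLParser):
    """Join the text of each block element into one report entry."""
    BLOCK = {"li", "p", "br", "tr", "div", "h1", "h2", "h3"}

    def __init__(self):
        super().__init__()
        self.entries, self._buf = [], []

    def flush(self):
        # Collapse whitespace so inline tags such as <b> do not split an entry.
        text = " ".join("".join(self._buf).split())
        if text:
            self.entries.append(text)
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag in self.BLOCK:
            self.flush()
    def handle_endtag(self, tag):
        if tag in self.BLOCK:
            self.flush()
    def handle_data(self, data):
        self._buf.append(data)

def summarize(html_text):
    """Sort entries into succeeded/failed/conflicts and set a go/no-go flag."""
    parser = EntryParser()
    parser.feed(html_text)
    parser.close()
    parser.flush()  # text after the last block tag
    out = {"succeeded": [], "failed": [], "conflicts": []}
    for entry in parser.entries:
        m = RESULT.match(entry)
        if m:
            out[m.group(1).lower()].append(m.group(2))
        elif CONFLICT.search(entry):
            out["conflicts"].append(entry)
    out["ready_to_install"] = bool(out["succeeded"]) and not (out["failed"] or out["conflicts"])
    return out
```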

PWDiag.log

PWDiag.log contains everything in PWResults.html, supplemented by low-level engineering diagnostics and error messages that can be used by Cisco engineers to diagnose anomalous behavior.

Revision History

Version 1.0.0

* Initial version.

Version 1.2.0.1

Version 2.0.0.1

Version 2.0.0.16

* Fixed problem with remembering domain for new object containers

* Fixed missing report of direct denial conflicts in html output

* Added granting of Send-As and Receive-As rights to Microsoft Exchange 2000 mailstores

* Added granting of read-access rights to Deleted Object containers

© 2002 Cisco Systems, Inc. -- Company Confidential