Granting Permissions with Cisco Unity 4.2(1)+ Permissions Wizard
Running the Cisco Unity Permissions Wizard When Subscriber Mailboxes Are Homed in Domino
Requirements
Permissions Granted by the Permissions Wizard
Configuring Cisco Unity Failover
To Run the Permissions Wizard When Subscriber Mailboxes Are Homed in Domino
Running the Cisco Unity Permissions Wizard When Subscriber Mailboxes Are Homed in Exchange 2003 and/or Exchange 2000
Requirements
Permissions Granted by the Permissions Wizard
Configuring Cisco Unity Failover
Disabling Inheritance
Impact on Domain Controllers and Global Catalog Servers
Installing More Than One Cisco Unity Server in a Forest
To Run the Permissions Wizard When Subscriber Mailboxes Are Homed in Exchange 2003 and/or Exchange 2000
Logging and Diagnostics
PWResults.html
PWDiag.log
Revision History
Running the Cisco Unity Permissions Wizard When Subscriber Mailboxes Are Homed in Domino
Requirements
This version of the Permissions wizard requires Cisco Unity 4.2(1) or later.
Permissions Granted by the Permissions Wizard
The Permissions wizard sets the permissions that Cisco Unity requires for the
following accounts:
- The account that you will use to install Cisco Unity.
- The account that Cisco Unity directory and message store services will log on as.
For a list of privileges and group memberships that are granted by the Cisco Unity
Permissions wizard, see Permissions Granted by the
Cisco Unity Permissions Wizard.
Configuring Cisco Unity Failover
If you are configuring failover, run the Permissions wizard on both the primary and
secondary servers.
To Run Permissions Wizard When Subscriber Mailboxes Are Homed in Domino
- If a domain security policy is in effect, confirm that the
domain security policy does not deny the accounts the rights to act as a
part of the operating system, to log on as a service, and to log on as a
batch job.
- Log on to the Cisco Unity server by using an account that
is a member of the Domain Admins group or that has
permissions equivalent to the default permissions for the Domain Admins
group.
Caution! If you try to run the Permissions wizard
using an account that has less than the default permissions for a Domain Admin,
the Permissions wizard may not be able to grant all of the permissions required by
the installation account and the services accounts. If the Permissions wizard
cannot grant all of the required permissions, either the Cisco Unity installation
will fail, or Cisco Unity will not run properly after it has been installed.
- On Cisco Unity DVD 1 or CD 1, or from the location to
which you saved the downloaded Cisco Unity CD 1 image files, browse to the
Utilities\PermissionsWizard directory, and run PermissionsWizard.exe.
- On the Welcome to the Cisco Unity Permissions Wizard page, click Set Permissions.
- Click Next.
- On the Choose the Message Store page, click Lotus Domino.
- Click Next.
- On the Choose the Cisco Unity Installation Account page, click
Change and choose the account that you want to use to install Cisco Unity.
- Click Next.
- On the Choose the Cisco Unity Services Account page,
click Change and choose the account that you want Cisco Unity
directory and message store services to log on as.
- Click Next.
- A summary appears that lists the permissions that will be
granted to each account, including membership in groups and user rights.
- Click Next to grant the listed permissions. The Permissions wizard will complete in under
an hour, and possibly in just a few minutes.
Caution! If you are running the Permissions wizard in a Windows Terminal Services (WTS) session,
the log files that the wizard writes to the session's temp directory (PWDiag.log and PWResults.html)
are deleted when the WTS session ends. If you want to keep them, copy them to another location
before you end the session.
- When the Permissions wizard completes, the completion page appears.
- To display a report listing the operations that succeeded
and those that failed, if any, click View Detailed Results. For
information on interpreting the results, see Logging and Diagnostics.
- If one or more permissions could not be granted, fix the
problems, and run the Permissions wizard again.
Caution! If the Permissions wizard failed to grant any permissions, either the
Cisco Unity installation will fail, or Cisco Unity will not run properly after it has been
installed. You must successfully run the Permissions wizard before you can continue with installing
Cisco Unity.
- Click Finish.
- If the account that you logged in with is also the account that you want to use to
install Cisco Unity (you selected the installation account earlier in this procedure),
log out of Windows and log back in so the permissions granted by the Permissions wizard
will take effect.
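The first step of this procedure (and of the Exchange procedure later on this page) asks you to confirm that domain security policy does not deny the installation and services accounts the three user rights the wizard grants. The following PowerShell script is an added example, not part of the Cisco documentation or of the Permissions wizard itself: it exports the effective user-rights assignment on the Cisco Unity server with secedit and reports whether each account appears under a deny right or already holds the right the wizard will grant. The account names are placeholders, the script must run elevated, and it matches the accounts directly only, so a denial applied through a group they belong to is not caught. One further caveat a practitioner should keep in mind: if a domain GPO defines "Act as part of the operating system", "Log on as a service" or "Log on as a batch job" at all, the GPO's list replaces the local setting at the next policy refresh, so the accounts must be added to that GPO or the wizard's local grant will be removed again.

```powershell
# Added example, not from the Cisco documentation. Exports the effective user-rights
# assignment on this server with secedit and checks that the accounts the Permissions
# wizard will use are not explicitly denied the logon rights it grants.
$Accounts = @('EXAMPLE\UnityInstall', 'EXAMPLE\UnityDirSvc', 'EXAMPLE\UnityMsgSvc')  # placeholder names

$rightsToGrant = @{
    SeTcbPrivilege      = 'Act as part of the operating system'
    SeServiceLogonRight = 'Log on as a service'
    SeBatchLogonRight   = 'Log on as a batch job'
}
# There is no "deny act as part of the operating system" right; only the two logon rights have deny forms.
$denyRights = @{
    SeDenyServiceLogonRight = 'Deny log on as a service'
    SeDenyBatchLogonRight   = 'Deny log on as a batch job'
}

# secedit writes the current local security database (domain GPO settings included) as an INF file.
$inf = Join-Path $env:TEMP 'unity-user-rights.inf'
& secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null

# Parse the [Privilege Rights] section into: right name -> list of principals.
# secedit writes SIDs with a leading '*'; names appear as DOMAIN\name.
$rights = @{}
$inSection = $false
foreach ($line in (Get-Content -Path $inf)) {
    if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
    if (-not $inSection) { continue }
    if ($line -match '^\s*(\S+)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = @($Matches[2] -split ',' |
            ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
    }
}

function Resolve-Sid([string]$Account) {
    (New-Object System.Security.Principal.NTAccount($Account)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}

$problems = 0
foreach ($acct in $Accounts) {
    $sid = Resolve-Sid $acct
    foreach ($r in $denyRights.Keys) {
        # Direct match only: a denial inherited through group membership is not detected here.
        if ($rights[$r] -contains $sid -or $rights[$r] -contains $acct) {
            Write-Warning "$acct is listed under '$($denyRights[$r])' ($r); the wizard cannot override a deny."
            $problems++
        }
    }
    foreach ($r in $rightsToGrant.Keys) {
        $held = ($rights[$r] -contains $sid) -or ($rights[$r] -contains $acct)
        '{0,-26} {1,-40} {2}' -f $acct, $rightsToGrant[$r],
            $(if ($held) { 'already held' } else { 'not yet held (wizard will grant)' })
    }
}
if ($problems -eq 0) { 'No explicit denials found for the Permissions wizard accounts.' }
```

Run it once before the wizard and once after; a right that shows as "not yet held" after a successful run, or that reverts to "not yet held" after the next Group Policy refresh, points at a domain GPO that defines the right without listing the Cisco Unity accounts.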
Running the Cisco Unity Permissions Wizard When Subscriber Mailboxes Are Homed in Exchange 2003 and/or Exchange 2000
Requirements
Before you can run the Permissions wizard, the Active Directory
schema must have been extended for Cisco Unity, which you should have done when
you set up the message store. For more information, refer to the applicable Cisco Unity
installation guide.
Permissions Granted by the Permissions Wizard
The Permissions wizard sets the permissions that Cisco Unity
requires for the following accounts:
- The account that you will use to install Cisco Unity.
- The account that Cisco Unity directory services will log on as.
- The account that Cisco Unity message store services will log on as.
For a comprehensive list of all permissions, privileges, and group memberships that
are granted by the Permissions wizard, see Permissions
Granted by the Cisco Unity Permissions Wizard.
Caution! Cisco Unity needs to be able to change properties of Active
Directory users. The Permissions wizard grants the directory services account the right to change
user accounts in the containers that you specify. Cisco Unity can only change user accounts in
those containers if inheritance is enabled for the containers and for the users themselves.
Configuring Cisco Unity Failover
If you are configuring failover, run the Permissions wizard on both the primary and
secondary servers.
Disabling Inheritance
If you disable inheritance for any containers or groups that include Cisco Unity
subscribers, or for any users who are subscribers, Cisco Unity (using the directory services
account) will not be able to change properties for the affected users. You will need to either
grant permissions to those users explicitly or re-enable inheritance by checking the Allow
Inheritable Permissions from Parent to Propagate to This Object check box on
the Security tab in the applicable Properties dialog box.
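As an added example (not from the Cisco documentation), the following PowerShell script finds the containers and user objects under a subscriber container whose DACL has inheritance blocked, which is exactly the case the paragraph above describes. It requires the ActiveDirectory module (RSAT) and uses a placeholder container DN. It also flags accounts with adminCount set to 1: these are protected by AdminSDHolder, and the SDProp process periodically re-applies the AdminSDHolder DACL with inheritance disabled, so re-enabling inheritance on such an account by hand does not persist. That is presumably why the wizard has a separate option for Active Directory admin accounts and why the revision history mentions AdminSDHolder rights assignment.

```powershell
# Added example, not from the Cisco documentation. Lists containers and users under a
# subscriber container whose DACL does not inherit from the parent, which is the condition
# under which the directory services account loses the rights the wizard granted above them.
Import-Module ActiveDirectory
$container = 'OU=Unity Subscribers,DC=example,DC=com'   # placeholder DN

# Containers, OUs and user objects (objectCategory=person excludes computer accounts).
$filter = '(|(objectClass=organizationalUnit)(objectClass=container)(&(objectCategory=person)(objectClass=user)))'
$objects = Get-ADObject -SearchBase $container -SearchScope Subtree -LDAPFilter $filter -Properties adminCount

$blocked = foreach ($o in $objects) {
    # Get-Acl on the AD: drive returns an ActiveDirectorySecurity for the object.
    $acl = Get-Acl -Path ("AD:\" + $o.DistinguishedName)
    if ($acl.AreAccessRulesProtected) {
        [pscustomobject]@{
            Name  = $o.Name
            Class = $o.ObjectClass
            DN    = $o.DistinguishedName
            # adminCount=1: AdminSDHolder-protected; SDProp re-disables inheritance on a timer,
            # so the inheritance check box on the Security tab will not stay set for this object.
            AdminSDHolderProtected = ($o.adminCount -eq 1)
        }
    }
}

if ($blocked) {
    $blocked | Format-Table -AutoSize
} else {
    "All containers and users under $container inherit permissions from their parent."
}
```

For an object in the list that is not AdminSDHolder-protected, re-enabling inheritance is the same operation as checking the box described above: call `SetAccessRuleProtection($false, $true)` on the ACL returned by Get-Acl and write it back with Set-Acl, then confirm that the wizard's ACEs now show as inherited on the user. For a protected account, either grant the rights explicitly or use the wizard's option for Active Directory admin accounts.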
Impact on Domain Controllers and Global Catalog Servers
We recommend that you run the Permissions wizard during off-peak hours unless you
are installing a new Cisco Unity system in a Voice Messaging configuration and you are not
creating subscriber accounts in the corporate directory. The new version of the Permissions wizard
sets permissions at a more granular level that requires more changes to the Active Directory
database than previous versions.
When the Permissions wizard completes, the Lsass.exe process updates the
Active Directory database with the new permissions. While Lsass.exe is processing the updates,
it uses 100 percent of available processor time on a domain controller that:
- Hosts the domain to which the Cisco Unity server belongs.
- Has been specified to respond to requests from the site.
Other domain controllers in the domain and other global catalog servers in the forest are also
affected, but the impact is less significant. The updates take a few minutes to several hours,
depending on the size of the database. Except when the Cisco Unity server is the domain controller
and the Lsass.exe process slows the screen refresh, you may continue with the Cisco Unity
installation while Lsass.exe is processing changes.
Installing More Than One Cisco Unity Server in a
Forest
The Permissions wizard sets permissions for installation and services accounts in
Active Directory, and also sets permissions on the local server. When there is more than one
Cisco Unity server in the forest (including failover servers), and when you are using the same
three Active Directory accounts for installation, directory services, and message store services
on multiple servers, the Permissions wizard only needs to grant Active Directory permissions once
for those accounts.
When you run the Permissions wizard a second or subsequent time (because,
for example, you are installing a Cisco Unity failover server or installing an additional Cisco
Unity server in the same forest) and specify the same three accounts, the Permissions wizard
displays a message asking whether you want to reapply permissions to those accounts. If you are
not changing permissions on the accounts, click No, and the Permissions wizard will apply only the
permissions required by the local server.
Note: When you run the Permissions wizard on a Cisco Unity server that is
in a different domain than the installation and services accounts, the Permissions wizard cannot
read or write the attribute that it uses to detect that permissions have already been granted on
those accounts. If you will be running the Permissions wizard on any Cisco Unity servers that are
in a different domain than the installation and services accounts, we recommend that you give the
account that you are using to run the Permissions wizard read and write rights on the
ciscoEcsbuUnityInformation property of the installation and services accounts.
To Run Permissions Wizard When Subscriber Mailboxes
Are Homed in Exchange 2003 and/or Exchange 2000
- If a domain security policy is in effect, confirm that the
domain security policy does not deny the accounts the rights to act as a
part of the operating system, to log on as a service, and to log on as a
batch job.
- Log on to the Cisco Unity server by using an account that:
- Is a member of the Domain Admins group in the domain in which the Cisco
Unity server is being installed, or that has permissions equivalent to the
default permissions for the Domain Admins group.
- Is either an Exchange Full Administrator or a member of the Domain
Admins group in the domain that contains all of the domains from which you want
to import Cisco Unity subscribers.
Caution! If you try to run the Permissions wizard using an account that has
less than the default permissions for a Domain Admin, the Permissions wizard may not be
able to grant all of the permissions required by the installation account and the services
accounts. If the Permissions wizard cannot grant all of the required permissions, either the
Cisco Unity installation will fail, or Cisco Unity will not run properly after it has
been installed.
- On Cisco Unity DVD 1 or CD 1, or from the location to which you saved the downloaded
Cisco Unity CD 1 image files, browse to the Utilities\PermissionsWizard directory, and run
PermissionsWizard.exe.
- On the Welcome to the Cisco Unity Permissions Wizard page, click Set Permissions.
- Click Next.
- If you are running the Permissions wizard in an Active Directory forest that includes
domain controllers running Windows 2000 Server, then setting the Active Directory permissions
required by Cisco Unity may more than double the size of the Active Directory database on those
servers.
Caution! Before you continue, we recommend that you verify that the affected servers
have the amount of additional space that may be required and that you read the documentation
on the Microsoft website for information on mitigating ACL bloat.
- On the Choose the Message Store page, click Microsoft
Exchange 2003 or Microsoft Exchange 2000.
When you run Cisco Unity
Installation and Configuration Assistant, later in the installation, you will
choose an Exchange partner server. This is the server where the Cisco Unity
system mailbox is created. If Cisco Unity subscribers will be homed in both Exchange
2000 and Exchange 2003, Cisco recommends that you choose Exchange 2003 as the
partner message store. If you choose Exchange 2000 now, when you upgrade the
Cisco Unity partner Exchange server to Exchange 2003, Cisco Unity subscribers
will not have access to messages during the upgrade. You will also need to
upgrade to Exchange 2003 System Management Tools on the Cisco Unity server.
Note: If Windows Server 2003
is installed on the Cisco Unity server, the option to choose between Exchange 2003
and Exchange 2000 is not available. You must use Exchange 2003.
- Click Next.
- On the Choose the Cisco Unity Installation Account page, click Change and choose
the account that you want to use to install Cisco Unity.
- Click Next.
- On the Choose the Cisco Unity Directory Services Account page, click Change and
choose the account that you want Cisco Unity directory services to log on as.
- Click Next.
- On the Choose the Cisco Unity Message Store Services Account page,
click Change and choose the account that you want
Cisco Unity message store services to log on as.
- Click Next.
- If the Permissions wizard does not display a message asking whether you want to reapply
permissions to the three accounts, skip this step.
If the message appears, you have already run the Permissions wizard and granted
permissions on all three of the specified accounts. If you are running the Permissions wizard
because you are:
- Installing a Cisco Unity failover server or installing an additional Cisco Unity
server in the same forest, and you are not changing permissions on the accounts,
click No, and the Permissions wizard will apply only the permissions required
by the local server.
- Changing permissions on the accounts, regardless of whether you have already run
the Permissions wizard on this server, click Yes.
- On the Choose Whether to Enable Voice Messaging Interoperability page, if you are configuring
Cisco Unity to communicate with another voice messaging system using AMIS, the Cisco Unity
Bridge, or VPIM, check the Set Permissions Required by AMIS, Cisco Unity Bridge, and VPIM
check box.
- Click Next.
- Cisco Unity needs access to one or more Active Directory containers to create
users (Cisco Unity subscribers) and groups (Cisco Unity public distribution lists). On the
Choose Active Directory Containers for New Users and Groups page, choose the following:
- The domain in which you want new users and groups to be created.
- The container in which you want users to be created. This is where Cisco Unity
creates system accounts during installation.
- The container in which you want groups to be created. This is where Cisco Unity
creates system public distribution lists during installation.
Note: Cisco Unity also creates system users and groups in the containers you
choose here.
- Click Next.
- On the Choose Which Objects Cisco Unity Administrator Can Create page, choose whether you want
the Cisco Unity Administrator to be able to create new Active Directory users, contacts, and
groups. For each object type you choose, the Cisco Unity directory services account is granted
the rights necessary to create that type of object in Active Directory.
If you clear a check box next to an Active Directory object type, you will not be able to
create the associated type of Cisco Unity object using the Cisco Unity Administrator.
For example, if you clear the Users check box, you will not be able to create new
Cisco Unity Subscribers using the Cisco Unity Administrator. You will only be able to create
Cisco Unity subscribers by importing existing Active Directory users.
If you checked the Set Permissions Required by AMIS, Cisco Unity Bridge, and VPIM
check box on the Choose Whether to Enable Voice Messaging Interoperability page, some options
are preselected and cannot be changed.
- Click Next.
- On the Where Should Cisco Unity Create ciscoEcsbuUMLocation Objects page, choose the
container where you want Cisco Unity location objects to be created.
Regardless of which container you select here, the Permissions wizard automatically creates:
- An OU named Unity at the top level of the Active Directory domain that contains the
Cisco Unity server.
- An OU named Locations below the Unity OU.
If you choose a different location for location objects, the Unity and Locations
OUs are not deleted, but no permissions are granted on them, either.
The Permissions wizard creates Unity and Locations OUs only once in a domain. If you rerun
the Permissions wizard, either on the same server or on another server (for example, because
you are adding another Cisco Unity server to the same domain), the Permissions wizard does not
create additional OUs. If you delete the OUs, next time you rerun the Permissions wizard,
the wizard recreates them.
- Click Next.
- On the Choose Active Directory Containers for Computers page, choose the containers in which
you want to create the computer objects and domain controllers (DCs) on which Cisco Unity and
Cisco Unity Voice Connectors are installed. If you create computer objects and DCs only in the
default Computers and Domain Controllers containers, skip this step.
If you want to create computer objects and DCs in other containers in addition to the
default containers, click Select Alternate Locations for Computer Objects and follow
the on-screen prompts to specify the additional containers.
If you want to create computer objects and DCs in other containers instead of the default
containers, uncheck the Computer and Domain Controller Objects Are Created in the Default
Locations check box. Then click Select Alternate Locations for Computer Objects and
follow the on-screen prompts to specify the alternate containers.
- Click Next.
- On the Choose Active Directory Containers for Import page, choose the Active Directory
containers from which you want to import users, contacts, and groups to make them Cisco Unity
subscribers and public distribution lists. Note the following:
- You must choose a container for the domain that includes the Cisco Unity server.
- If you are using Digital Networking to connect multiple Cisco Unity servers, and:
- If you will be importing users from the same container for every
Cisco Unity server, choose that container. For example, if CiscoUnityServer1
and CiscoUnityServer2 will both be importing users from Container1 only, choose
Container1.
- If, for all of the Cisco Unity servers combined, you will be
importing users from two or more containers, the Cisco Unity message store
services account on each Cisco Unity server must be granted SendAs permission
on every container from which users will be imported on every Cisco Unity
server in the forest. For example, if CiscoUnityServer1 will import users from
Container1 and Container2, and if CiscoUnityServer2 will import users from
Container3 and Container4, the Cisco Unity message store services account for
each Cisco Unity server must have SendAs permission for all four containers.
- If you are using identified subscriber messaging for AMIS, Bridge, or
VPIM subscribers, and:
- If you will be importing contacts from the same container
for every Cisco Unity server, choose that container. For example, if
CiscoUnityServer1 and CiscoUnityServer2 will both be importing contacts from
Container1 only, choose Container1.
- If, for all of
the Cisco Unity servers combined, you will be importing contacts from two or
more containers, the Cisco Unity message store services account on each Cisco
Unity server must be granted SendAs permission on every container from which
contacts will be imported on every Cisco Unity server in the forest. For
example, if CiscoUnityServer1 will import contacts from Container1 and
Container2, and if CiscoUnityServer2 will import contacts from Container3 and
Container4, the Cisco Unity message store services account for each Cisco Unity
server must have SendAs permission for all four containers.
- Click Next.
- On the Choose Whether Cisco Unity Can Administer Active Directory page, choose whether
changes that you make to Cisco Unity data using Cisco Unity tools should change the
corresponding values (for example, First Name and Last Name) in Active Directory.
If you check the Allow Cisco Unity to Administer Active Directory check box, you can use
Cisco Unity tools to make the changes listed in the table below, which also change the specified
Active Directory settings.
Cisco Unity Setting or Feature                                  | Corresponding Active Directory Setting or Feature
----------------------------------------------------------------|--------------------------------------------------
First Name                                                      | First Name
Last Name                                                       | Last Name
Display Name                                                    | Display Name
Membership in Cisco Unity public distribution lists             | Membership in Active Directory groups
Prevent subscribers from appearing in Outlook address books     | msExchHideFromAddressLists
  (In the Cisco Unity Administrator: the Show Subscriber In     |
  E-Mail Server Address Book check box on the Profile page for  |
  the subscriber template that you plan to use when creating    |
  subscribers, or on the Profile page for individual            |
  subscribers after you have created them. In Cisco Unity Bulk  |
  Edit: Hide Subscriber in E-mail Address Book.)                |
Delete Cisco Unity AMIS, Bridge, Internet, and VPIM subscribers | Delete Active Directory contacts
If you checked the Set Permissions Required by AMIS, Cisco Unity Bridge, and VPIM
check box on the Choose Whether to Enable Voice Messaging Interoperability page, this option
is preselected and cannot be changed.
- Click Next.
- If you want to home Cisco Unity subscribers in every Exchange 2003 and/or Exchange 2000
mailstore, skip this step.
If you want to home Cisco Unity subscribers only in some Exchange 2003 and/or Exchange 2000
mailstores, in the Choose Mailstores page, click Choose Mailstores, and choose
the mailstores to which you want Cisco Unity to have access.
The Permissions wizard grants the message store services account send-as and receive-as rights for
the selected mailstores.
Caution! Choosing mailstores here does not prevent an administrator from creating
mailboxes for subscribers in mailstores that were not selected in the Permissions wizard.
Note: If you forget which mailstores you specified here, you can rerun
the Permissions wizard up to this page. The settings will show which mailstores you
selected the last time you ran the Permissions wizard.
- Click Next.
- On the Choose Whether Active Directory Admin Accounts Can Have Voice Mail page,
choose whether you want Active Directory accounts that are used for administration
to also be used as Cisco Unity subscriber accounts.
- Click Next.
- If the Cisco Unity server is running Windows Server 2003 with
Service Pack 1, DCOM security improvements prevent the Cisco Unity Media
Master control from functioning except on the Cisco Unity server. If you
do not grant some DCOM rights (and reverse some of the SP 1 security
improvements):
- Cisco Unity subscribers cannot use the Media Master to make or play
recordings in ViewMail for Microsoft Outlook, in the Cisco Unity Inbox, or in
the Cisco Unity Assistant.
- When administrators log into the Cisco Unity Administrator from another
computer, they cannot use the Media Master.
If you want to be able to use the Media Master control from locations other than the
Cisco Unity server, on the Choose Whether to Grant DCOM Rights page, check the
Grant DCOM Rights and Enable the Media Master Control check box.
- Click Next.
- The Review Changes to Permissions page lists the permissions that will be
granted to each account. The information listed includes membership in
groups, user rights, and Active Directory rights.
- Click Next to grant the listed permissions. The Permissions wizard may take a
few minutes to grant permissions, and displays a progress page while it is processing.
- When the Permissions wizard completes, the completion page appears.
- To display a report listing the operations that succeeded and those that failed,
if any, click View Detailed Results. For information on interpreting the
results, see Logging and Diagnostics.
If one or more permissions could not be granted, fix the problems, and run the
Permissions wizard again.
Caution! If the Permissions wizard failed to grant any permissions, either the
Cisco Unity installation will fail, or Cisco Unity will not run properly after it has been
installed. You must successfully run the Permissions wizard before you can continue with
installing Cisco Unity.
Caution! An Active Directory right being granted by the Permissions wizard may conflict
with an existing right on an Active Directory container. For example, an account may be denied
the right to create user objects in one of the containers selected in the Permissions wizard.
The log file will explain that a conflict has been found, but the Permissions wizard will not
resolve the conflict. You must resolve the conflict and then rerun the Permissions wizard.
- Click Finish.
- If the account that you logged in with is also
the account that you want to use to install Cisco Unity (the account that you
selected earlier in this procedure), log out of Windows and log back in so the permissions
granted by the Permissions wizard will take effect.
- Delegate Exchange administrative control to the installation and directory services accounts.
See Delegating Exchange Administrative Control.
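Once the wizard reports success, it is worth verifying the result on the containers you selected rather than trusting the summary alone, especially given the caution above about deny conflicts that the wizard logs but does not resolve. The following PowerShell script is an added example, not from the Cisco documentation: for each container chosen on the Choose Active Directory Containers for Import page it checks that the message store services account holds the Send-As extended right (and Receive-As, which the wizard also grants), reports whether inheritance is blocked on the container, and lists any explicit Deny ACE for the account. It uses the ActiveDirectory module and the well-known GUIDs of the Exchange Send-As and Receive-As extended rights; the account name and container DNs are placeholders, and only ACEs granted directly to the account (not through a group it belongs to) are matched.

```powershell
# Added example, not from the Cisco documentation. Verifies, after the Permissions wizard
# has run, that the message store services account holds Send-As and Receive-As on each
# import container, and reports explicit Deny ACEs, which the wizard does not resolve.
Import-Module ActiveDirectory
$msgStoreAccount  = 'EXAMPLE\UnityMsgSvc'                     # placeholder
$importContainers = @('OU=Container1,DC=example,DC=com',      # placeholders
                      'OU=Container2,DC=example,DC=com')

# Well-known controlAccessRight GUIDs from the Exchange schema extensions.
$SendAs    = [guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'
$ReceiveAs = [guid]'ab721a56-1e2f-11d0-9819-00aa0040529b'
# An ExtendedRight ACE with the empty GUID (e.g. Full Control) covers every extended right.
$AllRights = [guid]'00000000-0000-0000-0000-000000000000'

function Test-ExtendedRight {
    param(
        [System.DirectoryServices.ActiveDirectorySecurity]$Acl,
        [string]$Identity,
        [guid]$Right
    )
    foreach ($ace in $Acl.Access) {
        if ($ace.IdentityReference.Value -ne $Identity) { continue }   # direct grants only
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $ext = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
        if (($ace.ActiveDirectoryRights -band $ext) -eq 0) { continue }
        if ($ace.ObjectType -eq $Right -or $ace.ObjectType -eq $AllRights) { return $true }
    }
    return $false
}

foreach ($dn in $importContainers) {
    $acl = Get-Acl -Path "AD:\$dn"
    $denies = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $msgStoreAccount -and $_.AccessControlType -eq 'Deny' })

    [pscustomobject]@{
        Container          = $dn
        SendAs             = Test-ExtendedRight $acl $msgStoreAccount $SendAs
        ReceiveAs          = Test-ExtendedRight $acl $msgStoreAccount $ReceiveAs
        InheritanceBlocked = $acl.AreAccessRulesProtected   # child users will not receive the grant
        DenyAces           = $denies.Count
    }
    foreach ($d in $denies) {
        # A Deny ACE wins over the wizard's Allow; the wizard reports it as a conflict and stops there.
        Write-Warning "Explicit Deny on $dn for $msgStoreAccount : $($d.ActiveDirectoryRights) (object type $($d.ObjectType))"
    }
}
```

A container that shows SendAs as False while PWResults.html reports the grant as SUCCEEDED usually means the right was granted to a group rather than to the account, or that a Deny or blocked inheritance is masking it; resolve the conflict, then rerun the wizard as the caution above instructs.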
Logging and Diagnostics
The Cisco Unity Permissions wizard generates two log files
and saves them in the current temp directory. The first file contains summary
information and results. The second file contains low-level diagnostics and
error messages.
PWResults.html
PWResults.html contains all results from the Cisco Unity Permissions wizard.
Each operation the Cisco Unity Permissions wizard attempts will be listed as
either SUCCEEDED or FAILED.
In some cases, individual rights may be combined into a single entry. For example,
the rights to read properties, write properties, list contents, read permissions, and modify
permissions applied onto Group objects are all included in the single entry “SUCCEEDED
granting Group read/modify rights.”
It is possible that an Active Directory right being granted
will conflict with a pre-existing right on an Active Directory container. For
example, the account that Cisco Unity directory services log on as may have
been specifically denied the right to create user objects in one of the
containers selected in the Permissions wizard. The PWResults.html file will
indicate that a conflict has been found with a direct rights denial, but
the Permissions wizard will not resolve the conflict. It is your responsibility to
resolve conflicts between the rights being granted by the Permissions wizard and
others already in effect.
PWDiag.log
PWDiag.log contains everything in PWResults.html,
supplemented by low-level engineering diagnostics and error messages that can
be used by Cisco engineers to diagnose anomalous behavior.
Revision History
Version 1.0.0: Initial version
Version 1.2.0.1
Version 2.0.0.1
Version 2.0.0.16
- Fixed problem with remembering domain for new object containers
- Fixed missing report of direct denial conflicts in html output
- Added granting of Send-As and Receive-As rights to Microsoft Exchange
2000 mailstores
- Added granting of read-access rights to Deleted Object containers
Version 2.1.0.13, 08/01/2003: CSCeb75785
Version 2.1.0.14, 08/11/2003: Reconcile summary of granted rights with actual
granted rights
Version 2.1.0.15, 10/20/2003: Add checks to distinguish Exchange 2000 from 2003
Version 2.1.0.16, 12/2/2003
- Changes to support localized help
- Defect fix: CSCec86667
Version 2.1.0.17, 12/4/2003: Changes to apply Send-As on contact objects in
new user container
Version 2.1.0.18, 1/7/2004: Defect fix: CSCed31963
Version 2.1.0.19, 1/27/2004: Added Send-As rights granted on contact objects
Version 2.1.0.20, 2/17/2004: Fix problem during AdminSDHolder rights assignment
Version 2.1.0.21, 2/23/2004: Allow for localized display of Exchange help file
Version 2.1.0.22, 4/9/2004: Defect fixes: CSCee17852, CSCed78363
Version 2.1.0.23, 7/7/2004: Add timing diags around critical MS code
Version 2.1.0.24, 8/9/2004: Defect Fixes: CSCee77212, CSCee90611
Version 2.1.0.25, 9/8/2004: Defect Fixes: CSCef01633
Version 2.1.0.26, 11/1/2004: Add registry disable of AdminSDHolder permission
setting
Version 2.1.0.27, 1/5/2005: Change to only write DACL on AD objects
Version 2.1.0.28, 1/20/2005: Added write property rights on computer objects
Version 2.1.0.29, 3/14/2005: Typo fix in diags
Version 2.1.0.30, 5/26/2005: Localization updates
Version 2.1.0.31, 5/27/2005: Defect fix: CSCsb01328
Version 2.1.0.32, 7/15/2005: Support for Windows Server 2003 SP 1 and later
Version 2.2.0.34, 2/28/2006: For Cisco Unity 4.2(1), permissions granted at a more
granular level, Report Mode added.
Version 2.2.0.35, 8/1/2006: Added the option to choose containers for computers and
domain controllers. Added options for the amount of information to include in the report and for
checking child containers. Also added a summary of options selected to the beginning of the
report.
Version 2.2.0.36, 2/6/2007: Added support for setting Lotus Domino permissions on Microsoft Windows 2003.
Version 2.2.1.35, 5/24/2007: Added support for 1000+ Exchange databases.
Version 2.2.1.36, 2/21/2008: Defect Fix: CSCsk28195 - Changing permissions on the GAL can prevent message delivery, so the message store account is granted the appropriate permission on the GAL.
© 2004 - 2006 Cisco Systems, Inc.