Permissions Granted by the Cisco Unity 5.0(1)+ Permissions Wizard

Contents

Permissions Granted for Cisco Unity for Exchange

How Permissions Wizard Options Affect Which Permissions Are Granted

Installation Account

Installation Account: Group Membership

Installation Account: User Privileges

Installation Account: Active Directory Permissions

Installation Account: Group Container

Installation Account: Location Container (ciscoEcsbuUMLocation)

Installation Account: Microsoft Exchange Containers

Installation Account: User Container (User)

Directory Services Account

Directory Services Account: AdminSDHolder System Object

Directory Services Account: Group Membership

Directory Services Account: User Privileges

Directory Services Account: Active Directory Permissions

Directory Services Account: Computers Container and Domain Controllers Container

Directory Services Account: Deleted Items Container

Directory Services Account: Group Container

Directory Services Account: Location Container (ciscoEcsbuUMLocation)

Directory Services Account: Microsoft Exchange Containers

Directory Services Account: User Container (Users or Contacts)

Message Store Services Account

Message Store Services Account: Group Membership

Message Store Services Account: User Privileges

Message Store Services Account: Exchange Permissions

Exchange Enterprise Servers Group

AdminSDHolder System Object

COM Security

Permissions Granted for Cisco Unity for Domino

Installation Account

Group Membership

User Privileges

Directory and Message Store Services Account

Group Membership

User Privileges

COM Security

Attributes in the ciscoEcsbuUnityInformation Property Set

List of Tables

Table 1: How Permissions Wizard Options Affect Which Permissions Are Granted for Exchange

Installation Account

Table 2: Permissions Granted to the Installation Account in the Group Container Applied onto Group Objects

Table 3: Permissions Granted to the Installation Account in the User Container Applied onto User Objects

Directory Services Account

Table 4: Permissions Granted to the Directory Services Account in the Computers Container and the Domain Controllers Container Applied onto Computer Objects

Table 5: Permissions Granted to the Directory Services Account on the Group Container

Table 6: Permissions Granted to the Directory Services Account in the User Container Applied onto User Objects

Table 7: Permissions Granted to the Directory Services Account in the User Container Applied onto Contact Objects

Exchange Enterprise Servers Group

Table 8: Permissions Granted to the Exchange Enterprise Servers Group

AdminSDHolder Object

Table 9: Permissions Granted to the Directory Services Account Applied onto the AdminSDHolder Object

Table 10: Attributes in the ciscoEcsbuUnityInformation Property Set

Permissions Granted for Cisco Unity for Exchange

The permissions that the Permissions wizard grants for Cisco Unity for Exchange are determined by the options you choose when you run the Permissions wizard. Note the following:

• Unless otherwise specified, all of the permissions listed in this section are always granted.
• In all tables, R = Read permission and W = Write permission.

How Permissions Wizard Options Affect Which Permissions Are Granted for Exchange

The permissions granted by the Permissions wizard for Exchange depend on the options you choose when you run the wizard. The following table summarizes the correlation between options and permissions granted.

Table 1: How Permissions Wizard Options Affect Which Permissions Are Granted for Exchange

Permissions Wizard Page	Option	Affect on Permissions
Choose the Message Store	Microsoft Exchange 2000	There is currently no difference in the permissions granted, but the option you choose here is used by other wizards later in the installation process.
	Microsoft Exchange 2003
	Microsoft Exchange 2007
Choose the Cisco Unity Installation Account	Installation Account	The account you select is given the permissions specified in the section Installation Account.
Choose the Cisco Unity Directory Services Account	Directory Services Account	The account you select is given the permissions specified in the section Directory Services Account.
Choose the Cisco Unity Message Store Services Account	Message Store Services Account	The account you select is given the permissions specified in the section Message Store Services Account.
Choose Whether to Enable Voice Messaging Interoperability	Set Permissions Required by AMIS, Cisco Unity Bridge, and VPIM	When you check this check box, several check boxes later in the Permissions wizard are automatically checked and disabled, so they cannot be changed: On the Choose Which Objects Cisco Unity Administrator Can Create page, the following check boxes are checked. Users Contacts On the Choose Whether Cisco Unity Can Administer Active Directory page, the Allow Cisco Unity to Administer Active Directory check box is checked. In addition, the Exchange Enterprise Servers group is given the permissions specified in the section Exchange Enterprise Servers Group.
Choose Active Directory Containers for New Users and Groups	Domain	You must choose one domain that applies to both the users container and the groups container.
	Users (Cisco Unity Subscribers)	See the following sections: Directory Services Account: User Container (Users or Contacts) Message Store Services Account: Exchange Permissions
	Groups (Cisco Unity Public Distribution Lists)	See the Directory Services Account: Group Container section.
Choose Which Objects Cisco Unity Administrator Can Create	Users	See the Directory Services Account: User Container (Users or Contacts) section.
	Contacts	See the Directory Services Account: User Container (Users or Contacts) section.
	Groups	See the Directory Services Account: Group Container section.
Choose the AD Container for ciscoEcsbuUMLocation Objects	Choose Where You Want Cisco Unity to Create Location Objects	For the installation account, see Installation Account: Location Container (ciscoEcsbuUMLocation). For the directory services account, see Directory Services Account: Location Container (ciscoEcsbuUMLocation).
Choose Active Directory Containers for Computers	Active Directory Containers	See the Directory Services Account: Computers Container and Domain Controllers Container section.
Choose Active Directory Containers for Import	Active Directory Containers	For the containers you specify and their child containers, the Permissions wizard grants the directory services account the permissions listed under "Permissions Granted When You Do Not Allow Cisco Unity Administrator to Create [Groups|Users|Containers]" in the following tables: Table 5: Permissions Granted to the Directory Services Account on the Group Container Table 6: Permissions Granted to the Directory Services Account in the User Container Applied onto User Objects Table 7: Permissions Granted to the Directory Services Account in the User Container Applied onto Contact Objects The Permissions wizard also grants permission to the message store services account. See Message Store Services Account: Exchange Permissions.
Choose Whether Cisco Unity Can Administer Active Directory	Allow Cisco Unity to Administer Active Directory	When you choose to allow Cisco Unity to administer Active Directory, the Permissions wizard grants the permissions listed in the "Permissions Granted When You Allow Cisco Unity to Administer Active Directory" column in the following tables: Table 5: Permissions Granted to the Directory Services Account on the Group Container Table 6: Permissions Granted to the Directory Services Account in the User Container Applied onto User Objects Table 7: Permissions Granted to the Directory Services Account in the User Container Applied onto Contact Objects Table 9: Permissions Granted to the Directory Services Account Applied onto the AdminSDHolder Object When you choose not to allow Cisco Unity to administer Active Directory, the Permissions wizard grants the permissions listed in the "Permissions Granted When You Do Not Allow Cisco Unity to Administer Active Directory" column. This option affects whether changes that you make to Cisco Unity data using Cisco Unity tools should change the corresponding values in Active Directory. For example, if you enable this option, you can use the Cisco Unity Administrator to: Change Cisco Unity public distribution list memberships, which automatically changes the corresponding group memberships in Active Directory. Change Cisco Unity subscriber and Internet subscriber settings that have corresponding values in Active Directory, for example, First Name and Last Name. Delete the Active Directory contact associated with AMIS, Bridge, Internet, or VPIM subscribers.
Choose Mailstores	Choose Mailstores	See the section Message Store Services Account: Exchange Permissions.
Choose Whether AD Admin Accounts Can Have Voice Mail	Allow Active Directory Administrator and Operator Accounts to Have Voice Mail (Not Recommended)	See the section AdminSDHolder System Object.
Choose Whether to Grant DCOM Rights	Grant DCOM Rights and Enable the MediaMaster Control	See the section COM Security.

Installation Account

The Permissions wizard grants the installation account the permissions listed in this section.

Note: If you are concerned about the installation account being available after the Cisco Unity installation is complete, you can disable the account in Active Directory Users and Computers. We recommend that you not delete it because when you upgrade to a later version of Cisco Unity you will again need an installation account with the same permissions. If you delete the current account, you will have to create another, re-run the Cisco Unity Permissions wizard to set the required permissions, and re-delegate Exchange Administrator control.

Installation Account: Group Membership

The installation account is added to the local Administrators group.

Installation Account: User Privileges

The installation account is granted the following user privileges:

• Log on as a service
• Act as part of the operating system
• Log on as a batch job

Installation Account: Active Directory Permissions

On the Choose Active Directory Containers for New Users and Groups page, you choose the container in which you want the installation account to create default groups (default Cisco Unity public distribution lists). To enable the installation account to create default groups, the Permissions wizard grants the installation account Create Objects (Group Objects) permission on the container you specify.

In addition, the Permissions wizard grants the permissions listed in Table 2.

Table 2: Permissions Granted to the Installation Account in the Group Container Applied onto Group Objects

Active Directory Attribute Name (ADSI Name)	Permissions Granted	Cisco Unity Attribute Name
cn (Name)	W	(Used internally)
ciscoEcsbuUnityInformation property set. For more information, see Attributes in the ciscoEcsbuUnityInformation Property Set.	W	See Attributes in the ciscoEcsbuUnityInformation Property Set.
displayName (Display Name)	W	AVP_DISPLAY_NAME
groupType	W	(Used internally)
mail (E-mail Address)	W	AVP_SMTP_ADDRESS
mailNickname (Alias)	W	AVP_ALIAS
member	W	AVP_MEMBERS
msExchHideFromAddressLists	W	AVP_HIDDEN_IN_DIRECTORY
name	W	(Used internally)
proxyAddresses	W	(Required by Exchange)
samAccountName (Group Name (Pre-Windows 2000))	W	AVP_ACCOUNT_NAME
showInAdvancedViewOnly	W	AVP_HIDDEN_IN_DIRECTORY

On the Choose the AD Container for ciscoEcsbuUMLocation Objects page, you choose the container where you want Cisco Unity location objects to be created. The Permission wizard grants the installation account the following permissions on the specified container:

• Create ciscoEcsbuUMLocation Objects
• Full Control (ciscoEcsbuUMLocation objects)

Note: Regardless of which container you select, the Permissions wizard automatically creates:

• An OU named Unity at the top level of the Active Directory domain that contains the Cisco Unity server.
• An OU named Locations below the Unity OU.

If you choose a different location for location objects, the Unity and Locations OUs are not deleted, but no permissions are granted on them, either.

The Permissions wizard creates Unity and Locations OUs only once in a domain. If you rerun the Permissions wizard, either on the same server or on another server (for example, because you are adding another Cisco Unity server to the same domain), the Permissions wizard does not create additional OUs. If you delete the OUs, next time you rerun the Permissions wizard, the wizard recreates them.

The Permissions wizard does not grant permissions on Microsoft Exchange containers, but Cisco Unity requires the permissions that are granted when you delegate Exchange Administrator control to the Cisco Unity installation account. For more information, refer to the Microsoft website.

On the Choose Active Directory Container for New Users and Groups page, you choose the container in which you want the installation account to create default users.

The Permissions wizard grants the installation account the following permissions on the container you choose:

• Create Objects (user objects)
• Change Password (user objects). This permission is also granted to subcontainers of the container you choose.
• Reset Password (user objects). This permission is also granted to subcontainers of the container you choose.

The Permissions wizard also grants the permissions listed in Table 3.

Table 3: Permissions Granted to the Installation Account in the User Container Applied onto User Objects

Active Directory Attribute Name (ADSI Attribute Name)	Permissions Granted	Cisco Unity Attribute
adminDisplayName	W	(Used internally)
autoReplyMessage (ILS Settings)	W	(Used internally)
ciscoEcsbuUnityInformation property set. For more information, see Attributes in the ciscoEcsbuUnityInformation Property Set.	W	See Attributes in the ciscoEcsbuUnityInformation Property Set.
cn (Name)	W	(Used internally)
displayName (Display Name)	W	AVP_DISPLAY_NAME
dLMemDefault	W	(Used internally)
facsimileTelephoneNumber (FAX Number)	W	AVP_PRIMARY_FAX_NUMBER
givenName (First Name)	W	AVP_FIRST_NAME
homeMDB (Exchange Mailbox Store)	W	AVP_MAIL_DATABASE
		AVP_MAIL_SERVER
homeMTA	W	(Used internally)
legacyExchangeDn	W	AVP_MAILBOX_ID
		AVP_EMAIL_ADDRESS
mail (E-mail Address)	W	AVP_SMTP_ADDRESS
mailNickname (Alias)	W	AVP_ALIAS
mapiRecipient	W	(Used internally)
mDBUseDefaults	W	AVP_MAILBOX_USE_DEFAULT_LIMITS
msExchADCGlobalNames	W	(Used internally)
msExchControllingZone	W	(Used internally)
msExchFBURL	W	(Used internally)
msExchHideFromAddressLists	W	AVP_HIDDEN_IN_DIRECTORY
msExchHomeServerName (Exchange Home Server)	W	(Used internally)
msExchMailboxGuid	W	(Used internally)
msExchMailboxSecurityDescriptor	W	(Used internally)
msExchMasterAccountSid	W	(Used internally)
msExchPoliciesExcluded	W	(Used internally)
msExchPoliciesIncluded	W	(Used internally)
msExchResourceGUID	W	(Used internally)
msExchUserAccountControl	W	(Used internally)
name	W	(Used internally)
proxyAddresses	W	(Used internally)
samAccountName (Logon Name (Pre-Windows 2000))	W	AVP_ACCOUNT_NAME
samAccountType	W	(Used internally)
showInAddressBook	W	(Used internally)
showInAdvancedViewOnly	W	AVP_HIDDEN_IN_DIRECTORY
sn (Last Name)	W	AVP_LAST_NAME
targetAddress	W	(Used internally)
textEncodedORAddress	W	(Used internally)
userAccountControl	R,W	(Used internally)
userPrincipalName (Logon Name)	W	(Used internally)
uSNChanged	R	AVP_OBJECT_CHANGED_ID

Directory Services Account

After Cisco Unity is installed, the directory services account is the account that Cisco Unity uses to access Active Directory. The Permissions wizard grants the directory services account the permissions listed in this section.

Note: The directory services account cannot be disabled or deleted, or Cisco Unity will not function.

Directory Services Account: AdminSDHolder System Object

See the section AdminSDHolder System Object.

Directory Services Account: Group Membership

The directory services account is added to the local Administrators group.

Directory Services Account: User Privileges

The directory services account is granted the following user privileges:

• Log on as a service
• Act as part of the operating system
• Log on as a batch job

Directory Services Account: Active Directory Permissions

By default, the Permissions wizard grants the directory services account the permissions listed in Table 4 to the Computers and the Domain Controllers containers. On the Choose Active Directory Containers for Computers page, you can choose to grant these same permissions to other containers in addition to the default containers or to other containers instead of the default containers.

Table 4: Permissions Granted to the Directory Services Account in the Computers Container and the Domain Controllers Container Applied onto Computer Objects

Active Directory Attribute Name (ADSI Name)	Permissions Granted	Cisco Unity Attribute Name
ciscoEcsbuObjectType	R,W	AVP_OBJECT_TYPE
ciscoEcsbuUMLocationObjectId	R	AVP_ENCRYPTION_PUBLIC_KEY
ciscoEcsbuUMLocationObjectId	R,W	AVP_LOCATION_OBJECT_ID
dnsHostName	R	(Used internally)
isDeleted	R	(Used internally)
name	R	AVP_RELATIVE_DISTINGUISHED_NAME
objectGUID	R	AVP_DIRECTORY_ID
samAccountName (Computer Name (Pre-Windows 2000))	R	(Used internally)
uSNChanged	R	AVP_OBJECT_CHANGED_ID

The directory services account needs to watch the pseudo-deleted items containers so it can detect users, groups, and locations being deleted and keep the Cisco Unity SQL Server database up to date. The Permissions wizard grants the following access to the deleted items container in each domain selected:

• List Contents (all objects)
• Read All Properties

For more information on the deleted items folder, see Microsoft Knowledge Base article 258310, Viewing Deleted Objects in Active Directory, available on the Microsoft website.

On the Permissions wizard Choose Active Directory Containers for New Users and Groups page, you choose the container in which Cisco Unity creates default groups. The Permissions wizard grants the directory services account the following permissions on the specified container:

• Create Objects (group objects), if you check the Groups check box on the Choose Which Objects Cisco Unity Administrator Can Create page
• Delete Objects (group objects), if you check both of the following check boxes:
• The Groups check box on the Choose Which Objects Cisco Unity Administrator Can Create page
• The Allow Cisco Unity to Administer Active Directory check box on the Choose Whether Cisco Unity Can Administer Active Directory page
• List Contents (group objects)

In addition, the Permissions wizard grants the directory services account the applicable permissions listed in Table 5 on the container you specify for groups. The permissions granted depend on whether you:

• Check the Groups check box on the Choose Which Objects Cisco Unity Administrator Can Create page.
• Check the Allow Cisco Unity to Administer Active Directory check box on the Choose Whether Cisco Unity Can Administer Active Directory page.

Table 5: Permissions Granted to the Directory Services Account on the Group Container

Active Directory Attribute Name (ADSI Attribute Name)	Permissions Granted When You Allow Cisco Unity Administrator to Create Groups and...		Permissions Granted When You Do Not Allow Cisco Unity Administrator to Create Groups and...		Cisco Unity Attribute Name
	You Allow Cisco Unity to Administer Active Directory	You Do Not Allow Cisco Unity to Administer Active Directory	You Allow Cisco Unity to Administer Active Directory	You Do Not Allow Cisco Unity to Administer Active Directory
canonicalName	R	R	R	R	(Used internally)
ciscoEcsbuUnityInformation property set. For more information, see Attributes in the ciscoEcsbuUnityInformation Property Set.	R,W	R,W	R,W	R,W	See Attributes in the ciscoEcsbuUnityInformation Property Set.
cn (Name)	R,W	R,W	R	R	(Used internally)
displayName (Display Name)	R,W	R,W	R,W	R	AVP_DISPLAY_NAME
distinguishedName (X500 Distinguished Name)	R	R	R	R	AVP_DISTINGUISHED_NAME
groupType	R,W	R,W	R	R	(Used internally)
isDeleted	R	R	R	R	(Used internally)
legacyExchangeDn	R	R	R	R	AVP_EMAIL_ADDRESS
mail (E-mail Address)	R,W	R,W	R	R	AVP_SMTP_ADDRESS
mailNickname (Alias)	R,W	R,W	R,W	R	AVP_ALIAS
member	R,W	R,W	R,W	R,W	AVP_MEMBERS
memberOf (Member Of)	R	R	R	R	(Used internally)
msExchHideFromAddressLists	R,W	R,W	R,W	R	AVP_HIDDEN_IN_DIRECTORY
msExchHomeServerName (This attribute cannot be displayed in ADSI.)	R	R	R	R	(Used internally)
name	R,W	R,W	R	R	(Used internally)
objectCategory	R	R	R	R	AVP_DIRECTORY_OBJECT_TYPE
objectClass	R	R	R	R	(Used internally)
objectGuid	R	R	R	R	AVP_DIRECTORY_ID
proxyAddresses	W	W	—	—	(Required by Exchange)
samAccountName (Group Name (Pre-Windows 2000))	R,W	R	R,W	R	AVP_ACCOUNT_NAME
showInAdvancedViewOnly	R,W	R,W	R,W	R	AVP_HIDDEN_IN_DIRECTORY
uSNChanged	R	R	R	R	AVP_OBJECT_CHANGED_ID

On the Choose the AD Container for ciscoEcsbuUMLocation Objects page, you choose the container where you want Cisco Unity location objects to be created. The Permission wizard grants the directory services account the following permissions on the specified container:

• Create ciscoEcsbuUMLocation Objects
• Full Control (ciscoEcsbuUMLocation objects)

For more information on the ciscoEcsbuUMLocation location container, see Installation Account: Location Container (ciscoEcsbuUMLocation).

The Permissions wizard does not grant permissions on Microsoft Exchange containers, but Cisco Unity requires the permissions that are granted when you delegate either Exchange Administrator or Exchange View Only Administrator control to the Cisco Unity directory services account. For more information, refer to Microsoft.com.

Note: To manage Exchange mailboxes, Microsoft requires Exchange View-Only Administrator control and write permissions on a number of attributes. Cisco Unity requires these permissions when it is configured to allow creating subscribers using the Cisco Unity Administrator. (When subscribers are created only by importing accounts from Active Directory, Cisco Unity does not require these additional permissions.) For more information, refer to Microsoft Knowledge Base article 316792, Minimum Permissions Necessary to Perform Exchange-Related Tasks, available on Microsoft.com.

On the Choose Active Directory Container for New Users and Groups page, you choose the container where you want new users (including contacts) to be created.

For more information on how Cisco Unity uses contacts, refer to the subsection “Internet Subscribers” in the section “SMTP Networking Concepts and Definitions” in the chapter “SMTP Networking” in the Networking in Cisco Unity Guide. The Networking in Cisco Unity Guide is available at http://www.cisco.com/univercd/cc/td/doc/product/voice/c_unity/unity40/net/net405/ex/index.htm.

User Objects

The Permissions wizard grants the directory services account the following permissions on the container you choose:

• Create Objects (user objects), if you check the Users check box on the Choose Which Objects Cisco Unity Administrator Can Create page.
• Delete Objects (user objects), if you check both of the following check boxes:
• The Users check box on the Choose Which Objects Cisco Unity Administrator Can Create page
• The Allow Cisco Unity to Administer Active Directory check box on the Choose Whether Cisco Unity Can Administer Active Directory page
• List Contents (user objects). This permission is also granted to subcontainers of the container you choose.
• Change Password (user objects), if you check the Users check box on the Choose Which Objects Cisco Unity Administrator Can Create page. This permission is also granted to subcontainers of the container you choose.
• Reset Password (user objects), if you check the Users check box on the Choose Which Objects Cisco Unity Administrator Can Create page. This permission is also granted to subcontainers of the container you choose.

The Permissions wizard also grants the directory services account the applicable permissions listed in Table 6. The permissions granted depend on whether you:

• Check the Users check box on the Choose Which Objects Cisco Unity Administrator Can Create page.
• Check the Allow Cisco Unity to Administer Active Directory check box on the Choose Whether Cisco Unity Can Administer Active Directory page.

Table 6: Permissions Granted to the Directory Services Account in the User Container Applied onto User Objects

Active Directory Attribute Name (ADSI Attribute Name)	Permissions Granted When You Allow Cisco Unity Administrator to Create Users and...		Permissions Granted When You Do Not Allow Cisco Unity Administrator to Create Users and...		Cisco Unity Attribute Name
	You Allow Cisco Unity to Administer Active Directory	You Do Not Allow Cisco Unity to Administer Active Directory	You Allow Cisco Unity to Administer Active Directory	You Do Not Allow Cisco Unity to Administer Active Directory
adminDisplayName	W	W	—	—	(Required by Exchange)
autoReplyMessage (ILS Settings)	W	W	—	—	(Used internally)
canonicalName	R	R	R	R	(Used internally)
ciscoEcsbuUnityInformation property set. For more information, see Attributes in the ciscoEcsbuUnityInformation Property Set.	R,W	R,W	R,W	R,W	See Attributes in the ciscoEcsbuUnityInformation Property Set.
cn (Name)	R,W	R,W	R	R	(Used internally)
displayName (Display Name)	R,W	R,W	R,W	R	AVP_DISPLAY_NAME
distinguishedName (X500 Distinguished Name)	R	R	R	R	AVP_DISTINGUISHED_NAME
dLMemDefault	W	W	—	—	(Required by Exchange)
facsimileTelephoneNumber (FAX Number)	R,W	R,W	R,W	R	AVP_PRIMARY_FAX_NUMBER
givenName (First Name)	R,W	R,W	R,W	R	AVP_FIRST_NAME
homeMDB (Exchange Mailbox Store)	R,W	R,W	R,W	R	AVP_MAIL_DATABASE
					AVP_MAIL_SERVER
homeMTA	R,W	R,W	R	R	(Used internally)
isDeleted	R	R	R	R	(Used internally)
legacyExchangeDn	R,W	R,W	R	R	AVP_EMAIL_ADDRESS
					AVP_MAILBOX_ID
mail (E-mail Address)	R,W	R,W	R	R	AVP_SMTP_ADDRESS
mailNickname (Alias)	R,W	R,W	R,W	R	AVP_ALIAS
mapiRecipient	R,W	R,W	R	R	(Used internally)
mDBOverHardQuotaLimit	R	R	R	R	AVP_MAILBOX_SEND_RECEIVE_LIMIT
mDBOverQuotaLimit	R	R	R	R	AVP_MAILBOX_SEND_LIMIT
mDBStorageQuota	R	R	R	R	AVP_MAILBOX_WARNING_LIMIT
mDBUseDefaults	R,W	R,W	R	R	AVP_MAILBOX_USE_DEFAULT_LIMITS
memberOf (Member Of)	R	R	R	R	(Used internally)
msExchADCGlobalNames	W	W	—	—	(Required by Exchange)
msExchControllingZone	W	W	—	—	(Required by Exchange)
msExchFBURL	W	W	—	—	(Required by Exchange)
msExchHideFromAddressLists	R,W	R,W	R,W	R	AVP_HIDDEN_IN_DIRECTORY
msExchHomeServerName (Exchange Home Server)	R,W	R,W	R	R	(Used internally)
msExchMailboxGuid	W	W	—	—	(Required by Exchange)
msExchMailboxSecurityDescriptor	W	W	—	—	(Required by Exchange)
msExchMasterAccountSid	R,W	R,W	R	R	(Used internally)
msExchPoliciesExcluded	W	W	—	—	(Required by Exchange)
msExchPoliciesIncluded	W	W	—	—	(Required by Exchange)
msExchResourceGUID	W	W	—	—	(Required by Exchange)
msExchUserAccountControl	R,W	R,W	R	R	(Used internally)
name	R,W	R,W	R	R	(Used internally)
objectCategory	R	R	R	R	AVP_DIRECTORY_OBJECT_TYPE
objectClass	R	R	R	R	(Used internally)
objectGuid	R	R	R	R	AVP_DIRECTORY_ID
objectSid	R	R	R	R	AVP_SID
proxyAddresses	R,W	R,W	R	R	(Used internally)
samAccountName (Logon Name (Pre-Windows 2000))	R,W	R,W	R	R	AVP_ACCOUNT_NAME
samAccountType	R,W	R,W	R	R	AVP_ACCOUNT_NAME
showInAddressBook	W	W	—	—	(Required by Exchange)
showInAdvancedViewOnly	R,W	R,W	R,W	R	AVP_HIDDEN_IN_DIRECTORY
sIDHistory	R	R	R	R	AVP_SID_HISTORY
sn (Last Name)	R,W	R,W	R,W	R	AVP_LAST_NAME
targetAddress	W	W	—	—	(Required by Exchange)
textEncodedORAddress	W	W	—	—	(Required by Exchange)
userAccountControl	R,W	R,W	R,W	R	(Used internally)
userPrincipalName (Logon Name)	R,W	R,W	R	R	(Used internally)
uSNChanged	R	R	R	R	AVP_OBJECT_CHANGED_ID

Contact Objects

The Permissions wizard grants the directory services account the following permissions on the container you choose:

• Create Objects (contact objects), if you check the Contacts check box on the Choose Which Objects Cisco Unity Administrator Can Create page.
• List Contents (contact objects)
• Delete Objects (contact objects), if you check both of the following check boxes:
• The Contacts check box on the Choose Which Objects Cisco Unity Administrator Can Create page
• The Allow Cisco Unity to Administer Active Directory check box on the Choose Whether Cisco Unity Can Administer Active Directory page

In addition, the Permissions wizard grants the directory services account the applicable permissions listed in Table 7. The permissions granted depend on whether you:

• Check the Contacts check box on the Choose Which Objects Cisco Unity Administrator Can Create page.
• Check the Allow Cisco Unity to Administer Active Directory check box on the Choose Whether Cisco Unity Can Administer Active Directory page.

Note: Active Directory contacts are used for Cisco Unity Internet subscribers, or AMIS, Bridge, or VPIM subscribers.

Table 7: Permissions Granted to the Directory Services Account in the User Container Applied onto Contact Objects

Active Directory Attribute Name (ADSI Attribute Name)	Permissions Granted When You Allow Cisco Unity Administrator to Create Contacts and...		Permissions Granted When You Do Not Allow Cisco Unity Administrator to Create Contacts and...		Cisco Unity Attribute Name
	You Allow Cisco Unity to Administer Active Directory	You Do Not Allow Cisco Unity to Administer Active Directory	You Allow Cisco Unity to Administer Active Directory	You Do Not Allow Cisco Unity to Administer Active Directory
canonicalName	R	R	R	R	(Used internally)
ciscoEcsbuUnityInformation property set. For more information, see Attributes in the ciscoEcsbuUnityInformation Property Set.	R,W	R,W	R,W	R,W	See Attributes in the ciscoEcsbuUnityInformation Property Set.
cn (Name)	R,W	R,W	R	R	(Used internally)
displayName (Display Name)	R,W	R,W	R,W	R	AVP_DISPLAY_NAME
distinguishedName (X500 Distinguished Name)	R	R	R	R	AVP_DISTINGUISHED_NAME
facsimileTelephoneNumber (FAX Number)	R,W	R,W	R,W	R	AVP_PRIMARY_FAX_NUMBER
givenName (First Name)	R,W	R,W	R,W	R	AVP_FIRST_NAME
homeMTA	R	R	R	R	(Used internally)
isDeleted	R	R	R	R	(Used internally)
legacyExchangeDn	R,W	R,W	R	R	AVP_EMAIL_ADDRESS
mail (E-mail Address)	R,W	R,W	R,W	R	AVP_SMTP_ADDRESS
mailNickname (Alias)	R,W	R,W	R,W	R	AVP_ALIAS
mapiRecipient	W	W	W	—	(Required by Exchange)
memberOf (Member Of)	R	R	R	R	(Used internally)
msExchHideFromAddressLists	R,W	R	R,W	R	AVP_HIDDEN_IN_DIRECTORY
msExchHomeServerName (This attribute cannot be displayed in ADSI.)	R	R	R	R	(Used internally)
msExchUserAccountControl	R,W	R,W	R	R	(Used internally)
objectCategory	R	R	R	R	AVP_DIRECTORY_OBJECT_TYPE
objectClass	R	R	R	R	(Used internally)
objectGuid	R	R	R	R	AVP_DIRECTORY_ID
proxyAddresses	R,W	R,W	R,W	R	(Used internally)
showInAddressBook	R,W	R,W	R	R	(Used internally)
showInAdvancedViewOnly	R,W	R	R,W	R	AVP_HIDDEN_IN_DIRECTORY
sn (Last Name)	R,W	R,W	R,W	R	AVP_LAST_NAME
targetAddress (E-Mail Address (External))	R,W	R,W	R,W	R	AVP_REMOTE_ADDRESS
uSNChanged	R	R	R	R	AVP_OBJECT_CHANGED_ID

Message Store Services Account

After Cisco Unity is installed, the message store services account is the account that Cisco Unity uses to access Exchange. The Permissions wizard grants the message store services account the permissions listed in this section.

Note: The message store services account cannot be disabled or deleted, or Cisco Unity will not function.

Message Store Services Account: Group Membership

The message store services account is added to the local Administrators group.

Message Store Services Account: User Privileges

The message store services account is granted the following user privileges:

• Log on as a service
• Act as part of the operating system
• Log on as a batch job

Message Store Services Account: Exchange Permissions

The Permissions wizard grants the following permissions to the message store services account on each mailbox store (msExchPrivateMDB) object that you specify on the Choose Mailstores page:

• Administer Information Store, which enables the message store services account to change the information with the Exchange message store.
• Receive-As, which enables the message store services account to log on to subscribers' mailboxes and play messages.
• Send-As, which enables the message store services account to send messages on behalf of Cisco Unity subscribers.
• View Information Store Status, which ensures that the message store services account does not exceed the maximum number of MAPI sessions that can be open at one time. The permission is only required for Exchange 2003 with Service Pack 1 and later, but the Permissions wizard grants it both for Exchange 2003 and Exchange 2000.

The Permissions wizard grants the following permissions to the message store services account on each storage group that contains a mailbox store (msExchPrivateMDB) object that you specify on the Choose Mailstores page:

• List Objects
• Read All Properties
• Read Permissions

The Permissions wizard grants the following permissions to the message store services account on all global address lists and all address lists:

• List Objects
• Open Address List
• Read
• Read All Properties

The Permissions wizard also grants Send-As permissions to the message store services account applied onto:

• User and contact objects on the container you specify for users on the Choose Active Directory Containers for New Users and Groups page. This permission addresses the issues described in Microsoft Knowledge Base article 327174, Full Mailbox Access Permission Grants the Send As Permission, or the Send-As Permission Is Denied.
• The containers you specify on the Choose Active Directory Containers for Import page, and their child containers.

For more information, see the following Microsoft Knowledge Base articles:

• Article 262054, XADM: How to Get Service Account Access to All Mailboxes in Exchange 2000.
• Article 821897, How to Assign Service Account Access to All Mailboxes in Exchange Server 2003.

Exchange Enterprise Servers Group

When you run the Permissions wizard to grant permissions, if you check the Set Permissions Required by AMIS, Cisco Unity Bridge, and VPIM check box (on the Choose Whether to Enable Voice Messaging Interoperability page), Cisco Unity grants the Exchange Enterprise Servers group the permissions listed in Table 8. These permissions are required to use secure messaging with AMIS, the Bridge, or VPIM.

Table 8: Permissions Granted to the Exchange Enterprise Servers Group

Active Directory Attribute Name (ADSI Name)	Permissions Granted
ciscoEcsbuObjectType	R,W
ciscoEcsbuUMLocationObjectId	R
ciscoEcsbuUMLocationObjectId	R,W
dnsHostName	R
isDeleted	R
name	R
objectGUID	R
samAccountName (Logon Name (Pre-Windows 2000))	R
uSNChanged	R

AdminSDHolder System Object

When you run the Permissions wizard to grant permissions, if you check the Allow Active Directory Administrator and Operator Accounts to Have Voice Mail check box (on the Choose Whether AD Admin Accounts Can Have Voice Mail page), Cisco Unity:

• Adds List Contents (This Object Only) permission to the ntSecurityDescriptor attribute on the AdminSDHolder object in every domain Cisco Unity creates users in or imports users from.
• Grants the applicable permissions listed in Table 9, depending on whether you check the Allow Cisco Unity to Administer Active Directory check box on the Choose Whether Cisco Unity Can Administer Active Directory page. These permissions allow the directory services account to update attributes for members of administrative groups.

If you do not check the check box, the Permissions wizard does not change permissions on the AdminSDHolder object and does not grant the permissions listed in Table 9.

Caution! If you check the Allow Active Directory Administrator and Operator Accounts to Have Voice Mail (Not Recommended) check box and if Cisco Unity service accounts are compromised, then security in the entire forest is compromised.

The changes are required to resolve issues noted in Microsoft Knowledge Base article 232199, Description and Update of the Active Directory AdminSDHolder Object, available on the Microsoft website. This issue is also addressed in the Cisco document Overcoming Protected Groups Permissions Problems with the Cisco Unity Permissions Wizard, http://www.cisco.com/en/US/products/sw/voicesw/ps2237/products_tech_note09186a00801c3224.shtml. For more information on the AdminSDHolder object, search Microsoft.com for AdminSDHolder.

For the AdminSDHolder object, few attributes can be displayed in ADSI, so ADSI attribute names are not included in the following table.

Table 9: Permissions Granted to the Directory Services Account Applied onto the AdminSDHolder Object

Active Directory Attribute Name	Permissions Granted When You Allow Cisco Unity to Administer Active Directory	Permissions Granted When You Do Not Allow Cisco Unity to Administer Active Directory	Cisco Unity Attribute Name
canonicalName	R	R	(Used internally)
ciscoEcsbuUnityInformation property set. For more information, see Attributes in the ciscoEcsbuUnityInformation Property Set.	R,W	R,W	See Attributes in the ciscoEcsbuUnityInformation Property Set.
cn	R	R	(Used internally)
displayName	R,W	R	AVP_DISPLAY_NAME
distinguishedName	R	R	AVP_DISTINGUISHED_NAME
facsimileTelephoneNumber	R,W	R	AVP_PRIMARY_FAX_NUMBER
givenName	R,W	R	AVP_FIRST_NAME
homeMDB	R,W	R	AVP_MAIL_DATABASE
			AVP_MAIL_SERVER
homeMTA	R	R	(Used internally)
isDeleted	R	R	(Used internally)
legacyExchangeDn	R	R	AVP_EMAIL_ADDRESS
			AVP_MAILBOX_ID
mail	R	R	AVP_SMTP_ADDRESS
mailNickname	R,W	R	AVP_ALIAS
mapiRecipient	R	R	(Used internally)
mDBOverHardQuotaLimit	R	R	AVP_MAILBOX_SEND_RECEIVE_LIMIT
mDBOverQuotaLimit	R	R	AVP_MAILBOX_SEND_LIMIT
mDBStorageQuota	R	R	AVP_MAILBOX_WARNING_LIMIT
mDBUseDefaults	R	R	AVP_MAILBOX_USE_DEFAULT_LIMITS
memberOf	R	R	(Used internally)
msExchHideFromAddressLists	R,W	R	AVP_HIDDEN_IN_DIRECTORY
msExchHomeServerName	R	R	(Used internally)
msExchMasterAccountSid	R	R	(Used internally)
msExchUserAccountControl	R	R	(Used internally)
name	R	R	(Used internally)
objectCategory	R	R	AVP_DIRECTORY_OBJECT_TYPE
objectClass	R	R	(Used internally)
objectGuid	R	R	AVP_DIRECTORY_ID
objectSid	R	R	AVP_SID
proxyAddresses	R	R	(Used internally)
samAccountName	R	R	AVP_ACCOUNT_NAME
samAccountType	R	R	AVP_ACCOUNT_NAME
showInAdvancedViewOnly	R,W	R	AVP_HIDDEN_IN_DIRECTORY
sIDHistory	R	R	AVP_SID_HISTORY
sn	R,W	R	AVP_LAST_NAME
userAccountControl	R,W	R	(Used internally)
userPrincipalName	R	R	(Used internally)
uSNChanged	R	R	AVP_OBJECT_CHANGED_ID

COM Security

If the Cisco Unity server is running Windows Server 2003 with Service Pack 1 or later, DCOM security improvements prevent the Cisco Unity Media Master control from functioning except on the Cisco Unity server. If you do not grant some DCOM rights (and reverse some of the SP 1 security improvements):

• Cisco Unity subscribers cannot use the Media Master to make or play recordings in ViewMail for Microsoft Outlook, in the Cisco Unity Inbox, or in the Cisco Unity Assistant.
• When administrators log into the Cisco Unity Administrator from another computer, they cannot use the Media Master.

In the Permissions wizard, on the Choose Whether to Grant DCOM Rights page, if you check the Grant DCOM Rights and Enable the Media Master Control check box, the Permissions wizard makes the following changes to the Launch and Activation Permissions on the COM Security tab in the My Computer Properties dialog box in the Component Services MMC:

·         Changes the limits for Anonymous Logon to allow Remote Activation.

·         Changes the limits for Network to allow Remote Activation.

·         Changes the default for Anonymous Logon to allow Remote Activation.

·         Changes the default for Network to allow Remote Activation.

·         Changes the default for Network Service to allow Local Activation.

·         Changes the default for Authenticated Users to allow Local Activation.

If you do not check the Grant DCOM Rights and Enable the Media Master Control check box, the Permissions wizard makes no changes to DCOM permissions. However, when you install Cisco Unity, Cisco Unity Setup makes the following changes to the Launch and Activation Permissions on the COM Security tab in the My Computer Properties dialog box in the Component Services MMC:

• Changes the limits for Anonymous Logon to allow Remote Activation.
• Changes the limits for Network to allow Remote Activation.

Permissions Granted for Cisco Unity for Domino

Installation Account

The Permissions wizard grants the installation account the group membership and user privileges listed in this section.

Note: If you are concerned about the installation account being available after the Cisco Unity installation is complete, you can disable the account in Active Directory Users and Computers. We recommend that you not delete it because when you upgrade to a later version of Cisco Unity you will again need an installation account with the same permissions. If you delete the current account, you will have to create another and re-run the Cisco Unity Permissions wizard to set the required permissions.

Group Membership

The installation account is added to the Administrators group.

User Privileges

The installation account is granted the following user privileges:

• Log on as a service
• Act as part of the operating system
• Log on as a batch job

Directory and Message Store Services Account

The Permissions wizard grants the directory and message store services account the group membership and user privileges listed in this section.

Note: The directory and message store services account cannot be disabled or deleted, or Cisco Unity will not function.

Group Membership

The directory and message store services account is added to the Administrators group.

User Privileges

The directory and message store services account is granted the following user privileges:

• Log on as a service
• Act as part of the operating system
• Log on as a batch job

COM Security

If the Cisco Unity server is running Windows Server 2003 with Service Pack 1 or later, DCOM security improvements prevent the Cisco Unity Media Master control from functioning except on the Cisco Unity server. If you do not grant some DCOM rights (and reverse some of the SP 1 security improvements):

• Cisco Unity subscribers cannot use the Media Master to make or play recordings in in the Cisco Unity Inbox or in the Cisco Unity Assistant.
• When administrators log into the Cisco Unity Administrator from another computer, they cannot use the Media Master.

In the Permissions wizard, on the Choose Whether to Grant DCOM Rights page, if you check the Grant DCOM Rights and Enable the Media Master Control check box, the Permissions wizard makes the following changes to the Launch and Activation Permissions on the COM Security tab in the My Computer Properties dialog box in the Component Services MMC:

• Changes the limits for Anonymous Logon to allow Remote Activation.
• Changes the limits for Network to allow Remote Activation.
• Changes the default for Anonymous Logon to allow Remote Activation.
• Changes the default for Network to allow Remote Activation.
• Changes the default for Network Service to allow Local Activation.
• Changes the default for Authenticated Users to allow Local Activation.

Attributes in the ciscoEcsbuUnityInformation Property Set

In general, permissions for ciscoEcsbu... attributes in Active Directory are granted on the ciscoEcsbuUnityInformation property set, not on the individual attributes. Table 10 lists the attributes that appear in the property set and the type of object to which each attribute applies.

Permissions that are granted to the directory services account on attributes in the Computers container and the Domain Controllers container are granted on individual attributes. For more information, see Directory Services Account: Computers Container and Domain Controllers Container.

Table 10: Attributes in the ciscoEcsbuUnityInformation Property Set

Active Directory Schema Extensions	Active Directory Attribute Name	Cisco Unity Attribute Name	Object Type
Cisco Unity	ciscoEcsbuAddressingMaxScope	AVP_ADDRESSING_MAX_SCOPE	Location
	ciscoEcsbuAllowBlindAddressing	AVP_ALLOW_BLIND_ADDRESSING	Location
	ciscoEcsbuAlternateDTMFIds	AVP_ALTERNATE_DTMF_IDS	Subscriber
	ciscoEcsbuAmisDialId	AVP_AMIS_DIAL_ID	Location
	ciscoEcsbuAmisDisableOutbound	AVP_AMIS_DISABLE_OUTBOUND	Location
	ciscoEcsbuAmisNodeActive	AVP_AMIS_NODE_ACTIVE	Location
	ciscoEcsbuAmisNodeId	AVP_AMIS_NODE_ID	Location
	ciscoEcsbuBlindAddressingMaxScope	AVP_BLIND_ADDRESSING_MAX_SCOPE	Location
	ciscoEcsbuDialingDomainName	AVP_DIALING_DOMAIN_NAME	Location
	ciscoEcsbuDirectoryAlias	AVP_ALIAS	Location, subscriber
	ciscoEcsbuDtmfId	AVP_DTMF_ACCESS_ID	Location, subscriber
	ciscoEcsbuIncludeLocations	AVP_INCLUDE_LOCATIONS	Location
	ciscoEcsbuListInUMDirectory	AVP_LIST_IN_DIRECTORY	Subscriber
	ciscoEcsbuObjectType	AVP_OBJECT_TYPE	Location, subscriber
	ciscoEcsbuSubscriberDestinationType	AVP_DESTINATION_TYPE	Location
	ciscoEcsbuTransferId	AVP_XFER_STRING	Subscriber
	ciscoEcsbuUMDomain	AVP_SMTP_DOMAIN	Location
	ciscoEcsbuUMDomainId	Used internally	Location
	ciscoEcsbuUMLocationObjectId	AVP_LOCATION_OBJECT_ID	Location, subscriber
	ciscoEcsbuUMSchemaVersion	Used internally	Location
	ciscoEcsbuUMServer	AVP_HOME_SERVER	Location
	ciscoEcsbuUMSystemId	AVP_SYSTEM_ID	Location
	ciscoEcsbuUndeletable	AVP_UNDELETABLE	Location, subscriber
	ciscoEcsbuVoiceEnabled	AVP_VOICE_ENABLED	Location, subscriber
	msExchRecordedName	AVP_VOICE_NAME_DATA	Location, subscriber
Cisco Unity Bridge	ciscoEcsbuLegacyMailbox	AVP_LEGACY_MAILBOX	Subscriber
	ciscoEcsbuOptionFlags	AVP_OPTION_FLAGS	Location
	ciscoEcsbuPrefixes	AVP_PREFIXES	Location
	ciscoEcsbuRemoteMailboxLength	AVP_REMOTE_MAILBOX_LENGTH	Location
	ciscoEcsbuRemoteNodeID	AVP_REMOTE_NODE_ID	Subscriber
	ciscoEcsbuRemoteServer	AVP_REMOTE_SERVER	Location
VPIM	ciscoEcsbuLocalPhonePrefix	AVP_LOCAL_PHONE_PREFIX	Location
	ciscoEcsbuOptionFlags	AVP_OPTION_FLAGS	Location
	ciscoEcsbuRemotePhonePrefix	AVP_REMOTE_PHONE_PREFIX	Location
	ciscoEcsbuRemoteServer	AVP_REMOTE_SERVER	Location

 

© 2009 Cisco Systems, Inc.