Cisco Unity 5.0(1)+ Permissions Wizard Report Mode Help
(Exchange Only)
Checking Permissions
Logging and Diagnostics
Revision History
When you run the Permissions wizard and choose the report
option, the Permissions wizard checks and reports on the current status of
permissions for the following Active Directory accounts:
- The
account that you will use to install Cisco Unity.
- The
account that Cisco Unity directory services will log on as.
- The
account that Cisco Unity message store services will log on as.
Note the following:
- Before
you can run the Permissions wizard to check permissions:
- You
must extend the Active Directory schema with Cisco Unity schema
extensions.
- Exchange
must be installed.
- For
a list of the rights, privileges, and group memberships that the
Permissions wizard report option checks for, see Permissions Set By the Cisco Unity Permissions
Wizard.
- Verifying
settings with complete accuracy is not possible. In some cases, the
Permissions wizard may inaccurately report that an account has permissions
that it does not or report that account does not have permissions that it
does.
- If
you run the Permissions wizard from a computer other than the Cisco Unity
server, the wizard cannot determine:
- Whether
accounts belong to the local Administrators group.
- Whether
accounts have the right to log on as a service, act as part of the
operating system, or log on as a batch job.
- The
Permissions wizard does not check whether you have delegated Exchange
administrator control to the installation and directory services accounts.
- The
Permissions wizard report option searches only for the exact permissions
that the Permissions wizard grants. If you grant the installation or
services accounts a higher level of permissions (for example, Domain
Admin) than those granted by the Permissions wizard, the report results
will be identical to the results if you had not granted the accounts any
permissions at all.
To Check Permissions
- Log
on to the Cisco Unity server by using an account that is a member of the
Enterprise Admins group.
Or
Log on to the Cisco Unity server by using an account that meets all of the
following requirements:
- Is
a member of the Domain Admins group in the domain in which the Cisco
Unity server is installed, or that has permissions in that domain that
are equivalent to the default permissions for the Domain Admins group.
- Is
a member of the Domain Admins group in all of the domains that contain
OUs from which you want to import Cisco Unity subscribers, Cisco Unity
contacts, or public distribution lists, or that has permissions in those
domains that are equivalent to the default permissions for the Domain
Admins group.
- Has
permission to grant permissions on the deleted items container in the
configuration container.
- Is an Exchange Full Administrator.
- On
Cisco Unity DVD 1, browse to the Utilities\PermissionsWizard directory,
and run PermissionsWizard.exe.
If Cisco Unity is already installed, you can run the Permissions wizard
from Tools Depot.
- On
the Welcome to the Cisco Unity Permissions Wizard page, click Report on
Current Permissions.
- Click
Next.
- On
the Report Mode Is Supported Only When Exchange Is the Message Store page,
click Next.
- On the Choose How Much Information to Include in the Report page, choose
whether to include results both for settings that do meet Cisco Unity
requirements and for those that do not, or to include results only for
settings that do not meet Cisco Unity requirements.
If you choose to report on all settings, depending on your Active
Directory configuration and on the options you choose later in the
Permissions wizard, the report may be exceptionally long.
- On
the Choose the Accounts Whose Permissions You Want to Determine page,
choose the types of accounts for which you want to check permissions.
Depending on which accounts you choose here and which options you choose
later in the Permissions wizard, some Permissions wizard pages may not
appear.
- Click
Next.
- On
the Choose the Cisco Unity Installation Account page, click Change
and choose the account that you want to use to install Cisco Unity. The
Permissions wizard will compare the current permissions for the specified
account with the permissions required by the Cisco Unity installation
account.
- Click
Next.
- On
the Choose the Cisco Unity Directory Services Account page, click Change
and choose the account that you want Cisco Unity directory services to log
on as. The Permissions wizard will compare the current permissions for the
specified account with the permissions required by the Cisco Unity
directory services account.
- Click
Next.
- On the
Choose the Cisco Unity Message Store Services Account page, click Change
and choose the account that you want Cisco Unity message store services to
log on as. The Permissions wizard will compare the current permissions for
the specified account with the permissions required by the Cisco Unity
message store services account.
- Click
Next.
- On
the Choose Whether to Enable Voice Messaging Interoperability page, if you
are configuring Cisco Unity to communicate with another voice messaging
system using AMIS, the Cisco Unity Bridge,
or VPIM, check the Set Permissions Required by AMIS, Cisco Unity
Bridge, VPIM, and
Connection Networking check box.
- Click
Next.
- On
the Choose Which Objects Cisco Unity Administrator Can Create page, choose
whether you want the Cisco Unity Administrator to be able to create new
Active Directory users, contacts, and groups. For each object type you
choose, the Permissions wizard will check the directory services account
to determine whether it has the rights necessary to create that type of
object in Active Directory.
For example, if you check the Users check box, the Permissions
wizard will check whether the directory services account can create Active
Directory users. If the account does not have the permission necessary to
create users, you cannot create Cisco Unity subscribers using the Cisco
Unity Administrator; you can only create subscribers by importing existing
Active Directory users.
If you checked the Set Permissions Required by AMIS, Cisco Unity
Bridge, VPIM, and
Connection Networking check box on the Choose Whether to Enable Voice
Messaging Interoperability page, all options are mandatory and cannot be
changed.
Note: When Exchange 2007 is the message store, Cisco Unity cannot
create users in Active Directory or mailboxes in Exchange. You must create
the users and mailboxes first, then import Active Directory data into
Cisco Unity.
- Click
Next.
- Cisco
Unity needs access to one or more Active Directory containers to create
users (Cisco Unity subscribers) and groups (Cisco Unity public
distribution lists). On the Choose Active Directory Containers for New
Users and Groups page, choose the following:
- The
domain in which you want new users and groups to be created.
- The
container in which you want users to be created. This is where Cisco
Unity creates system accounts during installation.
- The container in which you want groups to be created.
This is where Cisco Unity creates system public distribution lists during
installation.
The Permissions wizard will check the installation,
directory services, and message store services accounts you specified to determine
whether they have the necessary permissions on the containers that you choose
here.
Note: Cisco Unity also creates system users and groups in the containers
you choose here.
- Click
Next.
- On
the Choose the AD Container for ciscoEcsbuUMLocation Objects page, choose
the container where you want Cisco Unity location objects to be created.
The Permissions wizard will check the installation and directory services
accounts to determine whether they have the necessary permissions on the
container that you choose here.
- Click
Next.
- On
the Choose Active Directory Containers for Computers page, choose the
containers in which you want to create the computer objects and domain controllers
(DCs) on which Cisco Unity and Cisco Unity Voice Connectors are installed.
If you create computer objects and DCs only in the default Computers and
Domain Controllers containers, skip this step.
If you want to create computer objects and DCs in other containers in
addition to the default containers, click Select Alternate
Locations for Computer Objects and follow the on-screen prompts to
specify the additional containers.
If you want to create computer objects and DCs in other containers instead
of the default containers, uncheck the Computer and Domain
Controller Objects Are Created in the Default Locations check box.
Then click Select Alternate Locations for Computer Objects and
follow the on-screen prompts to specify the alternate containers.
- Click
Next.
- On
the Choose Active Directory Containers for Import page, choose the Active
Directory containers from which you want to import users, contacts, and
groups to make them Cisco Unity subscribers and public distribution lists.
The Permissions wizard will check the directory services and message store
service accounts to determine whether they have the necessary permissions
on the containers that you choose here.
Note the following:
- You
must choose a container for the domain that includes the Cisco Unity
server.
- By
default, the Permissions wizard checks only the containers that you
specify for creating new users and groups and for importing subscribers,
contacts, and public distribution lists. If you want the Permissions
wizard to check the child containers of the containers you specify, check
the Confirm that Cisco Unity Has Permissions to Import from Child
Containers check box.
Note: If you check this check box and choose to report on
containers that contain a large number of child containers, the report
may take several hours to complete.
- If
you are using Digital Networking to connect multiple Cisco Unity servers,
and:
- If
you will be importing users from the same container for every Cisco
Unity server, choose that container. For example, if CiscoUnityServer1
and CiscoUnityServer2 will both be importing users only from Container1,
choose Container1.
- If,
for all of the Cisco Unity servers combined, you will be importing users
from two or more containers, the Cisco Unity message store services
account on each Cisco Unity server must have SendAs permission on every
container from which users will be imported on every Cisco Unity server
in the forest. For example, if CiscoUnityServer1 will import users from
Container1 and Container2, and if CiscoUnityServer2 will import users
from Container3 and Container4, the Cisco Unity message store services
account for each Cisco Unity server must have SendAs permission for all
four containers.
- If
you are using identified subscriber messaging for AMIS, Bridge, or VPIM
subscribers, and:
- If
you will be importing contacts from the same container for every Cisco
Unity server, choose that container. For example, if CiscoUnityServer1
and CiscoUnityServer2 will both be importing contacts only from
Container1, choose Container1.
- If, for all of the Cisco Unity servers combined, you
will be importing contacts from two or more containers, the Cisco Unity
message store services account on each Cisco Unity server must have
SendAs permission on every container from which contacts will be
imported on every Cisco Unity server in the forest. For example, if
CiscoUnityServer1 will import contacts from Container1 and Container2,
and if CiscoUnityServer2 will import contacts from Container3 and
Container4, the Cisco Unity message store services account for each
Cisco Unity server must have SendAs permission for all four containers.
- Click
Next.
- On
the Choose Whether Cisco Unity Can Administer Active Directory page,
choose whether changes that you make to Cisco Unity data using Cisco Unity
tools should change the corresponding values (for example, First Name and
Last Name) in Active Directory.
If you check the Allow Cisco Unity to Administer Active Directory
check box, the Permissions wizard will check the directory services
account to determine whether it has the permissions necessary to update
selected values in Active Directory.
If you checked the Set Permissions Required by AMIS, Cisco Unity
Bridge, VPIM, and
Connection Networking check box on the Choose Whether to Enable Voice
Messaging Interoperability page, all options are mandatory and cannot be changed.
- Click
Next.
- On
the Choose Mailstores page, click the applicable Choose Mailstores button,
and choose the mailstores to which you want Cisco Unity to have access.
The Permissions wizard checks the message store services account for the required
permissions for the selected mailstores.
- Click
Next.
- On
the Choose Whether AD Admin Accounts Can Have Voice Mail page, choose
whether you want Active Directory accounts that are used for
administration to also be used as Cisco Unity subscriber accounts.
If you check the Allow Active Directory Administrator and Operator
Accounts to Have Voice Mail check box, the Permissions wizard will
check the directory services and message store services accounts to
determine whether they have the necessary permissions.
- Click
Next.
- To
run the report, click Next.
- While
the Permissions wizard is checking permissions on the accounts you chose
using the specifications you selected, the following page displays.
- When
the Permissions wizard completes, the report appears.
Logging and Diagnostics
The Cisco Unity Permissions wizard generates the following
files and saves them in the current temp directory.
PWReportResults.html
PWResults.html contains all results from the Cisco Unity
Permissions wizard.
In some cases, individual rights may be combined into a single
entry.
PWReportResults.xml
PWReportResults.xml contains everything in
PWReportResults.html, plus low-level engineering diagnostics and error messages
that can be used by Cisco engineers to diagnose anomalous behavior.
PWResults.log
PWResults.log is mainly useful if the Permissions wizard does
not finish or if the report does not display. PWReportResults.html and PWReportResults.xml
are only saved to disk when the wizard completes, but PWResults.log is saved as
the wizard is processing.
Revision History
Version 2.2.0.34, 2/28/2006: For Cisco Unity 4.2(1), report
mode added.
Version 2.2.0.35, 8/1/2006: Added the option to choose
containers for computers and domain controllers. Added options for the amount
of information to include in the report and for checking child containers. Also
added a summary of options selected to the beginning of the report.
© 2010 Cisco Systems, Inc. -- Company Confidential