Cisco Unity 5.0(1)+ Permissions Wizard Report Mode Help (Exchange Only)

Checking Permissions

Logging and Diagnostics

Revision History

Checking Permissions

When you run the Permissions wizard and choose the report option, the Permissions wizard checks and reports on the current status of permissions for the following Active Directory accounts:

  • The account that you will use to install Cisco Unity.
  • The account that Cisco Unity directory services will log on as.
  • The account that Cisco Unity message store services will log on as.

Note the following:

  • Before you can run the Permissions wizard to check permissions:
    • You must extend the Active Directory schema with Cisco Unity schema extensions.
    • Exchange must be installed.
  • For a list of the rights, privileges, and group memberships that the Permissions wizard report option checks for, see Permissions Set By the Cisco Unity Permissions Wizard.
  • Verifying settings with complete accuracy is not possible. In some cases, the Permissions wizard may inaccurately report that an account has permissions that it does not or report that account does not have permissions that it does.
  • If you run the Permissions wizard from a computer other than the Cisco Unity server, the wizard cannot determine:
    • Whether accounts belong to the local Administrators group.
    • Whether accounts have the right to log on as a service, act as part of the operating system, or log on as a batch job.
  • The Permissions wizard does not check whether you have delegated Exchange administrator control to the installation and directory services accounts.
  • The Permissions wizard report option searches only for the exact permissions that the Permissions wizard grants. If you grant the installation or services accounts a higher level of permissions (for example, Domain Admin) than those granted by the Permissions wizard, the report results will be identical to the results if you had not granted the accounts any permissions at all.

To Check Permissions

  1. Log on to the Cisco Unity server by using an account that is a member of the Enterprise Admins group.

    Or

    Log on to the Cisco Unity server by using an account that meets all of the following requirements:
    • Is a member of the Domain Admins group in the domain in which the Cisco Unity server is installed, or that has permissions in that domain that are equivalent to the default permissions for the Domain Admins group.
    • Is a member of the Domain Admins group in all of the domains that contain OUs from which you want to import Cisco Unity subscribers, Cisco Unity contacts, or public distribution lists, or that has permissions in those domains that are equivalent to the default permissions for the Domain Admins group.
    • Has permission to grant permissions on the deleted items container in the configuration container.
    • Is an Exchange Full Administrator.
  2. On Cisco Unity DVD 1, browse to the Utilities\PermissionsWizard directory, and run PermissionsWizard.exe.

    If Cisco Unity is already installed, you can run the Permissions wizard from Tools Depot.
  3. On the Welcome to the Cisco Unity Permissions Wizard page, click Report on Current Permissions.

    Welcome to the Cisco Unity Permissions Wizard
  4. Click Next.
  5. On the Report Mode Is Supported Only When Exchange Is the Message Store page, click Next.

  6. On the Choose How Much Information to Include in the Report page, choose whether to include results both for settings that do meet Cisco Unity requirements and for those that do not, or to include results only for settings that do not meet Cisco Unity requirements.

    If you choose to report on all settings, depending on your Active Directory configuration and on the options you choose later in the Permissions wizard, the report may be exceptionally long.

    Choose How Much Information to Include in the Report
  7. On the Choose the Accounts Whose Permissions You Want to Determine page, choose the types of accounts for which you want to check permissions.

    Depending on which accounts you choose here and which options you choose later in the Permissions wizard, some Permissions wizard pages may not appear.

    Choose the Accounts Whose Permissions You Want to Determine
  8. Click Next.
  9. On the Choose the Cisco Unity Installation Account page, click Change and choose the account that you want to use to install Cisco Unity. The Permissions wizard will compare the current permissions for the specified account with the permissions required by the Cisco Unity installation account.

    Choose the Cisco Unity Installation Account
  10. Click Next.
  11. On the Choose the Cisco Unity Directory Services Account page, click Change and choose the account that you want Cisco Unity directory services to log on as. The Permissions wizard will compare the current permissions for the specified account with the permissions required by the Cisco Unity directory services account.

    Choose the Cisco Unity Directory Services Account
  12. Click Next.
  13. On the Choose the Cisco Unity Message Store Services Account page, click Change and choose the account that you want Cisco Unity message store services to log on as. The Permissions wizard will compare the current permissions for the specified account with the permissions required by the Cisco Unity message store services account.

    Choose the Cisco Unity Message Store Services Account
  14. Click Next.
  15. On the Choose Whether to Enable Voice Messaging Interoperability page, if you are configuring Cisco Unity to communicate with another voice messaging system using AMIS, the Cisco Unity Bridge, or VPIM, check the Set Permissions Required by AMIS, Cisco Unity Bridge, VPIM, and Connection Networking check box.

  16. Click Next.
  17. On the Choose Which Objects Cisco Unity Administrator Can Create page, choose whether you want the Cisco Unity Administrator to be able to create new Active Directory users, contacts, and groups. For each object type you choose, the Permissions wizard will check the directory services account to determine whether it has the rights necessary to create that type of object in Active Directory.

    For example, if you check the Users check box, the Permissions wizard will check whether the directory services account can create Active Directory users. If the account does not have the permission necessary to create users, you cannot create Cisco Unity subscribers using the Cisco Unity Administrator; you can only create subscribers by importing existing Active Directory users.

    If you checked the Set Permissions Required by AMIS, Cisco Unity Bridge, VPIM, and Connection Networking check box on the Choose Whether to Enable Voice Messaging Interoperability page, all options are mandatory and cannot be changed.

    Note: When Exchange 2007 is the message store, Cisco Unity cannot create users in Active Directory or mailboxes in Exchange. You must create the users and mailboxes first, then import Active Directory data into Cisco Unity.

  18. Click Next.
  19. Cisco Unity needs access to one or more Active Directory containers to create users (Cisco Unity subscribers) and groups (Cisco Unity public distribution lists). On the Choose Active Directory Containers for New Users and Groups page, choose the following:
    • The domain in which you want new users and groups to be created.
    • The container in which you want users to be created. This is where Cisco Unity creates system accounts during installation.
    • The container in which you want groups to be created. This is where Cisco Unity creates system public distribution lists during installation.

The Permissions wizard will check the installation, directory services, and message store services accounts you specified to determine whether they have the necessary permissions on the containers that you choose here.

Note: Cisco Unity also creates system users and groups in the containers you choose here.

Choose Active Directory Containers for New Users and Groups

  1. Click Next.
  2. On the Choose the AD Container for ciscoEcsbuUMLocation Objects page, choose the container where you want Cisco Unity location objects to be created.

    The Permissions wizard will check the installation and directory services accounts to determine whether they have the necessary permissions on the container that you choose here.

    Choose the Active Directory Container for ciscoEcsbuUMLocation Objects
  3. Click Next.
  4. On the Choose Active Directory Containers for Computers page, choose the containers in which you want to create the computer objects and domain controllers (DCs) on which Cisco Unity and Cisco Unity Voice Connectors are installed. If you create computer objects and DCs only in the default Computers and Domain Controllers containers, skip this step.

    If you want to create computer objects and DCs in other containers in addition to the default containers, click Select Alternate Locations for Computer Objects and follow the on-screen prompts to specify the additional containers.

    If you want to create computer objects and DCs in other containers instead of the default containers, uncheck the Computer and Domain Controller Objects Are Created in the Default Locations check box. Then click Select Alternate Locations for Computer Objects and follow the on-screen prompts to specify the alternate containers.

    Choose Active Directory Containers for Computers
  5. Click Next.
  6. On the Choose Active Directory Containers for Import page, choose the Active Directory containers from which you want to import users, contacts, and groups to make them Cisco Unity subscribers and public distribution lists.

    The Permissions wizard will check the directory services and message store service accounts to determine whether they have the necessary permissions on the containers that you choose here.

    Note the following:
    • You must choose a container for the domain that includes the Cisco Unity server.
    • By default, the Permissions wizard checks only the containers that you specify for creating new users and groups and for importing subscribers, contacts, and public distribution lists. If you want the Permissions wizard to check the child containers of the containers you specify, check the Confirm that Cisco Unity Has Permissions to Import from Child Containers check box.

      Note: If you check this check box and choose to report on containers that contain a large number of child containers, the report may take several hours to complete.
    • If you are using Digital Networking to connect multiple Cisco Unity servers, and:
      • If you will be importing users from the same container for every Cisco Unity server, choose that container. For example, if CiscoUnityServer1 and CiscoUnityServer2 will both be importing users only from Container1, choose Container1.
      • If, for all of the Cisco Unity servers combined, you will be importing users from two or more containers, the Cisco Unity message store services account on each Cisco Unity server must have SendAs permission on every container from which users will be imported on every Cisco Unity server in the forest. For example, if CiscoUnityServer1 will import users from Container1 and Container2, and if CiscoUnityServer2 will import users from Container3 and Container4, the Cisco Unity message store services account for each Cisco Unity server must have SendAs permission for all four containers.
    • If you are using identified subscriber messaging for AMIS, Bridge, or VPIM subscribers, and:
      • If you will be importing contacts from the same container for every Cisco Unity server, choose that container. For example, if CiscoUnityServer1 and CiscoUnityServer2 will both be importing contacts only from Container1, choose Container1.
      • If, for all of the Cisco Unity servers combined, you will be importing contacts from two or more containers, the Cisco Unity message store services account on each Cisco Unity server must have SendAs permission on every container from which contacts will be imported on every Cisco Unity server in the forest. For example, if CiscoUnityServer1 will import contacts from Container1 and Container2, and if CiscoUnityServer2 will import contacts from Container3 and Container4, the Cisco Unity message store services account for each Cisco Unity server must have SendAs permission for all four containers.

  1. Click Next.
  2. On the Choose Whether Cisco Unity Can Administer Active Directory page, choose whether changes that you make to Cisco Unity data using Cisco Unity tools should change the corresponding values (for example, First Name and Last Name) in Active Directory.

    If you check the Allow Cisco Unity to Administer Active Directory check box, the Permissions wizard will check the directory services account to determine whether it has the permissions necessary to update selected values in Active Directory.

    If you checked the Set Permissions Required by AMIS, Cisco Unity Bridge, VPIM, and Connection Networking check box on the Choose Whether to Enable Voice Messaging Interoperability page, all options are mandatory and cannot be changed.

  3. Click Next.
  4. On the Choose Mailstores page, click the applicable Choose Mailstores button, and choose the mailstores to which you want Cisco Unity to have access.

    The Permissions wizard checks the message store services account for the required permissions for the selected mailstores.

  5. Click Next.
  6. On the Choose Whether AD Admin Accounts Can Have Voice Mail page, choose whether you want Active Directory accounts that are used for administration to also be used as Cisco Unity subscriber accounts.

    If you check the Allow Active Directory Administrator and Operator Accounts to Have Voice Mail check box, the Permissions wizard will check the directory services and message store services accounts to determine whether they have the necessary permissions.

    Choose Whether Active Directory Admin Accounts Can Have Voice Mail
  7. Click Next.
  8. To run the report, click Next.

    Run the Report
  9. While the Permissions wizard is checking permissions on the accounts you chose using the specifications you selected, the following page displays.

    Checking Permissions
  10. When the Permissions wizard completes, the report appears.

    Cisco Unity Permissions Wizard Report Results

Logging and Diagnostics

The Cisco Unity Permissions wizard generates the following files and saves them in the current temp directory.

PWReportResults.html

PWResults.html contains all results from the Cisco Unity Permissions wizard.

In some cases, individual rights may be combined into a single entry.

PWReportResults.xml

PWReportResults.xml contains everything in PWReportResults.html, plus low-level engineering diagnostics and error messages that can be used by Cisco engineers to diagnose anomalous behavior.

PWResults.log

PWResults.log is mainly useful if the Permissions wizard does not finish or if the report does not display. PWReportResults.html and PWReportResults.xml are only saved to disk when the wizard completes, but PWResults.log is saved as the wizard is processing.

Revision History

Version 2.2.0.34, 2/28/2006: For Cisco Unity 4.2(1), report mode added.

Version 2.2.0.35, 8/1/2006: Added the option to choose containers for computers and domain controllers. Added options for the amount of information to include in the report and for checking child containers. Also added a summary of options selected to the beginning of the report.

© 2010 Cisco Systems, Inc. -- Company Confidential