Granting Access to Exchange 2000 and 2003 Production Databases/Mailboxes

NOTE: As an alternative to these instructions, DigiScope® includes the DigiScope® Administrator Account Setup Tool, which will automatically perform all of the manual setup steps outlined here.

Connecting to a production online Exchange 2000/2003 server with DigiScope® requires the authenticated user to have been granted the role of Exchange Administrator or Exchange Full Administrator. The steps below outline the process to grant the group and users the required rights.

Create the DSAdministrators Group and DSAdmin Account

ATTENTION: DSAdmin Username Change
Previous versions DigiScope utilized an account just named "DSAdmin".  To better support the different permissions requirements of different versions of Exchange, we have changed the recommended account name to be Exchange-version specific, as in "DSAdmin2013", "DSAdmin2010", "DSAdmin2007", etc.

When following these updated instructions, please substitute your matching Exchange version number wherever it says "DSAdmin{ExchangeVersion}".  (For example, on Exchange 2010, use "DSAdmin2010".)

  1. Create a group named DSAdministrators within Active Directory. This group will be granted rights so that all members of the group can access the databases and mailboxes as an authorized DigiScope® Operator.

  2. STOP: Ensure the DSAdministrators group is a Local Admin on:

    1. The Exchange server you want to access.

    2. The machine DigiScope® is installed.

  3. Create a user / service account named DSAdmin{ExchangeVersion}.

    1. Create a mailbox for the DSAdmin{ExchangeVersion} account.

    2. Add DSAdmin{ExchangeVersion} to the DSAdministrators group.

  4. Add any other existing accounts you want be DigiScope® Operators to the DSAdministrators group and:

    1. Ensure that each member of the DSAdministrators group has an active Exchange mailbox.

    2. However, before adding a member consider the following:

      1. Members of multiple groups will have overlapping layers of security which imposes Least-Privileged User (LUA) restrictions on that account. Therefore, even though the DSAdministrators group will be given explicit rights to have full access to all mailboxes, a member’s LUA may restrict their ability to fully operate DigiScope.

      2. If a member of the DSAdministrators group has issues operating DigiScope®, try using the DSAdmin account instead. If the DSAdmin account works without error, then the issue is probably due to LUA on the other account.

Adding the DSAdministrators to the Builtin and Local Administrators Group

The DSAdministrators account is utilized while interacting with production Exchange server and therefore must be a member of the Local Administrators group on all Exchange servers that will be used by DigiScope®. It must also be a member of the Builtin\Administrators group on the domain controller. To ensure proper operation:

  1. Add the DSAdministrators account to the Local Administrators group on:

    1. All Exchange servers that DigiScope® will interact with.

  2. Add the DSAdministrators account to the Builtin\Administrators group within Active Directory.

    NOTE: This permission is required to restore a deleted mailbox to a default or alternate database.

    AD_Builtin_Administrators_Dialog.png

Granting Rights to the DSAdministrators Group
  1. Open the Exchange System Manager.

  2. Right click on the Organization and select Delegate Control....

    2k-2k3-Delgate_Control.png

  3. The Exchange Administration Delegation Wizard appears.

    2k-2k3-Delgate_Wizard.png

  4. Click Next, the Users or Groups selection dialog appears.

    2k-2k3-Delgate_Wizard-Users-Groups.png

  5. Click the Add... button, the Delegate Control dialog appears.

    2k-2k3-Delgate_Wizard-Control.png

  6. Click the Browse... button, the Select Users, Computers or Groups dialog appears.

    2k-2k3-Delgate_Control-User-Group.png

  7. Type in the name of the group / user you want to add permissions to.

  8. Click Check Names.

  9. Once you have finished adding the desired group / user names, Click OK.

  10. You will be returned to the Delegate Control dialog and the Group (recommended) or User field is populated.

  11. Click the Role field drop down and select Exchange Full Administrator.

    2k-2k3-Delgate_Control-Group-Filled.png

  12. Click OK, the updated Users or Groups Selection dialog appears.

    2k-2k3-Delgate_Control-User-Group-Updated.png

  13. Click Next, the Exchange Administration Delegation Wizard Completion dialog appears.

    2k-2k3-Delgate_Control-Finish.png

  14. Click Finish.


Continue to Exchange Maximum Allowed Sessions Per User