Granting Access to Exchange 2007 Production Databases / Mailboxes

NOTE: As an alternative to these instructions, DigiScope® includes the DigiScope® Administrator Account Setup Tool, which will automatically perform all of the manual setup steps outlined here.

Connecting to a Production Exchange 2007 server with DigiScope® requires the creation of a group named DSAdministrators and a group member named DSAdmin that will be granted explicit database and mailbox access. All members of the DSAdministrators group are considered DigiScope® Operators.

Rights can be granted for Exchange 2007 Production database and mailbox access to the DSAdministrators group via the Exchange Management Shell (EMS) (preferred method) or alternatively via ADSI Edit.

NOTE: DigiScope® Operators cannot be part of any Administrative group, since all Administrative users and groups include Explicit Deny rights in order to limit database and mailbox access for Exchange 2007.

Create the DSAdministrators Group and DSAdmin Account

ATTENTION: DSAdmin Username Change
Previous versions of DigiScope utilized an account just named "DSAdmin". To better support the different permissions requirements of different versions of Exchange, we have changed the recommended account name to be Exchange-version specific, as in "DSAdmin2013", "DSAdmin2010", "DSAdmin2007", etc.

When following these updated instructions, please substitute your matching Exchange version number wherever it says "DSAdmin{ExchangeVersion}".  (For example, on Exchange 2010, use "DSAdmin2010".)

The steps below outline the process to grant the required rights for DigiScope® Operators.

  1. Create a group named DSAdministrators within Active Directory. This group will be granted rights so that all members of the group can access the databases and mailboxes as an authorized DigiScope® Operator.

  2. STOP: Ensure the DSAdministrators group is a Local Admin on:

    1. The Exchange server you want to access.

    2. The machine where DigiScope® is installed.

  3. Create a user / service account named DSAdmin{ExchangeVersion}.

    1. Create a mailbox for the DSAdmin{ExchangeVersion} account.

    2. Add DSAdmin{ExchangeVersion} to the DSAdministrators group.

  4. Add any other existing accounts you want to be DigiScope® Operators to the DSAdministrators group and:

    1. Ensure that each member of the DSAdministrators group has an active Exchange mailbox.

    2. However, before adding a member consider the following:

      1. Members of multiple groups will have overlapping layers of security, which impose Least-Privileged User (LUA) restrictions on that account. Therefore, even though the DSAdministrators group will be given explicit rights to have full access to all mailboxes, a member’s LUA may restrict their ability to fully operate DigiScope®.

      2. If a member of the DSAdministrators group has issues operating DigiScope®, try using the DSAdmin{ExchangeVersion} account instead. If the DSAdmin{ExchangeVersion} account works without error, then the issue is probably due to LUA on the other account.

Adding the DSAdministrators to the LOCAL Administrators Group

The DSAdministrators account is utilized while interacting with the production Exchange server and therefore must be a member of the Local Administrators group on all Exchange servers that will be used by DigiScope®. To ensure proper operation:

  1. Add the DSAdministrators account to the Local Administrators group on:

    1. All Exchange servers that DigiScope® will interact with.

Grant the DSAdministrators Organization Admin rights

  1. From a Domain Controller open up Active Directory Users & Computers.

  2. Click on the Microsoft Exchange Security Groups organizational unit (OU).

  3. Right click on Organization Management and click on Properties.

  4. Click on the Members tab and click on the Add button.

  5. Add in the DSAdministrators account.

  6. Click OK.

Granting Rights to the DSAdministrators Group via the Exchange Management Shell (EMS)

  1. Login to the Exchange server as a Domain Admin.

  2. Open the Exchange Management Shell.

  3. Run each command outlined below one at a time. Note that the items in red within each command are variables. For example, if your Domain name is Fabrikam.Corp, replace the Domain variable with Fabrikam.Corp.

    NOTE: If you have elected to issue rights to a specific user vs. a group (recommended), replace the Group-Name operator in the command below with the specific User-Name.

Commands to Add Rights to All Production/Online Mailbox Databases

NOTE: If you create an additional database after granting rights to existing databases, you will need to run the above commands another time in order to grant the appropriate rights to the new database.

Commands to Add Rights to All Production / Online Public Folder Databases

NOTE: It can take up to 24 hours to replicate the changes through Active Directory. For immediate results either force replication on Active Directory or restart the Microsoft Exchange Information Store service.

NOTE: If you experienced problems when attempting to execute the required commands within the Exchange Management Shell (EMS) or do not wish to utilize the EMS you can alternatively add the required rights via ADSI Edit.
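
Whichever method was used, the resulting rights can be reviewed from the Exchange Management Shell. The script below is an added example, not part of the original DigiScope® instructions: it lists every access control entry the DSAdministrators group holds on each mailbox and public folder database, and warns about any database with no entry for the group (for example, one created after the rights were granted). The function name Get-DSAdminDatabaseAce is hypothetical; the cmdlets it calls are standard Exchange Management Shell cmdlets.

```powershell
# Added example (not DigiScope's own script). Run inside the Exchange
# Management Shell after the rights have been granted and replicated.
$GroupName = 'DSAdministrators'   # group name used throughout this page

function Get-DSAdminDatabaseAce {   # hypothetical helper name
    param([string]$Name = $GroupName)

    # Both database types that the sections above grant rights on.
    $databases = @(Get-MailboxDatabase) + @(Get-PublicFolderDatabase)

    foreach ($db in $databases) {
        # One object per ACE on the database's Active Directory object;
        # keep only entries whose trustee is DOMAIN\<group name>.
        $aces = @(Get-ADPermission -Identity $db.DistinguishedName |
            Where-Object { $_.User.ToString() -like "*\$Name" })

        if ($aces.Count -eq 0) {
            # A database created after the grant shows up here.
            Write-Warning "No ACE for $Name on '$($db.Name)'"
            continue
        }

        $aces | Select-Object `
            @{Name = 'Database'; Expression = { $db.Name }},
            User, Deny, IsInherited, AccessRights, ExtendedRights
    }
}

# List Deny entries first: an explicit Deny takes precedence over Allow entries.
Get-DSAdminDatabaseAce |
    Sort-Object -Property @{Expression = { $_.Deny }; Descending = $true}, Database |
    Format-Table -AutoSize -Wrap
```

Keeping the output of a run gives a baseline to compare against when databases are added or group membership changes.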

ATTENTION: For SBS customers ONLY, this additional step is REQUIRED:

Adding the DSAdministrators to the Builtin and Local Administrators Group

The DSAdministrators account is utilized while interacting with the production Exchange server and therefore must be a member of the Local Administrators group on all Exchange servers that will be used by DigiScope®. To ensure proper operation:

  1. Add the DSAdministrators account to the Builtin\Administrators group within Active Directory.



Continue to Exchange Maximum Allowed Sessions Per User