Granting Access to Exchange 2010 - 2016 Production Databases

Granting Access to Exchange 2010 - 2019 Production Databases

NOTE: As an alternative to these instructions, DigiScope includes the DigiScope Administrator Account Setup Tool, which will automatically perform all of the manual setup steps outlined here.

Connecting to a Production Exchange server version 2010 or higher with DigiScope requires the creation of a group named DSAdministrators and a group member named DSAdmin{ExchangeVersion} that will be granted explicit database and mailbox access. All members of the DSAdministrators group are considered DigiScope Operators.

NOTE: DigiScope Operators cannot be part of any Administrative group since all Administrative users and groups include Explicit Deny rights in order to limit database and mailbox access.

Create the DSAdministrators Group and DSAdmin Account

ATTENTION: DSAdmin Username Change
Previous versions DigiScope utilized an account just named "DSAdmin". To better support the different permissions requirements of different versions of Exchange, we have changed the recommended account name to be Exchange-version specific, as in "DSAdmin2013", "DSAdmin2010", "DSAdmin2007", etc.

When following these updated instructions, please substitute your matching Exchange version number wherever it says "DSAdmin{ExchangeVersion}". (For example, on Exchange 2010, use "DSAdmin2010".)

The steps below outline the process to grant the required rights for DigiScope Operators.

Create a group named DSAdministrators within Active Directory. This group will be granted rights so that all members of the group can access the databases and mailboxes as an authorized DigiScope Operator.
STOP: Ensure the DSAdministrators group is a Local Admin on:
1. The Exchange server you want to access.
2. The machine where DigiScope is installed.
Create a user / service account named DSAdmin{ExchangeVersion}.
1. Create a mailbox for the DSAdmin{ExchangeVersion} account.
2. Add DSAdmin{ExchangeVersion} to the DSAdministrators group.
Add any other existing accounts you want be DigiScope Operators to the DSAdministrators group and:
1. Ensure that Each member of the DSAdministrators group has an active Exchange mailbox.
2. However, before adding a member consider the following:
  1. Members of multiple groups will have overlapping layers of security which imposes Least-Privileged User (LUA) restrictions on that account. Therefore, even though the DSAdministrators group will be given explicit rights to have full access to all mailboxes, a member’s LUA may restrict their ability to fully operate DigiScope.
  2. If a member of the DSAdministrators group has issues operating DigiScope, try using the DSAdmin{ExchangeVersion} account instead. If the DSAdmin{ExchangeVersion} account works without error, then the issue is probably due to LUA on the other account.

Adding the DSAdministrators to the LOCAL Administrators Group

The DSAdministrators account is utilized while interacting with production Exchange server and therefore must be a member of the Local Administrators group on all Exchange servers that will be used by DigiScope. To ensure proper operation:

Add the DSAdministrators account to the Local Administrators group on:
1. All Exchange servers that DigiScope will interact with.

Grant the DSAdministrators Organization Admin rights

From a Domain Controller open up Active Directory Users & Computers.
Click on the Microsoft Exchange Security Groups organizational unit (OU).
Right click on Organization Management and click on Properties.
Click on the Members tab and click on the Add button
Add in the DSAdministrators account.
Click OK.

Granting Rights to the DSAdministrators Group via the Exchange Management Shell (EMS)

Login to the Exchange server as a Domain Admin.
Open the Exchange Management Shell.
Run each command outlined below one at a time and please note that the items in red within each command are variables. So, for example, if your Domain name is Fabrikam.Corp, then you will need to replace the Domain variable with Fabrikam.Corp

Command to enable RPC/HTTP protocol for the DSAdmin or equivalent user

When connecting to an Exchange 2013/2016/2019 server if you have blocked the use of RPC/HTTP you must unblock RPC/HTTP for the DSAdmin{ExchangeVersion} user. For the example below simply change the {ExchangeVersion} variable to match the version of Exchange your connecting to, i.e. DSAdmin2013 or DSAdmin2016 or DSAdmin2019

Set-CASMailbox -Identity “DSAdmin{ExchangeVersion}” -MAPIBlockOutlookRpcHttp $False

Commands to Add Rights to All Production/Online Mailbox Databases

Add-ADPermission –Identity “Microsoft Exchange” -User "Domain\DSAdministrators" -ExtendedRights Receive-As –InheritanceType All
Add-ADPermission -Identity “Microsoft Exchange” -User "Domain\DSAdministrators" -AccessRights GenericAll –InheritanceType All
Get-MailboxDatabase | Add-ADPermission -User "Domain\DSAdministrators" -ExtendedRights Receive-As -InheritanceType All

Commands to Add Rights to All Production/Online Public Folder Databases

If a Public Database is in use, run the following commands:

Add-RoleGroupMember -Identity "Public Folder Management" -Member "Domain\DSAdministrators"
Add-PublicFolderAdministrativePermission -Identity "\" -User "Domain\DSAdministrators" -AccessRights AllExtendedRights -InheritanceType SelfAndChildren

NOTE: It can take up to 24 hours to replicate the changes through Active Directory. For immediate results either force replication on Active Directory or restart the Microsoft Exchange Information Store service.

ATTENTION: For SBS customers ONLY, this additional step is REQUIRED:

Adding the DSAdministrators to the Built-in and Local Administrators Group

Add the DSAdministrators account to the Builtin\Administrators group within Active Directory.

Continue to Exchange Client Throttling Settings