Granting Access to Exchange 2010 - 2016 Production Databases

NOTE: As an alternative to these instructions, DigiScope® includes the DigiScope® Administrator Account Setup Tool, which will automatically perform all of the manual setup steps outlined here.

Connecting to a Production Exchange server version 2010 or higher with DigiScope® requires the creation of a group named DSAdministrators and a group member named DSAdmin{ExchangeVersion} that will be granted explicit database and mailbox access.  All members of the DSAdministrators group are considered DigiScope® Operators.

NOTE: DigiScope® Operators cannot be part of any Administrative group since all Administrative users and groups include Explicit Deny rights in order to limit database and mailbox access.

Create the DSAdministrators Group and DSAdmin Account

ATTENTION: DSAdmin Username Change
Previous versions DigiScope utilized an account just named "DSAdmin".  To better support the different permissions requirements of different versions of Exchange, we have changed the recommended account name to be Exchange-version specific, as in "DSAdmin2013", "DSAdmin2010", "DSAdmin2007", etc.

When following these updated instructions, please substitute your matching Exchange version number wherever it says "DSAdmin{ExchangeVersion}".  (For example, on Exchange 2010, use "DSAdmin2010".)

The steps below outline the process to grant the required rights for DigiScope® Operators.

  1. Create a group named DSAdministrators within Active Directory. This group will be granted rights so that all members of the group can access the databases and mailboxes as an authorized DigiScope® Operator.

  2. STOP: Ensure the DSAdministrators group is a Local Admin on:

    1. The Exchange server you want to access.

    2. The machine where DigiScope® is installed.

  3. Create a user / service account named DSAdmin{ExchangeVersion}.

    1. Create a mailbox for the DSAdmin{ExchangeVersion} account.

    2. Add DSAdmin{ExchangeVersion} to the DSAdministrators group.

  4. Add any other existing accounts you want be DigiScope® Operators to the DSAdministrators group and:

    1. Ensure that Each member of the DSAdministrators group has an active Exchange mailbox.

    2. However, before adding a member consider the following:

      1. Members of multiple groups will have overlapping layers of security which imposes Least-Privileged User (LUA) restrictions on that account. Therefore, even though the DSAdministrators group will be given explicit rights to have full access to all mailboxes, a member’s LUA may restrict their ability to fully operate DigiScope®.

      2. If a member of the DSAdministrators group has issues operating DigiScope®, try using the DSAdmin{ExchangeVersion} account instead. If the DSAdmin{ExchangeVersion} account works without error, then the issue is probably due to LUA on the other account.

Adding the DSAdministrators to the LOCAL Administrators Group

The DSAdministrators account is utilized while interacting with production Exchange server and therefore must be a member of the Local Administrators group on all Exchange servers that will be used by DigiScope®. To ensure proper operation:

  1. Add the DSAdministrators account to the Local Administrators group on:

    1. All Exchange servers that DigiScope® will interact with.

Grant the DSAdministrators Organization Admin rights
  1. From a Domain Controller open up Active Directory Users & Computers.

  2. Click on the Microsoft Exchange Security Groups organizational unit (OU).

  3. Right click on Organization Management and click on Properties.

  4. Click on the Members tab and click on the Add button

  5. Add in the DSAdministrators account.

  6. Click OK.

Granting Rights to the DSAdministrators Group via the Exchange Management Shell (EMS)
  1. Login to the Exchange server as a Domain Admin.

  2. Open the Exchange Management Shell.

  3. Run each command outlined below one at a time and please note that the items in red within each command are variables. So, for example, if your Domain name is Fabrikam.Corp, then you will need to replace the Domain variable with Fabrikam.Corp

Commands to Add Rights to All Production/Online Mailbox Databases
Commands to Add Rights to All Production/Online Public Folder Databases

If a Public Database is in use, run the following commands:

NOTE:  It can take up to 24 hours to replicate the changes through Active Directory.  For immediate results either force replication on Active Directory or restart the Microsoft Exchange Information Store service.

ATTENTION: For SBS customers ONLY, this additional step is REQUIRED:

Adding the DSAdministrators to the Builtin and Local Administrators Group

The DSAdministrators account is utilized while interacting with production Exchange server and therefore must be a member of the Local Administrators group on all Exchange servers that will be used by DigiScope®. To ensure proper operation:

  1. Add the DSAdministrators account to the Builtin\Administrators group within Active Directory.

    AD_Builtin_Administrators_Dialog.png


Continue to Exchange Client Throttling Settings