Problem
This article describes the various accounts and users that are involved in an Enterprise Vault environment, as well as the permissions required by each. As some accounts are feature-specific, not every environment will make use of every account and permission listed here. Rather, this article is meant as a reference to double-check when troubleshooting permissions-related errors. For accounts and permissions specific to the Compliance Accelerator and Discovery Accelerator products, refer to Enterprise Vault Compliance Accelerator and Discovery Accelerator Accounts and Permissions.
Solution
Each of the user accounts below is described in turn, together with the requirements for that account.
- Vault Service Account
- EV System Mailbox
- Domino Archiving User
- EV Reporting User
- Monitoring User
- Data Access Account
- PST Migrations
Vault Service Account
Description: The single most important account in Enterprise Vault is the Vault Service Account (VSA). This account is primarily responsible for running the multiple services and tasks on the Enterprise Vault server, but it also has several other responsibilities and requirements, which are detailed below. Enterprise Vault’s archiving tasks operate as this account when evaluating items eligible for archive, copying them into the archive, and replacing the items with shortcuts or placeholders in their original location; therefore, broadly speaking, the VSA requires full (read/write) access to all sources from which items are to be archived (these sources are known as “Targets”). The VSA is the only account that has complete free rein in all areas of the Vault Administration Console (VAC), and it can use the Roles-Based Administration console to assign more focused administration privileges to other accounts. Additionally, an administrator should always log in as the VSA when troubleshooting the system using Dtrace, EVSVR, or other utilities.
Requirements:
- The VSA must be a dedicated Active Directory account. Do not reuse one of the built-in Windows accounts (Administrator, Guest, etc.) for the VSA.
- The VSA’s password should be set not to expire.
- It is recommended that the VSA not be a member of the Enterprise Admins group, the Domain Admins group, or any other group that contains a default DENY permission on mailboxes. It is better to start with a standard domain user account and explicitly assign only the required permissions.
The VSA’s requirements on the Enterprise Vault server
- The VSA must belong to the Local Administrators group on all Enterprise Vault servers (even if they only run a subset of the services, such as dedicated Storage or Indexing servers).
- The installation wizard automatically grants the VSA the following user rights on the Enterprise Vault server:
- Log on as a service
- Log on as a batch job
- Debug programs
- Replace a process level token
- The VSA must have Full Control permissions (both NTFS and Share) on the PST Holding folder, and it is recommended that this folder be located on the Enterprise Vault server.
- The Indexing Admin service is responsible for starting the EVIndexVolumesProcessor, EVIndexQueryServer and IndexBroker processes. As part of that startup it executes a batch file to launch the key indexing processes, so the VSA must be able to run batch files on the server.
The VSA’s requirements in SQL Server
Note: Granting the sysadmin server role to the VSA covers all of the necessary permissions. Read on for the least-privilege requirements.
- The VSA must have a SQL login with the following permissions on the SQL Server (Veritas Enterprise Vault™ Installing and Configuring - Creating a SQL login account):
Server role: dbcreator
Server permission: View server state
Server permission: Alter any login
Server permission: View any definition
- The VSA also requires the following rights on the msdb system database (Assigning permissions and roles in SQL Server databases):
Select permissions on the sysjobs, sysjobschedules, sysjobservers, and sysjobsteps tables.
SQLAgentUserRole database role
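The least-privilege SQL set above, applied and then verified from PowerShell. This is an added example and not Veritas's own script: it assumes the SqlServer module (Invoke-Sqlcmd) is installed, that the session runs as a SQL sysadmin, and uses the placeholder instance SQLEV01 and placeholder VSA CORP\svc-evault.

```powershell
# Added example (not from the article): grant the VSA the server-level and msdb
# permissions listed above, then report what the login actually holds so that
# anything beyond that set (for instance a leftover sysadmin grant) stands out.
Import-Module SqlServer

$instance = 'SQLEV01'           # placeholder SQL Server instance
$vsa      = 'CORP\svc-evault'   # placeholder Vault Service Account

# Server scope: dbcreator role plus the three server permissions from the article.
$grantServer = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$vsa')
    CREATE LOGIN [$vsa] FROM WINDOWS;
ALTER SERVER ROLE [dbcreator] ADD MEMBER [$vsa];
GRANT VIEW SERVER STATE   TO [$vsa];
GRANT ALTER ANY LOGIN     TO [$vsa];
GRANT VIEW ANY DEFINITION TO [$vsa];
"@

# msdb scope: SQLAgentUserRole plus SELECT on the four SQL Agent job tables.
$grantMsdb = @"
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$vsa')
    CREATE USER [$vsa] FOR LOGIN [$vsa];
ALTER ROLE [SQLAgentUserRole] ADD MEMBER [$vsa];
GRANT SELECT ON dbo.sysjobs         TO [$vsa];
GRANT SELECT ON dbo.sysjobschedules TO [$vsa];
GRANT SELECT ON dbo.sysjobservers   TO [$vsa];
GRANT SELECT ON dbo.sysjobsteps     TO [$vsa];
"@

Invoke-Sqlcmd -ServerInstance $instance -Database master -Query $grantServer
Invoke-Sqlcmd -ServerInstance $instance -Database msdb   -Query $grantMsdb

# Verification: every server role and every granted server permission the login holds.
$audit = @"
SELECT 'role' AS kind, r.name AS item
FROM sys.server_role_members m
JOIN sys.server_principals r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals p ON p.principal_id = m.member_principal_id
WHERE p.name = N'$vsa'
UNION ALL
SELECT 'permission', sp.permission_name
FROM sys.server_permissions sp
JOIN sys.server_principals p ON p.principal_id = sp.grantee_principal_id
WHERE p.name = N'$vsa' AND sp.state = 'G';
"@
Invoke-Sqlcmd -ServerInstance $instance -Database master -Query $audit | Format-Table -AutoSize
```

The audit output is expected to show exactly one role (dbcreator) and four permissions (CONNECT SQL, which every login holds, plus the three granted above); a sysadmin row means the shortcut from the note was taken and the login is over-privileged. ALTER SERVER ROLE ... ADD MEMBER and ALTER ROLE ... ADD MEMBER require SQL Server 2012 or later; on older versions substitute sp_addsrvrolemember and sp_addrolemember.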
The VSA’s requirements in Exchange
- The VSA requires full access to all mailboxes and public folders. Choose one of the following options:
- For Exchange 2003 and earlier, grant the permissions manually using Exchange System Manager.
- For Exchange 2007 and later, grant the permissions using the PowerShell script included on the Enterprise Vault media (instructions).
- For any version of Exchange, grant the permissions manually using ADSIEdit (list of the required permissions; instructions on using ADSIEdit).
- If archiving from Exchange 2010, the VSA is required to have its own mailbox with a custom Throttling Policy (instructions).
(Note that the mailbox receiving this Throttling Policy is the mailbox associated with the VSA, not the EV System Mailbox discussed below. They are separate mailboxes.)
- In a multiple-domain environment, the VSA must be able to access all domains associated with any Exchange Servers that are to be archived (further details and examples).
- The VSA should not be a member of the built-in Exchange Organization Administrators group.
The VSA’s requirements in Domino
The Domino Server service on the Enterprise Vault Domino Gateway must run as the VSA.
The VSA’s requirements on an FSA target
For a Windows file server:
- For releases before Enterprise Vault 10.0.3, the VSA must be a local administrator on each target Windows file server, and must have Full Control permission on each share that is configured as a target volume.
- From Enterprise Vault 10.0.3, the VSA can instead run as a member of the local Print Operators group on the file server, with a reduced set of permissions and privileges. This change enables archiving from domain controllers and other file servers where local Administrator rights are not permitted for a service account (further details).
For a NetApp filer:
- The VSA must have administrator permissions on the NetApp filer (instructions).
The VSA’s requirements in SharePoint
- The VSA must be a local administrator on each targeted SharePoint Server computer.
- The VSA must have full access to target site collections and their content.
The VSA’s requirements in Microsoft SQL Server Reporting Services
- The VSA requires a Content Manager role in Microsoft SQL Server Reporting Services.
- The VSA must be a local administrator on the Microsoft SQL Server Reporting Services computer.
EV System Mailbox
Description: If archiving Microsoft Exchange, an EV System Mailbox needs to be created on each Exchange Mailbox server that will be archived. The EV System Mailbox is not the same as the System Mailbox that Exchange creates, nor is it just the mailbox associated with the VSA. The EV System Mailbox is a separate mailbox used by the Exchange Mailbox, Journaling, and Public Folder Archiving tasks when connecting to Exchange.
Requirements:
- Each EV System Mailbox should be a dedicated Active Directory account. Do not reuse one of the built-in Windows accounts (Administrator, Guest, etc.) for an EV System Mailbox.
- The EV System Mailbox must not be disabled in Active Directory or hidden from any address lists.
Domino Archiving User
Requirements:
- Editor access, plus Delete Documents and Create shared folders/views
If read/unread state will affect archiving eligibility:
- Manager access (instructions)
EV Reporting User
Requirements:
- The reporting user’s password should be set not to expire.
- The reporting user’s account must not be disabled.
- The option User Must Change Password At Logon should not be selected.
- The option User Cannot Change Password should not be selected.
- All the required SQL Server roles and permissions are set up by running the Reporting Configuration Utility (instructions).
Monitoring User
Requirements:
- The monitoring user’s password should be set not to expire.
- The monitoring user’s account must not be disabled.
- The option User Must Change Password At Logon should not be selected.
- The option User Cannot Change Password should not be selected.
Data Access Account
Requirements:
The Data Access Account’s requirements in Active Directory
- The Data Access Account’s password should be set not to expire.
- The Data Access Account must not be disabled.
- The option User Must Change Password At Logon should not be selected.
- The option User Cannot Change Password should not be selected.
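The Active Directory account properties required of the VSA, the reporting user, the monitoring user and the Data Access Account are the same four checks (enabled, password never expires, no forced password change at logon, "User cannot change password" not set), plus the VSA's rule about not sitting in Domain Admins or Enterprise Admins. The following audit script covers all of them in one pass; it is an added example, not Veritas's code, it assumes the ActiveDirectory module, and the account names are placeholders.

```powershell
# Added example (not from the article): audit the Enterprise Vault service accounts
# against the Active Directory requirements listed in this article and flag the VSA
# if it is a (nested) member of a group the article says to avoid.
Import-Module ActiveDirectory

# Placeholder sAMAccountNames; replace with the accounts used in your environment.
$accounts = [ordered]@{
    'Vault Service Account' = 'svc-evault'
    'EV Reporting User'     = 'svc-evreport'
    'Monitoring User'       = 'svc-evmonitor'
    'Data Access Account'   = 'svc-evdataaccess'
}
# Groups the article says the VSA should not belong to (default DENY on mailboxes).
$avoidGroups = 'Domain Admins', 'Enterprise Admins'

function Test-EvServiceAccount {
    param([string]$Role, [string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties PasswordNeverExpires, CannotChangePassword, pwdLastSet
    $findings = @()
    if (-not $u.Enabled)              { $findings += 'account is disabled' }
    if (-not $u.PasswordNeverExpires) { $findings += 'password is set to expire' }
    if ($u.CannotChangePassword)      { $findings += '"User cannot change password" is selected' }
    # pwdLastSet of 0 is how AD represents "User must change password at next logon".
    if ($u.pwdLastSet -eq 0)          { $findings += '"User must change password at logon" is selected' }
    [pscustomobject]@{ Role = $Role; Account = $SamAccountName; Findings = $findings }
}

# Resolve nested membership of each privileged group once, not once per account.
# Enterprise Admins lives in the forest root; add -Server <root DC> from a child domain.
$privileged = foreach ($g in $avoidGroups) {
    try {
        Get-ADGroupMember -Identity $g -Recursive |
            ForEach-Object { [pscustomobject]@{ Group = $g; Sam = $_.SamAccountName } }
    } catch { Write-Warning "Could not enumerate ${g}: $_" }
}

$report = foreach ($entry in $accounts.GetEnumerator()) {
    $r = Test-EvServiceAccount -Role $entry.Key -SamAccountName $entry.Value
    $hits = @($privileged | Where-Object Sam -eq $entry.Value | ForEach-Object Group)
    if ($hits.Count -gt 0) { $r.Findings += "member of $($hits -join ', ')" }
    $r.Findings = if ($r.Findings.Count) { $r.Findings -join '; ' } else { 'OK' }
    $r
}
$report | Format-Table -AutoSize
```

Run it from a workstation or server with RSAT as a user that can read the accounts; a row reading OK meets every requirement in this article, and any other row names the exact setting to correct. Group membership is reported for every account, not only the VSA, since none of the service accounts described here needs domain-wide administrative rights.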
The Data Access Account’s requirements on the Enterprise Vault server
The Data Access Account must have the following user rights assigned on the Enterprise Vault server:
- Access this computer from the network
- Allow log on locally
- Log on as a batch job
- Bypass traverse checking
PST Migrations
Description: If migrating PST files using the server-driven method (Locate, Collect, Migrate), it is recommended to create a separate account to run the PST tasks, rather than running them under the Vault Service Account.
Requirements:
The PST user’s requirements in Active Directory
- The PST user must have local administrative access to all workstations, servers, and network locations on which it will Locate PST files. This can be achieved by adding the PST user to the Domain Admins, Enterprise Admins, or another appropriate group.
- Using Group Policy (instructions), ensure that the PST user has the following user rights assigned on all computers on which it will Locate PST files:
- Log on as a service
- Replace a process level token
- Act as part of the operating system
- The PST user must have Full Control permissions to the PST Holding folder, and it is recommended that this folder be located on the Enterprise Vault server.
- The PST user must have the PST Administrator role in Enterprise Vault’s Authorization Manager (instructions).
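The user rights this article asks for (the four the installer grants the VSA, the four the Data Access Account needs on the Enterprise Vault server, and the three the PST user needs on every computer it locates PST files on) are all Local Security Policy settings, so a permissions-related error is often traced by reading back what the policy actually holds. The script below does that with secedit; it is an added example, not Veritas's code, must run elevated on the computer being checked, and uses CORP\svc-evault as a placeholder account.

```powershell
# Added example (not from the article): report which of the user rights named in this
# article an account effectively holds on the local computer. A right counts as held if
# the Local Security Policy grants it to the account's SID directly or to a local group
# that lists the account as a direct member (e.g. Administrators, Print Operators).
param([string]$Account = 'CORP\svc-evault')   # placeholder account

# Policy constants for the rights named in the article, in the order they appear.
$wanted = [ordered]@{
    SeServiceLogonRight           = 'Log on as a service'                 # VSA, PST user
    SeBatchLogonRight             = 'Log on as a batch job'               # VSA, Data Access
    SeDebugPrivilege              = 'Debug programs'                      # VSA
    SeAssignPrimaryTokenPrivilege = 'Replace a process level token'       # VSA, PST user
    SeNetworkLogonRight           = 'Access this computer from the network' # Data Access
    SeInteractiveLogonRight       = 'Allow log on locally'                # Data Access
    SeChangeNotifyPrivilege       = 'Bypass traverse checking'            # Data Access
    SeTcbPrivilege                = 'Act as part of the operating system' # PST user only
}

function Get-Sid([string]$Name) {
    (New-Object System.Security.Principal.NTAccount($Name)).
        Translate([System.Security.Principal.SecurityIdentifier]).Value
}

# Identities to match: the account itself plus every local group it is a direct member of.
$shortName = ($Account -split '\\')[-1]
$sids = @(Get-Sid $Account)
foreach ($g in ([ADSI]'WinNT://.').Children | Where-Object SchemaClassName -eq 'Group') {
    $members = @($g.Invoke('Members')) |
        ForEach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) }
    if ($members -contains $shortName) { $sids += Get-Sid "$env:COMPUTERNAME\$($g.Name)" }
}

# Export only the User Rights area of the effective policy and parse the
# "SeXxx = *S-1-...,*S-1-..." lines; secedit prefixes SIDs with '*'.
$cfg = Join-Path $env:TEMP 'ev-user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$granted = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $granted[$matches[1]] = $matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

foreach ($constant in $wanted.Keys) {
    $holders = @($granted[$constant])
    # Unresolved entries can appear by name instead of SID, so match both forms.
    $held = [bool]($holders | Where-Object { $sids -contains $_ -or $_ -eq $Account })
    [pscustomobject]@{ Right = $wanted[$constant]; Constant = $constant; Held = $held }
}
```

Read the Held column against the account being checked: the VSA should hold the first four on an Enterprise Vault server, the Data Access Account the middle four, and the PST user its three on each computer it locates PST files on. Act as part of the operating system is the most sensitive right in the list, so an unexpected Held = True for it on a computer that is not a PST locate target is itself a finding.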