How to set Exchange permissions for the Vault Service Account manually using ADSIEdit


The Vault Service Account needs full permission to the target mailboxes, as it must not only read the contents but also modify them when archiving and synchronizing EV's hidden messages.

The Vault Service Account also needs to be able to Send on Behalf of the system mailbox you have just created when sending the "Welcome" message and any Quota or PST Migration messages.


In EV 9 and later, these permissions are configured using the PowerShell scripts provided on the EV media (instructions are here). However, on EV 8.0 and earlier, there are no PowerShell scripts, and Exchange 2007 does not provide an interface to modify these permissions via the Exchange Management Console or Active Directory Users and Computers. Thus we must use ADSIEdit as follows.

1. Click Start, Programs, Administrative Tools, ADSI Edit. This tool is included with the Windows Support Tools on the Windows Domain Controller or Exchange Server.

2. In ADSI Edit, connect to 'well known Naming Context' Configuration and expand the tree as follows:

a. Expand Configuration [dc.yourdomain.local]
b. Expand CN=Configuration,DC=yourdomain,DC=local
c. Expand CN=Services
d. Expand CN=Microsoft Exchange
e. Expand CN=First Organization 
      Note: CN=First Organization might be different in your environment. This name is the Exchange Organization name configured at the initial Exchange setup.
f. Expand CN=Administrative Groups
g. Expand CN=Exchange Administrative Group(FYDIBOHF23SPDLT)
h. Expand CN=Servers

3. Right-click the CN=EXCHANGE_SERVER_NAME object and select Properties.
      Note: When reviewing all the objects under CN=Servers, you need to match the Exchange Server name from your organization.

4. In CN=EXCHANGE_SERVER_NAME Properties click the Security tab.

5. Add the Vault Service Account to the list and grant it Full Control. Click Apply.

6. Click Advanced. In Advanced Security Settings for EXCHANGE_SERVER_NAME select the row for the Vault Service Account added in the previous step and click Edit.

7. In Permission Entry for EXCHANGE_SERVER_NAME, change Apply onto to This object and all child objects and click OK.

8. Click OK to close the Advanced Security Settings window.

9. Click OK and close the Properties window.


10. Close ADSIEdit.
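
To confirm what steps 5 to 7 actually left on the server object, the following read-only check lists the access control entries held by the Vault Service Account. It is an added example, not part of the original article or of the EV scripts; the function name, the account name and the server name are placeholders to replace with your own values.

```powershell
# Added example: read-only audit of the ACEs set in steps 5-7. It changes nothing.
# Get-VaultServerAce, YOURDOMAIN\VaultServiceAccount and EXCHANGE_SERVER_NAME
# are hypothetical placeholders, not names taken from the product.
function Get-VaultServerAce {
    param(
        [string]$ServerName = 'EXCHANGE_SERVER_NAME',
        [string]$Account    = 'YOURDOMAIN\VaultServiceAccount'
    )

    # Find the Configuration naming context, then search below CN=Microsoft Exchange
    # so the organization and administrative group names are not hard-coded.
    $configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Microsoft Exchange,CN=Services,$configNc"
    $searcher.Filter = "(&(objectClass=msExchExchangeServer)(cn=$ServerName))"
    $result = $searcher.FindOne()
    if (-not $result) { throw "No Exchange server object named '$ServerName' was found." }

    # Read explicit and inherited ACEs with identities shown as DOMAIN\name.
    $entry = $result.GetDirectoryEntry()
    $rules = $entry.psbase.ObjectSecurity.GetAccessRules(
        $true, $true, [System.Security.Principal.NTAccount])

    # Full Control is GenericAll; "This object and all child objects" is inheritance type All.
    $fullControl = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll

    $rules |
        Where-Object { $_.IdentityReference.Value -eq $Account } |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
            InheritanceType, IsInherited,
            @{ Name = 'MatchesArticle'; Expression = {
                ($_.AccessControlType -eq 'Allow') -and
                ((([int]$_.ActiveDirectoryRights) -band $fullControl) -eq $fullControl) -and
                ($_.InheritanceType -eq 'All')
            } }
}

# Example call, using the placeholders above:
# Get-VaultServerAce -ServerName 'EXCHANGE_SERVER_NAME' -Account 'YOURDOMAIN\VaultServiceAccount' | Format-List
```

A row with MatchesArticle set to True and IsInherited set to False corresponds to the entry added in this procedure. Because Full Control with inheritance on the server object is a broad grant, keep the output with your change record so later reviews can compare against it.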

The next step is to apply "send as" permissions over the system mailbox assigned to the Enterprise Vault Archiving Tasks:

1. Open the Exchange Management Console.

2. Expand Microsoft Exchange > Recipient Configuration > Mailbox.

3. In the right panel, do a search for the system mailbox assigned to the Enterprise Vault Archiving Tasks.

4. Right-click the mailbox and select "Manage Send as Permission..."

5. Add the Vault Service Account and click Manage.

6. Repeat the same steps for each system mailbox on any remaining Exchange Servers.

Applies To

Exchange 2003
      EV 8.0 and earlier: Set permissions using Exchange Management Console
      EV 9.0 and later: Set permissions using Exchange Management Console

Exchange 2007
      EV 8.0 and earlier: Use ADSIEdit to set permissions manually (this article).
      EV 9.0 and later: EV provides PowerShell scripts to set permissions

Exchange 2010
      EV 8.0 and earlier: This version of EV does not support this version of Exchange
      EV 9.0 and later: EV provides PowerShell scripts to set permissions

Exchange 2013
      EV 8.0 and earlier: This version of EV does not support this version of Exchange
      EV 9.0 and later: EV provides PowerShell scripts to set permissions

