Granting the Enterprise Vault Vault Service Account the correct permissions for Microsoft Exchange

  • Article ID:100018180
  • Modified Date:
  • Product(s):

Problem

Granting the Enterprise Vault (EV) Vault Service Account (VSA) the correct permissions for Microsoft Exchange

Solution

When deploying Enterprise Vault to archive from an Exchange server, a prerequisite is to grant the Vault Service Account the proper rights to Exchange. To grant these rights, you can use either the Exchange System Manager or the Exchange Management Shell (PowerShell).

The PowerShell method can only be used if the Exchange Organization is at least Exchange 2007 (i.e. a mixed environment where Exchange 2003 servers coexist with Exchange 2007) and the scripts are run from an Exchange 2007/2010 console and remotely executed against the Exchange 2003 server.

If the Exchange environment contains Exchange 2003 servers within an Exchange 2007/2010 organization, the PowerShell scripts can be used.

To assign Exchange Server permissions to the Vault Service account using PowerShell:

  1. Log in to the Exchange Server using an account that is assigned the following management roles:

    • Active Directory Permissions

    • Exchange Servers

    • Organization Configuration

    By default, members of the "Organization Management" role group are assigned these roles.

  2. Copy the script called SetEVExchangePermissions.ps1 from the \Veritas Enterprise Vault\PowerShell Scripts folder on the Enterprise Vault media to the Exchange Server.

    The Exchange PowerShell scripts are also in the  PowerShellScripts  sub folder of the Enterprise Vault installation folder (for example  C:\Program Files (x86)\Enterprise Vault ).

  3. On the Exchange Server, open the Exchange Management Shell.

  4. Run  SetEVExchangePermissions.ps1 .

    The syntax for this script is:

    .\SetEVExchangePermissions.ps1 -User domain\user_name [-Server exchange_server] [-Action ] [-Level ] [-Verbose ]

    The parameters are as follows:

    User (required) domain\user_name is the Vault Service account and the domain that it belongs to. If user_name contains spaces, enclose the whole domain\user_name string in quotation marks.
    -Server exchange_server is the name of the Exchange Server. The default is the Exchange Server on which the script is running.
    -Action Add permissions ( Add ) or remove them ( Remove ). The default value is Add .
    -Level Apply permissions that are required by the mailbox and provisioning task ( All ), or apply read-only permissions that are required by the provisioning task ( Provisioning ). The default value is All .
    This parameter is ignored if the Action parameter is set to Remove .
    -Verbose Show all script output ( $True ) or minimal information ( $False ). The default value is $False .
  5. If you want to force these changes to take effect immediately, restart the Microsoft Exchange Information Store service on each Exchange mailbox server.

If the Exchange environment contains only Exchange 2003 and/or Exchange 2000 the PowerShell scripts cannot be used. Follow the steps below for Exchange 2003/2000 environments:

  1. Start the Microsoft Exchange System Manager.

  2. Expand the Servers container.

  3. Right-click your Exchange Server and, on the shortcut menu, click Properties .

  4. Click the Security tab.

  5. Click Add .

  6. Double-click the Vault Service account to add it to the list.

  7. Click OK to go back to the Security tab. The Vault Service account has been added to the Name list.

  8. In the Name list, click the Vault Service account.

  9. In the Permissions list, make sure that all check boxes in the Allow column are selected. Select any check boxes that are not already selected.

  10. Click OK .

Was this content helpful?

Get Support