
Exchange 2007 Permissions Setup


Exchange 2007

This Appendix applies only to Exchange 2007.

Note: In order to install Add2Exchange on a server with Exchange 2007 installed, you must download and install the Exchange MAPI/CDO subsystem from Microsoft at:

http://www.microsoft.com/downloads/details.aspx?FamilyID=E17E7F31-079A-43A9-BFF2-0A110307611E&displaylang=en

Usage of the Add2Exchange Service and Console application with Exchange 2007 is unchanged.  Exchange 2007 only affects the configuration of permissions due to the new Exchange security model and the new user interface of Exchange itself (Exchange Management Console and PowerShell).  The following are considerations and known issues for Exchange 2007:

| Issue | Description |
| --- | --- |
| Upgrading Existing Relationships | Relationships cannot currently be upgraded to Exchange 2007.  Relationships must be removed and recreated. |
| Exchange Server Moves | The Exchange server on an existing Add2Exchange installation cannot be changed to a new server.  Contact your sales representative to coordinate DidItBetter Technical Support for assistance. |
| Public Folder Support | Public Folders are not necessarily installed on Exchange 2007 installations.  Respond affirmatively when asked if there will be Outlook 2003 clients using your server. |
| Permissions | Permissions have been changed with the 2007 security model and require a combination of Exchange Management Console and Exchange Management Shell configuration. |

Upgrading Existing Relationships

Existing relationships cannot be upgraded to Exchange 2007 at this time.  The relationships must be removed through the Add2Exchange Console prior to decommissioning the old Exchange Server.  You must elect to Remove Destination Copies when prompted by the relationship removal dialog.

Once Add2Exchange is installed on the new Exchange Server, you must rebuild the relationships from scratch.

Exchange Server Moves

The following is a table of the appropriate installation scenarios with regard to upgrades of existing Add2Exchange installations:

| Location | Exchange 2007 on New Server |
| --- | --- |
| Add2Exchange Does Not Change Location (Exchange Server or independent Synchronization Server) | Contact DidItBetter for support. |
| Add2Exchange on New Server (Exchange Server or independent Synchronization Server) | Remove relationships prior to decommissioning old server, remove destination copies, install on new server, and rebuild relationships from scratch. |

Public Folders Support

Exchange 2007 attempts to do away with the Public Folder infrastructure by default on a new install, while upgrades from older versions of Exchange maintain Public Folders.  For this reason, you do not need to be concerned if you are upgrading Exchange from an older version.  However, Outlook 2003 as well as Add2Exchange both require Public Folder infrastructure to operate.   On a new install, you must respond affirmatively that you have Outlook 2003 clients when asked during the install in order for Public Folders to be installed, allowing Add2Exchange to operate.

Permissions

Important:  Because of the nature of synchronization across multiple mailboxes and the security model of Exchange 2007, the Add2Exchange Service Account must be given Organizational-level administration permissions.  This level of permissions is very powerful, so take prudent security measures to protect this account and follow all Microsoft recommendations for security best practices.

Prior to Exchange 2007, the Service Account could not be a part of the official Exchange Active Directory groups.  With 2007, the security model has changed so that the Service Account must now be given the Exchange Organization Administrators role.  This is done through the Exchange Management Console.  In addition, special permissions must be given to the Service Account through the Exchange Management Shell (PowerShell).

Integration with Active Directory Users and Computers

Exchange 2007 no longer installs an Active Directory Users and Computers Exchange Tab as did previous versions of Exchange.  Exchange Management Console now performs many of the functions formerly performed in the Active Directory Users and Computers console, such as user account creation and display of Exchange account configurations.  While you can still perform many of these functions from the existing Active Directory Users and Computers console, it is recommended that you use the Exchange Management Console as much as possible as this is the approach used in DidItBetter Software's documentation.

Configuration of Service Account Permissions

These steps presume you have already begun the step-by-step instructions for installing Add2Exchange.  If you have not already created the Security Group, begin with the section Prerequisite 1: Create a Security Group.  You will be directed to these instructions at the appropriate step.

If you are upgrading your Exchange infrastructure and have an existing Service Account, see the section Removing Old Service Account Permissions, then continue with these instructions from the point Giving the Service Account the Organizational Administrator Role.

1. Log onto the Administrator account on a system with the Exchange Management Console.
2. Open Exchange Management Console.
3. Select the Recipient Configuration list item in the left-hand pane.

Recipient Configuration in Exchange Management Console

4. Click New Mailbox...

New Mailbox Dialog

5. Make sure User Mailbox is selected and click Next >.

User Type Dialog

6. Make sure New User is selected and click Next >.

User Information Dialog

7. If you need to select an Organizational Unit or Active Directory container other than the default Users, do so now.  You may click Browse... to select the Active Directory Container from a list.

User Information Dialog

8. Enter the account information as shown, or choose your own name for the Service Account.  The account will be a full Exchange Organizational Administrator, so you may want to use your standard administrative password for easy recollection; given the level of access described under Permissions, a strong password unique to this account is the safer choice.  Click Next > when ready.

Mailbox Settings Dialog

9. Leave the Alias setting at the default and, if there are multiple storage groups or mailbox databases, choose the appropriate one.  Click Next >.
10. At the New Mailbox dialog, click New.  The account and mailbox are created.  Click Finish.  Leave the Management Console open for now.

Active Directory Users and Computers in Administrative Tools

11. Open the Active Directory Users and Computers console from the Administrative Tools menu.

Add2Exchange Security Group

12. Double-click the Security Group.

Security Group Members

13. Select the Members tab.  Click Add... and select the Service Account.  Click OK.

Giving the Service Account the Organizational Administrator Role

14. Return to the Exchange Management Console.

Organization Configuration in Exchange Management Console

15. Select Organization Configuration and click Add Exchange Administrator.

16. Click Browse... and select the Service Account.
17. Make sure Exchange Organization Administrator role is selected and click Add.
18. Click Finish.  You may exit the Exchange Management Console.
19. Open Exchange Management Shell from the Start Menu.

Exchange Management Shell in Exchange Server 2007 Program Group

20. At the Exchange Management Shell prompt, enter the following command (use the appropriate name for the Security Group if it differs from the one shown):

get-exchangeserver | add-adpermission -user A2ESecurityGroup -accessrights genericall

You should receive output similar to the following:

    Identity             User                 Deny  Rights
    --------             ----                 ----  ------
    TESTING-152          TSTG-152\A2ESecur... False
    TESTING-152          TSTG-152\A2ESecur... False CreateChild, DeleteChild
    TESTING-152          TSTG-152\A2ESecur... False Self, ReadProperty, WritePro...
    TESTING-152          TSTG-152\A2ESecur... False DeleteTree, ListObject, Dele...
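
Because the Security Group now holds GenericAll on every Exchange server object and the Service Account holds the Organization Administrator role, it is worth reviewing exactly who ends up with that access before closing the shell. The following read-only review is an added example, not part of the Add2Exchange documentation; it assumes the Exchange 2007 Management Shell, and the Service Account name `A2EServiceAccount` is a hypothetical placeholder for the name chosen in step 8.

```powershell
# Added example: read-only review of the permissions configured above.
# Run in the Exchange 2007 Management Shell. Nothing here changes any setting.

# Assumed names -- adjust to your environment.
$group          = 'A2ESecurityGroup'    # Security Group name from step 20
$serviceAccount = 'A2EServiceAccount'   # hypothetical: AD name of the Service Account

# 1. ACEs the Security Group holds on each Exchange server object.
#    Expect Deny = False and the GenericAll rights set by step 20.
Get-ExchangeServer | ForEach-Object {
    Get-ADPermission -Identity $_.DistinguishedName -User $group
} | Format-Table Identity, User, Deny, IsInherited, AccessRights -AutoSize

# 2. Members of the Security Group. Every member inherits the ACEs above,
#    so anything other than the Service Account deserves a second look.
$members = (Get-Group -Identity $group).Members
$members | ForEach-Object { $_.Name }

$unexpected = $members | Where-Object { $_.Name -ne $serviceAccount }
if ($unexpected) {
    $names = ($unexpected | ForEach-Object { $_.Name }) -join ', '
    Write-Warning "Unexpected members of ${group}: $names"
}

# 3. Accounts holding the Exchange Organization Administrator role.
#    The Service Account should appear; review every other entry.
Get-ExchangeAdministrator |
    Where-Object { $_.Role -eq 'OrgAdmin' } |
    Format-Table Identity, Role, Scope -AutoSize
```

Keeping the output of this review with your change records gives you a baseline to compare against when the account or group is audited later.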

You may close the Exchange Management Shell with the command exit.

Exchange 2007 permissions settings are now configured.  Continue with the section Conditional Prerequisite: Mailbox Management through Outlook to continue configuration and installation of Add2Exchange.

 


Page url: http://www.diditbetter.com/manuals/Add2Exchange/Add2Exchange Standard Guide/index.html?appendix_a_exchange_2007_consi.htm