Enterprise Vault Whitepaper

Similar documents
Enterprise Vault.cloud Feature Briefing

W H I T E P A P E R : T E C H N I C A L. Enterprise Vault 8.0 Security Model for Microsoft SharePoint Archiving

How Enterprise Vault Supports Exchange 2007 High Availability Options

Data Insight Feature Briefing Box Cloud Storage Support

Enterprise Vault Best Practices

Oracle Intelligent Policy

Plug-in for VMware vcenter

Clearwell ediscovery Platform Feature Briefing

Administration of Symantec Enterprise Vault 9.0 for Exchange Study Guide

Enterprise Vault 8.0 Security Model for Lotus Domino Archiving. Rob Forgione Technical Field Enablement March 2009

QUICK START: SYMANTEC ENDPOINT PROTECTION FOR AMAZON EC2

Security Model for Discovery Accelerator 8.0. Rob Forgione Technical Field Enablement April 2009

Secondary operation windows in SLPs

QUICK START: VERITAS STORAGE FOUNDATION BASIC FOR AMAZON EC2

NetBackup for vcloud Director

Technical Brief Enterprise Vault SMTP Enhancements

Veritas Enterprise Vault Managing Retention 12.1

METADATA FRAMEWORK. On-Premises Exchange Permissions

Enterprise Vault 12 Feature Briefing Classification

Enterprise Vault Whitepaper Enterprise Vault Integration with Veritas Products

Technical Brief Enterprise Vault Privileged Delete

Migrating BlackBerry-enabled mailboxes from Microsoft Exchange 5.5 to Microsoft Exchange 2000

Three Steps to Protect Your Virtual Systems

Enterprise Vault 11 Whitepaper Deploying IMAP Access to Enterprise Vault

Veritas Enterprise Vault PST Migration 12.2

Symantec Enterprise Vault

Symantec Enterprise Vault

Administration of Symantec Messaging Gateway 10.5 Study Guide

Symantec Enterprise Vault

PST Migration with Enterprise Vault 8.0:

Enterprise Vault.cloud Archive Migrator Guide. Archive Migrator versions 1.2 and 1.3

Exchange Server 2010 Permissions Document

: Administration of Symantec Endpoint Protection 14 Exam

Symantec Exam Administration of Symantec Enterprise Vault 8.0 for Microsoft Exchange Version: 6.0 [ Total Questions: 265 ]

Technical Brief Veritas Technical Education Services

HPE Security ArcSight Connectors

Enterprise Vault.cloud Folder Sync 1.11 Administration Guide

Partner Information. Integration Overview. Remote Access Integration Architecture

Technical Brief Veritas Technical Education Services

Symantec Validation and ID Protection. VIP Credential Development Kit Release Notes. Version May 2017

Enterprise Vault.cloud Folder Sync 1.13 Administration Guide

Enterprise Vault Overview Nedeljko Štefančić

Enterprise Vault Guide for Outlook Users

Enterprise Vault 12.4 OData Reporting for Auditing

Symantec Validation and ID Protection. VIP Credential Development Kit Release Notes. Version January 2017

Veritas Enterprise Vault 6.0 What s New

Symantec Enterprise Vault

Symantec Enterprise Vault

Symantec Enterprise Vault Technical Note

Veritas Enterprise Vault Setting up Exchange Server Archiving 12.2

Veritas Enterprise Vault Setting up SharePoint Server Archiving 12.2

Partner Information. Integration Overview Authentication Methods Supported

Symantec. Administration of Symantec Enterprise Vault 9 for Exchange

Enterprise Vault Setting up Exchange Server and Office 365 for SMTP Archiving and later

Symantec Enterprise Vault Technical Note

Office 365 Best Practices: Protocols

IT Analytics 7.1 for Altiris IT Management Suite from Symantec

DocAve. Release Notes. Governance Automation Online. Service Pack 9, Cumulative Update 6

SymantecTM Desktop and Laptop Option. Symantec DLO s Storage in Cloud (Amazon Web Services)

DocAve. Release Notes. Governance Automation Online. Service Pack 8, Cumulative Update 1

AvePoint Cloud Governance. Release Notes

Veritas Enterprise Vault Setting up IMAP 12.1

Symantec Workflow 7.1 MP1 Release Notes

Symantec VIP Quick Start Guide. Enabling Help Desk. Version 1.0. Author Travis Harmon Symantec. All rights reserved.

Symantec Enterprise Vault

CA IT Client Manager / CA Unicenter Desktop and Server Management

Technical White Paper Information Map. Taking Action on Information Map Insights

Enterprise Vault Setting up Exchange Server and Office 365 for SMTP Archiving and later

Enterprise Vault.cloud CloudLink Google Account Synchronization Guide. CloudLink to 4.0.3

Tzunami Deployer Confluence Exporter Guide

Altiris Software Management Solution 7.1 from Symantec User Guide

Enterprise Vault Requesting and Applying an SSL Certificate and later

Administration of Altiris Client Management Suite 7.0 Study Guide

AvePoint Cloud Governance. Release Notes

Tzunami Deployer Confluence Exporter Guide

Symantec ediscovery Platform

Enterprise Vault Setting up IMAP 12.3

Veritas Enterprise Vault Setting up SMTP Archiving 12.1

Symantec Enterprise Vault 2007 Installation & Configuration

2012 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, Excel, Lync, Outlook, SharePoint, Silverlight, SQL Server, Windows,

W H I T E P A P E R : T E C H N I C AL. Symantec High Availability Solution for Oracle Enterprise Manager Grid Control 11g and Cloud Control 12c

EMC SourceOne Management Pack for Microsoft System Center Operations Manager

Siebel Server Sync Guide. Siebel Innovation Pack 2016 May 2016

AvePoint Cloud Governance. Release Notes

Actual4Test. Actual4test - actual test exam dumps-pass for IT exams

BraindumpsIT. BraindumpsIT - IT Certification Company provides Braindumps pdf!

Symantec Patch Management Solution for Windows 8.5 powered by Altiris technology User Guide

Symantec Enterprise Vault Technical Note

Data Sheet: High Availability Veritas Cluster Server from Symantec Reduce Application Downtime

Siebel Server Sync Guide. Siebel Innovation Pack 2015 May 2015

Symantec Secure One Services Program Brief

Scheduled Automatic Search using Dell Repository Manager

ST0 100 Symantec Enterprise Vault 9 for Domino Technical

Administration of Symantec Data Loss Prevention 10.5 Study Guide

PRODUCT BROCHURE Mailbox Shuttle and Archive Shuttle:

DocAve. Release Notes. Governance Automation Online. Service Pack 8

Configuring Microsoft Windows Shared

Enterprise Vault Migrating Data Using the Microsoft Azure Blob Storage Migrator or later

Symantec Backup Exec 2012

Symantec Control Compliance Suite Express Security Content Update for JBoss Enterprise Application Platform 6.3. Release Notes

Transcription:

Enterprise Vault Whitepaper Configuring Exchange archiving with minimal permissions This document covers the minimal permissions required for Enterprise Vault in order to successfully achieve mailbox, journal and public folder archiving from Microsoft Exchange. If you have any feedback or questions about this document please email them to EV-TFE-Feedback@symantec.com stating the document title. This document applies to the following version(s) of Enterprise Vault: 9.0, 10.0 This document applies to the following version(s) of Microsoft Exchange Server: 2003, 2007, 2010 and 2013. Refer to Enterprise Vault Compatibility Charts for specific service pack releases of Microsoft Exchange that are supported by each Enterprise Vault version. This document is provided for informational purposes only. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice. Copyright 2012 Symantec Corporation. All rights reserved. Symantec, the Symantec logo and Enterprise Vault are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners

Document Control Contributors Who Karl Woodrow, EV Engineering Andy Joyce, EV TFE Contribution Technical content Editor Dan Strydom, EV TFE Updates for Exchange 2013 Revision History Version Date Changes 1.0 March 2012 Initial release 2.0 July 2013 Updated for Exchange 2013 Related Documents Version Date Title Table of Contents Purpose of this document 1 Intended audience 1 When minimal permissions can be used 1 Minimal permissions required on information store objects 2 Where to apply minimal permissions 3 Exchange 2003 3 Exchange 2007 3 Exchange 2010 4 Exchange 2013 4 i

Purpose of this document In order to provision Microsoft Exchange target mailboxes and public folders for archiving, the Enterprise Vault archiving and provisioning tasks require permission to access and write to those mailboxes, as well as permissions to access specific other parts of the Exchange hierarchy in order to be able to enumerate the mailboxes available. The standard Enterprise Vault Installing and Configuring manual supplied with the software details the procedure required to grant the Vault Service Account a set of permissions at a higher level in the Exchange hierarchy that will although Enterprise Vault to access all mailboxes and public folders below that point. However, some Exchange administrators to implement Enterprise Vault using a more restrictive set of permissions, applied at lower levels in the hierarchy. This document details how to do that. Intended audience It is assumed the reader understands how to set Exchange permissions and understands the Exchange archiving functionality and architecture of Enterprise Vault. When minimal permissions can be used The SetEVExchangePermissions.ps1 script, supplied with Enterprise Vault, is intended to apply permissions that ensure all Enterprise Vault functionality works without the need for additional configuration when new Exchange servers or databases are added into the Exchange organization. In some circumstances it is possible to set the permissions at lower levels than detailed in the Enterprise Vault Installing and Configuring guide, and by the provided script SetEVExchangePermissions.ps1. It is assumed that manual configuration of targets is to be completed. If the Getting Started Wizard is to be used instead then this requires a broader set of read permissions in order to automatically locate various objects (for example journal mailboxes) and therefore the minimal permissions approach detailed in this document cannot be used. The minimal permissions must be applied manually using either AdsiEdit.msc or via the Exchange PowerShell command Add-ADPermission. When applying the permissions take care to note the required inheritance otherwise Enterprise Vault will not function correctly. Page 1

Minimal permissions required on information store objects The following permissions are required on the information store objects (mailbox databases/public folder databases). These allow Enterprise Vault to access mailboxes and public folders. Applying these permissions at the lowest level in the Exchange hierarchy in Active Directory is discussed later. Permission Read (ReadProperty, GenericExecute) Receive As Reason Allows Enterprise Vault to read additional properties from information store objects. This enables more informative error information when checking task configuration. For Exchange 2010 this permission is granted to Everyone by default (onto descendant mailbox and public information stores). Symantec recommend setting this permission to ensure in locked down Exchange deployments the archiving tasks continue to function correctly. Allows the task to connect and open any mailbox/public folder. (Receive-As) Administer Information Store (ms-exch-store-admin) Create named properties on information store (ms-exch-store-create-named- Properties) View Information Store Status (ms-exch-store-visible) Allows the task to connect and open any mailbox/public folder. Additionally by using administrative permissions Exchange uses less resource when performing permission checks when opening mailboxes. Allows the tasks to create named properties. The default Exchange permissions grant Everyone this permission by default. Symantec recommend setting this permission to ensure in locked down Exchange deployments the archiving tasks continue to function correctly. Allows the task to bypass the default MAPI session limit (32) on the target Exchange server. Does not apply to Exchange 2013. Where possible all permissions must be set to inherit to lower objects. For example when using AdsiEdit.msc for Windows 2003 you would need to select the 'Advanced' permission tab and ensure Apply onto is set to 'This object and all child objects'. For Windows 2008 the setting is 'Apply to:' with value 'This object and all descendant objects'. If using Add-ADPermission set -InheritanceType All. Page 2

Where to apply minimal permissions Exchange 2003 Permissions required by VSA or task account (for mailbox, journal and public folder archiving and provisioning) Recommended lowest level in Exchange hierarchy to apply these permissions Additional permissions required for provisioning task Read Receive as Administer information store Create named properties in information store View Information Store Status Set on each individual Exchange Server object with inheritance down to lower levels None in addition to those specified above for archiving Exchange 2007 Permissions required by VSA or task account (for mailbox, journal and public folder archiving and provisioning) Recommended lowest level in Exchange hierarchy to apply these permissions Alternative lowest level to apply permissions Additional permissions required for provisioning task Read Receive as Administer information store Create named properties in information store View Information Store Status Set on each individual Exchange Server object with inheritance down to lower levels Permissions can be applied on specific databases or storage groups. However for mailbox archiving, mailboxes in databases that don t have the required permissions should be excluded from provisioning or the archive task will log errors each time it runs for public folder archiving, the mailbox database of the task s system mailbox and the public folder database must have the required permissions read permission must be granted at least the server level (otherwise the archiving task cannot be configured) In addition to permissions required for archiving, the VSA or task account requires access to managed folder content settings. The synchronization can be disabled by following the following articles: http://www.symantec.com/docs/tech126862 http://www.symantec.com/docs/howto57173 Page 3

Exchange 2010 Permissions required by VSA or task account (for mailbox, journal and public folder archiving and provisioning) Read Receive as Administer information store Create named properties in information store View Information Store Status Recommended lowest level in Exchange hierarchy to apply these permissions Set on each individual Exchange database object with inheritance down to lower levels. For mailbox archiving, mailboxes in databases that don t have the required permissions should be excluded from provisioning or the archive task will log errors each time it runs For public folder archiving, the mailbox database of the task s system mailbox and the public folder database must have the required permissions Additional permission required for Exchange 2010 Additional permissions required for provisioning task The archiving tasks require Read permissions to the Global Settings container In addition to permissions required for archiving, the VSA or task account requires access to managed folder content settings. The synchronization can be disabled by following the following articles: http://www.symantec.com/docs/tech126862 http://www.symantec.com/docs/howto57173 Exchange 2013 Permissions required by VSA or task account (for mailbox, journal and public folder archiving and provisioning) Read Receive as Administer information store Create named properties in information store Recommended lowest level in Exchange hierarchy to apply these permissions Set on each individual Exchange database object with inheritance down to lower levels. For mailbox archiving, mailboxes in databases that don t have the required permissions should be excluded from provisioning or the archive task will log errors each time it runs For public folder archiving, the mailbox database of the task s system mailbox and the public folder database must have the required permissions Page 4

Additional permission required for Exchange 2013 Additional permissions required for provisioning task The archiving tasks require Read permissions to the Global Settings container In addition to permissions required for archiving, the VSA or task account requires access to managed folder content settings. The synchronization can be disabled by following the following articles: http://www.symantec.com/docs/tech126862 http://www.symantec.com/docs/howto57173 Page 5

About Symantec: Symantec is a global leader in providing storage, security and systems management solutions to help consumers and organizations secure and manage their information-driven world. Our software and services protect against more risks at more points, more completely and efficiently, enabling confidence wherever information is used or stored. For specific country offices and contact numbers, please visit our Web site: www.symantec.com Symantec Corporation World Headquarters 350 Ellis Street Mountain View, CA 94043 USA +1 (650) 527 8000 +1 (800) 721 3934 Copyright 2013 Symantec Corporation. All rights reserved. Symantec and the Symantec logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback