The following permissions are required while deploying Collaboration Services for Exchange:
- Exchange View Only Administrator role:
  If your Organization contains only Exchange 2003 servers:
  a. Open Exchange System Manager
  b. Right click your Organization name and select Delegate Control
  c. Click Next
  d. Click Add
  e. Click Browse and enter the name of the service account
  f. Click OK
  g. Select Exchange View Only Administrator and click OK
  h. Click Next
  i. Click Finish
  If your Organization contains Exchange 2007 or Exchange 2007 and 2010 servers:
  - Add the service account to the Active Directory Exchange View-Only Administrators group
  If your Organization contains only Exchange 2010 servers, View-Only rights are not sufficient. Organization Management rights are required:
  - Add the service account to the Active Directory Organization Management group
- Local Administrator permissions on the computer where Collaboration Services is installed:
  - Add the service account to the local Administrators group
- Full mailbox access permission for the service mailbox
- Full Control permission for Collaboration Services container:
  a. Open Active Directory Users and Computers (ADUC)
  b. Click View and check Advanced Features
  c. Right click the OU created for Collaboration Services and select Properties
  d. Select the Security tab
  e. Click Add
  f. Enter the name of the service account and click OK
  g. Select Full Control under Permissions and click OK
The deployment of Collaboration Services itself is very straightforward and does not require much knowledge of Active Directory and Exchange. In a test lab, where you can use accounts that are members of the Enterprise Admins group to deploy and start Collaboration Services, setting special permissions is not required. However, if you deploy Collaboration Services in a production environment, it makes sense to use accounts with the minimal required privileges.
Below is an outline of the permissions required for the QCS service account (also referred to as the general account in the product documentation):
- Read Access to Active Directory
- Replicate Directory Changes right for all domains in the forest from which objects will be published:
  a. Open ADUC
  b. Click View and check Advanced Features
  c. Right click the domain name and select Properties
  d. Select the Security tab
  e. Select the name of the service account or click Add to enter it
  f. Select Replicating Directory Changes under Permissions and click OK
- Manage Replication Topology right for all domains in the forest from which objects will be published:
  a. Open ADUC
  b. Click View and check Advanced Features
  c. Right click the domain name and select Properties
  d. Select the Security tab
  e. Select the name of the service account or click Add to enter it
  f. Select Manage Replication Topology under Permissions and click OK
- Write, create, and delete objects rights for the Collaboration Services container and child container:
  a. Open ADUC
  b. Click View and check Advanced Features
  c. Right click the Collaboration Services container and select Properties
  d. Select the Security tab
  e. Select the name of the service account or click Add to enter it
  f. Select Read, Write, Create all child objects and Delete all child objects under Permissions and click OK
  Note: These rights are granted if you give the service account Full Control to the Collaboration Services container and allow the permission to be inherited by the child objects
- Delete objects right for all containers with objects that are subject to conflict resolution via deletion:
  a. Open ADUC
  b. Click View and check Advanced Features
  c. Right click the container that contains objects subject to conflict resolution via deletion and select Properties
  d. Select the Security tab
  e. Select the name of the service account or click Add to enter it
  f. Select Delete all child objects under Permissions and click OK
  g. Repeat steps c - f for each container that contains objects subject to conflict resolution via deletion
- Write permission for all objects that are subject to matching:
  a. Open ADUC
  b. Click View and check Advanced Features
  c. Right click a container that contains objects subject to matching and select Properties
  d. Select the Security tab
  e. Select the name of the service account or click Add to enter it
  f. Select Write under Permissions and click OK
  g. Repeat steps c - f for each container that contains objects subject to matching
- Modify group membership right for all groups whose members can be affected by conflict resolution via deletion or matching:
  a. Open ADUC
  b. Click View and check Advanced Features
  c. Right click a container that contains groups whose members can be affected by conflict resolution via deletion or matching and select Delegate Control
  d. Click Add
  e. Enter the name of the service account and click OK
  f. Click Next
  g. Select Create, delete and manage groups
  h. Click Next
  i. Click Finish
- Modify permission for all stores in the Configuration container where Collaboration Services Calendar stub objects are stored (this requirement was added starting with QCS 3.0, when calendar data synchronization became possible):
  Exchange 2003:
  a. Open ADSI Edit
  b. Expand Configuration | Services | Microsoft Exchange | Your Organization Name | Administrative Groups | The relevant Administrative Group | Server | The relevant Server name | InformationStores
  c. Click the relevant Storage Group Name
  d. In the right hand pane right click the name of a store and select Properties
  e. Select the Security tab
  f. Click Advanced
  g. Select the name of the service account or click Add to enter it
  h. Click Edit if the name was already in the list
  i. Select Modify Permissions and click OK
  j. Repeat for each store where Calendar stub objects are stored
  Exchange 2007/2010/2013:
  a. Open ADSI Edit
  b. Expand Configuration | Services | Microsoft Exchange | Your Organization Name | Administrative Groups | The relevant Administrative Group | Databases
  c. Right click the name of a Database and select Properties
  d. Select the Security tab
  e. Click Advanced
  f. Select the name of the service account or click Add to enter it
  g. Click Edit if the name was already in the list
  h. Select Modify Permissions and click OK
  i. Repeat for each Database where Calendar stub objects are stored
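
A check for the two domain-level rights listed above (Replicating Directory Changes and Manage Replication Topology), as an added example that is not part of the original page or of the product: it reports which of them the service account is missing on a domain object and flags broader grants the page does not ask for, such as Replicating Directory Changes All. The function name `Test-QcsDomainAcl`, the account `CONTOSO\svc-qcs`, the domain DN and the sample ACEs are constructed for illustration.

```powershell
# Added example (not vendor code): compare the service account's ACEs on a
# domain object with the two control access rights this page asks for.
$RightNames = @{   # rightsGuid values of the replication control access rights
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ac-9c07-11d1-f79f-00c04fc2dcd2' = 'Manage Replication Topology'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'  # not requested by this page
}
$Required  = 'Replicating Directory Changes', 'Manage Replication Topology'
$AllRights = '00000000-0000-0000-0000-000000000000'   # ObjectType meaning "every extended right"

function Test-QcsDomainAcl {
    param(
        [Parameter(Mandatory)] [object[]] $Ace,      # ACEs of the domain object
        [Parameter(Mandatory)] [string]   $Account   # DOMAIN\name of the service account
    )
    $granted = @(); $excess = @()
    foreach ($a in $Ace) {
        if ("$($a.IdentityReference)" -ne $Account -or "$($a.AccessControlType)" -ne 'Allow') { continue }
        $rights = "$($a.ActiveDirectoryRights)"
        $guid   = "$($a.ObjectType)".ToLower()
        # Broad grants are reported as excess; they are not counted as meeting the requirement.
        if ($rights -match 'GenericAll|WriteDacl|WriteOwner') {
            $excess += $rights
        } elseif ($rights -match 'ExtendedRight' -and $guid -eq $AllRights) {
            $excess += 'All extended rights'
        } elseif ($rights -match 'ExtendedRight' -and $RightNames.ContainsKey($guid)) {
            $name = $RightNames[$guid]
            if ($Required -contains $name) { $granted += $name } else { $excess += $name }
        }
    }
    [pscustomobject]@{
        Account = $Account
        Missing = @($Required | Where-Object { $granted -notcontains $_ })
        Excess  = @($excess | Select-Object -Unique)
    }
}

# Constructed sample shaped like (Get-Acl 'AD:\DC=contoso,DC=example').Access,
# which needs the ActiveDirectory module when run against a live domain.
$sample = @(
    [pscustomobject]@{ IdentityReference = 'CONTOSO\svc-qcs'; AccessControlType = 'Allow'
                       ActiveDirectoryRights = 'ExtendedRight'; ObjectType = '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' }
    [pscustomobject]@{ IdentityReference = 'CONTOSO\svc-qcs'; AccessControlType = 'Allow'
                       ActiveDirectoryRights = 'ExtendedRight'; ObjectType = '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' }
)
Test-QcsDomainAcl -Ace $sample -Account 'CONTOSO\svc-qcs'
```

For the constructed sample the result lists Manage Replication Topology as missing and Replicating Directory Changes All as excess; run it once per domain from which objects are published.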