The service account used for MessageStats gatherings requires specific rights and permissions to gather Exchange data. The MessageStats account must have the following rights and permissions in the Exchange environment.
Membership in the following security group:
Organization Management
- OR -
If you do not want the task credentials to be a member of the Exchange
Organization Management group, add the task credentials to the following
security groups instead:
View-Only Organization Management
Public Folder Management
In some environments, you can encounter gathering errors unless you ensure
that one of the security groups has access to the Microsoft Exchange System
Objects container in Active Directory for each domain. For instructions, see
Granting Access to the Microsoft Exchange System Objects container on page
22 of the MessageStats Quick Start Guide.
Membership in the local Administrators group on each Exchange server to
gather Exchange database information.
If you do not want to add the credentials to the local Administrators group,
provide the account certain WMI permissions instead. For details, see
Running the Information Stores/Databases Gathering for Exchange 2010
Without Being a Local Administrator on page 22 of the MessageStats Quick Start Guide.
For Exchange 2010, the Exchange server to which you connect to enumerate
the organization must have the Client Access (CAS) role. However,
MessageStats gathers tracking logs only from Hub and Edge Transport servers.
The tracking logs on CAS servers do not include all the information that is
needed for reports.
To create the connection to the Exchange CAS (2010) or Mailbox server
(2013), MessageStats requires a mailbox to which the account used to run
tasks has full access rights. To grant an account full rights on the Exchange
2010 or 2013 mailbox, see Granting Full Rights to an Exchange 2010 or 2013
Mailbox on page 23 of the MessageStats Quick Start Guide.
Read rights to the log files in the tracking log share on the Exchange server.
Read rights to the file system directory (local, NAS, or SAN) that contains the
Exchange private and public information stores in all storage groups.
The account used to run a Public Folder gathering task must be a member of
the Public Folder Management security group.
For Exchange 2013, the CAS server that is used for connection must be
configured to include NTLM among the IIS authentication methods allowed.
For example, you could allow NTLM, Basic, and Negotiate by entering the
following PowerShell command:
Get-OutlookAnywhere | Set-OutlookAnywhere -IISAuthenticationMethods basic,ntlm,negotiate
To run the Server Uptime gathering to populate the Server Uptime report,
task credentials must belong to the Performance Monitor Users group. You
must also grant the task credentials access to certain registry keys. For
instructions, see Granting Access for Server Uptime Information Without
Being a Local Administrator on page 22 of the MessageStats Quick Start Guide.
Some specialized gathering tasks, such as the Content and Attachment gathering tasks, require additional rights
and permissions. For more information about these rights, see Additional Exchange rights required for
specialized gathering tasks on page 24.
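
As an added example (not part of the MessageStats documentation), the following read-only PowerShell function evaluates the role group and NTLM requirements listed above for a task account. The function name, the account name svc-messagestats and the server name CAS01 are hypothetical, and the sample input at the end is constructed.

```powershell
# Added example, not from the MessageStats documentation. Read-only: it changes nothing.
# Collecting the inputs in the Exchange Management Shell (names are placeholders):
#   $groups  = 'Organization Management','View-Only Organization Management','Public Folder Management' |
#              Where-Object { (Get-RoleGroupMember $_ | ForEach-Object { $_.Name }) -contains 'svc-messagestats' }
#   $methods = (Get-OutlookAnywhere -Server 'CAS01').IISAuthenticationMethods | ForEach-Object { "$_" }
# Get-RoleGroupMember lists direct members, so membership through a nested group will not match.

function Test-MessageStatsRights {
    param(
        [string[]] $RoleGroups     = @(),   # Exchange role groups the task account belongs to
        [string[]] $IISAuthMethods = $null  # Exchange 2013 CAS only; $null skips the NTLM check
    )
    $findings = @()

    # Either Organization Management, or BOTH of the narrower groups.
    $hasOrgMgmt  = $RoleGroups -contains 'Organization Management'
    $missingPair = @('View-Only Organization Management', 'Public Folder Management') |
                   Where-Object { $RoleGroups -notcontains $_ }

    if ($hasOrgMgmt) {
        # Sufficient, but worth flagging: the two-group alternative grants less.
        $findings += 'INFO: member of Organization Management; the two-group alternative is narrower'
    } elseif ($missingPair) {
        $findings += 'FAIL: missing role group(s): ' + ($missingPair -join ', ')
    }

    # For Exchange 2013 the connecting CAS server must allow NTLM.
    if ($null -ne $IISAuthMethods -and $IISAuthMethods -notcontains 'Ntlm') {
        $findings += 'FAIL: NTLM is not among the IIS authentication methods on the CAS server'
    }

    if (-not ($findings -like 'FAIL*')) { $findings += 'OK: role group and NTLM requirements met' }
    return $findings
}

# Constructed sample input: Public Folder Management is missing and only Basic is allowed.
Test-MessageStatsRights -RoleGroups 'View-Only Organization Management' -IISAuthMethods 'Basic'
```

The function covers only the role group and NTLM items; local group membership, WMI, file system and registry rights still need to be checked on each server.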