A superuser account is a Windows account with administrator privileges that is used to work with the Metalogix Archive Manager for Exchange administration tools, run services, manage databases, and manage extensions. It also has elevated privileges to interact with on-premise or online Microsoft Exchange servers.
This guide describes the permissions required for the Metalogix superuser account.
1. Superuser must have read access to the container node in the domain controller:
Microsoft Exchange servers and other information stores are created as child nodes under the CN=Services,CN=Configuration,DC= node in the domain controller.
- The superuser needs sufficient permissions to read the list of Exchange servers and information stores of the organization.
- A read permission must be granted to the superuser to be able to access the object and all its descendant objects.
Steps:
1. Log in to the domain controller.
2. Navigate to Start > Windows Administrative Tools > ADSI Edit.
3. Click the Action menu, and then click Connect to. The Connection Settings window opens.
4. In the Connection Point frame, choose Select a well known Naming Context. From the drop-down list, select Configuration.
5. Click OK. The Configuration context appears in the ADSI editor.
6. Expand or select the Configuration context to display the node (begins with CN=Configuration).
7. Right-click the node and select Properties.
8. In the properties window, click the Security tab, and then click Add.
9. In the Enter the object name to select field, enter the user logon name of the superuser. For example, enter democorp\mamadmin.
10. Click Check Names to verify the logon name.
11. Click OK to add the superuser to the Administrator group.
12. Click Advanced. The Advanced Security Settings for Configuration window opens.
13. From the Permissions tab, select the superuser, and then click Edit. The Permission Entry for Configuration window opens.
14. In the Applies To drop-down list, select This object and all descendant objects.
15. Click OK, and then click OK in each parent window to close all the windows.
16. Close the ADSI editor.
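The result of the ADSI Edit procedure above can be checked from PowerShell. This is an added example, not part of the vendor's guide; it assumes the RSAT ActiveDirectory module is installed and uses the sample logon name democorp\mamadmin from step 9. It reports whether the superuser's entry on the Configuration node grants read, whether it applies to descendant objects, and whether it grants anything beyond read.

```powershell
# Added verification example (not vendor code). Run on a domain-joined host
# with the RSAT ActiveDirectory module available.
Import-Module ActiveDirectory

# Assumption: the sample superuser logon name used in the guide.
$SuperUser = 'democorp\mamadmin'

# Resolve the Configuration naming context rather than hard-coding the DC= parts.
$configNC = (Get-ADRootDSE).configurationNamingContext
$acl      = Get-Acl -Path "AD:\$configNC"

# Explicit (non-inherited) entries on the node that name the superuser.
$aces = @($acl.Access | Where-Object {
    $_.IdentityReference.Value -ieq $SuperUser -and -not $_.IsInherited
})

# GenericRead = ReadControl + ListChildren + ReadProperty + ListObject.
$read = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericRead

if ($aces.Count -eq 0) {
    Write-Warning "No explicit entry for $SuperUser on $configNC"
}
else {
    $aces | ForEach-Object {
        $rights = [int]$_.ActiveDirectoryRights
        [pscustomobject]@{
            Identity           = $_.IdentityReference.Value
            Type               = $_.AccessControlType       # Allow or Deny
            Rights             = $_.ActiveDirectoryRights
            HasRead            = ($rights -band $read) -eq $read
            # "This object and all descendant objects" is InheritanceType All.
            AppliesToAllBelow  = "$($_.InheritanceType)" -eq 'All'
            # True when the entry grants more than the read access the guide asks for.
            GrantsMoreThanRead = ($rights -band (-bnot $read)) -ne 0
        }
    } | Format-Table -AutoSize
}
```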
2. Superuser account must be a Local Administrator:
The superuser must be able to run Windows services and accomplish tasks that require administrator privileges on the Metalogix Archive Manager for Exchange feature servers. Follow the steps described below to grant administrator privilege to the superuser on each feature server.
1. Log in to each server with its local administrator credentials.
2. Navigate to Start > Windows Administrative Tools > Computer Management.
3. From the Console Tree, navigate to the System Tools > Local Users and Groups > Groups container.
4. From the list of groups in the right-hand pane, right-click Administrators and select Properties from the context menu. The Administrators Properties window opens.
5. Click Add.
6. In the Enter the object name to select field, enter the user logon name of the superuser. For example, enter sales\mamadmin.
7. Click Check Names to verify the logon name.
8. Click OK to add the superuser to the Administrator group.
9. In the Administrators Properties window, click Apply and OK to complete the process.
TIP: Log out of the server and log in again with the superuser's credentials to quickly verify that the superuser can access the server.
3. Superuser must be added to the Enterprise Administrators group (a recent requirement for version 8.4).
4. Superuser must be added as a database user with sysadmin role:
If you plan to use Windows authentication with a Microsoft SQL Server database, follow the steps described below:
1. Log in to the database server with your database administrator credentials.
2. Open SQL Server Management Studio on your SQL Server database server.
3. Log in to the server instance for Metalogix Archive Manager for Exchange databases.
4. Open the Security folder.
5. Right-click the Logins folder and select New Login. The Login - New user properties window appears.
6. If you want to assign rights to a Windows account, select Windows authentication.
7. Provide the login name in the text box. If you chose Windows authentication, you can use the Browse button to select an existing account (e.g. democorp\mamadmin).
8. In the user properties window, click Server Roles from the Select a page panel and select the Sysadmin check box.
9. Click OK to create the account.
5. Superuser must have the following rights to the Exchange Environment:
5.1 Superuser must have permissions assigned at the database level (on-premise preferred method):
Get-MailboxDatabase | Add-ADPermission -User SUPERUSER -ExtendedRights Send-As,Receive-As,ms-Exch-Store-Admin
5.2 Superuser must have permissions at mailbox level:
Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq 'UserMailbox'} | Add-MailboxPermission -User admin@company.com -AccessRights FullAccess -InheritanceType All -AutoMapping $false
6. If you use an EWS connection, the superuser must have the impersonation permissions assigned:
6.1 Set up new impersonation role and add the SuperUser account:
New-ManagementRoleAssignment -Name "Impersonation-Metalogix" -Role "ApplicationImpersonation" -User "SUPERUSER"
6.2 Add the SuperUser account to an existing impersonation role:
Add-RoleGroupMember "Impersonation-Metalogix" -Member "SUPERUSER"
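The grants from sections 5 and 6 can be reviewed after they are applied. The following is an added audit example, not part of the vendor's guide; it assumes it is run in the Exchange Management Shell and that $SuperUser holds the account used in place of SUPERUSER (the value shown is the guide's sample name). It lists which of the three extended rights are present on each database, every principal that effectively holds ApplicationImpersonation and with what recipient scope, and any user mailboxes where FullAccess is missing.

```powershell
# Added audit example (not vendor code). Run in the Exchange Management Shell.
# Assumption: the account used in place of SUPERUSER in the commands above.
$SuperUser = 'democorp\mamadmin'
$expected  = 'Send-As', 'Receive-As', 'ms-Exch-Store-Admin'

# Section 5.1: extended rights granted to the superuser on each mailbox database.
$dbReport = foreach ($db in Get-MailboxDatabase) {
    $granted = @(Get-ADPermission -Identity $db.DistinguishedName -User $SuperUser |
        Where-Object { -not $_.Deny -and $_.ExtendedRights } |
        ForEach-Object { $_.ExtendedRights | ForEach-Object { "$_" } } |
        Sort-Object -Unique)
    [pscustomobject]@{
        Database = $db.Name
        Granted  = $granted -join ', '
        Missing  = ($expected | Where-Object { $_ -notin $granted }) -join ', '
    }
}
$dbReport | Format-Table -AutoSize

# Section 6: everyone who effectively holds ApplicationImpersonation, and the
# recipient scope of each assignment (an empty scope means all mailboxes).
Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers |
    Select-Object Name, RoleAssigneeName, EffectiveUserName, CustomRecipientWriteScope |
    Format-Table -AutoSize

# Section 5.2: user mailboxes where the superuser does not hold FullAccess.
Get-Mailbox -ResultSize Unlimited -Filter "RecipientTypeDetails -eq 'UserMailbox'" |
    Where-Object {
        -not (Get-MailboxPermission -Identity $_.Identity -User $SuperUser |
            Where-Object { -not $_.Deny -and "$($_.AccessRights)" -match 'FullAccess' })
    } |
    Select-Object DisplayName, PrimarySmtpAddress
```

Because this account can act as any mailbox, the second table is the one to keep under review: it should list only the archive superuser.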
7. Additional requirements if you want to connect to O365:
To connect Metalogix Archive Manager to an Office 365 account, you must first set up an account that the software will use to connect to Office 365. This account has the following prerequisites:
- The account must have a mailbox in Office 365
- If you still have an on-premise Exchange environment, we recommend creating an account in your on-premise Exchange environment and migrating the account to Office 365
- The account can be a Global Administrator for your Office 365 account, or another account that has the following rights granted (member of):
- Organization Management
- View-Only Organization Management
- Public Folder Management
- Outlook 2016 32-bit or newer should be installed on the archive server
- You should be able to set up a mail profile for the account on the archive server. Metalogix Archive Manager will not be able to connect to an Office 365 account if there are problems with mail routing or autodiscover.
- The account will need access to your Office 365 mailboxes and needs impersonation, which should be granted using the following PowerShell commands:
$LiveCred = Get-Credential
$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection
Import-PSSession $Session
Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq 'UserMailbox'} | Add-MailboxPermission -User admin@company.com -AccessRights FullAccess -InheritanceType All -AutoMapping $false
New-ManagementRoleAssignment -Name "Impersonation-Metalogix" -Role "ApplicationImpersonation" -User admin@company.com
Add-RoleGroupMember "Impersonation-Metalogix" -Member admin@company.com