System Administration Guide for Cisco Unity Release 5.x (With IBM Lotus Domino)
Managing Cisco Unity Administrator Accounts

See the following sections in this chapter:

About the Accounts That Can Be Used to Administer Cisco Unity

Creating Subscriber Accounts That Can Be Used to Access the Cisco Unity Administrator

Granting Administrative Rights to Other Cisco Unity Servers

About the Accounts That Can Be Used to Administer Cisco Unity

To access the Cisco Unity Administrator, administrators can use one of the following accounts:

Administration account

This is the account that was selected during installation to administer Cisco Unity. The administration account is automatically associated with a Cisco Unity subscriber account that has COS rights to access the Cisco Unity Administrator.

The Active Directory account associated with a Cisco Unity subscriber account that has COS rights to access the Cisco Unity Administrator

In order for administrators to log on to the Cisco Unity Administrator on the Cisco Unity server, this account must be a member of one of the following Admins groups, as applicable:

Domain Admins group (when the Cisco Unity server is a domain controller)

Local Administrators group (when the Cisco Unity server is a member server)

Otherwise, the account must at least have the right to log on locally so that administrators can log on to the Cisco Unity Administrator from a computer other than the Cisco Unity server.

A Domino account that is associated with a Cisco Unity subscriber account that has COS rights to access the Cisco Unity Administrator

This option is available only when the Cisco Unity Administrator uses the Anonymous authentication method.


Until you create a Cisco Unity subscriber account specifically for the purpose of administering Cisco Unity, you must use the Active Directory credentials associated with the administration account that was selected when Cisco Unity was installed to log on to the Cisco Unity Administrator.

Consider using an alternative to the administration account if you want to do the following:

Limit the use of the administration account. The COS assigned to the administration account has full system access rights to the Cisco Unity Administrator. This means that not only can the administration account access all pages in the Cisco Unity Administrator, but it also has read, edit, add, and delete privileges for all Cisco Unity Administrator pages.

Ensure that there are additional accounts available that can be used to access the Cisco Unity Administrator if the administration account is deleted or corrupted.

The Cisco Unity subscriber accounts that are used to access the Cisco Unity Administrator must have the appropriate COS rights. COS rights specify which tasks, if any, administrators can do in the Cisco Unity Administrator. For example, some subscriber accounts that are used for administrator access can be associated with a COS that provides read-only access, or that restricts administrators to access of specific pages in the Cisco Unity Administrator for the purpose of unlocking accounts or changing passwords.

In addition to COS rights, subscriber accounts used to access the Cisco Unity Administrator must be associated with an Active Directory account that is enabled when the Cisco Unity Administrator uses Integrated Windows authentication. The same is true when the Cisco Unity Administrator uses the Anonymous authentication method and administrators will use their Active Directory account credentials to access it. (When the Cisco Unity Administrator uses Anonymous authentication and administrators will use their Domino credentials to access the Cisco Unity Administrator, you do not need to create Active Directory accounts for each subscriber account that you create.)

To create additional subscriber accounts for the purposes of accessing the Cisco Unity Administrator, complete the procedures in the "Creating Subscriber Accounts That Can Be Used to Access the Cisco Unity Administrator" section. If you prefer not to create a specific subscriber account for each administrator who needs to access the Cisco Unity Administrator, you can use the GrantUnityAccess utility to associate one or more Active Directory accounts with a single subscriber account. You can also use GrantUnityAccess to associate the Domino account of each administrator with a subscriber account that has COS rights to the Cisco Unity Administrator on a particular server. For more information about using the GrantUnityAccess utility, see the "Granting Administrative Rights to Other Cisco Unity Servers" section.


Note: As a best practice, we recommend that Cisco Unity Administrators not use the same subscriber account to log on to the Cisco Unity Administrator that they use to log on to the Cisco PCA to manage their own Cisco Unity accounts. In addition, they should not use Unity service accounts to administer Cisco Unity.


Creating Subscriber Accounts That Can Be Used to Access the Cisco Unity Administrator

How you create additional accounts that can be used to access the Cisco Unity Administrator depends on the authentication method that the Cisco Unity Administrator uses and on the credentials that subscribers use to access it.

If the Cisco Unity Administrator uses Integrated Windows authentication (the default method), use the procedures in this section to do the following tasks:

1. Create an Active Directory account.

2. If you want the administrator to be able to log on to the Cisco Unity Administrator on the Cisco Unity server, add the Active Directory account to the applicable Admins group. (Otherwise, the administrator can access the Cisco Unity Administrator only from another computer.)

3. Create a Cisco Unity subscriber account that has COS rights to access the Cisco Unity Administrator.

4. Use the GrantUnityAccess utility to associate the Active Directory account with the Cisco Unity subscriber account.

If the Cisco Unity Administrator uses Anonymous authentication and if administrators will use their Domino credentials to access the Cisco Unity Administrator, do only the "To Create the Cisco Unity Subscriber Account(s) That Will Be Used to Access the Cisco Unity Administrator" procedure.

To Create an Active Directory Account


Step 1 On the Cisco Unity server or another computer on which Active Directory Users and Computers is installed, log on to Windows by using an account that is a member of the Domain Admins group.

Step 2 On the Windows Start menu, click Programs > Administrative Tools > Active Directory Users and Computers.

Step 3 In the left pane, expand the domain, right-click Users or the organizational unit in which you want to create the account, and click New > User.

Step 4 Follow the on-screen prompts.

Step 5 Close Active Directory Users and Computers.


If you want the administrator to be able to log on to the Cisco Unity Administrator on the Cisco Unity server, you must add the Active Directory account that you created in the previous procedure either to the local Administrators group (when the Cisco Unity server is a member server), or to the Domain Admins group (when the Cisco Unity server is a domain controller). Do one of the following two procedures, as applicable.

To Add the Active Directory Account to the Local Administrators Group (When the Cisco Unity Server Is a Member Server)


Step 1 On the Cisco Unity server, on the Windows Start menu, click Programs > Administrative Tools > Computer Management.

Step 2 In the left pane of the Computer Management MMC, expand System Tools > Local Users and Groups.

Step 3 In the left pane, click Users.

Step 4 In the right pane, double-click the administration account.

Step 5 In the Properties dialog box, click the Member Of tab.

Step 6 Click Add.

Step 7 In the Select Groups dialog box, in the top list, double-click Administrators.

Step 8 Click OK to close the Select Groups dialog box.

Step 9 Click OK to close the Properties dialog box.

Step 10 Close the Computer Management MMC.


To Add the Active Directory Account to the Domain Admins Group (When the Cisco Unity Server Is a Domain Controller)


Step 1 On the Cisco Unity server or another server where Active Directory Users and Computers is installed, log on to Windows by using an account that is a member of the Domain Admins group.

Step 2 On the Windows Start menu, click Programs > Administrative Tools > Active Directory Users and Computers.

Step 3 In the left pane, expand the domain, and click Users.

Step 4 In the right pane, double-click the name of the administration account.

Step 5 Click the Member Of tab.

Step 6 Click Add.

Step 7 In the Select Groups dialog box, in the top list, double-click Domain Admins.

Step 8 Click OK to close the Select Groups dialog box.

Step 9 Click OK to close the Properties dialog box.

Step 10 Close Active Directory Users and Computers.


To Create the Cisco Unity Subscriber Account(s) That Will Be Used to Access the Cisco Unity Administrator


Step 1 If the Domino person that you want to use to access the Cisco Unity Administrator does not already exist, create the Person document in the Domino Administrator.

Step 2 On the Cisco Unity server, log on to Windows by using the administration account that was selected when Cisco Unity was installed.

Step 3 Right-click the Cisco Unity icon in the status area of the taskbar, and click Launch System Admin.

Step 4 If IIS is configured so that the Cisco Unity Administrator uses Integrated Windows authentication and Internet Explorer is configured to prompt you for a user name and password, enter the user name and password of the administration account in the dialog box, and press Enter. If Internet Explorer is not configured to prompt you for a user name and password, skip to Step 5.

If IIS is configured so that the Cisco Unity Administrator uses Anonymous authentication, on the Cisco Unity Log On page, click Log On Using Windows Authentication, and then enter the user name and password of the administration account, and the domain name for the Cisco Unity server.

Step 5 Create a Cisco Unity subscriber account based on the Default Administrator template by importing the Person document that you created in Step 1 or another Person document from Domino. (The Default Administrator template has COS rights to access the Cisco Unity Administrator.)


Note: See the "Managing Subscriber Accounts" chapter for detailed procedures for creating subscriber accounts.



Because the Cisco Unity Administrator does not import Active Directory account information, the subscriber accounts that you created in the previous procedure still cannot access the Cisco Unity Administrator without corresponding Active Directory accounts (even though they have the COS rights required to access it) when either of the following statements is true:

The Cisco Unity Administrator uses Integrated Windows authentication.

The Cisco Unity Administrator uses Anonymous authentication and administrators will use their Active Directory account credentials to access it.

Do the following procedure to use GrantUnityAccess to associate the Active Directory account and the Cisco Unity subscriber account(s) that you created earlier in this section.

To Associate an Active Directory Account with a Cisco Unity Subscriber Account


Step 1 On the Cisco Unity server desktop, double-click the Cisco Unity Tools Depot icon.

Step 2 In the left pane, expand Diagnostic Tools, and double-click Grant Unity Access to display a command prompt window.

Step 3 To associate an Active Directory account with a Cisco Unity subscriber account, enter:

GrantUnityAccess -u <Domain>\<UserAlias> -s <UnitySubscriberAlias>

For example:

GrantUnityAccess -u UnityDomain\UnityAdmin -s UnityFullAdmin


Granting Administrative Rights to Other Cisco Unity Servers

Rather than create subscriber accounts on each server for each person who needs to administer Cisco Unity, you can use the GrantUnityAccess utility to associate any number of Active Directory accounts with a single Cisco Unity subscriber account. You can also use GrantUnityAccess to associate a Domino Person document with a Cisco Unity subscriber account. GrantUnityAccess maintains a table of the associated Active Directory accounts (or Domino Person documents) and Cisco Unity subscriber accounts that Cisco Unity references when someone tries to access the Cisco Unity Administrator (regardless of the authentication method used by the Cisco Unity Administrator). This table is used to determine whether to permit someone access to the Cisco Unity Administrator.

Before you use GrantUnityAccess, consider the following:

The Active Directory account(s) that you want to associate with a subscriber account must either be in the same domain as the Cisco Unity server or in a trusted domain. In addition, if you want administrators to be able to log on to the Cisco Unity Administrator on the Cisco Unity server, you must add the Active Directory account to the applicable Admins group (see the "Creating Subscriber Accounts That Can Be Used to Access the Cisco Unity Administrator" section for a detailed procedure). Otherwise, the account must at least have the right to log on locally so that administrators can log on to the Cisco Unity Administrator from a computer other than the Cisco Unity server.

As a best practice, the Active Directory accounts that are associated with subscriber accounts should require strong passwords. Set your domain account policy in Active Directory to require them.

You can associate multiple accounts with a single subscriber account.

You can associate multiple Domino Person documents with a single subscriber account.

You can associate Active Directory account(s) or Domino Person documents with any subscriber account, as long as the subscriber account has COS rights to access the Cisco Unity Administrator. This includes the administration account that was selected when Cisco Unity was installed.

Because the administration account is associated with a COS that offers unlimited access to the Cisco Unity Administrator, consider associating the Active Directory account(s) or Domino account(s) used by administrators with a different subscriber account that you create on each Cisco Unity server to have more limited COS rights. In this way, you can customize the level of access for the administrators in your organization.

If there are several servers that the administrators need access to, you can create a batch file that contains the commands to grant access to the applicable servers. In this way, you can avoid entering the commands repeatedly.

Use the following procedure to run GrantUnityAccess. Note that you cannot run GrantUnityAccess remotely across a network, so you will need to run it on each Cisco Unity server that you want to make accessible, and for each account that you want to map. See the "Sample GrantUnityAccess Arguments" section for an example of how this utility is used, and for argument syntax details.

To Use the GrantUnityAccess Utility


Step 1 Log on to Windows on the Cisco Unity server by using either the administration account that was selected when Cisco Unity was installed or an Active Directory account that is a member of the local Administrators group on the Cisco Unity server.

Step 2 On the Cisco Unity server desktop, double-click the Cisco Unity Tools Depot icon.

Step 3 In the left pane, expand Diagnostic Tools, and double-click Grant Unity Access to display a command prompt window.

Step 4 To associate an Active Directory account with a Cisco Unity subscriber account, enter:

GrantUnityAccess -u <Domain>\<UserAlias> -s <UnitySubscriberAlias>

To associate a Domino Person document with a Cisco Unity subscriber account, enter:

GrantUnityAccess -n "<FullName>/<CertificationAuthority>" -s <UnitySubscriberShortName>

Note that the quotation marks are required around the first argument, because the full name of a Domino user will more than likely contain a space.


Sample GrantUnityAccess Arguments

For example, assume that JSmith and KChen are the aliases of administrators who need access to the Cisco Unity Administrator on another Cisco Unity server, and that their Active Directory accounts are in a domain called NewYorkDomain. To associate their Active Directory accounts with the administration account that was selected when Cisco Unity was installed, run GrantUnityAccess two times as follows:

GrantUnityAccess -u NewYorkDomain\JSmith -s <UnitySubscriberAlias for administration account>

GrantUnityAccess -u NewYorkDomain\KChen -s <UnitySubscriberAlias for administration account>

Alternatively, if you want to associate their Domino accounts with the administration account that was selected when Cisco Unity was installed, run GrantUnityAccess two times as follows:

GrantUnityAccess -n "Jane Smith/MyCert" -s <UnitySubscriberAlias for administration account>

GrantUnityAccess -n "Kevin Chen/MyCert" -s <UnitySubscriberAlias for administration account>

Rather than specifying the administration account, you could associate the Active Directory account for Neil Jones with the subscriber account for Kelly Bader instead:

GrantUnityAccess -u NewYorkDomain\NJones -s KBader

To obtain a list of accounts that have been associated with Cisco Unity subscriber accounts, enter:

GrantUnityAccess -l

To delete an association made previously using GrantUnityAccess, enter:

GrantUnityAccess -u <Domain>\<UserAlias> -s <UnitySubscriberAlias> -d

or enter:

GrantUnityAccess -n "<FullName>/<CertificationAuthority>" -s <UnitySubscriberShortName> -d

To display information about these and other arguments, enter:

GrantUnityAccess -?
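
The batch file suggested under "Granting Administrative Rights to Other Cisco Unity Servers" could look like the following. This is an added example, not part of the Cisco guide: it maps the sample accounts to a limited-COS subscriber rather than the administration account, and saves the `-l` listing for review. The subscriber alias UnityHelpDesk and the log location are hypothetical, and the file assumes it is started from the command prompt that Tools Depot opens, so that GrantUnityAccess is found and its output can be redirected.

```bat
@echo off
setlocal
rem Added example, not from the Cisco guide. GrantUnityAccess cannot be run
rem remotely, so copy this file to each Cisco Unity server and run it there.
rem Assumption: started from the prompt that Tools Depot opens for
rem Grant Unity Access, so the utility resolves without a path.

rem Hypothetical subscriber with limited COS rights, created on every server
rem and used instead of the full-access administration account.
set "SUBSCRIBER=UnityHelpDesk"
rem Hypothetical log location; one file per server.
set "LOG=%TEMP%\GrantUnityAccess_%COMPUTERNAME%.log"

echo ==== %DATE% %TIME% on %COMPUTERNAME% ==== >> "%LOG%"

rem Active Directory accounts (sample aliases from the guide's own example).
for %%A in (NewYorkDomain\JSmith NewYorkDomain\KChen) do call :grant_ad "%%A"

rem Domino Person documents. Keep only the form (-u or -n) that matches the
rem credentials administrators use to log on.
call :grant_domino "Jane Smith/MyCert"
call :grant_domino "Kevin Chen/MyCert"

rem Record the resulting association table so it can be compared with the
rem list of administrators who are approved for this server.
echo ---- associations after run ---- >> "%LOG%"
GrantUnityAccess -l >> "%LOG%" 2>&1

echo Done. Review "%LOG%".
endlocal
goto :eof

:grant_ad
rem %~1 is the Domain\UserAlias argument with its surrounding quotes removed.
echo Associating %~1 with %SUBSCRIBER% >> "%LOG%"
GrantUnityAccess -u %~1 -s %SUBSCRIBER% >> "%LOG%" 2>&1
goto :eof

:grant_domino
rem The full name stays quoted on the command line because it contains a space.
echo Associating "%~1" with %SUBSCRIBER% >> "%LOG%"
GrantUnityAccess -n "%~1" -s %SUBSCRIBER% >> "%LOG%" 2>&1
goto :eof
```

Any entry in the saved listing that no longer belongs there can be removed with the `-d` form shown above.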