Table Of Contents
Creating Accounts for the Installation and Setting Rights and Permissions
About the Accounts Required for the Cisco Unity Installation
The Account Used to Install Cisco Unity
The Account Used to Access the Cisco Unity Administrator
The Accounts That Cisco Unity Services Log On As
Creating the Accounts Required for the Cisco Unity Installation
Adding the Cisco Unity Administration Account to an Admins Group
Setting Rights and Permissions with the Cisco Unity Permissions Wizard
Setting Required Exchange Permissions
Creating Accounts for the Installation and Setting Rights and Permissions
In this chapter, you do the following tasks in the order listed:
1. 
Familiarize yourself with the domain accounts you will create in Task 2. See the "About the Accounts Required for the Cisco Unity Installation" section.
2. Create the applicable domain accounts that are needed to install Cisco Unity. See the "Creating the Accounts Required for the Cisco Unity Installation" section.
3. If you created a Cisco Unity administration account in Task 2.: Add the account either to the local Administrators group—when the Cisco Unity server is a member server—or to the Domain Admins group—when the Cisco Unity server is a domain controller. See the "Adding the Cisco Unity Administration Account to an Admins Group" section.
4. Set rights and permissions for the accounts that you created in Task 2. See the "Setting Rights and Permissions with the Cisco Unity Permissions Wizard" section.
5. Set Exchange permissions. See the "Setting Required Exchange Permissions" section.
When you are finished with this chapter, return to the "Overview of Mandatory Tasks for Installing Cisco Unity" chapter to continue installing the Cisco Unity system.
Note The tasks in the list reference detailed instructions in the Cisco Unity installation guide and in other Cisco Unity documentation. Follow the documentation for a successful installation.
About the Accounts Required for the Cisco Unity Installation
This section describes the following domain accounts that are needed for the Cisco Unity installation:
•The Account Used to Install Cisco Unity
•The Account Used to Access the Cisco Unity Administrator
•The Accounts That Cisco Unity Services Log On As
Note The same accounts are required for installing a new Cisco Unity 4.0(x) system and for upgrading from previous versions of Cisco Unity.
The Account Used to Install Cisco Unity
During installation, Cisco Unity creates a number of Cisco Unity objects in Active Directory and in Exchange, so the account with which you log on to Windows to install Cisco Unity must have proper user rights and permissions to perform the necessary operations.
If you are installing more than one Cisco Unity server in a site, you can use the same account to install Cisco Unity software on all of the servers.
The Account Used to Access the Cisco Unity Administrator
When you install Cisco Unity, you are prompted to choose the Windows domain account that you want to use to access the Cisco Unity Administrator (the website used to perform most administration tasks). During installation, the domain account is automatically associated with a Cisco Unity subscriber whose class of service allows Cisco Unity Administrator access. (Later you can create additional Cisco Unity subscribers who also can access the Cisco Unity Administrator.)
By default, the Cisco Unity administration account is the installation account. If you prefer to use an account other than the installation account to be the first Cisco Unity administration account, create an additional domain account for that purpose.
When the Cisco Unity server is a domain controller, the Cisco Unity administration account must be a member of the Domain Admins group. When the Cisco Unity server is a member server, the Cisco Unity administration account must be a member of the local Administrators group. Procedures later in this chapter explain how to add the account to the applicable group.
The Accounts That Cisco Unity Services Log On As
During Cisco Unity installation, you are prompted to choose three domain accounts that Cisco Unity services log on as:
•The account that Cisco Unity directory services log on as. These services keep subscriber data in the directory synchronized with subscriber data in the Cisco Unity SQL Server database.
•The account that Cisco Unity message store services log on as. These services allow subscribers to send and receive voice messages by using the telephone user interface.
•The account that local services log on as. By default, local Cisco Unity services log on as the Local System account. We recommend that you not change this.
The permissions required by the directory services account conflict with the permissions required by the message store services account, so you must create separate accounts for the two types of services.
Creating the Accounts Required for the Cisco Unity Installation
To Create Domain Accounts for Cisco Unity Installation, Administration, and Services
Step 1 On the Cisco Unity server, log on to Windows by using an account that is a member of the Domain Admins group.
Step 2 On the Windows Start menu, click Programs > Microsoft Exchange > Active Directory Users and Computers or click Programs > Administrative Tools > Active Directory Users and Computers.
Step 3 In the left pane, expand the domain, right-click Users or the organizational unit where you want to create the installation account, and click New > User.
Step 4 Follow the on-screen prompts to create the installation account. Creating an Exchange mailbox is optional.
We suggest that you use the following names for the accounts:
Installation
|
UnityInstall
|
Administration
|
UnityAdmin
|
Account that Cisco Unity directory services log on as (directory services account)
|
UnityDirSvc
|
Account that Cisco Unity message store services log on as (message store services account)
|
UnityMsgStoreSvc
|
Step 5 Repeat Step 3 and Step 4 to create the Cisco Unity administration account, the directory services account, and the message store services account.
Ensure that for the accounts that Cisco Unity services log on as, the password will never expire. If the password expires, Cisco Unity will stop working the next time the server is restarted.
Step 6 Close Active Directory Users and Computers.
Adding the Cisco Unity Administration Account to an Admins Group
Note If you did not create a Cisco Unity administration account in the "Creating the Accounts Required for the Cisco Unity Installation" section, skip this section.
You must add the Cisco Unity administration account either to the local Administrators group—when the Cisco Unity server is a member server—or to the Domain Admins group—when the Cisco Unity server is a domain controller.
This section contains two procedures. Do the one that applies to your installation.
To Add the Cisco Unity Administration Account to the Local Administrators Group (Only When the Cisco Unity Server Is a Member Server)
Step 1 On the Cisco Unity server, on the Windows Start menu, click Programs > Administrative Tools > Computer Management.
Step 2 In the left pane of the Computer Management MMC, expand System Tools > Local Users and Groups.
Step 3 In the left pane, click Groups.
Step 4 In the right pane, double-click Administrators.
Step 5 In the Administrators Properties dialog box, click Add.
Step 6 In the Select Users or Groups dialog box, in the Look In list, click the name of the domain to which the Cisco Unity server belongs.
Step 7 In the top list, double-click the name of the Cisco Unity administration account. The name appears in the bottom list.
Step 8 Click OK to close the Select Users or Groups dialog box.
Step 9 Click OK to close the Administrators Properties dialog box.
Step 10 Close the Computer Management MMC.
To Add the Cisco Unity Administration Account to the Domain Admins Group (Only When the Cisco Unity Server Is a Domain Controller)
Step 1 On the Cisco Unity server, log on to Windows by using an account that is a member of the Domain Admins group.
Step 2 On the Windows Start menu, click Programs > Microsoft Exchange > Active Directory Users and Computers or click Programs > Administrative Tools > Active Directory Users and Computers.
Step 3 In the left pane, expand the domain, and click Users.
Step 4 In the right pane, double-click the name of the Cisco Unity administration account.
Step 5 Click the Member Of tab.
Step 6 Click Add.
Step 7 In the Select Groups dialog box, in the top list, double-click Domain Admins. The name appears in the bottom list.
Step 8 Click OK to close the Select Groups dialog box.
Step 9 Click OK to close the Properties dialog box.
Setting Rights and Permissions with the Cisco Unity Permissions Wizard
The procedure in this section sets the permissions that Cisco Unity requires for:
•The account that you will use to install Cisco Unity.
•The two accounts that Cisco Unity directory and message store services will log on as.
In addition, you must set Exchange-specific permissions, as described in the "Setting Required Exchange Permissions" section.
The Permissions wizard will complete in under an hour, and possibly in just a few minutes.
Before you can run the Permissions wizard, the Active Directory schema must have been extended for Cisco Unity, which you should have done when you set up the message store (in the "Extending the Active Directory Schema for Cisco Unity" section).
Caution Cisco Unity needs to be able to change properties of Active Directory users. The Permissions wizard grants the directory services account the right to change user accounts in the containers that you specify. Cisco Unity can change user accounts in those containers only if inheritance is enabled for the containers and for the users themselves. If you disable inheritance for any containers or groups that include Cisco Unity subscribers, or for any users who are subscribers, Cisco Unity (using the directory services account) will not be able to change properties for the affected users. In that case, you will need to either grant permissions to those users explicitly or re-enable inheritance by checking the Allow Inheritable Permissions from Parent to Propagate to This Object check box on the Security tab in the applicable Properties dialog box.
The following procedure grants the installation and services accounts the rights to act as a part of the operating system, to log on as a service, and to log on as a batch job, and does so in the local security policy. (For a complete list of the permissions set by Permissions Wizard, refer to the Permissions Wizard Help file PWHelpPermissionsSet_<language>.htm.)
To Run the Cisco Unity Permissions Wizard
Step 1 If a domain security policy is in effect, confirm that the domain security policy does not deny the installation and services accounts the rights to act as a part of the operating system, to log on as a service, and to log on as a batch job.
Step 2 Log on to the Cisco Unity server by using an account that:
•Is a member of the Domain Admins group in the domain in which the Cisco Unity server is being installed.
•Is either an Exchange Full Administrator or a member of the Domain Admins group in the domain that contains all of the domains from which you want to import Cisco Unity subscribers.
Caution If you try to run the Permissions wizard by using an account that has less than the default permissions for a Domain Admin, the wizard may not be able to set all of the permissions required by the installation account and the services accounts. If the Permissions wizard cannot set all of the required permissions, either the Cisco Unity installation will fail or Cisco Unity will not run properly after it has been installed.
Step 3 On Cisco Unity DVD 1 or CD 1, browse to the Utilities\PermissionsWizard directory, and run PermissionsWizard.exe.
Step 4 On the Welcome to the Cisco Unity Permissions Wizard page, click Microsoft Exchange 2000 or Microsoft Exchange 2003, depending on the version of Exchange installed on the partner Exchange server.
If Windows Server 2003 is installed on the Cisco Unity server, Microsoft Exchange 2003 is the only option available.
Step 5 Click Next.
Step 6 On the Installation Account page, click Change, and choose the account that you want to use to install Cisco Unity.
Step 7 Click Next.
Step 8 On the Directory Services Account page, click Change, and choose the account that you want Cisco Unity directory services to log on as.
Step 9 Click Next.
Step 10 On the Message Store Services Account page, click Change, and choose the account that you want Cisco Unity message store services to log on as.
Step 11 Click Next.
Step 12 Cisco Unity needs access to one or more Active Directory organizational units to create users (Cisco Unity subscribers) and groups (Cisco Unity distribution lists). On the Set Active Directory Containers for New Objects page, choose the following:
•The domain in which you want new users and groups to be created.
•The organizational unit in which you want users to be created. This is where Cisco Unity Example Administrator will be created during Cisco Unity installation.
•The organizational unit in which you want groups to be created.
Step 13 Click Next.
Step 14 On the Objects the Cisco Unity Administrator Can Create page, check the check boxes for the objects you want to be able to create by using the Cisco Unity Administrator.
If you do not want to use the Cisco Unity Administrator to create new Active Directory users, contacts, and groups, you may choose not to grant the Cisco Unity directory services account the necessary rights to create each type of Active Directory object.
If you uncheck a check box next to an Active Directory object type, you will not be able to create the associated type of Cisco Unity object by using the Cisco Unity Administrator. You may only import existing objects into Cisco Unity. (For example, if you uncheck the Users check box, you will not be able to create new Cisco Unity subscribers by using the Cisco Unity Administrator. You will only be able to import existing Active Directory users to make them Cisco Unity subscribers.)
Step 15 Click Next.
Step 16 On the Set Active Directory Container for Location Objects page, choose the organizational unit in which you want Cisco Unity location objects to be created.
Step 17 Click Next.
Step 18 On the Set Active Directory Containers for Import page, choose the Active Directory containers from which you want to import users, contacts, and groups to make them Cisco Unity subscribers and public distribution lists. Note the following considerations:
•You must choose a container for the domain that includes the Cisco Unity server.
•Choose only one container for each domain. If you will want to import users and groups from more than one container in a domain, choose a common parent container that includes all of the containers from which you want to import. If the common parent is the domain itself, choose the domain.
Alternatively, if you want to choose multiple containers without choosing the common parent container, you can run the Permissions wizard more than once. Every time you run the Permissions wizard, choose the same options except on this page, where you choose a different container each time.
•If you are using Digital Networking to connect multiple Cisco Unity servers and if you will be importing users from the same container for every Cisco Unity server, choose that container. (For example, if CiscoUnityServer1 and CiscoUnityServer2 will both be importing users only from Container1, choose Container1.)
If you are using Digital Networking and if, for all of the Cisco Unity servers combined, you will be importing users from two or more containers, the Cisco Unity message store services account on each Cisco Unity server must be granted SendAs permission on every container from which users will be imported on every Cisco Unity server in the forest. (For example, if CiscoUnityServer1 will import users from Container1 and Container2, and if CiscoUnityServer2 will import users from Container3 and Container4, the Cisco Unity message store services account on each Cisco Unity server must have SendAs permission for all four containers.) On each Cisco Unity server, do one of the following, or identified subscriber messaging may not work between Cisco Unity servers:
–Choose all of the containers from which users will be imported by choosing a common parent container.
–Choose all of the containers from which users will be imported by running the Permissions wizard more than once.
–Use the same Active Directory account for the Cisco Unity message store services account as on every other Cisco Unity server in the forest.
•If you are using identified subscriber messaging for AMIS, the Cisco Unity Bridge, or VPIM, and if you will be importing contacts from the same container for every Cisco Unity server, choose that container. (For example, if CiscoUnityServer1 and CiscoUnityServer2 will both be importing contacts only from Container1, choose Container1.)
If you are using identified subscriber messaging for AMIS, the Bridge, or VPIM, and if, for all of the Cisco Unity servers combined, you will be importing contacts from two or more containers, the Cisco Unity message store services account on each Cisco Unity server must be granted SendAs permission on every container from which contacts will be imported on every Cisco Unity server in the forest. (For example, if CiscoUnityServer1 will import contacts from Container1 and Container2, and if CiscoUnityServer2 will import contacts from Container3 and Container4, the Cisco Unity message store services account on each Cisco Unity server must have SendAs permission for all four containers.) On each Cisco Unity server, do one of the following, or identified subscriber messaging may not work between Cisco Unity servers:
–Choose all of the containers from which contacts will be imported by choosing a common parent container.
–Choose all of the containers from which contacts will be imported by running the Permissions wizard more than once.
–Use the same Active Directory account for the Cisco Unity message store services account as on every other Cisco Unity server in the forest.
Step 19 Click Next.
Step 20 On the Choose Mailstores page, click Next. Cisco Unity subscribes will be homed in all of the available Exchange 2003 or Exchange 2000 mailstores.
Step 21 The Verify Permission Assignments page appears, listing the permissions that will be granted to each account. The information listed includes user rights, Active Directory rights, and membership in groups. Click Next to grant the listed permissions.
Step 22 If the Permissions wizard failed to grant one or more permissions, an error message appears that lists the number of permissions it was not able to grant. Click OK.
Step 23 To display a report listing the operations that succeeded and those that failed, if any, click View Detailed Results.
Note that in some cases, individual rights may be combined into a single entry. For example, the rights to read properties, write properties, list contents, read permissions, and modify permissions applied onto Group objects are all included in the single entry "SUCCEEDED granting Group read/modify rights."
Step 24 If one or more permissions could not be granted, fix the problems, and run the Permissions wizard again.
Caution If the Permissions wizard failed to set any permissions, either the Cisco Unity installation will fail or Cisco Unity will not run properly after it has been installed. You must successfully run the Permissions wizard before you can continue installing Cisco Unity.
Caution An Active Directory right being granted by the Permissions wizard may conflict with an existing right on an Active Directory container. (For example, an account may be denied the right to create user objects in one of the containers selected during the Permissions wizard.) The log file will explain that a conflict has been found, but the Permissions wizard will not resolve the conflict. You must resolve the conflict and then rerun the Permissions wizard.
Step 25 Click Finish.
Step 26 If the account that you logged on with in Step 2 is also the account that you want to use to install Cisco Unity (the account that you selected in Step 6), log off of Windows so the permissions set by the Permissions wizard will take effect.
Setting Required Exchange Permissions
In general, the Cisco Unity Permissions wizard does not set Exchange permissions, so they must be set manually. (The Permissions wizard does grant Send-As, Receive-As, and Administer Information Store permissions on Exchange 2003 or Exchange 2000 mailstores.)
The following Exchange permissions must be set for the Cisco Unity installation and services accounts:
Installation account
|
Exchange Administrator.
|
Cisco Unity directory
services account
|
Exchange Administrator if you want to create Cisco Unity subscribers by using the Cisco Unity Administrator. Exchange View Only Administrator if you want to create Cisco Unity subscribers only by importing accounts from Active Directory.
|
Cisco Unity message store
services account
|
Send-As, Receive-As, and Administer Information Store permissions on Exchange 2003 or Exchange 2000 mailstores (set by the Permissions wizard).
|
Do the following procedure for the installation account first, then for the directory services account.
To Grant Exchange Permissions to the Installation and Directory Services Accounts
Step 1 Log on to the Cisco Unity server by using an account that is an Exchange Full Administrator.
Step 2 On the Windows Start menu, click Programs > Microsoft Exchange > System Manager.
Step 3 In the left pane of the Exchange System Manager MMC, right-click the organization name at the top of the tree control, and click Delegate Control.
Step 4 On the Welcome to the Exchange Administration Delegation Wizard page, click Next.
Step 5 In the Users or Groups dialog box, click Add.
Step 6 In the Delegate Control dialog box, click Browse.
Step 7 In the Select Users, Computers, or Groups dialog box, in the Look In list, click the name of the domain to which the Cisco Unity server belongs.
Step 8 When you are granting permissions for the installation account, in the list of users, computers, and groups, double-click the name of the account.
When you are granting permissions for the Cisco Unity directory services account, in the list of users, computers, and groups, double-click the name of the account.
The Delegate Control dialog box reappears. The account you selected appears in the Group (Recommended) or User box.
Step 9 When you are setting permissions for the installation account, in the Role list, click Exchange Administrator.
When you are setting permissions for the Cisco Unity directory services account, in the Role list, click the applicable option:
Exchange
Administrator
|
If you want to create Cisco Unity subscribers by using the Cisco Unity Administrator.
|
Exchange View
Only Administrator
|
If you do not want to create Cisco Unity subscribers by using the Cisco Unity Administrator (meaning that you will create Cisco Unity subscribers only by importing accounts from Active Directory).
|
Step 10 Click OK to close the Delegate Control dialog box.
Step 11 Repeat Step 5 through Step 10 for the Cisco Unity directory services account.
Step 12 Click Next.
Step 13 Click Finish.
Step 14 Close the Exchange System Manager MMC.
Feedback
