Service account permissions
Installation user account
The user account used to perform the installation must be:
- A member of the domain.
- Assigned appropriate send-as and receive-as permissions on the mail server.
- Not a domain administrator (highly recommended)
- A local administrator on the AMS server.
User account to run AMS services
An Active Directory user account is required to run all AMS service processes on servers running AMS components. This user must have a number of special permissions pre-configured on the account.
User requirements:
- User must be a member of the domain in which the Aurea Messaging Solutions server is installed.
- User must have a Microsoft Exchange mailbox.
- User must be a member of the local administrator group on the Aurea Messaging Solutions server, and preferably not a domain administrator. To do this, on the Aurea Messaging Solutions server launch the Local Users and Groups applet (Start > Run > lusrmgr.msc) and add the user to Groups > Administrators.
- In Microsoft Exchange 2010 and higher, the user account must also be a member of the Organization Management and Recipient Management security groups. For more information refer to Add Members to a Role Group.
- The user must be assigned a Microsoft Exchange management scope role that has access to all mailboxes (impersonation rights). For more information on how to create the management scope role, refer to Microsoft Exchange management scope role.
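The following script is an added example, not part of the AMS documentation. It checks a candidate service account against every requirement in the list above (domain membership, mailbox, local Administrators membership on this server, the recommended absence from Domain Admins, the two Exchange role groups, and an ApplicationImpersonation assignment) and reports each failure instead of stopping at the first. It is meant to be run in the Exchange Management Shell on the AMS server with the ActiveDirectory module installed; the account name AMS_User is a placeholder.

```powershell
# Added example (not from the AMS documentation): verify a candidate AMS
# service account against the requirements listed above.
# Run in the Exchange Management Shell on the AMS server.
# 'AMS_User' is a placeholder sAMAccountName; replace it with your account.
Import-Module ActiveDirectory

$ServiceAccount = 'AMS_User'
$failures = New-Object System.Collections.Generic.List[string]

# 1. The account must exist in the domain.
$user = Get-ADUser -Identity $ServiceAccount -ErrorAction SilentlyContinue
if (-not $user) {
    throw "Account '$ServiceAccount' was not found in the domain."
}
$upn = $user.UserPrincipalName

# 2. The account must have an Exchange mailbox (looked up by UPN).
if (-not (Get-Mailbox -Identity $upn -ErrorAction SilentlyContinue)) {
    $failures.Add('no Exchange mailbox')
}

# 3. The account must be in the local Administrators group on this server.
#    Get-LocalGroupMember reports domain principals as DOMAIN\name.
$localAdmins = Get-LocalGroupMember -Group 'Administrators' |
    ForEach-Object { $_.Name.Split('\')[-1] }
if ($localAdmins -notcontains $ServiceAccount) {
    $failures.Add('not a member of local Administrators on this server')
}

# 4. The account should not be a domain administrator.
#    -Recursive also catches membership through nested groups.
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty SamAccountName
if ($domainAdmins -contains $ServiceAccount) {
    $failures.Add('is a member of Domain Admins (not recommended)')
}

# 5. Exchange 2010 and higher: member of both role groups.
foreach ($group in 'Organization Management', 'Recipient Management') {
    $members = Get-RoleGroupMember -Identity $group |
        Select-Object -ExpandProperty SamAccountName
    if ($members -notcontains $ServiceAccount) {
        $failures.Add("not a member of the '$group' role group")
    }
}

# 6. An ApplicationImpersonation role assignment must exist for the account.
$impersonation = Get-ManagementRoleAssignment -Role 'ApplicationImpersonation' `
    -RoleAssignee $upn -ErrorAction SilentlyContinue
if (-not $impersonation) {
    $failures.Add('no ApplicationImpersonation role assignment')
}

# Report all findings together.
if ($failures.Count -eq 0) {
    Write-Output "Account '$ServiceAccount' meets all listed requirements."
} else {
    Write-Warning "Account '$ServiceAccount' fails the following checks:"
    $failures | ForEach-Object { Write-Warning "  - $_" }
}
```

Running the script before installation, and again after any change to the account, turns the checklist into something repeatable; the Domain Admins check is the one most worth keeping in a scheduled review, since it is the requirement most often silently violated later by a well-meaning group change.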
Setting Impersonation rights
An Active Directory Service Account refers to an Active Directory user account under which all AMS service processes run. This user account must be created on the AMS server.
This Active Directory Service Account user must be a member of:
- The domain in which the AMS server is installed
- A local administrator group on the AMS server
To ensure product reliability and performance, it is our recommendation that the Active Directory Service Account used be dedicated to AMS and not shared with any other applications.
The account must be assigned a Microsoft Exchange management scope role that has access to all mailboxes (impersonation rights).
This management scope role is utilized by SyncManager to access the list of Microsoft Exchange mailbox names and synchronize them with the data center. It is also used by RecoveryManager to restore emails that were sent or received during an email outage, back into their Exchange mailboxes.
Microsoft Exchange 2016
To manually assign impersonation rights to the AMS user account, run the following cmdlet in the Microsoft Exchange 2016 Management Shell.
New-ManagementRoleAssignment -name:<role_name> -Role:ApplicationImpersonation -User:<impersonator>
Replace the following entries with these values:
- Replace <role_name> with a friendly name for the role being assigned, for example: impersonate_role
- Replace <impersonator> with the username of the user which will run the Aurea Messaging Solutions services.
For example:
New-ManagementRoleAssignment -name:impersonate_role -Role:ApplicationImpersonation -User:AMS_User
Microsoft Exchange 2013 & 2010
To manually assign impersonation rights to the Aurea Messaging Solutions user account, you must first create a new management scope which groups all recipients that have a mailbox, and then create a new management role that allows a particular user to have impersonation rights on that management scope.
Run the following two cmdlets in the Microsoft Exchange Management Shell.
Step 1: Creating a new management scope
Run the following cmdlet to create a new management scope which groups all recipients that have a mailbox:
New-ManagementScope -name <scope_name> -RecipientRestrictionFilter {RecipientType -eq "UserMailbox"}
Replace <scope_name> with the name to give the scope that covers all user mailboxes.
For example:
New-ManagementScope -name user_mailboxes -RecipientRestrictionFilter {RecipientType -eq "UserMailbox"}
NOTE
If a management scope that covers all Microsoft Exchange mailboxes already exists, then you cannot create another similar scope that covers all mailboxes. In this case, either skip the above step and use the existing scope, or else remove the current scope before creating a new one. Use the Get-ManagementScope cmdlet to retrieve the list of management scopes and the Remove-ManagementScope cmdlet to remove an existing scope.
Step 2: Create a new management role
Run the following cmdlet to create a new management role which allows the Aurea Messaging Solutions user to have impersonation rights on the previously created management scope:
New-ManagementRoleAssignment -name <role_name> -role:ApplicationImpersonation -user <impersonator> -CustomRecipientWriteScope <scope_name>
Replace the following entries with these values:
- Replace <role_name> with a friendly name for the role being assigned, for example: impersonate_role
- Replace <impersonator> with the email address of the Aurea Messaging Solutions user.
- Replace <scope_name> with the name of the scope specified in step 1 above, for example: user_mailboxes
For example:
New-ManagementRoleAssignment -name impersonate_role -role:ApplicationImpersonation -user amsuser@example.com -CustomRecipientWriteScope user_mailboxes
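The following script is an added example, not part of the AMS documentation. It carries steps 1 and 2 above through as one repeatable procedure: it reuses a scope or role assignment of the given name if one already exists (the situation the NOTE describes) instead of failing, and finishes by listing what the impersonator can now do so the result can be checked. Run it in the Exchange Management Shell; the scope name, role name and address are the placeholders used in the examples above.

```powershell
# Added example (not from the AMS documentation): create the scoped
# ApplicationImpersonation assignment from steps 1 and 2 idempotently
# and verify the outcome. Run in the Exchange Management Shell.
# The three values below are placeholders from the examples above.
$ScopeName    = 'user_mailboxes'
$RoleName     = 'impersonate_role'
$Impersonator = 'amsuser@example.com'

# Step 1: management scope covering every recipient that has a mailbox.
# Reuse an existing scope of that name rather than trying to create a
# duplicate (see the NOTE above).
$scope = Get-ManagementScope -Identity $ScopeName -ErrorAction SilentlyContinue
if ($scope) {
    Write-Output "Reusing existing scope '$ScopeName': $($scope.RecipientFilter)"
} else {
    $scope = New-ManagementScope -Name $ScopeName `
        -RecipientRestrictionFilter 'RecipientType -eq "UserMailbox"'
    Write-Output "Created scope '$ScopeName'."
}

# Step 2: role assignment giving the impersonator ApplicationImpersonation,
# limited to the scope from step 1.
$assignment = Get-ManagementRoleAssignment -Identity $RoleName -ErrorAction SilentlyContinue
if ($assignment) {
    Write-Output "Role assignment '$RoleName' already exists; not recreating it."
} else {
    $assignment = New-ManagementRoleAssignment -Name $RoleName `
        -Role 'ApplicationImpersonation' `
        -User $Impersonator `
        -CustomRecipientWriteScope $ScopeName
    Write-Output "Created role assignment '$RoleName'."
}

# Verification: show every ApplicationImpersonation assignment held by the
# impersonator, including its write scope. An entry whose
# CustomRecipientWriteScope is empty would be an unscoped (organization-wide)
# assignment and should be reviewed.
Get-ManagementRoleAssignment -RoleAssignee $Impersonator `
    -Role 'ApplicationImpersonation' |
    Format-Table Name, RoleAssigneeName, CustomRecipientWriteScope, Enabled -AutoSize
```

The check at the end is the part worth keeping: the page's two cmdlets succeed silently, and the only way to confirm that impersonation is scoped to user mailboxes rather than to the whole organization is to read the assignment back and look at its write scope.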