2.5 Permissions for Discovering Exchange Server Resources

Before discovering and monitoring Exchange Server resources, ensure that the user account running the AppManager agent service (netiqmc) has the following memberships and permissions:

  • Membership in the Exchange View-Only Administrators group (for Exchange Server 2007)

  • Membership in the View-Only Organization Management group (for Exchange Server 2010 or later)

  • Membership in the Local Administrators group on the Exchange Server

  • Permission to access the File Share Witness folder

In addition to the minimum permissions required for any role, the following Exchange Server roles and components require additional permissions:

Client Access Server role

Exchange Server 2007:

  • Membership in the Exchange Server Administrators group

Exchange Server 2010 or later:

  • Membership in Server Management group

  • Membership in the Organization Management group

Edge Transport Server role

Exchange Server 2007:

  • Membership in the Exchange Server Administrators group

Exchange Server 2010 or later:

  • Membership in Server Management group

Hub Transport Server role

Exchange Server 2007:

  • Membership in the Exchange Organization Administrators group

  • Membership in the Builtin\Administrators group on the Active Directory server

Exchange Server 2010 or later:

  • Membership in the Organization Management Group

  • Membership in the Builtin\Administrators group on the Active Directory server

Mailbox Server role

Exchange Server 2007:

  • Membership in the Exchange Server Administrators group

  • Membership in the Exchange Recipient Administrators group

Exchange Server 2010 or later:

  • Membership in Server Management group

  • Membership in Recipient Management group

  • Membership in the Organization Management group

Unified Messaging Server role

Exchange Server 2007:

  • Membership in the Exchange Server Administrators group, for support for the UMS_Connectivity Knowledge Script

Exchange Server 2010 or later:

  • Membership in Server Management group, for support for the UMS_Connectivity Knowledge Script

Exchange Best Practices Analyzer tool (for all Exchange Server roles)

Exchange Server 2007:

  • Designation as the Domain Administrator, or membership in the Builtin\Administrators group on the Active Directory server, for enumerating the Active Directory information and calling the Microsoft Windows Management Instrumentation (WMI) providers on the domain controller and global catalog servers.

  • Membership in the Local Administrators group on each Exchange server for calling the WMI providers and accessing the registry and the metabase

  • Delegation for at least Exchange View-Only Permissions on the Exchange organization

Exchange Server 2010 or later:

  • Designation as the Domain Administrator, or membership in the Builtin\Administrators group on the Active Directory server, for enumerating the Active Directory information and calling the Microsoft Windows Management Instrumentation (WMI) providers on the domain controller and global catalog servers

  • Membership in the Local Administrators group on each Exchange server for calling the WMI providers and accessing the registry and the metabase

  • Delegation for at least View-Only Organization Management Permissions on the Exchange organization

Directory Server

  • Membership in the Local Administrators group on the local computer

  • Delegation for at least Exchange View-Only Permissions

  • Delegation for at least Exchange View-Only Permissions
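
The following audit script is an added example, not part of the product documentation: it compares the agent service account's Active Directory group memberships with the Exchange Server 2010 or later groups listed in this section, reporting required groups that are missing and listed groups the installed roles do not call for. The parameter names and role keys are hypothetical, and it assumes that the Windows service name is netiqmc and that the groups resolve in the current domain.

```powershell
# Added example: compare the agent service account's AD group memberships with
# the Exchange Server 2010-or-later groups listed above. Needs the ActiveDirectory
# module (RSAT) and Windows PowerShell 3.0 or later.
param(
    [string[]]$Roles = @('Mailbox'),   # hypothetical role keys, see $perRole
    [string]$Account                   # sAMAccountName; read from the service if omitted
)
Import-Module ActiveDirectory

if (-not $Account) {
    # Assumption: netiqmc is the Windows service name and it runs as DOMAIN\name
    $svc = Get-CimInstance Win32_Service -Filter "Name='netiqmc'"
    if (-not $svc) { throw 'Service netiqmc not found; pass -Account instead.' }
    $Account = ($svc.StartName -split '\\')[-1]
}

# Groups per role, copied from the 2010-or-later entries on this page.
# 'Administrators' is Builtin\Administrators in the domain.
$perRole = @{
    ClientAccess     = @('Server Management', 'Organization Management')
    EdgeTransport    = @('Server Management')
    HubTransport     = @('Organization Management', 'Administrators')
    Mailbox          = @('Server Management', 'Recipient Management', 'Organization Management')
    UnifiedMessaging = @('Server Management')
}
$required = @('View-Only Organization Management')   # needed for every role
foreach ($r in $Roles) {
    if (-not $perRole.ContainsKey($r)) { throw "Unknown role key: $r" }
    $required += $perRole[$r]
}

# Check every group named above, so memberships the installed roles do not need show up too
$allGroups = (@($required) + @($perRole.Values | ForEach-Object { $_ })) | Select-Object -Unique
foreach ($g in $allGroups) {
    # -Recursive resolves nested groups down to the accounts they contain
    $isMember = [bool](Get-ADGroupMember -Identity $g -Recursive |
        Where-Object { $_.SamAccountName -eq $Account })
    $isNeeded = $required -contains $g
    if ($isNeeded) { $status = if ($isMember) { 'OK' } else { 'MISSING' } }
    else           { $status = if ($isMember) { 'NOT REQUIRED' } else { 'not a member' } }
    [pscustomobject]@{ Group = $g; Member = $isMember; Required = $isNeeded; Status = $status }
}
```

A NOT REQUIRED row marks a membership that the selected roles do not call for in this section. The script does not check the Local Administrators group or the File Share Witness folder permission.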