Domain Admin privs are closely held in our network and not available to us. We are migrating our Unity installation to a new domain on a new server with new install, admin, and service accounts.
It occurred to me that maybe we could send Permissions Wizard to one of our blessed domain admins who could run it remotely for us. Then we could proceed with the install locally.
Would this work? Or can we complete a scratch install without DA privs?
You certainly can't install from scratch without appropriate rights in the domain.
Yes, Permissions Wizard was originally designed to be used by the "god" IT user such that less divine users could carry on installing Unity properly. Over time it's been made more into a tool that we expect the person installing to run since that's the vast majority of the folks running it in the field.
So you can have the domain admin run PW and create an install account, directory facing account and message facing account for you to use during installation. The only hitch is the install has been tooled to force you to have run PW on the local box - if the domain admin runs this tool on the box for you ahead of time then you're golden (it writes this information through to the registry such that the setup knows it's cool to continue). If they run it remotely back in the crystal palace then you'll have to manually edit the registry to tell the setup to skip the PW run when you install (no, this is not TAC supported but can be done).
However the installation account needs to be able to do a few things such as creating a new OU and making some objects (i.e. the location object, distribution lists and the example admin account) that may give a conservative DA cramps - and they may not want to give control over for that. We find in most such cases the DA just needs to be present and do the installation itself.
What are the "appropriate rights in the domain"?
Can the Permissions Wizard be run without Domain Admin rights?
The account running PW will have permissions to create an OU and any other objects required, in addition to Exchange permissions.
The admins installing and maintaining Unity are not Domain Admins.
The rights needed by PW and set on account by PW are covered in the help files for PW itself - you'll find both help files on its home page (for the 4.0(3) version) here:
In the help file for Exchange 2000/3 install it says:
"Log on to the Cisco Unity server by using an account that:
· Is a member of the Domain Admins group in the domain in which the Cisco Unity server is being installed, or that has permissions equivalent to the default permissions for the Domain Admins group.
· Is either an Exchange Full Administrator or a member of the Domain Admins group in the domain that contains all of the domains from which you want to import Cisco Unity subscribers.
Caution! If you try to run Permissions Wizard using an account that has less than the default permissions for a Domain Admin, Permissions Wizard may not be able to set all of the permissions required by the installation account and the services accounts. If Permissions Wizard cannot set all of the required permissions, either the Cisco Unity installation will fail, or Cisco Unity will not run properly after it has been installed."
If you try and shoe-horn this in without using an account that's a member of the domain admins group and call TAC for help, the first thing they'll ask you to do is run PW with an account that's a member of the domain admins group. Trying to skimp out on the account rights on this first step of the install will just generally waste your time. I think you'd be better off scheduling time with the IT gods at this site to have them do this for you - it doesn't take long in most cases and then you can be on your way.
You can point them at the other help file for PW (also on its home page noted above) that shows exactly what rights will be given to which accounts by PW - I'm sure they'll want to review and approve that.
I'm in the position of having the DA run PW from another server and need to know what registry edit is needed to skip PW when installing. Any help appreciated.
The branch that needs to be there is:
There's a key that needs to be in that branch called "HasCompleted" that's a DWORD set to "1" that the preparation assistant will look for to skip it during setup.
Of course you need to be careful to select the right accounts during setup since they won't be auto selected for you as they would be if you'd run PW on the box you did the install on - same deal with picking the containers for new users and the like - just be careful.
Hi Jeff -
When we did our Unity 4.0(3) upgrade this past weekend, we had problems with the Message store configuration wizard. It complained the unityinstall account did not have Exchange Full Admin rights. We had run the 4.0(3) permissions wizard in production, but had only set the Exchange permissions at our administrative group and domain level NOT at the top organization level. The organization level is administered by a different data center group and domain, who function as the Enterprise Admins. We believed we did not need this level of permissions with 4.0(3) since we would only be importing subscribers from our own domain. After contacting them and getting the necessary Exchange permissions set and replication between our two domains, we were able to continue. They would like an explanation of why Exchange Full Admin is needed for the unityinstall account and why Exchange View is needed for unitydirsvc (we only import subscribers from AD). I know they will also ask if these permissions can be removed at the ORG level, now that we have Unity upgraded. What problems would we encounter with Unity if that was done?
Thanks for your help!