
Unity 4.0(5) - GrantUnityAccess Tool

brian-henry
Level 4

What minimum rights does a person need on a Unity server box to run the GrantUnityAccess Tool?

I know as a local admin it works great, but I would like to make other individuals perform this task but not be a local admin. Are there specific rights I can give them as part of a local group, let's say "HelpDesk", which do not have admin rights but just enough to run this tool?

Thanks in Advance

Brian


kechambe
Level 7

File level read and execute rights. However, if this is UM (or VM connecting org's AD) I very much caution against allowing people you wouldn't want to have local admin rights on Unity server to log on. Unity has a lot of permissions within a network and a knowledgeable user could potentially use its functionality for malicious purposes. Only fully trusted Administrators should be allowed to log in to a Unity server.

Thanks,

Keith

Thanks for the reply, but we tested it out with the user as a "Power User" and it did not work.

This was a request of a site and I warned them ahead of time of not just giving anyone rights. However, the admins think that resetting VM passwords is below them and they are running in VM only but do not want to give the user the right to go to ciscopca.

Thanks for all your assistance

Brian

The user will also need access to SQL Server (which you can configure via Enterprise Manager), but you would want to be careful about that since this would give someone the ability to read/write any of the Unity data.

- Matt

Hi Brian -

On the Unity server, create a class of service that allows the admins to reset user passwords. We do this for our Help Desk. In the COS System Access page, uncheck the boxes you don't want the admins to have access to and check the box under Subscriber Access that says "Can unlock subscriber accounts and change passwords". When they go to the Unity SA http://Unityservername/web/sa, all they see is what the COS allows them to see. Once you create the COS, go to each admin subscriber and change it on the Profile Page.

Ginger

Thanks Ginger for your response which I used a bunch of times.

Scenario:

This is a VM only system which the VM sits in its own domain while the real users sit in another, but the same forest.

The problem is that the Unity Admins Tier II admins want to use their regular login IDs, as well as helpdesk, to get into Web/Sa to do their stuff. That is not a problem for the Unity admins nor helpdesk. Except that there are a lot of people floating in and out of the helpdesk positions. Security is of the utmost importance and no bogus accounts are made because of strict policies.

Therefore the Unity Admins do not want to spend their time using the GrantUnityAccess Tool to associate domain B's accounts with Domain A's subscribers. (Freakin Lazy!).

So they want the helpdesk personnel to be able to use the GrantUnityAccess tool so they can do it themselves.

I guess the Admins have been watching too much "Office Space" and do not want to work anymore.

Thanks for your reply though.

Brian