Which unity accts can I take off "domain admin" group after install

aamercado · ‎11-29-2010

Hi

Unity 5.X in UM mode - Which unity accts can I take off "domain admin" group after install (ie unityinstall, unityadmin, UnityMsgStoreSvc, UnityDirSVC etc..)

and if I do so, what is the impact or if I want to upgrade in the future?

Thanks

Jonathan Schulenberg · ‎11-29-2010

You're allowed to downgrade the UnityInstall account if you wish post install. Personally I just disable it until I need it again.

Everything else should stick with whatever permissions the documentation/permissions wizard assigned.

David Hailey · ‎11-30-2010

UnityInstall should be the most powerful account and is the only account that should be added to the Domain Admins group by the Permissions Wizard. This is definitely true for Exchange 200, 2003, and 2007. I've not dealt with a lot of customers on 2010 yet so this could have changed; however, I doubt it. You can verify what I'm telling you here:

http://www.ciscounitytools.com/Applications/Unity/PermissionsWizard/Unity403_411/Help/PWHelpPermissionsSet_ENU.htm

This link will tell you what permissions and group memberships are set at a high level for all the Unity service accounts.

To clarify what Jonathan said, by "downgrade" the UnityInstall account - the rule of thumb is this:

Cisco supports that you DISABLE the UnityInstall account, if desired, after an installation. This account should only be used during installation activities. However, DO NOT DELETE the account in AD. So, again - disabling the account is OK.

Hailey

Please rate helpful posts!