Accounts and Permissions

This article outlines the permissions required by the account installing PST Enterprise as well as what permissions are given to the account (named 'PSTEnterpriseAdmin' by default) that is created during the installation process.

Account Running the Install Preparation

The account being used to run the installation must have sufficient permissions to:

  • Create an Active Directory (AD) Account/User;
  • Create an AD Security Group; and
  • Install SQL Express (if using C2C SQL Express) – typically local machine Administrator is required for this.

If you are using your own SQL server/instance, the installation will also need the details of an account that can log in to the database (a prompt will display during the installation).

Account Created During Install Preparation

The account that the install prep tool creates is used to run the application pool. The tool will also try to assign this account access to all mailboxes (see the PowerShell command below); this is for when the account is used in a file server environment to process uncoupled PST files.

When the install prep tool runs it will grant the AD account it creates rights over all Exchange mailboxes, using the following PowerShell command:

Add-ADPermission -Identity "MyExchangeOrganization" -User PSTEnterpriseAdmin -AccessRights ReadProperty,GenericExecute,ExtendedRight -ExtendedRights Receive-As,ms-Exch-Store-Visible,ms-Exch-Store-Admin -InheritanceType All

Where:

MyExchangeOrganization is the name of the Exchange Organization, and PSTEnterpriseAdmin is the name of the AD account created during installation.

Details of Changes Made During Installation

The PST Enterprise pre-installation process creates objects and grants appropriate permissions to allow smooth running of PST Enterprise. This section documents those operations so you can understand what changes it will make to your environment, and if necessary make these changes manually.

The pre-installation process asks the user for:

  • An AD account (which it creates if an existing one is not specified).
  • An AD group (which it creates if an existing one is not specified).
  • Details of a connection to a SQL database (it will install and use a SQL Express installation if a database connection is not given).

The product requires the following (pre-installation will establish these) on the account that is created:

  • The specified AD account has Owner rights on the "PSTEnterprise" database.
  • The IIS Application Pool used to run the "PST Enterprise" website is using 'integrated pipeline' mode.
  • The IIS Application Pool has the process model identity set to the specified AD account.
  • The AD account is granted 'owner' rights on all mailboxes in the Exchange organization, using the command listed below:

Add-ADPermission -Identity "MyExchangeOrganization" -User PSTEnterpriseAdmin -AccessRights ReadProperty,GenericExecute,ExtendedRight -ExtendedRights Receive-As,ms-Exch-Store-Visible,ms-Exch-Store-Admin -InheritanceType All

Where:

MyExchangeOrganization is the name of the Exchange Organization and PSTEnterpriseAdmin is the name of the AD account created during installation.

This is only required so that the account can be used to log into any mailbox that an uncoupled PST may have been associated with, and is only used if PST Processor installations which are searching for uncoupled PSTs are run as the AD account.
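One way to check that the account holds the rights in the command above and nothing more, as an added example that is not part of this article's product or tooling: `Test-PstAdminGrant`, the `CONTOSO` domain and the sample ACEs are hypothetical, and it assumes Get-ADPermission reports rights under the same names the command uses.

```powershell
# Rights named in the Add-ADPermission command on this page.
$ExpectedAccess   = 'ReadProperty', 'GenericExecute', 'ExtendedRight'
$ExpectedExtended = 'Receive-As', 'ms-Exch-Store-Visible', 'ms-Exch-Store-Admin'

function Test-PstAdminGrant {
    # Hypothetical helper (not part of PST Enterprise): compares the allow ACEs
    # held by the service account with the documented grant.
    param(
        [Parameter(Mandatory = $true)] [object[]] $Ace,
        [string] $Account = 'PSTEnterpriseAdmin'
    )
    # Keep allow ACEs for the account, with or without a DOMAIN\ prefix.
    $mine = @($Ace | Where-Object {
        -not $_.Deny -and ("$($_.User)" -split '\\')[-1] -eq $Account })

    # A flags value may render as "ReadProperty, GenericExecute", so split on commas.
    $access = @($mine | ForEach-Object { $_.AccessRights } |
        ForEach-Object { "$_" -split '\s*,\s*' } | Where-Object { $_ })
    $extended = @($mine | ForEach-Object { $_.ExtendedRights } |
        ForEach-Object { "$_" } | Where-Object { $_ })

    $granted  = @($access + $extended | Sort-Object -Unique)
    $expected = $ExpectedAccess + $ExpectedExtended
    [pscustomobject]@{
        Account    = $Account
        Missing    = @($expected | Where-Object { $_ -notin $granted })
        Unexpected = @($granted  | Where-Object { $_ -notin $expected })
        Inherited  = @($mine | Where-Object { $_.IsInherited }).Count
    }
}

# Constructed sample ACEs shaped like Get-ADPermission output (assumed domain CONTOSO).
# The second entry is an extra grant that the documented command does not include.
$sample = @(
    [pscustomobject]@{ User = 'CONTOSO\PSTEnterpriseAdmin'; Deny = $false; IsInherited = $false
        AccessRights = 'ReadProperty', 'GenericExecute', 'ExtendedRight'
        ExtendedRights = 'Receive-As', 'ms-Exch-Store-Visible', 'ms-Exch-Store-Admin' }
    [pscustomobject]@{ User = 'CONTOSO\PSTEnterpriseAdmin'; Deny = $false; IsInherited = $false
        AccessRights = 'ExtendedRight'; ExtendedRights = 'Send-As' }
)
Test-PstAdminGrant -Ace $sample | Format-List

# In the Exchange Management Shell, audit the live grant instead:
# Test-PstAdminGrant -Ace (Get-ADPermission -Identity "MyExchangeOrganization" -User PSTEnterpriseAdmin)
```

An entry under Unexpected is a grant beyond the documented command and is worth reviewing; Missing lists rights the install prep tool did not manage to assign.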

Other points of interest:

  • As long as the AD account has Owner rights on the PSTEnterprise database, when the website starts up it creates all required tables in the database. It is not necessary to manually create any tables.
  • The AD group is only required to control who is allowed to use the PST Enterprise website (the administrative site, not the Self Service site). If a user who is not a member of the AD group tries to log into the PST Enterprise website, they are refused.