We use cookies on our website to ensure we provide you with the best experience on our website. By using our website, you agree to the use of cookies for analytics and personalized content.This website uses cookies. More Information
It seems like your browser didn't download the required fonts. Please revise your security settings and try again.

Barracuda PST Enterprise

PST Enterprise Permissions

  • Type: Knowledgebase
  • Date changed: 2 years ago
Solution #00007539

Scope: 

PST Enterprise, all versions

Answer:

This article outlines the permissions required by the account installing PST Enterprise as well as what permissions are given to the account (named 'PSTEnterpriseAdmin' by default) that is created during the installation process.

Account Running The Install Preparation

The account being used to run the install needs sufficient permissions to:

*Create an AD Acount/User.

*Create an AD Security Group.

*Install SQL Express (if using Barracuda configured SQL Express instance provided by PST Enterprise preinstaller) – typically local machine Administrator is required for this.

If you are using your own SQL server/instance then it will also need the details of an account that can login to the database (this is prompted for during the install).

Account That Is Created During Install Preparation

The account that the installer prep tool creates is used to run the application pool, the tool will also try to assign access to all mailboxes (see the PowerShell command below) to this account that is created – this is for when that account is being used in an file server environment to process uncoupled PST files.

When the install prep tool runs it will grant the AD account it creates rights over all Exchange mailboxes, using the following PowerShell command:

Add-ADPermission -Identity "MyExchangeOrganization" -User PSTEnterpriseAdmin -AccessRights ReadProperty,GenericExecute,ExtendedRight -ExtendedRights Receive-As,ms-Exch-Store-Visible,ms-Exch-Store-Admin 
-InheritanceType All

Where:

MyExchangeOrganization is the name of the Exchange Organization

PSTEnterpriseAdmin is the name of the AD account created during installation

Details of Changes Made During Installation

The PST Enterprise pre-installation process will create objects and grant appropriate permissions to allow smooth running of PST Enterprise. This section documents those operations so you can understand what changes it will make to your environment, and if necessary make these changes manually.

The pre-installation process will ask the user for:

*An AD account (which it will create if an existing one is not specified).

*An AD group (which it will create if an existing one is not specified).

*Details of a connection to a SQL database (it will install and use a SQL Express installation if a database connection is not given).

The product requires the following (pre-installation will establish these) on the account that is created:

*The specified AD account has Owner rights on the “PSTEnterprise” database.

*The IIS Application Pool used to run the “PST Enterprise” website is using ‘integrated pipeline’ mode.

*The IIS Application Pool has the process model identity set to the specified AD account.

*The AD account is granted ‘owner’ rights on all mailboxes in the Exchange organization, using the command listed below:

Add-ADPermission -Identity "MyExchangeOrganization" -User PSTEnterpriseAdmin -AccessRights ReadProperty,GenericExecute,ExtendedRight -ExtendedRights Receive-As,ms-Exch-Store-Visible,ms-Exch-Store-Admin -InheritanceType All

Where:

MyExchangeOrganization is the name of the Exchange Organization

PSTEnterpriseAdmin is the name of the AD account created during installation

This is only required so that the account can be used to log into any mailbox that an uncoupled PST may have been associated with, and is only used if PST Processor installations which are searching for uncoupled PSTs are run as the AD account.

Other points of interest:

*As long as the AD account has Owner rights on the “PSTEnterprise” database, when the website starts up it will create all required tables in the database. It’s not necessary to manually create any tables.

*The AD group is only required to control who is allowed to use the “PST Enterprise” website (the administrative site, not the “Self Service” site). If a user who is not a member of the AD group tries to log into the “PST Enterprise” website, they will be refused.