
Active Roles 8.2.1 - Installation Guide


Configuring the Administration Service account

When installing the Administration Service, you are prompted for the name and password of the Administration Service account, that is, the account the Administration Service logs on as. This account must have sufficient permissions to:

  • Gain administrative access to the computer running the Administration Service.

  • Publish the Administration Service in Active Directory.

  • Access any managed domain for which an override account is not specified.

NOTE: When registering a domain with Active Roles, you can specify an override account. If you specify an override account, the Administration Service uses the override account rather than the service account to access the domain.

Access to managed domains

Active Roles access to a domain is limited by the access rights of the service account, or of the override account if one is specified. For all managed domains with no override account specified, configure the service account to have the permissions you want Active Roles to have in those domains. If you use an override account when registering a domain with Active Roles, ensure that the override account (rather than the service account) has these permissions for the domain. In addition, the service account (or the override account, if any) must have the Read Permissions and Modify Permissions rights on the Active Directory objects and containers where you are planning to use the Active Roles security synchronization feature.

For more information, see Minimum required permissions for the Active Roles service account.

Configuring access to Exchange organizations

To manage Exchange recipients on Exchange Server 2019 or 2016, the service account or the override account must be configured to have sufficient rights in the Exchange organization. If an override account is not used, the rights must be delegated to the service account; otherwise, they must be delegated to the override account.

To configure the service account or the override account

  1. Add the account to the Recipient Management role group.

    For instructions for Exchange 2019, see Add Members to a Role Group in the Microsoft Exchange Server 2019 documentation.

  2. Add the account to the Account Operators domain security group.

  3. Enable the account to use remote Exchange Management Shell.

    For instructions for Exchange 2019, see Use the Exchange Management Shell to enable or disable remote access for a user in the Microsoft Exchange PowerShell documentation.

  4. Ensure that the account can read Exchange configuration data. For more information, see Configuring the permission to read Exchange configuration data.

  5. Restart the Administration Service after you have changed the configuration of the account: Start Active Roles Configuration Center, go to the Administration Service page in the Configuration Center main window, then click the Restart button at the top of the Administration Service page.

    NOTE:

    • For instructions for Exchange 2016 and 2019, see the relevant pages in the Microsoft Exchange documentation.

    • The Active Roles service account must be a member of the Recipient Management group to run Exchange hybrid commands.

    The Exchange 2016 management tools are not required on the computer running the Administration Service.
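Steps 1 through 3 of the procedure above can also be applied and then verified from the Exchange Management Shell. This is an added example, not part of the original guide: the account name `svc-activeroles` is a placeholder, and the session is assumed to have the ActiveDirectory module available.

```powershell
# Run in the Exchange Management Shell by an administrator who can change
# role group and domain group membership.
Import-Module ActiveDirectory

# Assumption: placeholder sAMAccountName. Use the service account, or the
# override account if one is registered for the domain.
$sam  = 'svc-activeroles'
$user = Get-User -Identity $sam

# Step 1: Recipient Management role group (added only if not already a member).
$inRoleGroup = Get-RoleGroupMember -Identity 'Recipient Management' |
    Where-Object { $_.DistinguishedName -eq $user.DistinguishedName }
if (-not $inRoleGroup) {
    Add-RoleGroupMember -Identity 'Recipient Management' -Member $sam
}

# Step 2: Account Operators domain security group.
$inAcctOps = Get-ADGroupMember -Identity 'Account Operators' |
    Where-Object { $_.SamAccountName -eq $sam }
if (-not $inAcctOps) {
    Add-ADGroupMember -Identity 'Account Operators' -Members $sam
}

# Step 3: remote Exchange Management Shell access.
if (-not $user.RemotePowerShellEnabled) {
    Set-User -Identity $sam -RemotePowerShellEnabled $true
}

# Re-read the state from the directory and report it, so the result can be
# kept as a record of what the account was granted.
$user = Get-User -Identity $sam
[pscustomobject]@{
    Account              = $user.DistinguishedName
    RecipientManagement  = [bool](Get-RoleGroupMember -Identity 'Recipient Management' |
                               Where-Object { $_.DistinguishedName -eq $user.DistinguishedName })
    AccountOperators     = [bool](Get-ADGroupMember -Identity 'Account Operators' |
                               Where-Object { $_.SamAccountName -eq $sam })
    RemotePowerShell     = $user.RemotePowerShellEnabled
}
```

Steps 4 and 5 (read access to Exchange configuration data and the Administration Service restart) are still performed as described in the procedure.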

Configuring the permission to read Exchange configuration data

To perform Exchange recipient management tasks, Active Roles requires read access to Exchange configuration data in Active Directory. This requirement is met if the service account (or the override account, if specified) has administrator rights (for example, is a member of the Domain Admins or Organization Management group). Otherwise, give the account the Read permission in the Microsoft Exchange container. You can do this by using the ADSI Edit console that ships with all Windows Server versions officially supported by Active Roles.

To give Read permission to Exchange configuration data

  1. Open the ADSI Edit console and connect to the Configuration naming context.

  2. In the ADSI Edit console, navigate to the Configuration > Services container, right-click Microsoft Exchange in that container, and then click Properties.

  3. On the Security tab in the Properties dialog that appears, click Advanced.

  4. On the Permissions tab in the Advanced Security Settings dialog, click Add.

  5. On the Permission Entry page, configure the permission entry:

    1. Click the Select a principal link, and select the desired account.

    2. Verify that the Type box indicates Allow.

    3. Verify that the Applies onto box indicates This object and all descendant objects.

    4. In the Permissions area, select the List contents and Read all properties check boxes.

    5. Click OK.

  6. To close the Advanced Security Settings dialog, click OK. Then, to close the Properties dialog, click OK again.
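The same permission entry can be set and audited from PowerShell instead of ADSI Edit. This is an added example, not part of the original guide: it assumes the ActiveDirectory module, an operator allowed to modify the container's ACL, and the placeholder account `CONTOSO\svc-activeroles`.

```powershell
Import-Module ActiveDirectory   # also provides the AD: drive used below

# Assumption: placeholder account; replace with the service or override account.
$account = 'CONTOSO\svc-activeroles'
$sid = ([System.Security.Principal.NTAccount]$account).Translate(
           [System.Security.Principal.SecurityIdentifier])

# Configuration > Services > Microsoft Exchange, as navigated to in step 2.
$configNC = (Get-ADRootDSE).configurationNamingContext
$path     = "AD:\CN=Microsoft Exchange,CN=Services,$configNC"

# "List contents" = ListChildren, "Read all properties" = ReadProperty.
# Inheritance "All" = This object and all descendant objects.
$rights = [System.DirectoryServices.ActiveDirectoryRights]'ListChildren, ReadProperty'
$rule   = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
              $sid, $rights,
              [System.Security.AccessControl.AccessControlType]::Allow,
              [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

$acl = Get-Acl -Path $path
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# Audit: list the explicit entries for the account on this container and flag
# any right beyond the two that the procedure calls for.
(Get-Acl -Path $path).Access |
    Where-Object {
        -not $_.IsInherited -and
        $_.IdentityReference.Translate(
            [System.Security.Principal.SecurityIdentifier]) -eq $sid
    } |
    ForEach-Object {
        $extra = [int]$_.ActiveDirectoryRights -band (-bnot [int]$rights)
        [pscustomobject]@{
            Type        = $_.AccessControlType
            Rights      = $_.ActiveDirectoryRights
            Inheritance = $_.InheritanceType
            ExtraRights = [System.DirectoryServices.ActiveDirectoryRights]$extra
        }
    }
```

An `ExtraRights` value of `0` on every row means the account holds only the two read rights on the container through explicit entries; rights inherited from parent containers or granted through group membership are not covered by this check.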
