Re: E2k7 eventsink identity prerequisits?

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance

You need to be careful if a user has been assigned admin rights they will be
denied access to any other account other then there own so don't use the
admin user to debug and make sure you Myserviceaccount user has been given
admin rights. I would also check the security tab of the Com+ component and
make sure that the "Enforce Access Checks for this application" isn't ticked
which could cause some of the problems your describing. You should be able
to test the user rights assignment by trying to connect to the mailbox you
want to create the eventsink on with Outlook. If you can create a Outlook
profile and access this mailbox with your ServiceUser then that account
should have enough rights.

Cheers
Glen

"John" <no@xxxxxxxx> wrote in message
news:u87W5t3LHHA.5104@xxxxxxxxxxxxxxxxxxxxxxx
Hi

After hours/days of trying I get to the point that my application (store
eventsink / com+) starts working a little bit on e2k7. (YES!)

I had a lot of trouble to find out what needs to be done in the command
shell to give the com+ identity sufficient permissions. I think the
following did it.

Get-mailboxserver | add-adpermission -user MyServiceAccount -accessrights
GenericRead, GenericWrite -extendedrights Send-As, Receive-As,
ms-Exch-Store-Admin
Get-mailboxserver | Add-MailboxPermission -user
MyServiceAccount -accessrights FullAccess


It now looks like that account has the correct permissions but it still
only works when debugging! (logged on to the server with the same
MyServiceAccount as the com+ identity)

The compiled dll, called from the eventsink, errors out (access denied) at
the moment that the code wants to open a datasource using the url to the
item.
I think this is weird. because the code in debug mode works perfectly fine
while it runs with the same account as the compiled dll in the com+
package.

I CAN get the error to appear in the debugger as well when I run it as the
standard administrator so that's why I assume that there is some (more)
special permission needed for the com+ identity...


I hope anybody (Glenn are you there??) understands more of the exact
permissions needed and is willing to reply.

Thanks!




.

Relevant Pages

  • Re: Removing Local Admin Accounts - What do you think?
    ... people the necessary admin rights on the workstations, ... The local admin account poses a high risk in terms of workstations ... Does this pose a security risk to have a local administrator account on ... Is this a general best practice, from a security point of view? ...
    (Security-Basics)
  • Re: Using Same Account as both Admin and Limited User
    ... I don't think I want to make it too easy to switch the account back ... and forth between LUA and Admin rights. ... There's no time pressure to ... Well, I do buy into the whole security thing: run as a LUA account, ...
    (microsoft.public.windowsxp.security_admin)
  • Re: msn messenger hacked
    ... Admin rights were of course needed to install the keylogger ... a machine that someone with Admin rights hadn't logged off of. ... but had installed a keylogger. ... You used someone else's computer while logged on with an account that others ...
    (microsoft.public.security)
  • Re: Recovery Storage Group error: "There is no such object on the server"
    ... Could you confirm that the account that you are logged in with has Domain ... Admin rights?, if it does not give the account Domain Admin rights or logon ... > I right-click the Recovery Storage Group, select Add Database to Recover, ...
    (microsoft.public.exchange.admin)
  • Re: Logging Into Multiple Domains (not at once)
    ... local admin rights to my WinXP machine. ... First I have to login locally as admin, ... CompanyB Domain using my UserID B account, give my UserID B account local ... either network, I can't log into my laptop as either UserID A or UserID B, ...
    (microsoft.public.windowsxp.security_admin)