Re: E2k7 eventsink identity prerequisites?



You need to be careful: if a user has been assigned admin rights, they will be
denied access to any other account other than their own, so don't use the
admin user to debug, and make sure your Myserviceaccount user has been given
admin rights. I would also check the security tab of the COM+ component and
make sure that "Enforce Access Checks for this application" isn't ticked,
which could cause some of the problems you're describing. You should be able
to test the user rights assignment by trying to connect to the mailbox you
want to create the eventsink on with Outlook. If you can create an Outlook
profile and access this mailbox with your ServiceUser, then that account
should have enough rights.

Cheers
Glen

"John" <no@xxxxxxxx> wrote in message
news:u87W5t3LHHA.5104@xxxxxxxxxxxxxxxxxxxxxxx
Hi

After hours/days of trying I get to the point that my application (store
eventsink / com+) starts working a little bit on e2k7. (YES!)

I had a lot of trouble to find out what needs to be done in the command
shell to give the com+ identity sufficient permissions. I think the
following did it.

Get-mailboxserver | add-adpermission -user MyServiceAccount -accessrights GenericRead, GenericWrite -extendedrights Send-As, Receive-As, ms-Exch-Store-Admin
Get-mailboxserver | Add-MailboxPermission -user MyServiceAccount -accessrights FullAccess


It now looks like that account has the correct permissions but it still
only works when debugging! (logged on to the server with the same
MyServiceAccount as the com+ identity)

The compiled dll, called from the eventsink, errors out (access denied) at
the moment that the code wants to open a datasource using the url to the
item.
I think this is weird, because the code in debug mode works perfectly fine
while it runs with the same account as the compiled dll in the com+
package.

I CAN get the error to appear in the debugger as well when I run it as the
standard administrator so that's why I assume that there is some (more)
special permission needed for the com+ identity...


I hope anybody (Glenn are you there??) understands more of the exact
permissions needed and is willing to reply.

Thanks!
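
An added example, not part of either poster's message: one way to audit the store permissions discussed in this thread from the Exchange Management Shell. It assumes the account name MyServiceAccount from the thread and that the caller can read the ACLs on the mailbox databases; the helper Test-StoreRight is a hypothetical name introduced here.

```powershell
# Run in the Exchange Management Shell on the E2k7 mailbox server.
# 'MyServiceAccount' is the account name used in the thread; substitute your own.
$account = 'MyServiceAccount'

# Extended rights named in the thread's Add-ADPermission command.
$rightPatterns = '*Send-As*', '*Receive-As*', '*ms-Exch-Store-Admin*'

# Hypothetical helper: true when an ACE carries one of the rights above.
function Test-StoreRight($ace) {
    foreach ($pattern in $rightPatterns) {
        if ($ace.ExtendedRights -like $pattern) { return $true }
    }
    return $false
}

Get-MailboxServer | ForEach-Object {
    Get-MailboxDatabase -Server $_.Name | ForEach-Object {
        $db = $_

        # All ACEs on this database that involve the store rights of interest.
        $aces = Get-ADPermission -Identity $db.DistinguishedName |
            Where-Object { Test-StoreRight $_ }

        # Entries that name the service account directly (allow or deny),
        # showing whether each is set on the database or inherited.
        $aces | Where-Object { $_.User -like "*$account*" } |
            Select-Object @{n='Database';e={$db.Name}}, User, Deny, IsInherited, ExtendedRights

        # Deny entries for any trustee. Compare the trustees listed here with
        # the groups the service account is a member of (for example the
        # output of "whoami /groups" in a session running as that account).
        $aces | Where-Object { $_.Deny } |
            Select-Object @{n='Database';e={$db.Name}}, User, Deny, IsInherited, ExtendedRights
    }
}
```

The output is read-only: nothing is changed on the server, so it can be run before and after a permission change to confirm what actually landed on each database.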



