Re: Incoming E-Mail - cant create contact in OU



I've tried that, LOL. It was my sincerest hope that the content database
account/app pool for the web app didn't need to be a local admin on the
server (never mind be a domain admin), but that wasn't the case. Seriously,
the central admin app pool/farm account needs rights if you are going to be
deleting things, but that app pool for the web app that will be doing DMS
has to have the right to run things on the SharePoint server in order for it
to work.

Heck, for months just like Paul, I was running the app pool as a domain
admin because I *had* to get it to work. But in the meantime, I was trying
to figure out how to run it at a lower security level. I mean, c'mon,
Microsoft wouldn't purposely break their own security best practices by
requiring the app pool for each web app using DMS have elevated privileges,
would they? ; ) And the truth is, the account at least doesn't need to be a
domain admin, but it does need to be a local admin.

I found out about the farm account the same way. Originally, in Nov. 2006,
the documentation (which was even more scanty than it is now) gave the
impression that you needed only the app pool to be delegated control of the
OU for DMS to work. Imagine my surprise the first time I tried to remove
the distribution list on a SharePoint group and got told that I couldn't. ?!
It turned out that that was the domain of the central admin pool/farm
account and therefore it needed access to the OU.

Personally I feel that this has been a woefully underdocumented feature of
WSS (and for a good reason probably).

-callahan
"Daniel Bugday" <itkonsult@xxxxxxxxx> wrote in message
news:BCD88E61-DBC1-4326-8B59-175A7EF014CC@xxxxxxxxxxxxxxxx
Paul,
I think you have to follow callahan's suggestion of adding the account to
the local admin group of that server.

Could you try one other thing...

Try to delegate permission to the account which is running the IIS pool
for the central administration site without adding to admin group and then
do an IISReset.

/Daniel Bugday

"callahan" <cacallahan@xxxxxxxxxxxxxxxxxxx> wrote in message
news:%23NTN2SR7HHA.4436@xxxxxxxxxxxxxxxxxxxxxxx
The application pool account, in my experience, must be a local admin of
the SharePoint server that is doing incoming email and hosting DMS. Also
the account must have those permissions to all the child objects for that
OU as well.

In addition, if you are going to do approval for the groups, I found that
I had to give the farm account rights to the OU as well in order to be
able to delete a group. Please let me know if that is the case for you.

Frankly, I am impressed. I personally have never gotten it to work with
Exchange 2007.

-callahan
"Paul" <Paul@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:E9308C36-1A8C-4071-93EB-BAB58A0C7DD8@xxxxxxxxxxxxxxxx
Running Windows 2003 R2 AD, Exchange 2007 and WSS 3.0.

I have WSS website application pool running as a domain user account, not
network service.
I created an OU called Sharepoint and delegated rights to this user account
(Create, delete and manage user accounts + Read All User Information).

When I create a site and attempt to enable email, it gives me "Error in the
application. "

However, to prove it's a permission issue, I then added this website
application pool account to domain admins, rebooted my WSS to be sure and
tried again - now it works! Obviously I don't want to run this as domain
admin, so removal of domain admin kills the ability to add email.

There must be other AD OU permissions that are not listed in the Microsoft
instructions to make this work, but what?
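
Added example, not part of the thread or of any poster's message: one way to review what an app pool or farm account has actually been delegated on the OU, and whether it is still in Domain Admins after troubleshooting. It assumes the ActiveDirectory PowerShell module is available; the OU distinguished name and account name are placeholders.

```powershell
# Added example: audit a service account's delegation on an OU.
# Assumptions (not from the thread): ActiveDirectory module installed;
# $OuDn and $Account are placeholder values to be replaced.
Import-Module ActiveDirectory

$OuDn    = 'OU=Sharepoint,DC=example,DC=com'   # placeholder DN
$Account = 'EXAMPLE\svc-wss-apppool'           # placeholder account

# schemaIDGUIDs of the object classes discussed in the thread
# (user accounts, distribution groups, contacts).
$ClassNames = @{
    'bf967aba-0de6-11d0-a285-00aa003049e2' = 'user'
    'bf967a9c-0de6-11d0-a285-00aa003049e2' = 'group'
    '5cb41ed0-0e4c-11d0-a286-00aa003049e2' = 'contact'
    '00000000-0000-0000-0000-000000000000' = '(any)'
}

# Every ACE on the OU that names the account, with class GUIDs resolved.
# For CreateChild/DeleteChild rights, ObjectType is the class that may be
# created or deleted; for property rights it is an attribute or property set.
$aces = (Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $_.IdentityReference.Value -eq $Account } |
    ForEach-Object {
        $guid = $_.ObjectType.ToString()
        [pscustomobject]@{
            Type        = $_.AccessControlType
            Rights      = $_.ActiveDirectoryRights
            ObjectType  = if ($ClassNames.ContainsKey($guid)) { $ClassNames[$guid] } else { $guid }
            Inheritance = $_.InheritanceType
            Inherited   = $_.IsInherited
        }
    }
$aces | Format-Table -AutoSize

# Flag a leftover Domain Admins membership (direct or nested).
$sam = $Account.Split('\')[-1]
$inDomainAdmins = [bool](Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.SamAccountName -eq $sam })
"{0} is a member of Domain Admins: {1}" -f $Account, $inDomainAdmins
```

Run it once for the web application's app pool account and once for the central administration/farm account, since the thread reports that each needs its own rights on the OU.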




