Home → LOGbinder for EX KB → Getting Started Guide → Appendix A: Assigning Permissions
2.5. Appendix A: Assigning Permissions
Exchange Administrator Roles
- Add a new administrator role group, containing the following roles:
- View-Only Audit Logs
- View-Only Configuration
- View-Only Recipients
- Audit Logs (Only needed if using the LOGbinder Mailbox Audit Policy Management wizard – See Mailbox Audit Policy Management article)
- Make the LOGbinder service account a member of this role group.
The above two steps can be achieved, for example, through the Exchange Admin Center (https://<hostname>/ecp) interface, or using an Exchange Management Shell cmdlet, such as
New-RoleGroup "LOGbinderEX" -Roles "View-Only Audit Logs", "View-Only Configuration", "View-Only Recipients", “Audit Logs” -Members "lbex_svc"
where lbex_svc is to be replaced by the name of the LOGbinder for Exchange service account.
Local Security Policy Changes
The following chart summarizes the changes to be made in the Local Security Policy. Detailed explanations are found after the chart.
|
Local Security Policy (secpol.msc) |
Windows Server 2003 |
Windows Server 2008/2012 |
|
|||
|
Security Settings |
Local Policies |
User Rights Assignment |
Log on as a service |
add service account |
add service account |
This always needs to be set and is configured during installation by the installer |
|
Generate security audits |
add service account |
add service account |
These need to be set if outputting to Windows Security log |
|||
|
Audit Policy |
Audit object access |
set Success |
N/A |
|||
|
Security Options |
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings |
N/A |
set Enabled |
|||
|
Advanced Audit Policy Configuration |
Object Access |
Audit Application Generated |
N/A |
set Success |
||
Log On as a Service
- Open the "Local Security Policy" (secpol.msc) Microsoft Management Console (MMC) snap-in.
- Select Security Settings\Local Policies\User Rights Assignment
- Open "Log on as a service" and add user
- NOTE: You can also configure this via a group policy object in Active Directory. If you try to modify this setting in Local Security Policy and the dialog is read-only, it means it is already being configured via Group Policy and you'll need to configure it from there.
Generate Security Audits (SeAuditPrivilege)
- Open the "Local Security Policy" (secpol.msc) Microsoft Management Console (MMC) snap-in.
- Select Security Settings\Local Policies\User Rights Assignment
- Open "Generate security audits" and add user
- NOTE: You can also configure this via a group policy object in Active Directory. If you try to modify this setting in Local Security Policy and the dialog is read-only, it means it is already being configured via Group Policy and you'll need to configure it from there.
Audit Policy
Windows Server 2003
- Open the "Local Security Policy" (secpol.msc) Microsoft Management Console (MMC) snap-in.
- Select Security Settings\Local Policies\Audit Policy
- Edit "Audit object access," ensuring that "Success" is enabled. (LOGbinder for Exchange does not require that the "Failure" option be enabled.)
- NOTE: You can also configure this via a group policy object in Active Directory. If you try to modify this setting in Local Security Policy and the dialog is read-only, it means it is already being configured via Group Policy and you'll need to configure it from there.
Windows Server 2008/2012
Audit policy can be configured with the original top level categories as described above for Windows 2003 but most environments have migrated to the new more granular audit sub-categories available in Windows 2008 aka (Advanced Audit Policy).
Using Advanced Audit Policy Configuration allows for more granular control of the number and types of events that are audited on the server. (NOTE: The steps described here are for Windows Server 2008 R2; see TechNet for information on earlier releases.)
- First, ensure that ‘basic’ and ‘advanced’ audit policy settings are not used at the same time:
- Microsoft gives this warning: “Using both the basic audit policy settings under Local Policies\Audit Policy and the advanced settings under Advanced Audit Policy Configuration can cause unexpected results. Therefore, the two sets of audit policy settings should not be combined. If you use Advanced Audit Policy Configuration settings, you should enable the Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings policy setting under Local Policies\Security Options. This will prevent conflicts between similar settings by forcing basic security auditing to be ignored.” (http://technet.microsoft.com/en-us/library/dd692792(WS.10).aspx)
- Select Security Settings\Local Policies\Security Options
- Open and enable “Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings”
- To enable LOGbinder events to be sent to the security log:
- Select Security Settings\Advanced Audit Policy Configuration\Object Access
- Edit “Audit Application Generated,” ensuring that “Success” is enabled. (LOGbinder for Exchange does not require that the “Failure” option be enabled.)
- NOTE: You can also configure this via a group policy object in Active Directory.