
2.5. Appendix A: Assigning Permissions

Exchange Administrator Roles

  1. Add a new administrator role group, containing the following roles:
    • View-Only Audit Logs
    • View-Only Configuration
    • View-Only Recipients
    • Audit Logs (Only needed if using the LOGbinder Mailbox Audit Policy Management wizard – See Mailbox Audit Policy Management article)
  2. Make the LOGbinder service account a member of this role group.

The two steps above can be performed, for example, through the Exchange Admin Center (https://<hostname>/ecp) interface, or with an Exchange Management Shell cmdlet such as:

New-RoleGroup "LOGbinderEX" -Roles "View-Only Audit Logs", "View-Only Configuration", "View-Only Recipients", "Audit Logs" -Members "lbex_svc"

where lbex_svc is to be replaced by the name of the LOGbinder for Exchange service account.

Local Security Policy Changes

The following chart summarizes the changes to be made in the Local Security Policy. Detailed explanations are found after the chart.

Local Security Policy (secpol.msc) settings summary

| Policy path | Setting | Windows Server 2003 | Windows Server 2008/2012 | Notes |
| --- | --- | --- | --- | --- |
| Security Settings > Local Policies > User Rights Assignment | Log on as a service | add service account | add service account | This always needs to be set and is configured during installation by the installer |
| Security Settings > Local Policies > User Rights Assignment | Generate security audits | add service account | add service account | These need to be set if outputting to Windows Security log |
| Security Settings > Local Policies > Audit Policy | Audit object access | set Success | N/A | |
| Security Settings > Local Policies > Security Options | Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings | N/A | set Enabled | |
| Security Settings > Advanced Audit Policy Configuration > Object Access | Audit Application Generated | N/A | set Success | |

Log On as a Service 

(this is configured by the installer during installation) 

Generate Security Audits (SeAuditPrivilege)

Audit Policy

Windows Server 2003

Windows Server 2008/2012

Audit policy can be configured with the original top-level categories, as described above for Windows 2003, but most environments have migrated to the newer, more granular audit subcategories available in Windows 2008 (also known as Advanced Audit Policy).

Using Advanced Audit Policy Configuration allows for more granular control of the number and types of events that are audited on the server. (NOTE: The steps described here are for Windows Server 2008 R2; see TechNet for information on earlier releases.)
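To confirm that the settings in the Windows Server 2008/2012 column of the chart above are actually in effect, a read-only check such as the following can be run. This is an added example, not LOGbinder's own code; the account name CONTOSO\lbex_svc is a placeholder, and the script assumes an English-language OS and an elevated PowerShell prompt.

```powershell
# Added example (not LOGbinder code): read-only check of the
# "Windows Server 2008/2012" column. Run elevated on the LOGbinder server.
param([string]$ServiceAccount = 'CONTOSO\lbex_svc')   # placeholder account name

# secedit exports most accounts as *<SID>, so resolve the account first.
$nt  = New-Object System.Security.Principal.NTAccount($ServiceAccount)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Export only the user-rights area of the local security policy.
$inf = Join-Path $env:TEMP 'lbex-user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$rights = Get-Content $inf
Remove-Item $inf

function Test-UserRight([string]$Right) {
    # Direct assignment only; a right inherited through a group is not detected.
    $line = $rights | Where-Object { $_ -match "^$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return $false }
    $holders = ($line -split '=', 2)[1] -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') }
    $short = ($ServiceAccount -split '\\')[-1]
    return [bool](($holders -contains $sid) -or
                  ($holders -contains $ServiceAccount) -or
                  ($holders -contains $short))
}

# "Audit: Force audit policy subcategory settings..." is stored in this LSA value.
$lsa   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$force = $lsa.SCENoApplyLegacyAuditPolicy -eq 1

# /r prints CSV; the subcategory name assumes an English-language OS.
$row = auditpol /get /subcategory:"Application Generated" /r |
    Where-Object { $_ } | ConvertFrom-Csv
$appGenerated = $row.'Inclusion Setting' -match 'Success'

# Report each setting from the chart as True (configured) or False (missing).
$fmt = '{0,-48} {1}'
$fmt -f 'Log on as a service',                    (Test-UserRight 'SeServiceLogonRight')
$fmt -f 'Generate security audits',               (Test-UserRight 'SeAuditPrivilege')
$fmt -f 'Force audit policy subcategory settings', $force
$fmt -f 'Audit Application Generated (Success)',  $appGenerated
```

A False on any of the last three lines only matters when LOGbinder outputs to the Windows Security log, as the chart notes.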
