Microsoft KB Archive Search

Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

  1. Home
  2. Required Cluster service account permissions are different in Exchange 2000 Server and Exchange Server 2003

Required Cluster service account permissions are different in Exchange 2000 Server and Exchange Server 2003

View products that this article applies to.

Summary

This informational article discusses how Exchange 2000 Server and Exchange Server 2003 differ in the permissions that you must have to create, to delete, or to modify Exchange virtual servers successfully. In Exchange 2000 Server, the Exchange Full Administrator permission must be assigned to the Cluster service account. In Exchange Server 2003, the Exchange Full Administrator permission must be assigned to the administrator who is creating the Exchange virtual server.

↑ Back to the top

More information

The Exchange 2000 Resource Creation Process

On Exchange 2000 Server, the Microsoft Windows 2000 Server Cluster service requires that the Exchange Full Administrator permission be granted to the Cluster service account at the organization level of the first Exchange virtual server in the organization.

Note On additional Exchange virtual servers, the Exchange Full Administrator permission is required on the Administrative Group.

In Exchange 2000 Server, an Exchange virtual server is created as follows:
  1. The DOMAIN\Administrator user logs in and starts Cluster Administrator (Cluadmin.exe).

    Note Cluadmin.exe is run as the currently logged in user (DOMAIN\Administrator).
  2. The Administrator tries to create a new Exchange System Attendant resource. The Excluadmin.dll process gathers information from the Microsoft Active Directory directory service to create the resource, including the organization name and the administrative group name.

    Note For this process to succeed, the DOMAIN\Administrator user requires permissions to read from the configuration partition of Active Directory.
  3. The Excluadmin.dll process then passes the information it has collected to the Exres.dll process.

    Note Exres.dll is the Exchange resource .dll file. Exres.dll runs in the Resource Monitor process in the context of the Cluster service account.
  4. Exres.dll then loads Exsetdata.dll to create the Active Directory objects.

    Note Exsetdata.dll also runs in the Resource Monitor process.
  5. Exsetdata.dll then creates the required Active Directory objects. Because Exsetdata.dll runs in the context of the Cluster service account, this account requires Exchange Full Administrator permissions to successfully create the Active Directory objects.

In Exchange Server 2003, when you create a new Exchange virtual server the Microsoft Windows 2000 Server Cluster service account no longer has to have the Exchange Full Administrator permission. In Exchange Server 2003, an Exchange virtual server is created as follows:
  1. The DOMAIN\Administrator user logs in and starts Cluster Administrator (cluadmin.exe).

    Note Cluadmin.exe is run as the user who is currently logged on (DOMAIN\Administrator).
  2. The Administrator tries to create a new Exchange System Attendant resource. The Excluadmin.dll process will gather information from Active Directory to create the resource, including the organization name and the administrative group name.

    Note For this process to succeed, the DOMAIN\Administrator user requires permissions to read from Active Directory.
  3. The Excluadmin.dll process then loads the Exsetdata.dll process directly.

    Note Exsetdata.dll runs in the same process as Excluadmin.dll, and therefore uses the same context (DOMAIN\Administrator).
  4. Exsetdata.dll then creates the required Active Directory objects. Because Exsetdata.dll runs in the context of the DOMAIN\Administrator account, this account requires Exchange Full Administrator permissions to successfully create the Active Directory objects.

Post-Upgrade Permissions


After you upgrade your Exchange 2000 virtual server to an Exchange Server 2003 virtual server, the permissions for the Cluster service account can be removed from the organization and from the administrative group. These permissions can be removed using Delegation of Control Wizard.

Warning If the account is still used by other Exchange 2000 clusters, leave the permissions until all the servers have been upgraded to Exchange Server 2003.

For reference, the Cluster service account must have the following permissions to create an Exchange 2000 virtual server on a Windows 2000 cluster:
  • The Cluster service account requires Local Administrator permission on each node in the cluster.
  • The Cluster service account requires Exchange Full Administrator permission on the organization if this is the first Exchange server in the organization. If this is a subsequent server, Exchange Full Administrator permission is required only on the Administrative Group.
For reference, the user must have the following permissions to create an Exchange 2003 Server Exchange virtual server on a Windows 2000 cluster:
  • The user who is creating the Exchange virtual server requires Local Administrator permission on each node in the cluster.

    Note No permissions are required in the organization or in the administrative group.

↑ Back to the top

References

For additional information about Cluster service permissions, click the following article number to view the article in the Microsoft Knowledge Base:
329702� Cluster service account permissions to create, modify, or delete an Exchange virtual server

↑ Back to the top

Keywords: KB821834, kbinfo, kbtshoot

↑ Back to the top

Article Info
Article ID : 821834
Revision : 9
Created on : 10/25/2007
Published on : 10/25/2007
Exists online : False
Views : 281