Unified Messaging Split Permissions Recipient Management

Microsoft Exchange Server 2007 will reach end of support on April 11, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.


Applies to: Exchange Server 2007, Exchange Server 2007 SP1, Exchange Server 2007 SP2, Exchange Server 2007 SP3

By default, when a Microsoft Exchange Server 2007 recipient is created, it is not enabled for Unified Messaging (UM). After the recipient is UM-enabled, you can manage, modify, and configure the UM-related properties for the user. Then you can view and modify UM-related settings, such as the associated UM dial plan, the associated UM mailbox policy, and the extension number for the user.

A user's UM-related settings are stored in two places:

  • The recipient's mailbox

  • The user's Active Directory directory service object

When you enable a recipient for Unified Messaging, you are setting a specific property on the user's mailbox.

You can use the Exchange Management Shell or the Exchange Management Console to manage UM properties for a UM-enabled recipient on the user's Exchange 2007 Unified Messaging mailbox.

The Exchange Management Shell supports configuration of all settings for a UM-enabled mailbox.

The Exchange Management Console supports the following tasks:

  • Enabling and disabling UM recipients

  • Resetting a mailbox’s UM PIN

  • Managing several UM-related mailbox properties

Unified Messaging Recipient Attributes

To manage all UM-related properties, the Unified Messaging administrator must be delegated the Exchange View-Only Administrators role and have read and write access to the following attributes within the domain partition for the user or inetOrgPerson objects:

  • proxyAddresses

  • msExchUMDtmfMap

  • msExchUMPinChecksum

  • msExchUMEnabledFlags

  • msExchUMTemplateLink

  • msExchUMRecipientDialPlanLink

  • msExchUMOperatorNumber

  • msExchUMListInDirectorySearch

  • msExchUMServerWritableFlags

  • msExchUMAudioCodec

The Unified Messaging administrator must also have the Access Recipient Update Service extended right on the Exchange Server objects.

Note

Use this list to manage attributes that are specific to Unified Messaging.

The attributes in the "Unified Messaging Recipient Attributes" list can be managed by using several management tools. The following tables describe each attribute and the setting to which it corresponds.

Enabling Mailboxes for Unified Messaging Properties

Unified Messaging administrators can enable a user's mailbox for Unified Messaging by using the Enable Unified Messaging wizard in the Exchange Management Console. This wizard uses the Exchange Management Shell Enable-UMMailbox cmdlet. For more information, see How to Enable a User for Unified Messaging.

The following table describes the settings that are specified when you enable a user's mailbox for Unified Messaging and the Active Directory attributes to which these settings correspond.

Property: Not applicable
Active Directory attribute: msExchUMDtmfMap
Description: The dual-tone multi-frequency (DTMF) map is calculated from the user's first name, last name, and e-mail alias.

Property: Not applicable
Active Directory attribute: msExchUMEnabledFlags
Description: The data that this property stores indicates which UM features are enabled or disabled. You can adjust optional settings with additional parameters of the Enable-UMMailbox cmdlet. Some of these settings affect the msExchUMEnabledFlags attribute. In addition, several flags are set based on the UM mailbox policy.

Property: PIN
Active Directory attribute: msExchUMPinChecksum
Description: This property specifies the value of the initial PIN to be used for the UM mailbox. If no PIN is specified, the system generates a PIN and sends it to the user in an e-mail message. This Active Directory attribute stores a checksum value that is calculated from the PIN and other data; the checksum is used to detect whether someone has tampered with the actual PIN. A hash that is calculated from the PIN is stored in the mailbox.

Property: Extensions
Active Directory attribute: proxyAddresses
Description: This property specifies the extension number or numbers for the user. A single extension number or a list of telephone number extensions can be specified.

Property: UMMailboxPolicy
Active Directory attribute: msExchUMTemplateLink
Description: This property specifies the distinguished name of the UM mailbox policy that is associated with the user.

Property: UMMailboxPolicy
Active Directory attribute: msExchUMRecipientDialPlanLink
Description: This attribute specifies the UM dial plan that is associated with the UM mailbox policy.

Unified Messaging Recipient Properties in the Exchange Management Console

UM administrators can manage specific UM properties on UM-enabled mailboxes by using the Exchange Management Console. The following table describes the settings that you can configure and the Active Directory attributes to which these settings correspond.

Location: Mailbox Features tab > Unified Messaging Properties page
Setting: Personal operator extension
Active Directory attribute: msExchUMOperatorNumber
Description: This property specifies the string of digits for a personal operator.

Location: Mailbox Features tab > Unified Messaging Properties page
Settings:

  • Enable for Automatic Speech Recognition

  • Allow faxes to be received

  • Allow diverted calls without caller ID to leave a message

Active Directory attribute: msExchUMEnabledFlags
Description: This property contains the following settings for the UM mailbox:

  • Automatic Speech Recognition (ASR)

  • Inbound faxes

  • Diverted calls without a caller ID can leave a message

Location: Mailbox Features tab > Unified Messaging Properties page
Setting: All UM calls from non-users
Active Directory attribute: msExchUMListInDirectorySearch
Description: This property specifies whether the UM server will try to transfer calls to the user. If this setting is disabled, the UM server invites the caller to leave a voice mail message.

Location: Mailbox Features tab > Unified Messaging Properties page
Setting: Unified Messaging Mailbox Policy
Active Directory attribute: msExchUMTemplateLink
Description: This property specifies the UM mailbox policy that is associated with the UM-enabled user's mailbox.

Location: Mailbox Features tab > Unified Messaging Properties page
Setting: Mailbox Extensions
Active Directory attribute: proxyAddresses
Description: This property specifies extensions for the UM-enabled user's e-mail address.

Unified Messaging Properties in the Exchange Management Shell

UM administrators can use the Set-UMMailbox cmdlet in the Exchange Management Shell to change UM properties on a UM-enabled mailbox. The following table describes the settings that you can configure and the Active Directory attributes to which these settings correspond.

Parameter: AllowUMCallsFromNonUsers
Active Directory attribute: msExchUMListInDirectorySearch
Description: This parameter specifies whether the UM server will try to transfer calls to the user. If this parameter is disabled, the UM server invites the caller to leave a voice mail message.

Parameter: AnonymousCallersCanLeaveMessages
Active Directory attribute: msExchUMEnabledFlags
Description: This parameter specifies whether diverted calls without a caller ID are allowed to leave a message.

Parameter: AutomaticSpeechRecognitionEnabled
Active Directory attribute: msExchUMEnabledFlags
Description: This parameter specifies whether the user can use Automatic Speech Recognition (ASR) when they log on to their mailbox.

Parameter: CallAnsweringAudioCodec
Active Directory attribute: msExchUMAudioCodec
Description: This parameter specifies the audio codec that is used to create voice messages.

Parameter: Extensions
Active Directory attribute: proxyAddresses
Description: This parameter specifies one or more extension numbers for the user.

Parameter: FaxEnabled
Active Directory attribute: msExchUMEnabledFlags
Description: This parameter specifies whether the user is allowed to receive incoming faxes.

Parameter: MissedCallNotificationEnabled
Active Directory attribute: msExchUMServerWritableFlags
Description: This parameter specifies whether missed call notifications are sent.

Parameter: OperatorNumber
Active Directory attribute: msExchUMOperatorNumber
Description: This parameter specifies the string of digits for the personal operator.

Parameter: SubscriberAccessEnabled
Active Directory attribute: msExchUMEnabledFlags
Description: This parameter specifies whether the user is allowed to use Microsoft Outlook Voice Access to access their individual mailbox.

Parameter: TUIAccessToAddressBookEnabled
Active Directory attribute: msExchUMEnabledFlags
Description: This parameter specifies whether the user can access the directory and contact information over the telephone.

Parameter: TUIAccessToCalendarEnabled
Active Directory attribute: msExchUMEnabledFlags
Description: This parameter specifies whether the user can access personal calendaring over the telephone.

Parameter: TUIAccessToEmailEnabled
Active Directory attribute: msExchUMEnabledFlags
Description: This parameter specifies whether the user can access personal e-mail over the telephone.

Parameter: UMDialPlan
Active Directory attribute: msExchUMRecipientDialPlanLink
Description: This parameter specifies the UM dial plan that is associated with the UM-enabled user's mailbox.

Parameter: UMDtmfMap
Active Directory attribute: msExchUMDtmfMap
Description: The DTMF map is calculated from the user's first name, last name, and e-mail alias.

Parameter: UMMailboxPolicy
Active Directory attribute: msExchUMTemplateLink
Description: This parameter specifies the UM mailbox policy that is associated with the UM-enabled user's mailbox.

Resetting the Unified Messaging PIN

UM administrators can reset a UM user's PIN in the Exchange Management Console or in the Exchange Management Shell. For more information, see the following topics:

The following table describes the settings that you must configure and the Active Directory attributes to which these settings correspond.

Property: Not applicable
Active Directory attribute: msExchUMPinChecksum
Description: This property specifies the value of the initial PIN to be used with the UM mailbox. If no PIN is specified, the system generates a PIN and e-mails it to the user. This Active Directory attribute stores a checksum value that is calculated from the PIN and other data; the checksum is used to detect whether someone has tampered with the actual PIN. A hash that is calculated from the PIN is stored in the mailbox.

Disabling Mailboxes for Unified Messaging Properties

UM administrators can execute the disable Unified Messaging task in the Exchange Management Console. This task uses the Exchange Management Shell Disable-UMMailbox cmdlet to disable a mailbox for Unified Messaging. The following table describes the settings that you must configure and the Active Directory attributes to which these settings correspond.

Property: Not applicable
Active Directory attribute: msExchUMEnabledFlags
Description: This property is adjusted to indicate that the mailbox is no longer provisioned for Unified Messaging.

Property: Not applicable
Active Directory attribute: proxyAddresses
Description: The UM e-mail address is removed from the list of proxy addresses.

Property: Not applicable
Active Directory attribute: msExchUMTemplateLink
Description: The UM mailbox policy is removed from the UM mailbox.

Property: Not applicable
Active Directory attribute: msExchUMRecipientDialPlanLink
Description: The UM dial plan is removed from the UM mailbox.

How to Apply Permissions

In Exchange 2007, you can apply permissions in several ways. Microsoft provides two tools to apply permissions:

  • ADSI Edit (AdsiEdit.msc)

  • DSACLS (Dsacls.exe)

Both tools are included on the Microsoft Windows Server 2003 CD in Support\Tools and can be downloaded from the Internet. Several third-party products can also be used to apply permissions.

In addition, if the Exchange administrator has the necessary rights within the Active Directory domain partition, the Exchange administrator can use the Add-ADPermission cmdlet in the Exchange Management Shell to apply the appropriate permissions, instead of using either ADSI Edit or DSACLS.

Important

Incorrectly modifying the attributes of Active Directory objects by using Active Directory Service Interfaces (ADSI) Edit, DSACLS, the LDP tool (ldp.exe), or any other LDAP (Lightweight Directory Access Protocol) version 3 clients can cause serious problems. These problems may require reinstallation of Windows Server, Exchange Server, or both. Problems that occur if Active Directory object attributes are incorrectly modified may not be resolved until you reinstall the software.

Changing permissions in the domain naming partition will require Domain Admin rights on the object that you are configuring.

Consider the following example that shows how you can use DSACLS to delegate certain rights to organizational unit (OU) administrators who have a business requirement to manage the UM-related data associated with UM-enabled mailboxes.

Telecommunication administrators in the universal security group UM Recipient Administrators require the ability to manage UM attributes for all mailboxes located in and below the organizational unit OUContainer1 in the contoso.com domain. This example assumes UM Recipient Administrators is delegated the Exchange View-Only Administrators role. For more information about permissions, delegating roles, and the rights that are required to administer Exchange 2007, see Permission Considerations.

The example shows how to apply rights on OUContainer1 by specifying read or write, or both, access on the following attributes in OUContainer1:

  • proxyAddresses

  • msExchUMDtmfMap

  • msExchUMPinChecksum

  • msExchUMEnabledFlags

  • msExchUMTemplateLink

  • msExchUMRecipientDialPlanLink

  • msExchUMOperatorNumber

  • msExchUMListInDirectorySearch

  • msExchUMServerWritableFlags

  • msExchUMAudioCodec

Note

The permissions specified here provide the UM Recipient Administrators group the ability to manage these UM-related attributes only.

In addition, the example shows how to grant the extended right, Access Recipient Update Service, on the Exchange Server objects for the universal security group UM Recipient Administrators.

How to Use DSACLS to Apply Permissions

DSACLS (Dsacls.exe) is a command-line tool that you can use to query and change permissions and security attributes of Active Directory objects. It is the command-line equivalent of using the Security tab in the Windows 2000 Server or Windows Server 2003 Active Directory Users and Computers and Active Directory Sites and Services snap-ins. DSACLS is included with the Windows Server 2003 Support Tools.

The following example uses DSACLS to apply permissions. After you have completed the procedure, the UM Recipient Administrators security group can manage UM-related properties for all users contained in the OUContainer1 organizational unit hierarchy in the contoso.com forest that contains the ContosoOrg Exchange organization.

Note

DSACLS is case sensitive. You must be precise in the syntax that you pass to DSACLS because all characters are passed literally. This includes white spaces and carriage returns. If you receive errors from DSACLS, review the command or try breaking the command into smaller segments.

To apply permissions by using DSACLS.exe

  1. Log on to a system within the forest that has the Windows Support Tools installed and use an account that has the necessary rights to perform the required actions, such as membership in the Domain Administrators group.

  2. Open a command prompt, and type the following commands for each container where you want to grant access:

    Note

    Replace the domain name, Exchange organization, and accounts by using information for your organization.

    dsacls "OU=OUContainer1,DC=contoso,DC=com" /I:S /G "contoso\UM Recipient Administrators:RPWP;proxyAddresses;user" "contoso\UM Recipient Administrators:RPWP;msExchUMDtmfMap;user" "contoso\UM Recipient Administrators:RPWP;msExchUMPinChecksum;user" "contoso\UM Recipient Administrators:RPWP;msExchUMEnabledFlags;user" "contoso\UM Recipient Administrators:RPWP;msExchUMTemplateLink;user" "contoso\UM Recipient Administrators:RPWP;msExchUMRecipientDialPlanLink;user" "contoso\UM Recipient Administrators:RPWP;msExchUMOperatorNumber;user" "contoso\UM Recipient Administrators:RPWP;msExchUMListInDirectorySearch;user" "contoso\UM Recipient Administrators:RPWP;msExchUMServerWritableFlags;user" "contoso\UM Recipient Administrators:RPWP;msExchUMAudioCodec;user" 
    dsacls "OU=OUContainer1,DC=contoso,DC=com" /I:S /G "contoso\UM Recipient Administrators:RPWP;proxyAddresses;inetOrgPerson" "contoso\UM Recipient Administrators:RPWP;msExchUMDtmfMap;inetOrgPerson" "contoso\UM Recipient Administrators:RPWP;msExchUMPinChecksum;inetOrgPerson" "contoso\UM Recipient Administrators:RPWP;msExchUMEnabledFlags;inetOrgPerson" "contoso\UM Recipient Administrators:RPWP;msExchUMTemplateLink;inetOrgPerson" "contoso\UM Recipient Administrators:RPWP;msExchUMRecipientDialPlanLink;inetOrgPerson" "contoso\UM Recipient Administrators:RPWP;msExchUMOperatorNumber;inetOrgPerson" "contoso\UM Recipient Administrators:RPWP;msExchUMListInDirectorySearch;inetOrgPerson" "contoso\UM Recipient Administrators:RPWP;msExchUMServerWritableFlags;inetOrgPerson" "contoso\UM Recipient Administrators:RPWP;msExchUMAudioCodec;inetOrgPerson" 
    
  3. Using the command prompt, type the following command:

    Note

    Replace the domain name, Exchange organization, and accounts by using information for your organization.

    dsacls "CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=ContosoOrg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com" /I:S /G "contoso\UM Recipient Administrators:CA;Access Recipient Update Service;msExchExchangeServer"
    
  4. If the command runs successfully, it will output the revised Windows NT security descriptor at the command prompt and will state, "The command completed successfully".

How to Use the Exchange Management Shell to Apply Permissions

The Exchange Management Shell is a command-line interface that lets you retrieve and configure Exchange objects. The Exchange Management Shell includes the Add-ADPermission cmdlet that you can use to apply permissions to objects that are stored within Active Directory.

The following procedure is an example of how to use the Add-ADPermission cmdlet to apply permissions. After the permissions have been applied, the UM Recipient Administrators security group can manage UM-related properties for all users contained in the OUContainer1 organizational unit hierarchy in the contoso.com forest that contains the ContosoOrg Exchange organization.

To apply permissions by using the Exchange Management Shell

  1. Log on to a system within the forest that has the Windows Support Tools installed and use an account that has the necessary rights to perform the required actions, such as membership in the Domain Administrators group.

  2. Open the Exchange Management Shell and type the following commands for each container where you want to grant access.

    Note

    Replace the domain name, Exchange organization, and accounts by using information for your organization.

    Add-ADPermission -Identity "OU=OUContainer1,DC=contoso,DC=com" -User "contoso\UM Recipient Administrators" -AccessRights ReadProperty,WriteProperty -Properties proxyAddresses,msExchUMDtmfMap,msExchUMPinChecksum,msExchUMEnabledFlags,msExchUMOperatorNumber,msExchUMListInDirectorySearch,msExchUMRecipientDialPlanLink,msExchUMTemplateLink,msExchUMServerWritableFlags,msExchUMAudioCodec -InheritedObjectType user -InheritanceType Descendents
    Add-ADPermission -Identity "OU=OUContainer1,DC=contoso,DC=com" -User "contoso\UM Recipient Administrators" -AccessRights ReadProperty,WriteProperty -Properties proxyAddresses,msExchUMDtmfMap,msExchUMPinChecksum,msExchUMEnabledFlags,msExchUMOperatorNumber,msExchUMListInDirectorySearch,msExchUMRecipientDialPlanLink,msExchUMTemplateLink,msExchUMServerWritableFlags,msExchUMAudioCodec -InheritedObjectType inetOrgPerson -InheritanceType Descendents
    
  3. In the Exchange Management Shell, type the following command:

    Add-ADPermission -Identity "CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=ContosoOrg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com" -User "contoso\UM Recipient Administrators" -InheritedObjectType ms-Exch-Exchange-Server -ExtendedRights ms-Exch-Recipient-Update-Access -InheritanceType Descendents
    
  4. If the command runs successfully, it will output the access control entries that were added to the object.
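Whichever of the two procedures above you use (DSACLS or Add-ADPermission), it is worth reading the resulting ACEs back and confirming that the group holds read/write rights on exactly the ten listed attributes and nothing broader. The following Exchange Management Shell script is an added example, not part of the original article; the OU, group, and organization names are the article's sample values and are assumptions to replace with your own.

```powershell
# Added verification script (not from the original article). Run in the Exchange
# Management Shell after delegating the UM attributes. All names below are assumed.
$ou         = "OU=OUContainer1,DC=contoso,DC=com"        # assumed OU
$group      = "contoso\UM Recipient Administrators"      # assumed security group
$adminGroup = "CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=ContosoOrg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com"

# The ten attributes the article delegates (its "Unified Messaging Recipient Attributes" list).
$expected = @(
    "proxyAddresses", "msExchUMDtmfMap", "msExchUMPinChecksum",
    "msExchUMEnabledFlags", "msExchUMTemplateLink", "msExchUMRecipientDialPlanLink",
    "msExchUMOperatorNumber", "msExchUMListInDirectorySearch",
    "msExchUMServerWritableFlags", "msExchUMAudioCodec"
)

# Only the allow ACEs set directly on this OU for this group (ignore ones inherited from parents).
$aces = Get-ADPermission -Identity $ou -User $group |
    Where-Object { -not $_.IsInherited -and -not $_.Deny }

$granted  = @()
$tooBroad = @()
foreach ($ace in $aces) {
    # Stringify so the check works whether AccessRights is a flags enum or an array.
    $rights = ($ace.AccessRights | ForEach-Object { "$_" }) -join ", "
    if ($rights -match "GenericAll|GenericWrite|WriteDacl|WriteOwner") {
        # These rights let the group change far more than UM attributes (including the ACL itself).
        $tooBroad += "$rights on $($ace.Identity)"
        continue
    }
    if ($rights -match "WriteProperty" -and -not $ace.Properties) {
        # WriteProperty with no attribute filter means write access to every attribute.
        $tooBroad += "unfiltered WriteProperty on $($ace.Identity)"
        continue
    }
    foreach ($p in $ace.Properties) { $granted += "$p" }
}
$granted = $granted | Sort-Object -Unique
$missing = $expected | Where-Object { $granted  -notcontains $_ }
$extra   = $granted  | Where-Object { $expected -notcontains $_ }

# The extended right on the Exchange Server objects that the article also grants.
$rus = Get-ADPermission -Identity $adminGroup -User $group |
    Where-Object { "$($_.ExtendedRights)" -match "Recipient-Update-Access" }

"Granted attributes          : $($granted -join ', ')"
"Missing from expected list  : $($missing -join ', ')"
"Extra (not in article list) : $($extra -join ', ')"
"Over-broad ACEs             : $($tooBroad -join '; ')"
"Access Recipient Update Service granted: $([bool]$rus)"
```

An empty "Missing", "Extra", and "Over-broad" line together with a true final line means the delegation matches the article exactly.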

For More Information

For more information, see the following topics: