Troubleshooting Permissions issue in SAM

Updated: 3-9-2017

You may encounter permissions issues with the following account and service types. These accounts include 3rd party applications and services, which may require administration credentials to review and solve.

  • Non-Domain Accounts
  • Adding Local Administrative privileges to Active Directory Account
  • Exchange Access
  • Mailbox Exchange Access

Mailboxes with an empty primary SMTP address can be polled; however, their Sent and Received statistics are not available.

Non-Domain Account

Local accounts (Non-Domain) cannot access Exchange Management interfaces and therefore are not supported by AppInsight for Exchange. Please select an Active Directory account or create a new one to use with AppInsight for Exchange.

Add Local Administrative privileges to Active Directory Account

  1. On the server where you need to grant local administrative privileges, open a Computer Management console.

    On Windows 2012, add this privilege using the Active Directory console.

  2. Navigate to the Administrators group.
  3. Click Add and type in the Active Directory user name of the account to which you want to grant administrative privileges. Ensure the location is set to either the domain where the account is located or Entire Directory.
  4. Save your changes.

Alternatively, you can add an Active Directory group to the local administrators group and add the Active Directory user accounts to that group.

To verify the account and local group membership has been configured properly, run the following code in a PowerShell session:

# Include members of nested groups
$Recurse = $true
$GroupName = 'Administrators'
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
# Look up the group on the local machine
$ct = [System.DirectoryServices.AccountManagement.ContextType]::Machine
$group = [System.DirectoryServices.AccountManagement.GroupPrincipal]::FindByIdentity($ct,$GroupName)
# List each member once, with the context (domain or machine) it was resolved from
$LocalAdmin = $group.GetMembers($Recurse) | select @{N='Domain'; E={$_.Context.Name}}, samaccountName, @{N='ObjectType'; E={$_.StructuralObjectClass}} -Unique
# Keep only user accounts, then display them
$LocalAdmin = $LocalAdmin | Where-Object {$_.ObjectType -eq "user"}
$LocalAdmin


Exchange Access

You can grant Least Privilege access to the Exchange Organization using Active Directory Users and Computers (ADUC).

  1. From the Start Menu, open ADUC and navigate to the Microsoft Exchange Security Groups OU.
  2. Double click on the View-Only Organization Management group. After the window opens, click the Members tab, then click Add.
  3. Type the user name of the account you want to grant access to the Exchange organization, then click OK.
  4. Click Apply and OK, then close the ADUC window.

Access can also be granted using the Exchange Management Shell with the following command. Replace "USER" with the user name of the service account.

Add-RoleGroupMember -Identity "View-Only Organization Management" -Member "USER"

To verify the management role is properly assigned, use the following commands:

Get-RoleGroupMember -Identity "View-Only Organization Management" | Where-Object {$_.SamAccountName -eq "USER"}
Get-RoleGroupMember -Identity "Organization Management" | Where-Object {$_.SamAccountName -eq "USER"}

or

Get-ManagementRoleAssignment -RoleAssignee "USER" | Where-Object {$_.RoleAssigneeName -eq "View-Only Organization Management" -or $_.RoleAssigneeName -eq "Organization Management"}

Mailbox Search Access

Mailbox Search access is required to determine attachment counts and sizes. You can grant the access using the Exchange Management Shell (EMS).

  1. From the Start Menu, open the EMS.
  2. Type: New-ManagementRoleAssignment -Role "Mailbox Search" -User "USER" and press Enter.

To verify the management role has been properly assigned, use the following command:

Get-ManagementRoleAssignment -RoleAssignee "USER" -Role "Mailbox Search" | Where-Object {$_.RoleAssignmentDelegationType -eq "Regular"}

Exchange Management Roles can be assigned to role assignees using either regular or delegating role assignments:

  • Regular role assignments enable the role assignee to access the permissions provided by the management role entries on this role.
  • Delegating role assignments give the role assignee the ability to assign this role to Role Groups, Users, or Universal Security Groups.
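
The Exchange Access and Mailbox Search Access verification commands above can be combined into one least-privilege check that reports both missing and excess rights for the service account. This is an added example, not SolarWinds code: the function name Test-SamExchangeAccess and the account name svc-sam are hypothetical, and it assumes it is run in the Exchange Management Shell.

```powershell
# Added example. Run in the Exchange Management Shell.
# Test-SamExchangeAccess and 'svc-sam' are hypothetical names.
function Test-SamExchangeAccess {
    param(
        [Parameter(Mandatory = $true)]
        [string]$SamAccountName
    )

    # Role group membership, using the same filter as the commands on this page.
    $viewOnly = @(Get-RoleGroupMember -Identity 'View-Only Organization Management' |
        Where-Object { $_.SamAccountName -eq $SamAccountName }).Count -gt 0
    $orgMgmt = @(Get-RoleGroupMember -Identity 'Organization Management' |
        Where-Object { $_.SamAccountName -eq $SamAccountName }).Count -gt 0

    # Mailbox Search assignments, split into regular and delegating.
    $search = @(Get-ManagementRoleAssignment -RoleAssignee $SamAccountName -Role 'Mailbox Search')
    $regular = @($search | Where-Object { $_.RoleAssignmentDelegationType -eq 'Regular' })
    $delegating = @($search | Where-Object { $_.RoleAssignmentDelegationType -ne 'Regular' })

    $findings = @()
    if (-not ($viewOnly -or $orgMgmt)) {
        $findings += 'MISSING: not a member of View-Only Organization Management'
    }
    if ($orgMgmt) {
        $findings += 'EXCESS: member of Organization Management; View-Only Organization Management is the least-privilege grant'
    }
    if ($regular.Count -eq 0) {
        $findings += 'MISSING: no regular Mailbox Search role assignment'
    }
    if ($delegating.Count -gt 0) {
        $findings += 'EXCESS: delegating Mailbox Search assignment lets the account assign this role to others'
    }
    if ($findings.Count -eq 0) {
        $findings += 'OK: required access present, no excess found'
    }

    # One summary object per account, suitable for Format-List or Export-Csv.
    New-Object PSObject -Property @{
        Account                 = $SamAccountName
        ViewOnlyOrgManagement   = $viewOnly
        OrganizationManagement  = $orgMgmt
        MailboxSearchRegular    = $regular.Count
        MailboxSearchDelegating = $delegating.Count
        Findings                = $findings -join '; '
    }
}

Test-SamExchangeAccess -SamAccountName 'svc-sam' | Format-List
```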
 
Last modified
16:01, 20 Mar 2017
