Appendix D. Using Cisco Tmsxe With Separate Admin Roles; Installation - Cisco TELEPRESENCE MANAGEMENT SUITE EXTENSION - ADMINISTRATOR GUIDE FOR MICROSOFT EXCHANGE 2.2 Administrator's Manual

Appendix D.
Separate Admin Roles
Cisco TMSXE normally requires the installing and operating user be a Local Domain Administrator
and an Exchange Full Administrator (or Exchange Recipient Administrator for Exchange 2007
Installs). In some organizations, due to internal policy or security requirements, these requirements
can not be met as these roles are explicitly separated. This section is intended to provide additional
instruction on how the Cisco TMSXE product can be installed and operated in an environment where
the Active Directory and Exchange Administrative roles are segregated.
Assumptions/Background
The following are the assumptions about the customer environment for these instructions.
 An Admin Group is responsible for creating users, groups, and mailboxes for new users.

An Exchange group is responsible for ongoing operation of Exchange Servers and mail
processes.
 The Exchange group has local administrative rights to the Exchange server, but does not have
Domain Administrative rights.

The users installing the product are aware of any replication delays associated with their Active
Directory implementation—how it affects propagation of changes in AD objects and permissions
and any waits that are required before changes will take effect.
 The process description assumes this is a first time installation of the TANDBERG product.
For common terminology purposes in this guide, the user from the Admin group will be called the AD-
Admin. The user from the Exchange group will be called the Exchange-Admin.

AD-Admin is a member of Domain Admins.

Exchange-Admin is a Local Administrator and delegated Full Exchange Administrator
permissions (or Exchange Recipient Administrator in Exchange 2007).

Installation

This section will outline how to adapt the installation process to function when the Active Directory
and Exchange Administrator roles are separated.
Pre-Installation Steps
1. The AD-Admin must create or decide which OU in Active Directory will be used for accounts
related to the Cisco TMSXE Integration. Accounts are not required to be in the same OU, but the
policy should be followed for consistency with the standard product.
2. The Exchange-Admin decides which Exchange Server and Information store will be used for the
Exchange Integration (all mailboxes for integrated accounts must be located in information stores
on the same Exchange Server).
3. The AD-Admin must create a new domain user or designate an existing user to be the Exchange
Side service user. Example: TMS-Service. The remainder of the instructions will refer to this
account as TMS-Service. When creating a new account, create a mailbox for the TMS-Service
user. The mailbox must be in an information store on the specified Exchange Server. If re-using
an existing account and the mailbox for the TMS-Service user not stored on the specified
Exchange Server, the Exchange-Admin must move the user's mailbox to the specified Exchange
Server before proceeding. The account must have a SMTP email address that is reachable from
the mail server used by Cisco TMS.
The AD-Admin must set the extensionattrbute1 property on the TMS-Service user to be ‗TMS-
4.
Service'.
a. Exchange 2003—Using the AD Users and Computers tool, enable Advanced Features from
the View Menu, open Properties for the user, select the Exchange Advanced Tab, click
Custom Attributes and edit the value of extensionAttribute1 to be ‗TMS-Service'
Cisco TMSXE Administrator Guide 2.2
Using Cisco TMSXE with
Page 53 of 60