Create an Active Directory account with organization-wide Exchange access

This topic describes how to create an Active Directory account with organization-wide Exchange access. The roles for the account include View-Only Organization Management and the Mailbox Search management role.

Exchange Access

Least-privilege access to the Exchange organization can be granted using Active Directory Users and Computers (ADUC):

  1. From the Start Menu open ADUC and navigate to the Microsoft Exchange Security Groups OU.
  2. Double click on the View-Only Organization Management group.
  3. After the window opens, click the Members tab and then click Add.
  4. Type the user name of the account you want to grant access to the Exchange organization, and then click OK.
  5. Click Apply and then click OK. Close the ADUC window.
  6. Configure AppInsight for Exchange by clicking Configure Server.

Access can also be granted using the Exchange Management Shell with the following command. Replace "USER" with the correct user name of the service account:

Add-RoleGroupMember -Identity "View-Only Organization Management" -Member "USER"

To verify that the management role is properly assigned, use the following commands:

Get-RoleGroupMember -Identity "View-Only Organization Management" | Where-Object {$_.SamAccountName -eq "USER"}
Get-RoleGroupMember -Identity "Organization Management" | Where-Object {$_.SamAccountName -eq "USER"}

or

Get-ManagementRoleAssignment -RoleAssignee "USER" | Where-Object {$_.RoleAssigneeName -eq "View-Only Organization Management" -or $_.RoleAssigneeName -eq "Organization Management"}

Mailbox Search Access

Mailbox Search access is required to determine attachment counts and sizes. It can be granted using the Exchange Management Shell (EMS).

  1. From the Start Menu, open the EMS.
  2. Type: New-ManagementRoleAssignment -Role "Mailbox Search" -User "USER" and press Enter.

    Verify the management role has been properly assigned:

    Get-ManagementRoleAssignment -RoleAssignee "USER" -Role "Mailbox Search" | Where-Object {$_.RoleAssignmentDelegationType -eq "Regular"}

    Note: Exchange Management Roles can be assigned to role assignees using either regular or delegating role assignments. Regular role assignments enable the role assignee to access the permissions provided by the management role entries on this role. Delegating role assignments give the role assignee the ability to assign this role to Role Groups, Users, or Universal Security Groups.

  3. Configure AppInsight for Exchange by clicking Configure Server.
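
The verification commands above and the Note on regular versus delegating assignments can be combined into one check of the service account. This is an added example, not part of the original documentation or the product; "USER" is the page's placeholder, and the variable names, helper function name, and output wording are assumptions.

```powershell
# Added example: run in the Exchange Management Shell (EMS).
$Account = "USER"   # placeholder from the page: the service account's user name

function Test-RoleGroupMember {   # hypothetical helper name
    param([string]$Group, [string]$Sam)
    # Same membership test the page uses: match on SamAccountName.
    [bool](Get-RoleGroupMember -Identity $Group |
        Where-Object { $_.SamAccountName -eq $Sam })
}

$inViewOnly = Test-RoleGroupMember "View-Only Organization Management" $Account
$inOrgMgmt  = Test-RoleGroupMember "Organization Management" $Account

# Mailbox Search assignments for the account, split by delegation type.
$search = @(Get-ManagementRoleAssignment -RoleAssignee $Account -Role "Mailbox Search")
$regular    = @($search | Where-Object { $_.RoleAssignmentDelegationType -eq "Regular" })
$delegating = @($search | Where-Object { $_.RoleAssignmentDelegationType -ne "Regular" })

$findings = @()
if (-not ($inViewOnly -or $inOrgMgmt)) {
    $findings += "MISSING: not a member of View-Only Organization Management"
}
if ($inOrgMgmt) {
    $findings += "REVIEW: member of Organization Management, broader than view-only access"
}
if ($regular.Count -eq 0) {
    $findings += "MISSING: no regular Mailbox Search assignment"
}
foreach ($a in $delegating) {
    $findings += "REVIEW: delegating assignment '$($a.Name)' lets the account assign Mailbox Search to others"
}

# One summary object: "OK" means both required grants exist and nothing broader was found.
[pscustomobject]@{
    Account              = $Account
    ViewOnlyOrgMgmt      = $inViewOnly
    OrgMgmt              = $inOrgMgmt
    MailboxSearchRegular = $regular.Count
    MailboxSearchDeleg   = $delegating.Count
    Findings             = if ($findings) { $findings -join "; " } else { "OK" }
}
```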