Does the qexch2k1a4.exe service require Domain Administrator rights? (NETIQKB28099)

  • 7728099
  • 02-Feb-2007
  • 28-Jul-2010

Environment

AppManager Suite 6.x
AppManager Suite 7.0.x
Microsoft Exchange 2000 Server

Situation

Does the qexch2k1a4.exe service require Domain Administrator rights?
Does the Exchange 2000 Monitoring Account for the qexch2k1a4.exe service require Domain Administrator rights?

Resolution

The Exchange 2000 Monitoring Account requires the Domain Administrator rights during the discovery process.  The monitoring service (qexch2k1a4.exe) retrieves information from Active Directory Configuration Container that is not accessible by Exchange View Only Administrator accounts.

Once the discovery has completed, the Monitoring Account may be removed from the Domain Administrators Domain Group.  If the Exchange 2000 agent needs to be discovered again, the Monitoring Account will have to be granted Domain Administrator rights.  Please reference the Exchange 2000 configuration guide (am_exch2K_config.pdf) on the AppManager installation CD for specific information on Exchange and Windows domain permissions for Discovery and usage of all of the AppManager Exchange 2000 knowledge scripts.

Additional Information

Formerly known as NETIQKB28099

The qexch2k1a4.exe service account must have permission to Log on as a service and must be a member of the Domain Admin the User?s container. In order to run the Exchange_TopNReceivers and Exchange_TopNSenders Knowledge Scripts, the monitoring service (qexch2k1a) must be able to read the tracking log files in the Exchange 2000 Server tracking log directory. In order to run certain Knowledge Scripts (such as Exchange_NumberOfMailboxes), the Log On As account for the monitoring service (qexch2k1a) must have Exchange View Only Administrator.

After you create a user account and mailbox, make sure that Active Directory has time to replicate the account information before you attempt to grant additional permissions such as Log on as a service. If the user account information is not propagated through Active Directory, granting additional permissions will fail.