How do I set up a Delegated Service Account in Exchange?

These instructions provide the information needed to connect ZynSync and ZynCal for clients using Exchange email servers. Exchange 2010 is supported for the ZynBox Outlook Desktop Client and ZynSync products. Exchange 2013 can be used with ZynBox clients for Outlook Desktop, OWA, and ZynSync.

ZynBit Permissions Scripts Documentation and Configuration

Overview:

This script manages the user permissions Zynbit needs in order to access users' calendars and send notification emails as them. It processes users filtered on a security group, a list of OUs, or both. On each run, any user newly added to the filter has the Zynbit permissions applied, and any user newly removed from the filter has the Zynbit permissions removed. The calendar folder permissions and Send As permissions are granted based on SamAccountName. The script is then scheduled so that users are processed on a recurring basis. It also creates and writes to log files that you can check for errors or debugging information.

Requirements:

  • For on prem setups, the script needs to be run on the Exchange server.
  • For on prem setups, Zynbit-script needs access to modify AD permissions to grant Send As rights on users and to modify mailbox folder permissions for the calendar.
    • Cmdlets used:
      • Get-ADUser
      • Get-MailboxFolderPermission
      • Add-MailboxFolderPermission
      • Get-Mailbox
      • Add-ADPermission
      • Get-ADPermission
      • Remove-MailboxFolderPermission
      • Remove-ADPermission
  • The Zynbit-script user needs full control access to the folder containing all of the scripts, data, etc.
  • Zynbit-script needs access to get AD user information for both on prem and O365 setups.
  • The computer the script is run on needs to have its execution policy set to at least RemoteSigned.
  • For O365, the O365ScriptAccount user must have access to Exchange Online PowerShell.
  • For O365, the O365ScriptAccount user needs Exchange Administrator permissions, or permissions to modify calendar folder permissions and Send As permissions.
    • Cmdlets used:
      • Get-ADUser
      • Add-MailboxFolderPermission
      • Get-MailboxFolderPermission
      • Add-RecipientPermission
      • Get-RecipientPermission
      • Remove-MailboxFolderPermission
      • Remove-RecipientPermission
  • O365 setups require the O365ScriptAccount password to be stored on the machine. It is stored in an encrypted file; a separate script (ChangeO365ScriptAccountPassword.ps1) is provided to update the stored password.
  • Secondary Logon needs to be enabled on the machine running the script so that the service account can run the script.
  • On prem setups will not allow the script to modify Send As permissions for administrative users. The log records each permission that could not be granted. You can manually grant Zynbit Send As permissions by opening an Exchange Management Shell and running the following command.

Get-Mailbox -Identity <UserSamAccountName> | Add-ADPermission -User <CalendarSASamAccountName> -ExtendedRights "Send As"
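Because the script grants delegated rights in bulk, it is worth being able to see exactly which mailboxes the calendar service account can already send as and whose Calendar folder it holds rights on. The following is an added example, not one of the ZynBit scripts; it runs in an on-prem Exchange Management Shell and the account name is a placeholder.

```powershell
# Added example (not one of the ZynBit scripts): list which mailboxes the
# calendar service account can Send As and whose Calendar folder it holds
# rights on, so the delegation can be reviewed against the intended user
# filter. Run in an on-prem Exchange Management Shell.
$CalendarSA = 'zynbit-calendar'   # CalendarSA SamAccountName (placeholder)

$report = foreach ($mbx in (Get-Mailbox -ResultSize Unlimited)) {
    # Send As is an AD extended right on the user object. Only explicit
    # (non-inherited) Allow entries count; those are what the sync script or
    # the manual Add-ADPermission command above create.
    $sendAs = Get-ADPermission -Identity $mbx.DistinguishedName |
        Where-Object {
            $_.User.ToString() -like "*\$CalendarSA" -and
            $_.ExtendedRights -like '*Send-As*' -and
            -not $_.IsInherited -and -not $_.Deny
        }

    # Calendar access is a mailbox folder permission on <mailbox>:\Calendar;
    # the cmdlet errors when the user has no entry, so treat that as "None".
    $calPerm = Get-MailboxFolderPermission -Identity "$($mbx.Alias):\Calendar" `
        -User $CalendarSA -ErrorAction SilentlyContinue
    $calRights = if ($calPerm) { $calPerm.AccessRights -join ',' } else { 'None' }

    [pscustomobject]@{
        Mailbox        = $mbx.SamAccountName
        SendAs         = [bool]$sendAs
        CalendarRights = $calRights
    }
}

# A mailbox with only one of the two rights usually means a partial run, for
# example the administrative-user case noted above; review those first.
$report | Where-Object { $_.SendAs -xor ($_.CalendarRights -ne 'None') } |
    Format-Table -AutoSize

# Keep a dated copy so later runs of the sync can be compared against it.
$report | Export-Csv -Path ".\ZynbitDelegation-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Mailboxes that appear in the report but are outside the configured group or OUs indicate stale grants that the removal path of the script should clean up on its next run.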


Accounts To Be Created:

  • On Prem:
    • ScriptSA: This is the account used to run the script for the scheduled task. It needs permissions to pull AD users' information and to modify users' calendar permissions and Send As permissions. A mailbox is not needed for this account. Preferred name is zynbit-script.
      • Permissions:
        • Needs to be allowed to log on to the server the script is run on.
        • Needs to be granted the Exchange roles "Active Directory Permissions" and "Mail Recipients". A new admin role can be created with those permissions if desired, and the user can be added to that admin role.
    • CalendarSA: This is the account that Zynbit has access to and will need the username/password for. This account is a regular user with a mailbox that has permission to other users' calendars and Send As permissions. Preferred name is zynbit-calendar.
  • O365:
    • ScriptSA: This is the account used to run the script for the scheduled task. It needs permissions to pull AD users' information. A mailbox is not needed for this account. Preferred name is zynbit-script.
    • O365CalendarAccount: This is the account that Zynbit has access to and will need the username/password for. This account is a regular user with a mailbox that has permission to other users' calendars and Send As permissions. Preferred name is zynbit-calendar.
    • O365ScriptAccount: This is the account that needs permissions to modify users' calendar permissions and Send As permissions in O365 Exchange Online PowerShell. A mailbox is not needed for this account. It can be the same account as the ScriptSA if directory sync is configured, as long as the O365 Exchange Online PowerShell permissions are granted. In most cases you can grant this user Exchange Administrator access. Preferred name is zynbit-script.

Configuration File:

All values are double-quoted strings except for true/false values and FilterOUs. True/false values are just the word true or false, unquoted. FilterOUs is a comma separated list of strings inside brackets (i.e. ["DN1","DN2","DN3"]).

  • Environment: This specifies your Exchange environment.
    • Valid options are O365 or Exchange, for cloud-based or on prem respectively.
  • DomainName: The name of your on premise domain.
  • CalendarSAName: This is the calendar service account name for on prem environments. This user must have a mailbox assigned to it.
  • ScriptSAName: This is the service account name used to run the script for either environment and to manage user permissions for on prem environments.
  • ExchangeConnectionUri: This is the connection URI for the implicit remoting session to your Exchange server. It is typically http://<exchangeserver>.<domain>/Powershell
  • O365CalendarAccount: This is the account that is created with a mailbox for O365 environments. It should be in the format zynbit-script@<O365 Domain>
  • O365ScriptAccount: This is the account that is created with Exchange Administrator permissions to administer O365 mailboxes. It does not require a mailbox. It should be in the format zynbit-calendar@<O365 Domain>
  • O365ConnectionUri: This is the URI used to authenticate and open a remote PowerShell session for Exchange Online PowerShell. The default value of https://outlook.office365.com/powershell-liveid/ should be used unless you have a differing use case.
  • BehindProxy: Set this to true if you are using O365, are behind a proxy, and need proxy support enabled for Exchange Online PowerShell.
  • ProxyAccessType: The ProxyAccessType required for Exchange Online PowerShell.
  • LogDirectory: The path to the logs root directory, relative to the Config.json file. This should not be changed unless necessary.
  • LoggingLevel: This is the logging level used in the logs. Options are:
    • "DEBUG": This puts the log in debug mode and logs the various steps and events in the scripts. This is useful for troubleshooting or to confirm that the script is executing properly.
    • "ERROR": This causes the logs to record only errors, including errors granting the necessary permissions to users.
    • Regardless of level, the logs always record when the scheduled task is triggered, when the script starts, and when the script ends or is terminated due to a caught error.
  • FilterOnGroup: If set to true, Zynbit will only be granted calendar and Send As permissions to users that are a member of the FilterGroup. If FilterOnOUs is also set to true, users will be filtered on both.
  • FilterGroup: The Distinguished Name (DN) of the security group to be filtered on.
  • FilterOnOUs: If set to true, Zynbit will only be granted calendar and Send As permissions to users that are in one of the FilterOUs. If FilterOnGroup is also set to true, users will be filtered on both.
  • FilterOUs: The DNs of all OUs to be filtered on. Multiple OUs can be used; they need to be comma separated strings wrapped in double-quotes, with a full DN for each.
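The typing rules above (unquoted booleans, FilterOUs as a bracketed list of full DNs, O365-only keys) are easy to get wrong by hand, and a bad filter silently widens what gets delegated. As an added example that is not part of the ZynBit package, the function below loads a Config.json and reports those mistakes before the task is scheduled; the sample file it writes is constructed with placeholder domain names.

```powershell
# Added example (not one of the ZynBit scripts): check Config.json against the
# rules documented on this page before scheduling the sync task.
function Test-ZynbitConfig {
    param([Parameter(Mandatory)][string]$Path)
    $cfg = Get-Content -Path $Path -Raw | ConvertFrom-Json
    $problems = New-Object System.Collections.Generic.List[string]

    if ($cfg.Environment -notin @('O365', 'Exchange')) {
        $problems.Add("Environment must be 'O365' or 'Exchange', got '$($cfg.Environment)'")
    }
    # Flags must be JSON booleans, not the strings "true"/"false"
    foreach ($flag in 'BehindProxy', 'FilterOnGroup', 'FilterOnOUs') {
        if ($cfg.$flag -isnot [bool]) { $problems.Add("$flag must be an unquoted true/false") }
    }
    if ($cfg.FilterOnGroup -and [string]::IsNullOrWhiteSpace($cfg.FilterGroup)) {
        $problems.Add('FilterOnGroup is true but FilterGroup (a group DN) is empty')
    }
    if ($cfg.FilterOnOUs) {
        $ous = @($cfg.FilterOUs)
        if ($ous.Count -eq 0) { $problems.Add('FilterOnOUs is true but FilterOUs is empty') }
        # Each entry must be a string holding a full OU DN, not a bare OU name
        foreach ($ou in $ous) {
            if ($ou -isnot [string] -or $ou -notmatch '^OU=.+,DC=.+') {
                $problems.Add("FilterOUs entry is not a full OU distinguished name: '$ou'")
            }
        }
    }
    if (-not $cfg.FilterOnGroup -and -not $cfg.FilterOnOUs) {
        $problems.Add('Neither filter is enabled; confirm delegating every user is intended')
    }
    if ($cfg.Environment -eq 'O365') {
        foreach ($k in 'O365CalendarAccount', 'O365ScriptAccount', 'O365ConnectionUri') {
            if ([string]::IsNullOrWhiteSpace($cfg.$k)) { $problems.Add("$k is required for O365") }
        }
    } elseif ([string]::IsNullOrWhiteSpace($cfg.ExchangeConnectionUri)) {
        $problems.Add('ExchangeConnectionUri is required for on prem Exchange')
    }
    return $problems
}

# Constructed sample (placeholder domain names); the bare "Marketing" entry is flagged
@'
{ "Environment": "Exchange", "DomainName": "contoso.local",
  "CalendarSAName": "zynbit-calendar", "ScriptSAName": "zynbit-script",
  "ExchangeConnectionUri": "http://exch01.contoso.local/Powershell",
  "LogDirectory": "..\\Logs", "LoggingLevel": "ERROR", "BehindProxy": false,
  "FilterOnGroup": true, "FilterGroup": "CN=ZynBit Users,OU=Groups,DC=contoso,DC=local",
  "FilterOnOUs": true, "FilterOUs": ["OU=Sales,DC=contoso,DC=local", "Marketing"] }
'@ | Set-Content -Path "$env:TEMP\Config.json"
Test-ZynbitConfig -Path "$env:TEMP\Config.json"
```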

Deployment:

  1. Create the necessary user accounts as outlined above.
  2. Place the ZynBitPowershell folder on the machine the script will be run from.
  3. Grant the account running the script full control permissions on the folder and all directories/files within it.
  4. Determine how your users will be filtered.
  5. Modify the configuration file to reflect your organization’s setup.
  6. For O365 setups, run the ChangeO365ScriptAccountPassword.ps1 script in order to store the O365 script account password in an encrypted file that the script needs to run.
  7. Schedule the task as outlined below.
  8. If you wish to run the script now, you can right click the task in task scheduler and select run.

Scheduled Task Creation:

General:

  • Name: Zynbit Permission Sync
  • Security Options:
    • Run as: domain\script user (e.g. test\zynbit-script)
    • Run whether user is logged on or not

Triggers:

  • Run script on a schedule, once a day, at a time you choose


Actions:

  • Action: Start a program
  • Program/script: Powershell.exe path (typically C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • Arguments: -File <absolute path to ZynbitMain.ps1> (e.g. -File "C:\Share\ZynbitPowershell\Scripts\ZynbitMain.ps1")
  • Start In: absolute path to the Scripts subfolder of the ZynbitPowershell folder (e.g. C:\Share\ZynbitPowershell\Scripts\)


Conditions:

  • Start only if the following connection is available: Any Connection or a connection you choose
  • Leave all other values default


Settings:

  • Allow task to be run on demand
  • Stop the task if it runs longer than: 2 hours
  • If the task is already running: Do not start a new instance
  • Leave all other values default
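The same task can be registered from PowerShell rather than the Task Scheduler UI, which makes the settings above reviewable and repeatable across servers. This is an added example, not one of the ZynBit scripts; the folder path and the domain\account are placeholders for your environment.

```powershell
# Added example (not one of the ZynBit scripts): register the "Zynbit
# Permission Sync" task with the General/Triggers/Actions/Conditions/Settings
# values listed above. Path and account are placeholders.
$ScriptRoot = 'C:\Share\ZynbitPowershell\Scripts'
$RunAs      = 'test\zynbit-script'                 # ScriptSA as domain\user
$cred       = Get-Credential -UserName $RunAs -Message 'Password for the ScriptSA account'

# Actions: Start a program -> powershell.exe -File ZynbitMain.ps1, Start In = Scripts folder
$action = New-ScheduledTaskAction `
    -Execute "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe" `
    -Argument ('-File "{0}"' -f (Join-Path $ScriptRoot 'ZynbitMain.ps1')) `
    -WorkingDirectory $ScriptRoot

# Triggers: once a day at a time you choose (02:30 here)
$trigger = New-ScheduledTaskTrigger -Daily -At '02:30'

# Settings: 2-hour limit, do not start a new instance if one is running;
# on-demand runs stay allowed (the default). Conditions: start only when a
# network connection is available.
$settings = New-ScheduledTaskSettingsSet `
    -ExecutionTimeLimit (New-TimeSpan -Hours 2) `
    -MultipleInstances IgnoreNew `
    -RunOnlyIfNetworkAvailable

# Passing the account's password stores it with the task, which is what
# "Run whether user is logged on or not" requires; RunLevel Limited keeps the
# task at the account's own (non-elevated) rights.
Register-ScheduledTask -TaskName 'Zynbit Permission Sync' `
    -Action $action -Trigger $trigger -Settings $settings `
    -User $RunAs -Password $cred.GetNetworkCredential().Password `
    -RunLevel Limited | Out-Null

# Confirm the registration and who it runs as; Start-ScheduledTask is the
# equivalent of right-clicking the task and choosing Run (Deployment step 8).
Get-ScheduledTask -TaskName 'Zynbit Permission Sync' |
    Select-Object TaskName, State, @{ n = 'RunAs'; e = { $_.Principal.UserId } }
```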