HOWTO: Configure Exchange Event Service on Exchange 2003 with minimum permissions

We have received several support calls in the past months relating to migrating Exchange Event Service scripts from Exchange 5.5 to Exchange 2003. Because it isn’t straightforward or documented (to my knowledge), I came up with this information to help you get your scripts working in Ex 2000. This should only be a migration step, and I don’t encourage new development to utilize this technology. It will NOT be around in Exchange 12. Please note my previous post before moving forward…


KB: Suitable Applications for Exchange Server Event Scripting

https://blogs.msdn.com/mstehle/archive/2005/12/27/507610.aspx


That being said, this is how to set up Exchange Event Service Scripting on an Exchange 2003 server with the minimum permissions needed for both the script authors (the users who will write scripts) and the service account (the account used to run the Exchange Event Service). I have tried to provide details of the permissions at the lowest level possible. Obviously, if you have numerous mailboxes and application folders, you can choose to apply permissions at higher levels (store, group, or organization)…


Service Account Setup

The following steps detail how to create a service account which executes event service scripts…


  1. In Active Directory Users and Computers (U&C): create a new account, specify a password, mark the password to never expire and so that the user cannot change it, and create a mailbox.
  2. In U&C: add this account to the local “Administrators” group. Do not add it to the “Domain Administrators” group; this will enact specific denials on the mailbox store and elevate its permissions unnecessarily within the domain.
  3. In Exchange System Manager (ESM): right click on the organization group, select “Delegate Control…” and add the service account as an “Exchange View Only Administrator”. For more information see the following article…

KB 823018: Overview of Exchange administrative role permissions in Exchange 2003

https://support.microsoft.com/default.aspx?scid=kb;EN-US;823018

  4. In U&C: Give the service account “Full Mailbox Access” to any script author accounts by right clicking the author’s account, selecting Properties, selecting the “Exchange Advanced” tab, and clicking the “Mailbox Rights” button. You may have many authors, or you may want to enable everyone to author scripts. Instead of applying permissions on a per-mailbox basis, in ESM you can give “Receive As” permissions to a mailbox store, administrative group, or organization.
  5. In ESM: Give “Owner” permissions to any public folders that will have events set up on them. If events will be set up on mailboxes, the service account must have “Full Mailbox Access” on those mailboxes.
  6. In ESM: Select the “Public Folders” node under the “Folders” node of the Administrative Group, right click and select “View System Folders”. Expand the “Events Root” folder and give “Owner” permissions to the service account on the "EventConfig_<exchange server name>" folder. This folder may not exist if you haven’t tried to start the Exchange Event Service before; just start the service to create the folder.
  7. At this point you either have to wait for these permissions to replicate, which could take up to 2 hours, or you can restart the Exchange Information Store service.
  8. In the Services management console, change the Exchange Event Service to “Log On As” the service account and set the “Startup Type” to “Automatic”. Then start the Exchange Event Service.

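The following audit script is an added example, not part of the original post. It checks the host-level parts of the service account setup above (steps 2 and 8): that the Exchange Event Service logs on as the service account and starts automatically, that the account is a direct member of the local Administrators group, and that it is not in Domain Admins. It assumes the Event Service’s Windows service name is MSExchangeES, that it runs on the Exchange 2003 server itself, and that the account and group names are placeholders you replace with your own.

```powershell
# Added audit script, not part of the original post. Assumptions: the Exchange
# Event Service's service name is MSExchangeES, the script runs on the Exchange
# 2003 server itself, and the account/group names below are placeholders.
param(
    [string]$ServiceAccount    = 'CONTOSO\svc-exevents',   # placeholder
    [string]$DomainAdminsGroup = 'CONTOSO\Domain Admins'   # placeholder
)
$findings = @()
$domain, $sam = $ServiceAccount.Split('\')

# Returns the direct member names of a WinNT group. Nested membership is not
# expanded, so an account admitted through a nested group is not seen here.
function Get-GroupMemberNames([string]$Path) {
    $group = [ADSI]$Path
    @($group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })
}

# Step 8: the Event Service logs on as the service account and starts automatically.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='MSExchangeES'"
if ($null -eq $svc) {
    $findings += 'MSExchangeES service not found on this host'
} else {
    if ($svc.StartName -ne $ServiceAccount) {
        $findings += "MSExchangeES logs on as '$($svc.StartName)', expected '$ServiceAccount'"
    }
    if ($svc.StartMode -ne 'Auto') {
        $findings += "MSExchangeES startup type is '$($svc.StartMode)', expected 'Auto'"
    }
}

# Step 2: in the local Administrators group, but NOT in Domain Admins.
$localAdmins = Get-GroupMemberNames "WinNT://$env:COMPUTERNAME/Administrators,group"
if ($localAdmins -notcontains $sam) {
    $findings += "$ServiceAccount is not a direct member of local Administrators"
}
$daGroupName  = $DomainAdminsGroup.Split('\')[-1]
$domainAdmins = Get-GroupMemberNames "WinNT://$domain/$daGroupName,group"
if ($domainAdmins -contains $sam) {
    $findings += "$ServiceAccount is in $DomainAdminsGroup; this adds store denials and over-privileges it"
}

if ($findings.Count -eq 0) {
    'Service account configuration matches the minimum-permission setup.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
    exit 1
}
```

Run it from an elevated PowerShell prompt on the Exchange server after step 8; the public folder, mailbox and EventConfig permissions from steps 4 to 6 still need to be verified in ESM.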

Script Author Setup

The following steps detail how to set up an existing Exchange user to author scripts…


  1. In ESM: Give “Owner” permissions to any public folders that will have events set up on them. If events will be set up on mailboxes, the service account must have “Full Mailbox Access” on those mailboxes.
  2. In ESM: Select the “Public Folders” node under the “Folders” node of the Administrative Group, right click and select “View System Folders”. Expand the “Events Root” folder and give “Owner” permissions to the service account on the "EventConfig_<exchange server name>" folder.
  3. Ensure that the service account has “Full Mailbox Access” to the script author’s mailbox, or “Receive As” permission on the store, administrative group, or organization that the script author’s mailbox resides in.
  4. In order to create and edit scripts, the author will need to use Outlook through the “Agents” tab. To enable this tab in Outlook, turn on the “Server Scripting” add-in: in Outlook, click Tools, select Options, click the Other tab, click the “Advanced Options…” button, click the “Add-in Manager…” button, and check the “Server Scripting” add-in.
  5. Restart Outlook, right click on the folder to create events in, and select Properties. Click on the Agents tab to create Exchange Event Service scripts.

Here are some resources I used when putting together this information. Because permissions in Exchange 2003 are much tighter than in Exchange 5.5, I needed to identify and infer what permissions were required by the Exchange Event Service based on the old Exchange 5.5 documentation below, and then use the newer Exchange 2003 security information to figure out how to apply minimum permissions…


MSDN - Scripts, Agents, and Security

https://msdn.microsoft.com/library/default.asp?url=/library/en-us/exchserv/html/events_2cxl.asp

EHLO - Minimum permissions necessary to access mailbox data

https://blogs.technet.com/exchange/archive/2006/01/25/418099.aspx


Here are some additional resources for Exchange Event Service scripts. Because the only documentation we have on MSDN is related to Exchange 5.5, it can be a little hard to find…


MSDN - Exchange Event Service, Event processing steps

https://msdn.microsoft.com/library/default.asp?url=/library/en-us/exchserv/html/events_2bfr.asp

MSDN - Agents tab in Outlook

https://msdn.microsoft.com/library/default.asp?url=/library/en-us/exchserv/html/events_8jvp.asp

MSDN - Using the Script Debugger with Exchange Event Service Scripts

https://msdn.microsoft.com/library/default.asp?url=/library/en-us/exchserv/html/events_1eeq.asp


…Many thanks to Chris Nguyen for helping me with some of the research.

Updated 1/22/2009 – Broken links from the Exchange 5.5 SDK can be found here.