Support

Support for business applications

Kaspersky Security Center 14

Kaspersky Security Center 14.2

Deployment best practices

Preparation for deployment

Preparing to mobile device management

Exchange Mobile Device Server

Account for Exchange ActiveSync service

Kaspersky Security Center
Нет результатов
Нет результатов
Knowledge Base Online Help
Advice & Solutions FAQ Download Buy Renew Forum Contact support Recovery tools

Account for Exchange ActiveSync service

April 17, 2024

ID 92340

Get as PDF

When an Exchange Mobile Device Server is installed, an account is automatically created in Active Directory:

  • On Microsoft Exchange Server (2010, 2013): KLMDM4ExchAdmin***** account with the KLMDM Role Group role.
  • On Microsoft Exchange Server (2007): KLMDM4ExchAdmin***** account, a member of the KLMDM Secure Group security group.

The Exchange Mobile Device Server service runs under this account.

If you want to cancel the automatic generation of an account, you need to create a custom one with the following rights:

  • When using Microsoft Exchange Server (2010, 2013), the account must be assigned a role that has been allowed to execute the following cmdlets:
    • Get-CASMailbox
    • Set-CASMailbox
    • Remove-ActiveSyncDevice
    • Clear-ActiveSyncDevice
    • Get-ActiveSyncDeviceStatistics
    • Get-AcceptedDomain
    • Set-AdServerSettings
    • Get-ActiveSyncMailboxPolicy
    • New-ActiveSyncMailboxPolicy
    • Set-ActiveSyncMailboxPolicy
    • Remove-ActiveSyncMailboxPolicy
  • When using a Microsoft Exchange Server (2007), the account must be granted the access rights to Active Directory objects (see the table below).

    Access rights to Active Directory objects

    Access

    Object

    Cmdlet

    Full

    Thread "CN=Mobile Mailbox Policies,CN=<Organization name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<Domain name>"

    Add-ADPermission -User <User or group name> -Identity "CN=Mobile Mailbox Policies,CN=<Organization name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<Domain name>" -InheritanceType All -AccessRight GenericAll

    Read

    Thread "CN=<Organization name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<Domain name>"

    Add-ADPermission -User <User or group name> -Identity "CN=<Organization name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<Domain name>" -InheritanceType All -AccessRight GenericRead

    Read/write

    Properties msExchMobileMailboxPolicyLink and msExchOmaAdminWirelessEnable for objects in Active Directory

    Add-ADPermission -User <User or group name> -Identity "DC=<Domain name>" -InheritanceType All -AccessRight ReadProperty,WriteProperty -Properties msExchMobileMailboxPolicyLink, msExchOmaAdminWirelessEnable

    Extended right ms-Exch-Store-Active

    Mailbox repositories of Exchange server, thread "CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=<Organization name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<Domain name>"

    Get-MailboxDatabase | Add-ADPermission -User <User or group name> -ExtendedRights ms-Exch-Store-Admin

See also:

Main installation scenario

Rights required for deployment of Exchange Mobile Device Server

Kaspersky Security Center: Optimization of daily routine tasks
A powerful administration console, with an additional flexible web-based interface that’s available wherever you are. Buy as part of Endpoint Security for Business Advanced.
Kaspersky Premium Support (MSA): High‑priority incident processing
Telephone and web ticket support. Fast response, monitoring and health check. Submit a request and activate the contract (MSA).
Did you find this article helpful?
What can we do better?
Thank you for your feedback! You're helping us improve.
Thank you for your feedback! You're helping us improve.