
What is required to get the GFI Archiver Mailbox Folder Structure Retrieval working correctly?

This article outlines a set of permissions and requirements in order to use the Mailbox Folder Structure Retrieval (UMPolling) feature within GFI Archiver.

To avoid common problems:
  1. Do not use an existing administrator account. Default deny permissions exist within Exchange which make it more difficult to use an admin account compared to a new user account.
  2. Create a new user account in Active Directory (AD) and do not make this user a member of the domain administrators group or any other administrative group in AD
  3. Choose the correct protocol to access Exchange
    • EWS - Exchange Web Services
      • Microsoft Exchange 2013
      • Microsoft Exchange 2010
      • Microsoft Exchange 2007 SP1, SP2, SP3
      • Microsoft Office 365
    • MAPI - Messaging Application Programming Interface
      • Microsoft Exchange 2007 without any SP
      • Microsoft Exchange 2003
You will need to grant the following permissions to the user that will be used to access the Exchange mailboxes:
  1. User Access: The user has access to the users’ mailboxes in the Microsoft Exchange Store(s). This can be done by performing the following:
    1. Microsoft Exchange 2013 / 2010 [EWS]
      1. Open the ‘Exchange Management Shell’ on the Microsoft Exchange 2010 server
      2. Run the following cmdlet:
        • New-ManagementScope -name "MAUMPolling" -recipientrestrictionfilter {recipienttype -eq "UserMailbox"}
      3. Once the above is complete, run the following cmdlet (the account used in this step cannot have domain administrator rights):
        • New-ManagementRoleAssignment -name "MAUMPollingRA" -role:applicationimpersonation -user "masynch@domain.com" -customrecipientwritescope "MAUMpolling"
          • Example: New-ManagementRoleAssignment -name "MAUMPollingRA" -role:applicationimpersonation -user "masynch@mydomain.com" -customrecipientwritescope "MAUMpolling"
      • Notes
        • Some Exchange 2010 environments also required the Exchange 2007 scripts to be run
        • The ManagementScope might already exist under a different name. You can confirm the existing scope using the cmdlet Get-ManagementScope. For example, if GFI MailEssentials is running in the same environment, the scope might already have been created with the name GFI_MA_UMP. In this case there is no need to run New-ManagementScope again; run only the following:
          • New-ManagementRoleAssignment -name "MAUMPollingRA" -role:applicationimpersonation -user "masynch@mydomain.com" -customrecipientwritescope "GFI_MA_UMP"
    2. Microsoft Exchange 2007 SP1, SP2, SP3 [EWS]
      1. Open the ‘Exchange Management Shell’ on the Microsoft Exchange 2007 server
      2. Run the following cmdlet (the account used in this step cannot have domain administrator rights): 
        • Add-ADPermission -identity "Mailbox Store" -User "Trusted User" -AccessRights GenericAll
          • Example: Add-ADPermission -Identity "Mailbox Database" -User "master-domain\masynch" -AccessRights GenericAll
      3. Run the following cmdlet:  
        • foreach ($exchangeServer in Get-ExchangeServer){if ($exchangeServer.ServerRole -match 'ClientAccess'){Add-ADPermission -Identity $exchangeServer.DistinguishedName -User 'domain\user' -ExtendedRights ms-Exch-EPI-Impersonation}}
          • Example: foreach ($exchangeServer in Get-ExchangeServer){if ($exchangeServer.ServerRole -match 'ClientAccess'){Add-ADPermission -Identity $exchangeServer.DistinguishedName -User 'master-domain\masynch' -ExtendedRights ms-Exch-EPI-Impersonation}}
    3. Microsoft Exchange 2003 [MAPI]
      1. On Microsoft Exchange 2003 machine, start the ‘Microsoft Exchange System Manager’ ensuring that you are logged on as Administrator or you are using an account with administrative privileges
      2. Expand the ‘Servers’ node and then expand server which contains the Mailbox Store you need to modify
      3. Expand the Storage Group and right click on the Mailbox Store and select ‘Properties’
      4. Access the ‘Security’ tab
      5. Select a listed user from ‘Group or user names’ or click ‘Add’… to add the user to whom you granted special authority on all user mailboxes
      6. In the permissions list, click ‘Allow’ next to ‘Full Control’ to grant full control permissions to the user that you just created
      7. Repeat the procedure for all the Mailbox Stores configured in GFI Archiver
    4. Microsoft Office 365 [EWS] (GFI MailArchiver 2014 or newer only)
      1. Open a PowerShell session with the Azure module (if it is not installed, please refer to http://technet.microsoft.com/en-us/library/jj151815.aspx#bkmk_installmodule) or use the "Import-Module MSOnline" cmdlet
      2. Execute the following commands
        • Set-ExecutionPolicy RemoteSigned
        • $O365Cred = Get-Credential
        • $O365Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential $O365Cred -Authentication Basic -AllowRedirection
        • Import-PSSession $O365Session
        • Connect-MsolService -Credential $O365Cred
        • Enable-OrganizationCustomization
        • New-ManagementScope -name "MAUMPolling" -recipientrestrictionfilter {recipienttype -eq "UserMailbox"}
        • New-ManagementRoleAssignment -name "MAUMPollingRA" -role:applicationimpersonation -user "masynch@mydomain.com" -customrecipientwritescope "MAUMpolling"
      3. On-premise Active Directory requirements:
        • An on-premise Active Directory is required
        • Users which are to be folder synchronized in Office365 must be added into the local on-premise Active Directory
        • Users in Active Directory must have the MAIL field set which must map to the same email address of the corresponding user in Microsoft Office 365
  2. Logon Rights Assignment: The user needs to have logon rights on the GFI Archiver machine. This can be achieved by performing the following:
    1. Member Server
      1. Login onto the Domain Controller and ensure that you are logged on as Administrator or you are using an account with domain administrative privileges
      2. Enter the ‘Control Panel’ and select ‘Administrative Tools’ 
      3. Open the ‘Active Directory Users and Computers’ console
      4. Locate the user which was configured in the GFI Archiver Mailbox Folder Structure Retrieval
      5. Right Click on the user and select ‘Properties’
      6. Click on the ‘Account’ tab and then click on the ‘Log On To…’ button
      7. If you have selected the ‘The Following Computers’ option, then enter the computer name of the GFI Archiver server and click on the ‘Add’ Button
      8. Click the ‘Ok’ button to save changes
    2. Domain Controller: If you installed GFI Archiver on a domain controller, note that by default only Domain Administrators have logon rights on domain controllers. You can add a user to the domain controller security policy by performing the following:
      1. Microsoft Windows 2008
        1. Open the 'Group Policy Manager' from 'Administrative Tools'
        2. Expand the 'Forest' > 'Domains' > 'domain.com'
        3. Expand the 'Domain Controllers' node
        4. Right click on the 'Default Domain Controller Policy' and select 'Edit'
        5. Expand 'Computer Configuration' > 'Policies' > 'Windows Settings' > 'Security Settings' > 'Local Policies'
        6. Click on 'User Rights Assignment'
        7. In the right pane double click on the policy ‘Allow log on locally’
        8. Click on the ‘Add User or Group’ and enter the user which you have configured in the GFI Archiver Mailbox Synchronization configuration
      2. Microsoft Windows 2003
        1. Open the ‘Domain Controller Security Policy’ from ‘Administrative Tools’
        2. Expand the ‘Local Policy’ and click on ‘User Rights Assignment’
        3. In the right pane double click on the policy ‘Allow log on locally’
        4. Click on the ‘Add User or Group’ and enter the user which you have configured in the GFI Archiver Mailbox Folder Structure Retrieval configuration
  3. The user does not use a roaming profile
  4. Ensure that the user has Full Control rights for the GFI Archiver installation folder. You can do this by performing the following:
    1. Open Windows Explorer
    2. Browse to and right click on the ‘Archiver’ Folder and select ‘Properties’
    3. Click on the ‘Security’ Tab
    4. Select a listed user from ‘Group or user names’ or click ‘Add’… to add the user to whom you granted special authority on the GFI Archiver directory
    5. In the permissions list, click ‘Allow’ next to ‘Full Control’ to grant full control permissions to the user that you just created
  5. [MAPI only] Microsoft Outlook 32bit (the 64bit version is NOT supported for this feature) or "Microsoft Exchange Server MAPI Client and Collaboration Data Objects (MAPI/CDO)" needs to be installed if GFI Archiver is not installed on the same machine as Microsoft Exchange 2003
  6. Ensure that no Archive Stores in GFI Archiver are marked as read only. GFI Archiver would need to modify the Archive Store when an email is matched and assign it to the correct folder. To remove the read only attribute on a GFI Archiver Archive Store perform the following:
    1. Open GFI Archiver
    2. Navigate to Configuration > Archive Stores
    3. Click on the 'Edit Settings' Icon near the locked Archive Store
    4. Untick ‘Read-only access’
    5. Click 'Finish' to complete wizard
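
The ApplicationImpersonation assignment created for Exchange 2013 / 2010 and Office 365 above is only as narrow as the management scope it points to, so it is worth checking after it is created. The following is an added example, not GFI code: the function name `Test-ImpersonationAssignment` and the sample objects are hypothetical and constructed, shaped like the output of Get-ManagementRoleAssignment and Get-ManagementScope, and the filter check is a simple string match.

```powershell
# Added example, not GFI code: flag ApplicationImpersonation assignments that have
# no custom recipient write scope or whose scope is not limited to user mailboxes.
function Test-ImpersonationAssignment {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Assignments,
        [object[]] $Scopes = @()
    )
    foreach ($a in $Assignments) {
        $scopeName = "$($a.CustomRecipientWriteScope)"
        $scope = $Scopes | Where-Object { $_.Name -eq $scopeName } | Select-Object -First 1
        $finding = if (-not $scopeName) {
            'No custom recipient write scope set'
        } elseif (-not $scope) {
            "Scope '$scopeName' not found"
        } elseif ("$($scope.RecipientFilter)" -notmatch 'UserMailbox') {
            'Scope filter is not limited to UserMailbox'
        } else {
            'OK'
        }
        New-Object PSObject -Property @{
            Assignment = $a.Name
            Assignee   = $a.RoleAssigneeName
            Scope      = $scopeName
            Finding    = $finding
        } | Select-Object Assignment, Assignee, Scope, Finding
    }
}

# Constructed sample data (assumption: the assignee is listed by account name).
$scopes = @(
    New-Object PSObject -Property @{ Name = 'MAUMPolling'; RecipientFilter = "RecipientType -eq 'UserMailbox'" }
    New-Object PSObject -Property @{ Name = 'SampleWideScope'; RecipientFilter = 'Alias -ne $null' }
)
$assignments = @(
    New-Object PSObject -Property @{ Name = 'MAUMPollingRA'; RoleAssigneeName = 'masynch'; CustomRecipientWriteScope = 'MAUMPolling' }
    New-Object PSObject -Property @{ Name = 'SampleWideRA'; RoleAssigneeName = 'svc-sample'; CustomRecipientWriteScope = 'SampleWideScope' }
    New-Object PSObject -Property @{ Name = 'SampleUnscopedRA'; RoleAssigneeName = 'svc-sample2'; CustomRecipientWriteScope = $null }
)
Test-ImpersonationAssignment -Assignments $assignments -Scopes $scopes | Format-Table -AutoSize

# Live use from the Exchange Management Shell:
# Test-ImpersonationAssignment -Assignments (Get-ManagementRoleAssignment -Role ApplicationImpersonation) -Scopes (Get-ManagementScope)
```

With the sample data, only MAUMPollingRA is reported as OK; the other two rows show the findings a reviewer would follow up on.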
Notes
  • You can test that the user is able to access the mailboxes on Microsoft Exchange using Outlook Web Access from the GFI Archiver server. To test this, log on to a machine as the Mailbox Folder Structure Retrieval user and configure Microsoft Outlook to open a different mailbox, as follows:
  1. Open Microsoft Outlook with the Mailbox Folder Structure Retrieval user account
  2. Click on ‘Tools’ and select ‘Email Accounts’
  3. Select ‘View or change existing email accounts’ and click on next to proceed
  4. Click on the ‘Change’ button and then select ‘More Settings’ from the next screen
  5. Under the ‘Advanced’ Tab, click on the ‘Add’ button and enter the name of the mailbox you wish to add
  6. Click ‘Ok’ to save your changes
  • GFI Archiver will not retrieve the Mailbox Folder structure for a user's mailbox if that user is defined in the GFI Archiver User Exclude Options. You can ensure that a user is not listed in the user exclude options by performing the following:
  1. Open the GFI Archiver Configuration
  2. Expand 'Configuration' and click on the 'Archive Restrictions'
  3. If 'Enable Archiving Restriction' is enabled, ensure that the user is not defined in the user exclusion list
  • When configuring the GFI Archiver Mailbox Folder Structure Retrieval you might encounter the error message 'No Mailboxes found to Synchronize’. For further information, review the following: http://www.gfi.com/support/products/gfi-archiver/KBID003417
  • If you are running the GFI Archiver services under a user account (this is an unusual setup and not recommended; the services should run under "local system"), you need to make sure that the account under which the services run has Full Access permissions granted under Configuration > Roles and Permissions in the GFI Archiver web page
  • In mixed environments (for example in which mailboxes reside on Exchange 2003 and Exchange 2010) Mailbox Folder Structure Retrieval cannot work correctly against all mailboxes. GFI Archiver can only use one protocol (either MAPI or EWS) at a time, but in this scenario both would be needed.
