.. _domain_service_accounts:


Domain Service Accounts
-----------------------

A domain account with the appropriate privileges is required for each of the
applications managed by VOSS-4-UC: Active Directory, Skype for Business Server,
Exchange Server, Skype for Business Online / Teams, and Exchange Online. You may
use the same domain account for all of these applications, or you may create a
separate account for each. The choice will depend on your organization's security
requirements.

The minimum privileges required to manage each application are listed in the
table below. 

.. important::

   In addition, any domain service account used by VOSS-4-UC to manage a UC
   application must be a member of the local Remote Management Users security
   group on the PowerShell Proxy.


.. _table_3:


Minimum Privileges by UC Application

.. tabularcolumns:: |p{4.5cm}|p{10.5cm}|

+---------------------------+-----------------------------------------------+
| UC Application            | Service Account Minimum Required Privileges   |
+===========================+===============================================+
| Active Directory          | AD (general [#]_): Read                       |
|                           |                                               |
|                           | AD (managed OU [#]_): Read + Write            |
+---------------------------+-----------------------------------------------+
| Skype for Business Server | Security group membership:                    |
|                           |                                               |
|                           | * RTCUniversalServerAdmins                    |
+---------------------------+-----------------------------------------------+
| Exchange Server           | Security group membership:                    |
|                           |                                               |
|                           | * Recipient Management                        |
|                           | * UM Management                               |
+---------------------------+-----------------------------------------------+
| Microsoft Online /        | Office 365 admin role:                        |
| Skype for Business Online |                                               |
|                           | * Skype for Business administrator            |
+---------------------------+-----------------------------------------------+
| Exchange Online           | Create a custom role group with the following |
|                           | assigned roles:                               |
|                           |                                               |
|                           | * Address Lists                               |
|                           | * Mail Recipient Creation                     |
|                           | * Mail Recipients                             |
|                           | * Mailbox Import Export                       |
|                           | * Migration                                   |
|                           | * Move Mailboxes                              |
|                           | * Reset Password                              |
|                           | * SendMailApplication                         |
|                           | * UM Mailboxes                                |
+---------------------------+-----------------------------------------------+

.. [#] As an Authenticated User, the service account should already have read access to Active Directory.
.. [#] Read and write permissions are required for the parent OU containing the user and contact objects
   managed by VOSS-4-UC. Be sure to apply those permissions to the parent OU and all descendant objects.
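
The following audit script is an added example, not part of the VOSS-4-UC product or its documentation. It checks a service account against the on-premises group rows of the table and the Remote Management Users requirement; it does not cover the Active Directory OU permissions or the online roles. The account name ``svc-voss`` and the list of groups treated as excess privilege are assumptions, and the script is assumed to run on the PowerShell Proxy with the RSAT ActiveDirectory module installed.

```powershell
# Added example: least-privilege audit for a VOSS-4-UC domain service account.
Import-Module ActiveDirectory

$Account = 'svc-voss'   # hypothetical service account name

# Minimum security groups per UC application, taken from the table above.
$Required = [ordered]@{
    'Skype for Business Server' = @('RTCUniversalServerAdmins')
    'Exchange Server'           = @('Recipient Management', 'UM Management')
}

# Assumption: broad groups that go beyond the documented minimum. Adjust to local policy.
$Excessive = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Organization Management')

$user = Get-ADUser -Identity $Account

# LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) returns direct and nested
# group memberships, so privilege gained through group nesting is also reported.
# Assumption: the account DN contains no characters that need LDAP filter escaping.
$groups = @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))")

# One result row per required group.
$report = @(foreach ($app in $Required.Keys) {
    foreach ($g in $Required[$app]) {
        [pscustomobject]@{ Check = "$app : $g"; Pass = ($groups.Name -contains $g) }
    }
})

# The account, or a domain group it belongs to, must be in the local
# Remote Management Users group on the PowerShell Proxy. Compare by SID.
$sids = @($user.SID.Value) + @($groups | ForEach-Object { $_.SID.Value })
$rm   = @(Get-LocalGroupMember -Group 'Remote Management Users' |
          Where-Object { $sids -contains $_.SID.Value })
$report += [pscustomobject]@{
    Check = 'PowerShell Proxy : Remote Management Users'
    Pass  = ($rm.Count -gt 0)
}

# Flag memberships that exceed the minimum privileges listed in the table.
foreach ($g in @($groups.Name | Where-Object { $Excessive -contains $_ })) {
    $report += [pscustomobject]@{ Check = "Excess privilege : $g"; Pass = $false }
}

$report | Format-Table -AutoSize
```

If you use a separate domain account per application, run the script once per account and trim ``$Required`` to the application that account manages.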