Domain Service Accounts

A domain account with the appropriate privileges is required for each of the applications managed by VOSS-4-UC: Active Directory, Skype for Business Server, Exchange Server, Skype for Business Online / Teams, and Exchange Online. You may use the same domain account for all of these applications, or you may create a separate account for each. The choice will depend on your organization’s security requirements.

The minimum privileges required to manage each application are listed in the table below.

Important

In addition, any domain service account used by VOSS-4-UC to manage a UC application must be a member of the local Remote Management Users security group on the PowerShell Proxy.

Minimum Privileges by UC Application

UC Application Service Account Minimum Required Privileges
Active Directory

AD (general [1]): Read

AD (managed OU [2]): Read + Write
Skype for Business Server

Security group membership:

  • RTCUniversalServerAdmins
Exchange Server

Security group membership:

  • Recipient Management
  • UM Management

Microsoft Online /

Skype for Business Online

Office 365 admin role:

  • Skype for Business administrator
Exchange Online

Create a custom role group with the following assigned roles:

  • Address Lists
  • Mail Recipient Creation
  • Mail Recipients
  • Mailbox Import Export
  • Migration
  • Move Mailboxes
  • Reset Password
  • SendMailApplication
  • UM Mailboxes
[1]As an Authenticated User, the service account should already have read access to Active Directory.
[2]Read and write permissions are required for the parent OU containing the user and contact objects managed by VOSS-4-UC. Be sure to apply those permissions to the parent OU and all descendant objects.