contentACCESS documentation – version 4.2


24.14. PowerShell scripts for setting up Email archive

The PowerShell scripts in this section help you set up your Email archive and check and grant the necessary permissions for the superuser.

Permissions for Email archive
The Email archive uses one account (called “superuser” in this section) to connect to the Exchange resources.
The Email archive accesses Exchange resources through remote PowerShell. Remote PowerShell must be enabled on the target Exchange server or Office 365.
There are multiple authentication options when connecting to remote PowerShell:

  • Kerberos
  • Negotiate
  • Digest
  • Basic
Note: The selected authentication method needs to be enabled on the Exchange Server.

The example below shows how to allow Basic authentication:

# Check if Basic Authentication is already allowed
Get-PowerShellVirtualDirectory | Format-List *auth*

# Allow Basic Authentication – replace the name of the virtual directory
Set-PowerShellVirtualDirectory -Identity "PowerShell (Default Web Site)" -BasicAuthentication $true


Connecting to remote PowerShell
This section helps you test the connection to remote PowerShell. You can use this connection to set up the permissions for the Email archive as well.
The following script prompts for credentials and connects to remote PowerShell. Do not forget to replace <ExchangeServerFQDN> with the fully qualified name of the Exchange Server (or ps.outlook.com for Office 365):

# <ExchangeServerFQDN> is a placeholder for the Exchange Server name
$ExServerPSURL = "https://<ExchangeServerFQDN>/PowerShell"
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $ExServerPSURL -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session

If the connection was successful, it will be possible to execute commands. If the connection was not successful, try another authentication method, such as Kerberos, and check whether the credentials are correct. When the connection is no longer needed, it is highly recommended to close the session:

Remove-PSSession $Session

For more information about how to connect to Exchange using remote PowerShell, please check this page.
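
The connection test above with authentication fallback and guaranteed session cleanup, as an added example that is not part of the contentACCESS documentation. It tries Kerberos and Negotiate before Basic, because Basic sends the password in a form protected only by the HTTPS channel; <ExchangeServerFQDN> is a placeholder.

```powershell
# Added example. <ExchangeServerFQDN> is a placeholder for the Exchange Server name.
$ExServerPSURL  = 'https://<ExchangeServerFQDN>/PowerShell'
$UserCredential = Get-Credential
$Session        = $null

try {
    # Try the stronger methods first; fall back to Basic only if they fail.
    foreach ($Auth in 'Kerberos', 'Negotiate', 'Basic') {
        try {
            $Session = New-PSSession -ConfigurationName Microsoft.Exchange `
                -ConnectionUri $ExServerPSURL -Credential $UserCredential `
                -Authentication $Auth -AllowRedirection -ErrorAction Stop
            Write-Host "Connected using $Auth authentication."
            break
        } catch {
            Write-Warning "$Auth authentication failed: $($_.Exception.Message)"
        }
    }
    if (-not $Session) { throw 'No authentication method succeeded.' }

    Import-PSSession $Session -DisableNameChecking -ErrorAction Stop | Out-Null

    # On-premises check from this page: which methods the virtual directory allows.
    Get-PowerShellVirtualDirectory | Format-List Name, *auth*
} finally {
    # Close the session even when a step above failed.
    if ($Session) { Remove-PSSession $Session }
}
```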

Access to resources
The email archive requires access to the following resources:

  • Exchange groups and mailboxes
  • Public folders (optional)
  • Mailbox permissions
  • Organization applications

The superuser account requires an active mailbox on the Exchange Server/Office 365 and the permissions included in the following role groups:

  • View only organization management
  • Public folder management
  • Org Marketplace apps

These built-in role groups allow access to the complete address book information of Exchange and allow installing/uninstalling Mail apps for the whole organization.

Recommended permissions
For a smoother and more transparent configuration process, we recommend creating a new role group especially for contentACCESS, which will include all the necessary roles. The role group is merely a collection of the necessary permissions. If an account is assigned to this role group, the account automatically receives all permissions necessary for the Email archive.

The following script can be used to create the role group and add members to it:

New-RoleGroup -Name "contentACCESS Management" -Roles "View-Only Recipients", "View-Only Configuration", "Public Folders", "Org Custom Apps", "Org Marketplace Apps" -Members superuser

On-premises Exchange Server
For on-premises Exchange Servers, the superuser requires additional access to the following resources:

  • Active Directory users and groups

The connection to Active Directory is configured in System -> Services -> System; scroll down to the section Active Directory integration settings. It is possible to use the same superuser account or a different account (recommended if the account is a member of Domain Administrators).

This account will connect to the configured domain controller or global catalog to access domain groups and users. The account requires read permission on groups and users. The account should be a member of Domain Administrators. If this is not possible, it is necessary to set up a Security group with read permissions over the Active Directory objects and add the account to this group.

Office 365 and Hybrid Exchange
These two do not have any special requirements.

Access to mailboxes
The Email archive requires access to mailboxes and optionally public folders.
contentACCESS can archive mailboxes using 2 different methods, each requiring different permissions:

  • Delegation
  • Impersonation

Delegation
When delegation is used, the superuser account requires full access permission to the archived mailboxes. The Exchange throttling is calculated for the superuser account and this might cause archive performance problems on Office 365.
The full access permission can be granted on individual mailboxes or on Mailbox databases. If permission is granted on individual mailboxes, the newly created mailboxes will not be accessible by the superuser. Therefore, the recommended approach is to set the permissions on mailbox database level (the process needs to be repeated for newly created mailbox databases).

On-premises Exchange Server
The following script grants access to all mailboxes in all mailbox databases:

#On-Prem Exchange:
#Set the permission for the superuser on all mailbox databases
#(replace <superuser> with the superuser account):
Get-MailboxDatabase | Add-ADPermission -User "<superuser>" -AccessRights 'ExtendedRight' -ExtendedRights 'Receive-As','ms-Exch-Store-Admin' -InheritanceType 'All'

The following script grants access to one specific mailbox:

#Set the permission for the superuser on one mailbox
#(replace <superuser> with the superuser account):
Add-MailboxPermission -Identity mailbox@domain.com -User "<superuser>" -AccessRights FullAccess -InheritanceType All -Automapping $false

Office 365
The following script grants access to all mailboxes currently available:

#O365:
#Set the permission for the superuser on all mailboxes:
Get-Mailbox | Add-MailboxPermission -User superuser -AccessRights fullaccess -InheritanceType all

The following script grants access to one specific mailbox:

#Set the permission for the superuser on one mailbox:
Add-MailboxPermission -Identity mailbox@domain.com -User superuser -AccessRights FullAccess -InheritanceType All -Automapping $false

Impersonation
Impersonation has multiple benefits:

  • if a new user is added to Exchange, the superuser automatically has permissions to it
  • it is easy to set up

Impersonation has a big impact on Office 365 archiving. It allows more emails/mailboxes to be archived, since the throttling is calculated not for one account but for each archived mailbox individually. Therefore, if multiple mailboxes are archived, the throughput will be higher.

When impersonation is used, the superuser account requires one additional role: ApplicationImpersonation. With this role, the superuser account is able to access all the mailboxes in the organization. The Exchange throttling is calculated for each accessed mailbox individually. This method is recommended when archiving Office 365.

The following script grants the ApplicationImpersonation role to the superuser:

New-ManagementRoleAssignment -name:contentACCESSImpersonation -Role:ApplicationImpersonation -User:superuser

Note: If the O365 user has a “desktopless” license, the account cannot be used for impersonation, because EWS access is disabled for such users (they are unable to connect to EWS).
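
A read-only check of the permissions granted in this section, as an added example that is not part of the contentACCESS documentation. It assumes an imported Exchange remote PowerShell session and uses the account, role group and sample mailbox names shown on this page.

```powershell
# Added example: read-only audit of the superuser setup. Nothing is modified.
$SuperUser   = 'superuser'                 # account name as used on this page
$RoleGroup   = 'contentACCESS Management'  # role group created on this page
$TestMailbox = 'mailbox@domain.com'        # sample mailbox from this page
$Expected    = 'View-Only Recipients', 'View-Only Configuration',
               'Public Folders', 'Org Custom Apps', 'Org Marketplace Apps'

# 1. Role group: compare the assigned roles with the expected set, list members.
if (Get-RoleGroup -Identity $RoleGroup -ErrorAction SilentlyContinue) {
    $Assigned = @(Get-ManagementRoleAssignment -RoleAssignee $RoleGroup |
        ForEach-Object { "$($_.Role)" })
    $Missing = @($Expected | Where-Object { $Assigned -notcontains $_ })
    $Extra   = @($Assigned | Where-Object { $Expected -notcontains $_ })
    if ($Missing) { Write-Warning "Missing roles: $($Missing -join ', ')" }
    if ($Extra)   { Write-Warning "Unexpected roles: $($Extra -join ', ')" }
    Get-RoleGroupMember -Identity $RoleGroup | Format-Table Name, RecipientType
} else {
    Write-Warning "Role group '$RoleGroup' not found."
}

# 2. Impersonation: every effective holder of the role, with its write scope.
#    Accounts other than the superuser in this list deserve a review.
Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers |
    Format-Table Name, EffectiveUserName, RecipientWriteScope, CustomRecipientWriteScope

# 3. Delegation: rights of the superuser on the sample mailbox. IsInherited = True
#    means the right was inherited from a parent object (for example the mailbox
#    database) rather than granted on the mailbox itself.
Get-MailboxPermission -Identity $TestMailbox -User $SuperUser |
    Format-Table Identity, User, AccessRights, IsInherited, Deny

# 4. On-premises only: extended rights granted on the mailbox databases.
if (Get-Command Get-ADPermission -ErrorAction SilentlyContinue) {
    Get-MailboxDatabase | Get-ADPermission -User $SuperUser |
        Where-Object { $_.ExtendedRights } |
        Format-Table Identity, User, ExtendedRights, IsInherited
}
```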