Cisco Unity System Administration Guide (With Microsoft Exchange), Release 4.0(5)
Accessing the Cisco Unity Administrator

Table Of Contents

Accessing the Cisco Unity Administrator

Accessing and Exiting the Cisco Unity Administrator

Logging On to the Cisco Unity Administrator

Exiting the Cisco Unity Administrator

Browsing to Another Cisco Unity Administrator from the Local Cisco Unity Administrator

Cisco Unity Administrator Accounts

About the Accounts That Can Be Used to Administer Cisco Unity

Creating Subscriber Accounts That Can Be Used to Access the Cisco Unity Administrator

Granting Administrative Rights to Other Cisco Unity Servers


Accessing the Cisco Unity Administrator


The Cisco Unity Administrator is a website that you use to do most administrative tasks. Administrative tasks include determining system schedules, specifying settings for individual subscribers (or for a group of subscribers by using a subscriber template), and implementing a call management plan.

See the following sections in this chapter for more information:

Accessing and Exiting the Cisco Unity Administrator—This section explains how to access and exit the Cisco Unity Administrator.

Browsing to Another Cisco Unity Administrator from the Local Cisco Unity Administrator—When multiple Cisco Unity servers are networked together, you can access the Cisco Unity Administrator on another Cisco Unity server.

Cisco Unity Administrator Accounts—This section describes the type of accounts that you can use to access the Cisco Unity Administrator, and the ways in which you create additional accounts or grant administrative rights to existing accounts so that they can be used to administer Cisco Unity.

For information on changing the authentication method used by the Cisco Unity Administrator and defining account policies for Cisco Unity Administrator logons, passwords, and lockouts, refer to the Cisco Unity Security Guide. The guide is available at http://www.cisco.com/en/US/products/sw/voicesw/ps2237/prod_maintenance_guides_list.html.

Accessing and Exiting the Cisco Unity Administrator

To learn about accessing and exiting the Cisco Unity Administrator, see the following sections:

Logging On to the Cisco Unity Administrator

Exiting the Cisco Unity Administrator

Logging On to the Cisco Unity Administrator

Although the way in which you log on to the Cisco Unity Administrator depends on the type of authentication that it uses, the account that you use to log on remains the same: you can use either the administration account that was selected when Cisco Unity was installed, or you can use an applicable Windows domain account. For information on which accounts can be used to access the Cisco Unity Administrator, see the "About the Accounts That Can Be Used to Administer Cisco Unity" section.


Note Until you create a Cisco Unity subscriber account for the purpose of administering Cisco Unity, you must use the Windows credentials associated with the administration account that was selected when Cisco Unity was installed to log on to the Cisco Unity Administrator. See the "Cisco Unity Administrator Accounts" section for details.


To log on to the Cisco Unity Administrator, use the applicable procedure in this section. Note that Cisco Unity does not permit more than five administrators to access the Cisco Unity Administrator at the same time.

To protect the Cisco Unity Administrator from unauthorized access, refer to the "Determining Which Authentication Method to Use for the Cisco Unity Administrator and Status Monitor" section in the "Authentication for Cisco Unity Applications" chapter of the Cisco Unity Security Guide. The guide is available at http://www.cisco.com/en/US/products/sw/voicesw/ps2237/prod_maintenance_guides_list.html.

To Log On to the Cisco Unity Administrator When It Uses Integrated Windows Authentication


Step 1 Log on to Windows on the Cisco Unity server (or a remote computer) by using either the administration account that was selected when Cisco Unity was installed, or an applicable Windows domain account.

Step 2 If you logged on to the Cisco Unity Administrator on the Cisco Unity server, right-click the Cisco Unity icon in the status area of the taskbar, and click Launch System Admin.

If you logged on to the Cisco Unity Administrator on a computer other than the Cisco Unity server, start Internet Explorer, and go to http://<Cisco Unity server name>/web/sa.

Step 3 If Internet Explorer prompts you, enter either the user name, password, and domain for the administration account that was selected when Cisco Unity was installed, or an applicable Windows domain account.


To Log On to the Cisco Unity Administrator When It Uses Anonymous Authentication


Step 1 Log on to Windows on the Cisco Unity server (or a remote computer) by using any domain account that has the right to log on locally.

Step 2 If you logged on to the Cisco Unity Administrator on the Cisco Unity server, right-click the Cisco Unity icon in the status area of the taskbar, and click Launch System Admin.

If you logged on to the Cisco Unity Administrator on a computer other than the Cisco Unity server, start Internet Explorer, and go to http://<Cisco Unity server name>/web/sa.

Step 3 On the Cisco Unity Log On page, enter either the user name, password, and domain for the administration account that was selected when Cisco Unity was installed, or enter the user name, password, and domain for an applicable Windows domain account, and click Log On.

You can use the settings on the Authentication page in the Cisco Unity Administrator to specify whether the Log On offers the following options:

Remember User Name

Remember Password

Remember Domain

When you specify that Cisco Unity will remember your user name, password, or domain, you will not have to enter them the next time that you log on. Instead, the fields are automatically populated in the Log On page.


Exiting the Cisco Unity Administrator

To Exit the Cisco Unity Administrator


Step 1 Click the Log Off button on the lower left area of the Cisco Unity Administrator page.

Step 2 Exit Internet Explorer.


Browsing to Another Cisco Unity Administrator from the Local Cisco Unity Administrator

Each Cisco Unity Administrator provides links to the Cisco Unity Administrator websites on other networked Cisco Unity servers. By clicking the links, you can access subscriber accounts and other Cisco Unity objects on another Cisco Unity server simply by browsing to the Cisco Unity Administrator on the Cisco Unity server on which those accounts and objects were created.

When you want to find a subscriber account, but do not know on which Cisco Unity server in the network the account was created, you can search for it from any subscriber page in the Cisco Unity Administrator on your local Cisco Unity server by using the Find icon.

When the Cisco Unity Administrator uses the Integrated Windows authentication method, you are not required to re-enter your Windows domain account credentials when you browse to another Cisco Unity Administrator website from your local Cisco Unity server. Note that this is true only if you log on to the Cisco Unity Administrator on your local server by using the credentials of a Windows domain account that is associated with a Cisco Unity subscriber account that has appropriate class of service (COS) rights on the remote Cisco Unity server.

However, when the Cisco Unity Administrator uses the Anonymous authentication method, you are prompted to enter authentication credentials regardless of the account you used to log on to the Cisco Unity Administrator on your local server. In this case, simply enter the applicable credentials for the Cisco Unity Administrator website that you want to access.

To Browse to Another Cisco Unity Administrator on a Networked Cisco Unity Server


Step 1 Near the bottom of the navigation bar on the left side of the Cisco Unity Administrator interface, click Unity Servers. The Server Chooser page appears.

Step 2 From the list, click the server that you want to access.

Step 3 If prompted, enter the applicable credentials to gain access to the Cisco Unity Administrator that you want to access.

Another instance of the Cisco Unity Administrator appears in a separate browser window. This is the Cisco Unity Administrator website of the Cisco Unity server that you selected.


Do the following procedure to use the Cisco Unity Administrator on your local Cisco Unity server to search for subscriber accounts on other Cisco Unity servers in the network.

To Search for Subscriber Accounts Created on a Cisco Unity Server Other than Your Local Cisco Unity Server


Step 1 In the Cisco Unity Administrator, go to any Subscribers > Subscribers page.

Step 2 Click the Find icon.

Step 3 Indicate whether to search by alias, extension, first name, or last name.

Step 4 Enter the applicable alias, extension, or name. You also can enter * to display a list of all subscribers, or enter one or more characters or values followed by * to narrow your search.

Step 5 Check the Search All Cisco Unity Servers check box.

Step 6 Click Find.

Step 7 On the list of matches, click the name of the subscriber to display the record.

Step 8 If prompted, enter the applicable credentials to gain access to the Cisco Unity Administrator that you want to access.

Another instance of the Cisco Unity Administrator appears in a separate browser window. This is the Cisco Unity Administrator website of the Cisco Unity server on which the subscriber account was created. The subscriber profile page is displayed in the new browser window.


Cisco Unity Administrator Accounts

See the following sections:

About the Accounts That Can Be Used to Administer Cisco Unity

Creating Subscriber Accounts That Can Be Used to Access the Cisco Unity Administrator

Granting Administrative Rights to Other Cisco Unity Servers

About the Accounts That Can Be Used to Administer Cisco Unity

To access the Cisco Unity Administrator, administrators can use one of the following accounts:

Administration account

This is the account that was selected during installation to administer Cisco Unity. The administration account is automatically associated with a Cisco Unity subscriber account that has COS rights to access the Cisco Unity Administrator.

A Windows domain account associated with a Cisco Unity subscriber account that has COS rights to access the Cisco Unity Administrator

In order for administrators to log on to the Cisco Unity Administrator on the Cisco Unity server, this account must be a member of one of the following Admins groups, as applicable:

Domain Admins group (when the Cisco Unity server is a domain controller)

Local Administrators group (when the Cisco Unity server is a member server)

Otherwise, the account must at least have the right to log on locally so that administrators can log on to the Cisco Unity Administrator from a computer other than the Cisco Unity server.


Until you create a Cisco Unity subscriber account specifically for the purpose of administering Cisco Unity, you must use the Windows credentials associated with the administration account that was selected when Cisco Unity was installed to log on to the Cisco Unity Administrator.

Consider using an alternative to the administration account, if you want to do the following:

Limit the use of the administration account. The COS assigned to the administration account has full system access rights to the Cisco Unity Administrator. This means that not only can the administration account access all pages in the Cisco Unity Administrator, but it also has read, edit, add, and delete privileges for all Cisco Unity Administrator pages.

Ensure that there are additional accounts available that can be used to access the Cisco Unity Administrator if the administration account is deleted or corrupted.

The Cisco Unity subscriber accounts that are used to access the Cisco Unity Administrator must have the appropriate COS rights. COS rights specify which tasks, if any, administrators can do in the Cisco Unity Administrator. For example, some subscriber accounts that are used for administrator access can be associated with a COS that provides read-only access, or that restricts administrators to access of specific pages in the Cisco Unity Administrator for the purpose of unlocking accounts or changing passwords. (For more information, see the "Class of Service System Access Settings" section on page 11-5.)

In addition to COS rights, subscriber accounts that are used to access the Cisco Unity Administrator must be associated with a Windows domain account.

To create additional subscriber accounts for the purposes of accessing the Cisco Unity Administrator, complete the procedures in the "Creating Subscriber Accounts That Can Be Used to Access the Cisco Unity Administrator" section. If you prefer not to create a specific subscriber account for each administrator who needs to access the Cisco Unity Administrator, you can use the GrantUnityAccess utility to associate one or more Windows domain accounts with a single subscriber account. For more information about using the GrantUnityAccess utility, see the "Granting Administrative Rights to Other Cisco Unity Servers" section.


Note As a best practice, we recommend that Cisco Unity administrators not use the same subscriber account to log on to the Cisco Unity Administrator that they use to log on to the Cisco PCA to manage their own Cisco Unity accounts. In addition, they should not use Unity service accounts to administer Cisco Unity.


Creating Subscriber Accounts That Can Be Used to Access the Cisco Unity Administrator

To create additional subscriber accounts for the purposes of accessing the Cisco Unity Administrator, you use the same procedures that you use for creating regular subscriber accounts (as detailed in the "Creating Subscriber Accounts" chapter. However, if you want administrators to be able to log on to the Cisco Unity Administrator on the Cisco Unity server, you will also need to add their Windows domain accounts either to the local Administrators group—when the Cisco Unity server is a member server—or to the Domain Admins group—when the Cisco Unity server is a domain controller. You can do the applicable procedures in this section either before or after you create subscriber accounts. Until this is done, administrators can access the Cisco Unity Administrator only from another computer.

To Add the Windows Domain Account to the Local Administrators Group (When the Cisco Unity Server Is a Member Server)


Step 1 On the Cisco Unity server, on the Windows Start menu, click Programs > Administrative Tools > Computer Management.

Step 2 In the left pane of the Computer Management MMC, expand System Tools > Local Users and Groups.

Step 3 In the left pane, click Users.

Step 4 In the right pane, double-click the administration account.

Step 5 In the Properties dialog box, click the Member Of tab.

Step 6 Click Add.

Step 7 In the Select Groups dialog box, in the top list, double-click Administrators.

Step 8 Click OK to close the Select Groups dialog box.

Step 9 Click OK to close the Properties dialog box.

Step 10 Close the Computer Management MMC.


To Add the Windows Domain Account to the Domain Admins Group (When the Cisco Unity Server Is a Domain Controller)


Step 1 On the Cisco Unity server, log on to Windows by using an account that is a member of the Domain Admins group.

Step 2 On the Windows Start menu, click Programs > Microsoft Exchange > Active Directory Users and Computers or click Programs > Administrative Tools > Active Directory Users and Computers.

Step 3 In the left pane, expand the domain, and click Users.

Step 4 In the right pane, double-click the name of the administration account.

Step 5 Click the Members Of tab.

Step 6 Click Add.

Step 7 In the Select Groups dialog box, in the top list, double-click Domain Admins.

Step 8 Click OK to close the Select Groups dialog box.

Step 9 Click OK to close the Properties dialog box.

Step 10 Close Active Directory Users and Computers.


Granting Administrative Rights to Other Cisco Unity Servers

Rather than create subscriber accounts on each server for each person who needs to administer Cisco Unity, you can use the GrantUnityAccess utility to associate any number of Windows domain accounts with a single Cisco Unity subscriber account. GrantUnityAccess maintains a table of the associated Windows domain accounts and Cisco Unity subscriber accounts that Cisco Unity references when someone tries to access the Cisco Unity Administrator (regardless of the authentication method used by the Cisco Unity Administrator). This table is used to determine whether to permit someone access to the Cisco Unity Administrator.

Before you use GrantUnityAccess, consider the following:

The Windows domain account(s) that you want to associate with a subscriber account must either be in the same domain as the Cisco Unity server or in a trusted domain. In addition, if you want administrators to be able to log on to the Cisco Unity Administrator on the Cisco Unity server, you must add the Windows domain account to the applicable Admins group (see the "Creating Subscriber Accounts That Can Be Used to Access the Cisco Unity Administrator" section for a detailed procedure.) Otherwise, the domain account must at least have the right to log on locally so that administrators can log on to the Cisco Unity Administrator from a computer other than the Cisco Unity server.

As a best practice, the Windows domain accounts that are associated with subscriber accounts should require strong passwords. Set your domain account policy in Windows to require them.

You can associate multiple domain accounts with a single subscriber account.

You can associate Windows domain account(s) with any subscriber account, as long as the subscriber account has COS rights to access the Cisco Unity Administrator. This includes the administration account that was selected when Cisco Unity was installed.

Because the administration account is associated with a COS that offers unlimited access to the Cisco Unity Administrator, consider associating the Windows domain account(s) used by administrators with a different subscriber account that you create on each Cisco Unity server—one that has more limited COS rights. In this way, you can customize the level of access for the administrators in your organization. (For more information, see the "Class of Service System Access Settings" section on page 11-5.)

If there are several servers that the administrators need access to, you can create a batch file that contains the commands to grant access to the applicable servers. In this way, you can avoid entering the commands repeatedly.

Use the following procedure to run GrantUnityAccess. Note that you cannot run GrantUnityAccess remotely across a network, so you will need to run it on each Cisco Unity server that you want to make accessible, and for each account that you want to map. See the "Sample GrantUnityAccess Arguments" section for an example of how this utility is used, and for argument syntax details.

To Use the GrantUnityAccess Utility


Step 1 Log on to Windows on the Cisco Unity server by using either the administration account that was selected when Cisco Unity was installed or a Windows domain account that is a member of the local Administrators group on the Cisco Unity server.

Step 2 On the Cisco Unity server desktop, double-click the Cisco Unity Tools Depot icon.

Step 3 In the left pane, expand Diagnostic Tools, and double-click Grant Unity Access to display a command prompt window.

Step 4 To associate a Windows domain account with a Cisco Unity subscriber account, enter:

GrantUnityAccess -u <Domain>\<UserAlias> -s <UnitySubscriberAlias>


Sample GrantUnityAccess Arguments

For example, assume that JSmith and KChen are the aliases of administrators who need access to the Cisco Unity Administrator on another Cisco Unity server, and that their Windows domain accounts are in a domain called NewYorkDomain. To associate their Windows domain accounts with the administration account that was selected when Cisco Unity was installed, run GrantUnityAccess two times as follows:

GrantUnityAccess -u NewYorkDomain\JSmith -s <UnitySubscriberAlias for administration account>

GrantUnityAccess -u NewYorkDomain\KChen -s <UnitySubscriberAlias for administration account>

Rather than specifying the administration account, you could associate the Windows domain account for Neil Jones with the subscriber account for Kelly Bader instead:

GrantUnityAccess -u NewYorkDomain\NJones -s KBader

To obtain a list of accounts that have been associated with Cisco Unity subscriber accounts, enter:

GrantUnityAccess -l

To delete an association made previously using GrantUnityAccess, enter:

GrantUnityAccess -u <Domain>\<UserAlias> -s <UnitySubscriberAlias> -d

To display information about these and other arguments, enter:

GrantUnityAccess -?