Restricted Group acting like Domain Admins

I have configured Restricted Groups in a GPO in mydomains.com.
So I added a group called 'ABC_Support', and in the second box ("This group is a member of") I put Administrators.
In the ABC_Support group there is one user called 'tech_admin'.
Result: the GPO was successfully pushed to the workstations, ABC_Support is a member of the local Administrators group, and tech_admin is able to administer the workstations.
Problem: on the domain controller, you will see that ABC_Support is also a member of the built-in Administrators group. tech_admin is able to access the domain controller remotely, can create users, and is really like a domain admin.
Is there any solution that prevents this problem? Is this behaviour normal? Is Restricted Groups designed like that? I know there is a GPO setting under User Configuration, "Local Users and Groups".

Hi Ben,
As others suggested, please make sure that the Restricted Groups setting is not applied to domain controllers. To do this, we can link the GPO to the OU where all workstations reside, or we can use security filtering or a WMI filter to filter out domain controllers if we link the GPO at the domain scope.
Besides, as you know, instead of Restricted Groups we can also use the Group Policy Preferences Local Users and Groups extension to make a domain user a local admin. In this way we can use GPP item-level targeting to apply our settings to specific targets.
Regarding this point, the following article can be referred to for more information.
How to use Group Policy Preferences to Secure Local Administrator Groups
http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/
In addition, regarding security filtering, WMI filtering, and ILT, the following blog can be referred to for more information.
Security Filtering, WMI Filtering, and Item-level Targeting in Group Policy Preferences
http://blogs.technet.com/b/grouppolicy/archive/2009/07/30/security-filtering-wmi-filtering-and-item-level-targeting-in-group-policy-preferences.aspx
Best regards,
Frank Shen
I have applied the GPO for ABC_Support (Restricted Groups) with WMI filtering, and it is not applied to the domain controllers. On the Domain Controllers OU, I made another GPO to deny this group Remote Desktop and local logon so that the group will not be able to do unexpected activity.
However, I found that "\\mydomaincontrollers\Anydrive$", such as \\c$, can be accessed from the workstations OU. If I deny Terminal Services logon in a GPO on the domain abc.local, it applies to all computers, and shared folders such as '\\servers\example' cannot be accessed if I deny logon through Terminal Services. Why is that? I suppose network and mapped shared folders use different ports and Remote Desktop/Terminal Services use different ports.
There are thousands of workstations in the computer OU, in different child domains and parent domains as well, that I need to manage, so it's really hard for me to move them to another OU.
Please advise.
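The checks below are an added example (not a script from this thread), written in PowerShell against the RSAT ActiveDirectory and GroupPolicy modules. They cover both posts above: the WMI filter that keeps a Restricted Groups GPO off domain controllers, an inventory of where every Restricted Groups GPO is linked (generalised to all GPOs, not just the ABC_Support one), an audit of the domain's built-in Administrators group, and, for the admin-share question in the follow-up, the user rights that govern network logon separately from Remote Desktop logon. The SOMPath format, the expected-member baseline and the function names are assumptions.

```powershell
# Added example, not code from the thread. Assumes the RSAT ActiveDirectory and
# GroupPolicy modules are installed and the caller can read GPOs and the Builtin
# container. Names taken from the thread: domain mydomains.com, group ABC_Support.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# 1. WMI filter query that keeps a Restricted Groups GPO off domain controllers.
#    Win32_OperatingSystem.ProductType: 1 = workstation, 2 = DC, 3 = member server.
#    Paste the query into a new WMI filter in GPMC and attach it to the GPO.
$NotDcQuery = 'SELECT * FROM Win32_OperatingSystem WHERE ProductType = "1" OR ProductType = "3"'

function Test-FilterAppliesHere {
    # Runs the same WQL locally: $true on a workstation/member server, $false on a DC.
    return [bool](Get-CimInstance -Query $NotDcQuery -ErrorAction SilentlyContinue)
}

# 2. Every GPO carrying a Restricted Groups entry: the target group, the
#    "This group is a member of" list, and every link target (SOMPath, assumed
#    to look like "mydomains.com/Workstations"). A link at the bare domain name
#    reaches the Domain Controllers OU, which is how ABC_Support ended up in the
#    domain's Builtin\Administrators.
function Get-RestrictedGroupsLinks {
    foreach ($gpo in Get-GPO -All) {
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        $entries = $report.SelectNodes("//*[local-name()='RestrictedGroups']")
        if ($entries.Count -eq 0) { continue }
        $links = @($report.SelectNodes("//*[local-name()='LinksTo']") |
                   ForEach-Object { $_.SelectSingleNode("*[local-name()='SOMPath']").InnerText })
        foreach ($e in $entries) {
            $group    = $e.SelectSingleNode("*[local-name()='GroupName']/*[local-name()='Name']").InnerText
            $memberOf = @($e.SelectNodes("*[local-name()='Memberof']/*[local-name()='Name']") |
                          ForEach-Object { $_.InnerText })
            [pscustomobject]@{
                Gpo        = $gpo.DisplayName
                Group      = $group
                MemberOf   = $memberOf -join ';'
                LinkedTo   = $links -join ';'
                ReachesDCs = [bool]($links | Where-Object { $_ -notmatch '/' -or $_ -match 'Domain Controllers$' })
            }
        }
    }
}

# 3. Audit the domain's built-in Administrators group (SID S-1-5-32-544), which
#    is what "local Administrators" means on a DC. Members outside the expected
#    baseline (assumed here: Administrator, Domain Admins, Enterprise Admins)
#    are returned for review.
function Get-UnexpectedBuiltinAdminMembers {
    param([string[]]$Expected = @('Administrator', 'Domain Admins', 'Enterprise Admins'))
    Get-ADGroupMember -Identity 'S-1-5-32-544' |
        Where-Object { $Expected -notcontains $_.SamAccountName } |
        Select-Object SamAccountName, objectClass, SID
}

# 4. Admin shares such as \\dc\c$ are reached through a network logon, governed
#    by SeNetworkLogonRight / SeDenyNetworkLogonRight; Remote Desktop is a
#    separate logon type governed by SeRemoteInteractiveLogonRight and its Deny
#    counterpart. Denying one does not deny the other. Export the effective local
#    policy (needs admin rights) and show the four assignments side by side.
function Get-LogonRightAssignments {
    $tmp = Join-Path $env:TEMP 'secpol-export.inf'
    secedit.exe /export /cfg $tmp /quiet | Out-Null
    $wanted = 'SeNetworkLogonRight', 'SeDenyNetworkLogonRight',
              'SeRemoteInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight'
    foreach ($line in Get-Content $tmp) {
        if ($line -match '^(Se\w+)\s*=\s*(.*)$' -and $wanted -contains $Matches[1]) {
            # Holders are listed as *SID entries, e.g. *S-1-5-32-544 for Administrators
            [pscustomobject]@{ Right = $Matches[1]; Holders = $Matches[2] }
        }
    }
    Remove-Item $tmp -ErrorAction SilentlyContinue
}

Get-RestrictedGroupsLinks | Where-Object ReachesDCs | Format-Table -AutoSize
Get-UnexpectedBuiltinAdminMembers | Format-Table -AutoSize
Get-LogonRightAssignments | Format-Table -AutoSize
```

Run it on a domain controller as a member of Domain Admins; a row from the first table with ReachesDCs set to True is the GPO that needs the WMI filter or a narrower link.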

Similar Messages

  • DFS - The replication group cannot be created - insufficient permissions - NOT DOMAIN ADMIN, LOCAL ADMIN

    Hi,
    I am trying to set up DFS replication on two servers. I am a local admin on the servers but NOT a domain account. Is it possible to create a replication group anyway, or should I contact the domain administrator to do the job?
    Thanks

    Hi,
    We cannot use a local administrator to create a DFS replication group. By default, the Domain Admins group can create a DFS replication group. You could also delegate to a user or group the ability to create replication groups; the user must also be added to the local Administrators group on the namespace server.
    For more detailed information, please refer to the article below:
    Delegate the Ability to Manage DFS Replication
    http://msdn.microsoft.com/en-us/library/cc771465.aspx
    Best Regards,
    Mandy 

  • Prevent Active Directory Parent Domain Admins from accessing Child Domain

    We want to prevent Parent domain administrators (or a similar profile?) from accessing and/or administering child domains. Is this possible, or do parent domain admins have irrevocable administrative access to any child domain?
    Asked another way, can a restricted profile be configured for administration of the parent domain that does not cross domain boundaries effectively isolating each domain's administrative needs?
    Thanks in advance for input and advice!
    Best regards.

    Sorry, I was replying again after I read your second paragraph. The parent domain is the Forest root. we have parentdomain.com
    parent.parentdomain.com
    child1.parentdomain.com
    child2.parentdomain.com
    child3.parentdomain.com
    We do not want the Domain Administrator for parentdomain.com to be able to administer, or preferably, even access the Child Domains.
    1.) Can we remove that user from "Enterprise Admin" role and assign a different role so that they can only administer parentdomain.com (effectively demoting that user)?
    2.) Promote a Child.parentdomain.com user to Enterprise Admin?
    Thanks sorry for the confusion.
    Ah ok.
    Yes, you can. The answer is basically the same. The group membership is what counts. So in the child domain, remove the Enterprise Admins group from the child domain's admin groups, OR make sure the Domain Admins of the forest root are not members of the Enterprise Admins group. That way they are still only admins in the parent domain.
    It really only depends on group membership and on including those groups in the child domain. By default the Enterprise Admins group is included, for example, but nothing stops you from removing those groups.
    Based on the group membership you can also deny them the ability to log on.
    The only thing you cannot prevent is the forest administrator account from doing something.
    One thing I would like to add though: any admin in the forest root domain likely has the ability to still get access if he wants to force his way in.

  • What should happen after removing restricted group GPO settings

    I created and applied Restricted Groups settings in a GPO
    Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Restricted Groups
    which is linked to the all-production-servers OU. I set the members of the local Administrators group to include only Domain Admins. This led to removing all other accounts from the local Administrators group on all servers. I was quite scared about this and realized my mistake, so I removed the Restricted Groups settings from this GPO. Then on all servers the previous configuration came back: all previously configured accounts are back in the local Administrators group. Is this normal behavior? I thought that these previously configured accounts would not come back automatically.

    This is the expected behavior since Windows XP/Windows Server 2003.

  • Windows Server 2012 R2 non-default domain admin limitations

    Environment: Windows Server 2012 R2
    Problem: members of the Domain Admins group are restricted in ways the default domain admin account is not. This is with or without UAC disabled; there are even more prompts with UAC enabled. Here are two examples:
    1. Attempt to copy to Public Desktop. The built-in domain admin or a local admin account can do so without restriction; any other member of the Domain Admins group is prompted for administrator permission (although clicking Continue proceeds without actually requiring further authentication/permission).
    2. Right-click -> Properties of a hard drive in Explorer is missing the Shadow Copies tab for a non-default Domain Admin. Yes, I can simply right-click the drive and go to Configure Shadow Copies, so this one is not so important. But it is an inconsistency that means I have to access things just a bit differently...
    This topic first appeared in the Spiceworks Community

    I have already replied to that here: https://social.technet.microsoft.com/forums/windowsserver/en-US/b57abf72-90e6-44d7-93a5-0e57cb5404c9/nic-teaming-with-ws2012-ad
    I still do not see an MS statement saying that it is supported for DCs.
    Ahmed MALEK

  • Disjoin computer from domain without being domain admin

    Windows Server 2008 R2 AD
    I have created a group to enable non-domain-admin users to join computers to the domain. We're trying to have the same set of users re-join computers to the domain, but we are unable to unless a domain admin deletes the old computer name from the domain.
    Is what we're trying to achieve possible? To allow non-domain-admin users to disjoin computers from the domain?

    Any local administrator can remove the computer from the domain, but if the user has no appropriate permissions in AD, it will leave the computer object orphaned in AD.
    If you need a user to be able to remove a computer object from AD, you can delegate permissions for that. By default the Account Operators group has the appropriate permissions.
    Note that permissions to create, change or delete (computer) objects in AD should not be granted lightly.
    http://support.microsoft.com/kb/818

  • How do I configure roaming profiles to not apply to Domain Admins?

    Hi,
    I have a setup (Windows 2012 R2 on all servers) where roaming profiles and re-directed folders are applied through GPO to our RDS servers.
    We decided to change this so that only users, and not Domain Admins, will have these settings applied.
    Redirected folders is a user setting, so that was changed easily, but roaming profiles is applied to the computer object.
    So my question is; how do I configure roaming profiles only for some users (or a security group) and not for Domain Admins?
    KL_Dane

    Hi Dane,
    >>So my question is; how do I configure roaming profiles only for some users (or a security group) and not for Domain Admins?
    Sorry, this is not achievable; computer-side policy settings apply to computer accounts regardless of which user logs onto the computer.
    Best regards,
    Frank Shen

  • Domain Admin doesn't have local Administrator privileges

    This was all done using Azure VMs.
    machine: server-dc
    Setup Windows 2012 R2 as a domain control with user 'testadmin'
    Domain: DEV
    Added a user 'domainadmin' and made a Member of all the same groups as testadmin (including Domain Admins)
    machine: server-a
    Setup Windows 2012 R2 with user 'localadmin'
    Joined server-a to the domain
    "DEV\Domain Admins" was automatically added to the local Administrators group
    Login to server-a as "DEV\testadmin"
     - full local admin rights (because is member of "DEV\Domain Admins" - correct?)
    Login to server-a as "DEV\domainadmin"
     - does NOT have local admin rights yet is a member of "DEV\Domain Admins"
    Why does "DEV\domainadmin" not have the exact same local admin rights on server-a that "DEV\testadmin" does?
    Thanks,
    Mike

    I'm still having problems.
    This account is in the local Administrators group so they should have permission to do these things.  I've tried your work around but still no luck.
    User Account Control: Run all administrators in Admin Approval Mode
     - Enabled (Default) is set
    User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
    - Elevate without prompting is set
    Machine rebooted
    UAC in Control Panel set to Never notify
    To clarify:
    User 'domainadmin' is a user created on the DC.
    Group 'Domain Admins' is a group created on the DC.
    'domainadmin' is a member of 'Domain Admins'
    'Domain Admins' is a member of the local Administrators group on SERVER-A
    So 'domainadmin' is in essence a member of the local Administrators group on SERVER-A.
    YET:
    When logged in to SERVER-A as 'domainadmin', from a command prompt:
    c:\del test.txt (a file created by 'localadmin')
    Access is denied.
    c:\iisreset
    Access denied,
    This user is a member of the local Administrators group - why can he not function as an Administrator?

  • SQL Windows Authentication with Login of AD Group 'Domain Admins'

    Having a bit of a difficulty with Microsoft SQL Server 2012 windows authentication integration...
    The server is setup to have Windows authentication used as its means of login authentication. No issues with this other than a strange error that occurs on multiple SQL servers in our domain: 
    When a login is created for the domain group "[domain]\Domain Admins", users within this AD group cannot connect to the SQL server through Management Studio. The error that SQL Server gives is Error 18456, State 11, i.e. "Valid login but server access failure".
    However, when a different AD group is added as a login (like [domain]\[group]), users from this group can successfully log into SQL Server. It seems that adding any other group, even groups from a different domain, grants successful authentication as I would expect, EXCEPT the AD group 'Domain Admins'.
    Is there some restriction/security feature at play here on this AD group that makes using the 'Domain Admins' group as a login not possible? 
    Andrew

    Yes, this group was removed and readded just yesterday to try to fix the issue.
    Here is the output of the command:
    class  class_desc  major_id  minor_id  grantee_principal_id  grantor_principal_id  type  permission_name  state  state_desc
    105    ENDPOINT    2         0         2                     1                     CO    CONNECT          G      GRANT
    105    ENDPOINT    3         0         2                     1                     CO    CONNECT          G      GRANT
    105    ENDPOINT    4         0         2                     1                     CO    CONNECT          G      GRANT
    105    ENDPOINT    5         0         2                     1                     CO    CONNECT          G      GRANT

  • How to restrict users working on Windows 7 clients from accessing Windows Explorer and other systems in the network through Group Policy with a domain controller running on Windows Server 2008 r2

    Dear All,
    We are having an infrastructure setup of around 500 client computers managed through group policy.
    Recently the domain controllers have been migrated from Windows Server 2003 to Server 2008 R2.
    Since this account requires an extremely strict environment, we need to find a solution for restricting the users from accessing anything locally.
    It would be great if you can assist me with the following query.
    How to restrict users logged on Windows 7 clients from accessing Windows Explorer and browsing other systems in the network through Group Policy with a domain controller running on Windows Server 2008 r2 ?
    Can we disable Network Tab on the left hand pane ?
    explorer.exe is blocked already, but users are able to enter the Windows Explorer by clicking on the name which is visible on the Start Menu.

    >   * explorer.exe is blocked already, but users are able to enter the
    >     Windows Explorer by clicking on the name which is visible on the
    >     Start Menu.
    You cannot block explorer.exe when you do not replace the shell - the
    desktop you see effectively IS explorer.exe...
    Your requirement sounds like you need a custom shell:
    http://gpsearch.azurewebsites.net/#2812
    Martin

  • Group Policy changes cause Access Denied error for Domain Admin account

    Hi All,
    I am battling to get WSUS to work, and I think the root cause is problems editing the domain and domain controller Group Policy objects.
    We have 1 DC, approx 20 clients. 1 GPO for the DC, 1 GPO for clients. There is a link to the default domain GPO in our staff (users) OU; I don't know if it should be there or not.
    I log in as domain administrator, right-click the domain GPO in GPMC, click Edit.
    Find the setting I want to edit (specify intranet microsoft update service location), double click.
    Change something, click OK.
    I get error:
    Unhandled exception has occurred in a component in your application. If you click Continue, the application will ignore this error and attempt to continue.
    Access is denied. (Exception from HRESULT: 0x80070005
    (E_ACCESSDENIED)).
    I have followed the steps in the links posted by Brent in another post called "restricting-domain-admin-account-to-edit-group-policies" (no links allowed for my account yet, sorry), and the user does have edit settings, delete, modify security delegation.
    PLEASE NOTE: the solution may very well be something very simple/basic. I am reasonably computer savvy, but have just upgraded the whole network for an NGO on a voluntary basis. Never seen a server before I came here, but I'm the best they have. Please bear that in mind when offering advice :)
    Any help appreciated!
    James

    More diagnostic info:
    Inside GPMC, there's Group Policy Results.
    If I right-click, Result Wizard, choose this computer, it works fine showing default domain controllers policy with alert that it's enforced.
    If I browse for another PC (it comes up as Domain\PC name), click Next, I get error:
    Failed to connect to DOMAIN\PCNAME due to the error listed below. Ensure that the Windows Management Instrumentation (WMI) service is enabled on the target computer, and consult the event log of the target computer for further details.
    Details: the RPC server is unavailable.
    If you need the recent related events, I will post them. I also checked that service on the client - it's automatic and started.
    PPS Clients are all Win 7, PCs are 32bit, laptops are 64. Server is Windows Server 2012 Datacenter. WSUS when clicking Help -> About from the snap-in/GUI: 6.2.9200.16384.
    PPPS Directory browsing for the whole WSUS object in IIS is enabled, thanks to SorinAlbu over at Spiceworks post WSUS and IIS.
    PPPPS Launching IE and loading http://servername:8530/iuident.cab fails 404 error from both clients and server. That file in C:\Program Files\Update Services\WebServices\Root\iuident.cab doesn't exist. Maybe because we recently removed the WSUS role and reinstalled
    it, to check if something went wrong the first time? It's all been configured using the snapin/GUI, but the new installation of the role hasn't yet connected to the Microsoft Update servers.
    PPPPPS Added the Application Server role with default settings as recommended by the step by step guide to WSUS at Technet. Still no dice.

  • New security group then added into either built in administrator or domain admin group

    I have a Windows 2012 R2 DC, so I need to create an administrator group. Please let me know: if we create a new security group and then add it to either the built-in Administrators or the Domain Admins group, will it work? I have tried but it is not working. Are there any other alternative methods to get admin access?

    Controlling local group membership can be done with GPOs:
    Using Group Policy Restricted Groups: http://social.technet.microsoft.com/wiki/contents/articles/20402.active-directory-group-policy-restricted-groups.aspx
    Using a startup script that adds a domain group as a member of a local group: http://technet.microsoft.com/en-us/library/bb490706.aspx
    If you have manually added a domain security group to the local Administrators group of a computer and you still see that the members are not admins, then you can do the following:
    Log off and log on again and see if that helps.
    If you are using a universal group then you may be having a problem with the membership. More details here: http://www.windowsdevcenter.com/pub/a/windows/2004/06/15/fsmo.html. You can try converting the group to a global one for testing.
    Adding a user to the Domain Admins group will, by default, make them a local administrator on domain-joined Windows systems. This is because domain admins are, by default, members of the local Administrators group. However, you should keep the membership of the Domain Admins group very limited and only for users who do global domain administration.
    Ahmed MALEK

  • Difference between Domain Admins & Built-In Administrators Group ?

    Hi,
    I am new to AD and would like to seek your advice.
    If a user (say Peter) is a member of the Built-In Administrators Group but not a member of the Domain Admins Group in Active Directory, does it mean that
    1) Peter can still manage Domain Objects but with some limitations ?  What he cannot manage ?
    2) Peter can remote access all workstations and servers in the Domain ?
    Thanks

    See: 
    http://technet.microsoft.com/en-us/library/cc756898(v=WS.10).aspx
    Administrators:
    Description:  Members of this group have full control of all domain controllers in the domain. By default, the Domain Admins and Enterprise Admins groups are members of the Administrators group. The Administrator account is also a default
    member. Because this group has full control in the domain, add users with caution.
    Default user rights:  Access this computer from the network; Adjust memory quotas for a process; Back up files and directories; Bypass traverse checking; Change the system time; Create a pagefile; Debug programs; Enable computer and user
    accounts to be trusted for delegation; Force a shutdown from a remote system; Increase scheduling priority; Load and unload device drivers; Allow log on locally; Manage auditing and security log; Modify firmware environment values; Profile single process;
    Profile system performance; Remove computer from docking station; Restore files and directories; Shut down the system; Take ownership of files or other objects.
    Domain Admins:
    Description:  Members of this group have full control of the domain. By default, this group is a member of the Administrators group on all domain controllers, all domain workstations, and all domain member servers at the time they are
    joined to the domain. By default, the Administrator account is a member of this group. Because the group has full control in the domain, add users with caution.
    Default user rights:  Access this computer from the network; Adjust memory quotas for a process; Back up files and directories; Bypass traverse checking; Change the system time; Create a pagefile; Debug programs; Enable computer and user
    accounts to be trusted for delegation; Force a shutdown from a remote system; Increase scheduling priority; Load and unload device drivers; Allow log on locally; Manage auditing and security log; Modify firmware environment values; Profile single process;
    Profile system performance; Remove computer from docking station; Restore files and directories; Shut down the system; Take ownership of files or other objects.
    These groups are the most powerful in a domain and should NOT be used for day-to-day (lower level) administration. That's the beauty of Active Directory Domain Services. You don't need god-like rights to operate a domain (create users, groups, manage attributes, etc.) and should not use these accounts for this kind of administration.
    Additionally, don't log on locally to your workstations, notebooks etc. with these accounts. Doing so leaves data behind on the computer that could lead to compromise of the domain.
    David Shaw [MSFT]

  • Restricted Group setting in GPO is not configured after domain join

    Hi all,
    I'm configuring a GPO as part of a test environment in which I create a custom GPO within an OU; it configures fine and I can RDP (using the settings in the GPO) to the domain controller. However, when I add a computer to the AD domain, I cannot RDP using the user, though I can log on locally. After looking into it further I've found that the setting I have applied to my Restricted Group is not being brought across properly. The group I need is in the restricted group but it is not appearing as a member of Administrators (in the "Member of" column). I have a red 'X' next to the group, giving the usual "check winlogon log file" message. The content of the log is:
    Make a local copy of \\shire6.vce\sysvol\shire6.vce\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
    GPLinkDomain 
    Make a local copy of \\shire6.vce\SysVol\shire6.vce\Policies\{6D41C716-CDD9-457E-AB89-02C4192226FF}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
    GPLinkOrganizationUnit 
    Process GP template gpt00000.dom.
    This is not the last GPO.
    Monday, April 27, 2015 3:36:03 PM
    Copy undo values to the merged policy.
    ----Un-initialize configuration engine...
    Process GP template gpt00001.inf.
    Monday, April 27, 2015 3:36:03 PM
    ----Configuration engine was initialized successfully.----
    ----Reading Configuration Template info...
    ----Configure User Rights...
    Configure S-1-5-32-545.
    remove SeInteractiveLogonRight.
    Configure S-1-5-32-551.
    remove SeInteractiveLogonRight.
    Configure S-1-5-32-555.
    remove SeRemoteInteractiveLogonRight.
    Configure S-1-5-21-330840483-2018858548-1314766947-1104.
    add SeInteractiveLogonRight.
    add SeRemoteInteractiveLogonRight.
    Configure S-1-5-32-544.
    User Rights configuration was completed successfully.
    ----Configure Group Membership...
    Configure SHIRE6\System_Admins.
    successfully added object to Administrators.
    new memberof tattoo list: *S-1-5-32-544,
    Group Membership configuration was completed successfully.
    ----Configure Security Policy...
    0
    Undo value for group policy setting <MinimumPasswordLength> was saved.
    0
    Undo value for group policy setting <PasswordHistorySize> was saved.
    42
    Undo value for group policy setting <MaximumPasswordAge> was saved.
    0
    Undo value for group policy setting <MinimumPasswordAge> was saved.
    1
    Undo value for group policy setting <PasswordComplexity> was saved.
    0
    Undo value for group policy setting <RequireLogonToChangePassword> was saved.
    0
    Undo value for group policy setting <ClearTextPassword> was saved.
    Configure password information.
    0
    Undo value for group policy setting <LockoutBadCount> was saved.
    0
    Undo value for group policy setting <ForceLogoffWhenHourExpire> was saved.
    Configure account force logoff information.
    System Access configuration was completed successfully.
    LSA anonymous lookup names setting : existing SD = D:(D;;0x800;;;AN)(A;;0xf1fff;;;BA)(A;;0x20801;;;WD)(A;;0x801;;;AN)(A;;0x1000;;;LS)(A;;0x1000;;;NS)(A;;0x1000;;;S-1-5-17)(A;;0x801;;;AC).
    0
    Undo value for group policy setting <LSAAnonymousNameLookup> was saved.
    Configure LSA anonymous lookup setting.
    Configure machine\system\currentcontrolset\control\lsa\nolmhash.
    Mismatch       - machine\system\currentcontrolset\control\lsa\nolmhash.
    Undo value for group policy setting <machine\system\currentcontrolset\control\lsa\nolmhash> was saved.
    Configuration of Registry Values was completed successfully.
    Configure event audit settings.
    0
    Undo value for group policy setting <AuditPrivilegeUse> was saved.
    0
    Undo value for group policy setting <AuditAccountLogon> was saved.
    Audit/Log configuration was completed successfully.
    ----Configure available attachment engines...
    Configuration of attachment engines was completed successfully.
    ----Un-initialize configuration engine...
    this is the last GPO.
    Make a local copy of \\shire6.vce\sysvol\shire6.vce\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
    GPLinkDomain GPO_INFO_FLAG_BACKGROUND )
    Make a local copy of \\shire6.vce\SysVol\shire6.vce\Policies\{6D41C716-CDD9-457E-AB89-02C4192226FF}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
    GPLinkOrganizationUnit GPO_INFO_FLAG_BACKGROUND )
    Process GP template gpt00000.dom.
    This is not the last GPO.
    Monday, April 27, 2015 3:42:06 PM
    Copy undo values to the merged policy.
    ----Un-initialize configuration engine...
    Process GP template gpt00001.inf.
    Monday, April 27, 2015 3:42:06 PM
    ----Configuration engine was initialized successfully.----
    ----Reading Configuration Template info...
    ----Configure User Rights...
    Configure S-1-5-21-330840483-2018858548-1314766947-1104.
    Configure S-1-5-32-544.
    User Rights configuration was completed successfully.
    ----Configure Group Membership...
    Configure SHIRE6\System_Admins.
    old memberof tattoo list: *S-1-5-32-544,
    object already member of Administrators.
    new memberof tattoo list: *S-1-5-32-544,
    Group Membership configuration was completed successfully.
    ----Configure Security Policy...
    Configure password information.
    Configure account force logoff information.
    System Access configuration was completed successfully.
    LSA anonymous lookup names setting : existing SD = D:(D;;0x800;;;AN)(A;;0xf1fff;;;BA)(A;;0x20801;;;WD)(A;;0x801;;;AN)(A;;0x1000;;;LS)(A;;0x1000;;;NS)(A;;0x1000;;;S-1-5-17)(A;;0x801;;;AC).
    Configure LSA anonymous lookup setting.
    Configure machine\system\currentcontrolset\control\lsa\nolmhash.
    Configuration of Registry Values was completed successfully.
    Audit/Log configuration was completed successfully.
    ----Configure available attachment engines...
    Configuration of attachment engines was completed successfully.
    ----Un-initialize configuration engine...
    this is the last GPO.
    Any help would be much appreciated.
    Thanks,
    Adrian

    > I cannot RDP using the user
    Any error message?
    Greetings/Grüße,
    Martin

  • Unity 7.0 - AD Domain Admin Group

    I have Unity 7.0 with failover, AD, and Exchange 2010.  Unity accounts are created in AD in the Domain Admin Group.  Most that I have read states if Unity is a domain controller it needs to be in the Domain Admin group.  I do not know how to see if Unity is a domain controller and do not know why (previous to me), Unity was setup in the Domain Admin Group.
    Can you help me understand why Unity might be setup in the Domain Admin Group, reasons?
    Thanks,

    Melinda;
    -> If you use the Tools Depot option on the Unity server, you will see an option called DC\GC Reconnect tool to check whether Unity looks at itself as a domain controller; here is a link that will give you more information on this tool: http://www.ciscounitytools.com/Applications/Unity/DCGCReconnect/Help/DCGCConnectionManager.htm
    -> Can you clarify whether you are asking if the Unity reference accounts (unityinstall/unimgstoresvc/unitydirsvc) need to be domain admins or not? If your query is related to the above-mentioned accounts, the permissions they need are documented in the following link:
    http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/unity/5x/installation/guide/umexfo/5xcuigumefox/5xcuigumefo070.html
    - I hope this helps.
