I am a Zivver admin
Configure and manage Zivver
Troubleshooting access permissions for functional accounts
Introduction
This article is meant for administrators who want to troubleshoot problems concerning access permissions for functional accounts. This troubleshooting guide can help if your organization uses the Zivver Synctool to synchronize functional accounts, so that it can be resolved as quickly as possible without needing to contact Zivver.
Functional accounts are general use email addresses such as servicedesk@example.com. Functional accounts are also called shared accounts or shared mailboxes. Users who have delegated access to a functional account are automatically logged in for that account in all clients, when users are logged in their personal account.
Prerequisites
You are administrator for Zivver.
Use the latest version of the Synctool.
You are administrator for the Synctool.
You have access to the (service)account which is used to configure the Synctool.
The configuration is saved in the ‘Appdata’ of the user that configured the Synctool. When you open the Synctool while logged in as a different user than the account used for synchronization, the configuration will not be visible. This will result in a blank configuration of the Synctool. You can resolve this by logging in with the account used to run the Synctool.You have access to and knowledge of Active Directory and Exchange, when you use these as input for the Synctool.
It is clear which functional accounts (read: email addresses) are affected and which users (read: email addresses) should have access permission to that functional account. Find out which functional accounts are affected and which users should have full access permission to that functional account before you continue.
For example: you know john.doe@example.com and jane.doe@example.com should have full access permission to servicedesk@example.com.The shared mailboxes and user mailboxes all reside in one and the same mail server. The Synctool can’t access delegations via PowerShell if the delegated user mailboxes reside in a different mail server (such as in hybrid Exchange environments where both Exchange Online and Exchange on-premise servers are used).
Generic troubleshooting - check this first
Read the following sections to check if the functional account has a Zivver account, then check if the account type is correct. After you have done both checks, use the table below to determine which chapter you should go to for troubleshooting your functional account.
Does the functional account has a Zivver account?
- Go to Accounts.
- Search for the functional account by using the search bar.
You can search for either the name or email address of the functional account.
If there is a Zivver account, it will appear in the list. If there is no Zivver account, go to Functional account is not created.
Is the functional account of Account type ‘Functional’ in Zivver?
Accounts in Zivver can be of different account types: normal, functional or administrator.
- Go to Accounts.
- Search for the functional account by using the search bar.
You can search for either the name or email address of the functional account. - Check if the functional account is listed as ‘Functional’ in the Account type column.
Find in the table below which chapter could help you troubleshoot based on the checks above.
Has Zivver account? | Account type ‘Functional’? | Chapter |
---|---|---|
No | N/a | Functional account is not created |
Yes | No | Functional account is a normal account in Zivver |
Yes | Yes | Access permissions missing |
Functional account is not created
If the functional account that you want to troubleshoot does not have a Zivver account, then the Synctool has not created an account or deleted a manually created account.
A functional account needs to have at least these three properties for the Synctool to create a Zivver functional account:
- Email address
Example: servicedesk@example.com - Name
Example: Servicedesk Mailbox - Delegates
Example: john@example.com has full access permission to servicedesk@example.com
Depending on the source you use to create functional accounts, you will find a matching troubleshooting guide in the chapters listed below. These guides can help you troubleshoot why the Synctool hasn’t created a functional account in Zivver or deleted a manually created account. If you are not sure which source you use, then follow these steps:
- Open the Synctool.
- At Step 1: Select sync profile, select the profile for functional accounts.
- At Step 3: Set up local users/group settings, check which option is selected at Source to use to sync users with Zivver.
- LDAP (incl active directory)
- Exchange (via PowerShell)
- Excel file (xlsx) or Comma or Tab Seperated file (csv)
- Functional account is not created with Exchange (on-premise or Office 365)
- Functional account is not created with (disabled) users in Active Directory (LDAP)
- Functional account is not created with security groups or distribution groups in Active Directory (LDAP)
- Functional account is not created with Excel file import
Functional account is not created with Exchange (on-premise or Office 365)
Supported from Synctool version 1.4.0 and up. Always make sure you are working with the latest version of the Synctool when troubleshooting.
Verify PowerShell modules are enabled
When synchronizing from Exchange on-premise or Office365, the Zivver Synctool uses PowerShell to query functional accounts. Make sure that the machine from which you are running the Synctool has PowerShell and the PowerShell Exchange module installed. If the PowerShell Exchange module is not installed, then the Synctool will show all the functional accounts with zero access permissions.
Check entries with full access permission in Exchange
The Synctool only creates accounts that have users with access permissions. The Synctool only synchronized Full Access permissions from Exchange. Send As and Send on Behalf permissions are not synchronized by the Synctool.
Verify that the functional account has users/groups with Full Access permission in Exchange. You can use the steps from Create a functional account manually and make and exception in the Synctool to change the access permissions for the account
Check shared mailbox types to include in the Synctool
- Open the Synctool.
- At Step 1: Select sync profile, select the profile for functional accounts.
- Click the tab Step 3: Set up local user/group settings.
- Check Mailbox types to sync in the central column.
The checked boxes should match the mailbox types you want to include the synchronization.
For example: If there are mailboxes of type Group Mailboxes
you want to synchronize to Zivver from Exchange, make sure you also check the box for GroupMailbox
in the central column of step 3 of the Synctool. The Synctool will only include the mailbox types that are checked in the central column at Step 3: Set up local user/group settings.
Verify the functional account is located within the OU filter
- Open the Synctool.
- At Step 1: Select sync profile, select the profile for functional accounts.
- Click the tab Step 3: Set up local user/group settings.
- Check the value after OU to filter on.
This is an optional filtering option which filters on Organizational Units in Exchange. This optional filter can be used to narrow down which functional accounts to synchronize from Exchange. If there is no value after OU to filter on, then you should skip the next paragraph.
If there is an Organizational Unit specified in the Synctool, check if the functional account is within that Organizational Unit in Exchange. If it’s not, add it to the Organizational Unit or remove the value in the Synctool for OU to filter on.
If you pick the latter option, please go to Step 4: Synchronize users/groups and check the tab New/Changed Groups. Verify the Synctool will not create any unintended functional accounts because you removed the OI to filter on.
Check filtering options in the Synctool
- Open the Synctool.
- At Step 1: Select sync profile, select the profile for functional accounts.
- Click the tab Step 3: Set up local user/group settings.
- Under Filtering options check if the box Apply filter on user/groups is checked.
If the box Apply filter on user/groups is not checked, then you should skip the next paragraph.
When the box Apply filter on user/groups is checked, the email addresses that are specified in the text box at Filter values act as a positive or negative filter depending on the option chosen below:
- Apply as positive filter (include in selection upon match)
- Apply as negative filter (exclude from selection upon match)
If Apply as positive filter is selected, then make sure the email address of the functional account is included in the text box at Filter values.
If Apply as negative filter is selected, then make sure the email address of the functional account is not included in the text box at Filter values.
Check mailbox type in Exchange
Currently, the Synctool does not support the synchronization of user mailboxes from Exchange.
If the functional account is a user mailbox in Exchange, then you have two options. You can either convert the user mailbox to a shared mailbox in Exchange or create the functional account manually in Zivver and make an exception in the Synctool.
Converting user mailboxes to shared mailboxes in Exchange
Read Microsoft’s documentation how to convert user mailboxes to shared mailboxes for Exchange or Office365.
Important: Determine the impact of converting a user mailbox to a shared mailbox to your environment before implementing these changes. Read the implications of converting a mailbox in the above linked articles.
Create a functional account manually and make and exception in the Synctool
The first step is to create a functional account.
- Create a functional account.
Read the steps here. - Grant access to that functional account.
Read the steps here.
After creating a functional account, make sure the Synctool does not disable this account.
- Open the Synctool.
- At Step 1: Select sync profile, select the profile for functional accounts.
- Click the second tab Step 2: Set up Zivver settings.
- Check Apply filter on users/groups.
- Select Group email address at Filter field.
- Type in the email address of the functional account you just created at Filter values.
Do you need to add multiple email addresses? Enter a line break after each email address to add multiple email addresses to Filter values. - Select Apply as negative filter (exclude from selection upon match).
- Verify at Step 4: synchronize users/groups that the functional account is not listed under the tab Missing groups.
Newly created functional account could be missing access permissions
Check Access permissions missing if the above methods helped you find out why the functional account was not synchronized, but still (some) are missing. Visit Still need help? if none of the above helped you find out why the functional account was not synchronized.
Functional account is not created with (disabled) users in Active Directory
Always make sure you are working with the latest version of the Synctool when troubleshooting.
Check if the (disabled) user has an email address
Find the user in AD that should become a functional account in Zivver and check the attribute editor for that user to see if the mail attribute has an entry. The Synctool only synchronized AD users when they have an email address.
Verify the user resides within the Base DN
- Open the Synctool.
- At Step 1: Select sync profile, select the profile for functional accounts.
- Click the tab Step 3: Set up local user/group settings.
- Note the value at Base DN.
- Verify the user that should have access permissions to the functional account in Zivver, resides within the Base DN configured the Synctool.
For example: If you have set the Base DN to OU=subdivision,OU=division,DC=local,DC=example
, make sure that the users that should be granted access permission to the functional account reside within the OU subdivision
.
Consider choosing a Base DN higher up in the AD domain such as OU=division,DC=local,DC=example
or DC=local,DC=example
, if the user does not reside within the current configured Base DN.
Check access permissions
The Synctool only synchronized functional accounts when they have access permissions given to them. In the Synctool At Step 1: Select sync profile, select the profile for functional accounts and select the tab Step 3: Set up local user/group settings.
- Open the Synctool.
- At Step 1: Select sync profile, select the profile for functional accounts.
- Click the tab Step 3: Set up local user/group settings.
- At Members in the central column, scroll down the list and note which boxes are checked.
The Synctool uses the AD attributes that are checked to synchronize access permission to functional accounts in Zivver. Frequently used attributes are ‘MemberOf’ and ‘MsExchDelegateListLink’. - Find the (disabled) user in AD and check for entries in the corresponding AD attributes from the previous step. If there are no entries in AD for the attributes checked in the Synctool, then the Synctool will not create a functional account.
There could be various reasons why there are no entries. To fix this problem either find out why there is no entry in the chosen attribute or manually enter the users that should have access permission to the functional account. You can use the following article from Microsoft to troubleshoot automapping of ‘MsExchDelegateListLink’.
Check filtering options in the Synctool
- Open the Synctool.
- At Step 1: Select sync profile, select the profile for functional accounts.
- Click the tab Step 3: Set up local user/group settings.
- Under Filtering options check if the box Apply filter on user/groups is checked.
If the box Apply filter on user/groups is not checked, then you should skip the next paragraph.
When the box Apply filter on user/groups is checked, the Synctool will only synchronize functional accounts who match the filter criteria given in Filter field and Filter values. After setting the filter field and filter values, there are two filter types:
- Apply as positive filter (include in selection upon match)
- Apply as negative filter (exclude from selection upon match)
If Apply as positive filter is selected, then make sure the email address of the functional account is included in the text box at Filter values.
If Apply as negative filter is selected, then make sure the email address of the functional account is not included in the text box at Filter values.
Newly created functional account could be missing access permissions
Check Access permissions missing if the above methods helped you find out why the functional account was not synchronized, but still (some) are missing. Visit Still need help? if none of the above helped you find out why the functional account was not synchronized.
Functional account is not created with security groups or distribution groups in Active Directory
Always make sure you are working with the latest version of the Synctool when troubleshooting.
Check if the SG or DG has an email address
Find the SG or DG in AD and check the attribute editor to see if mail has an entry. The Synctool only synchronized a SG or DG when it has an email address.
Verify users that are member of the SG or DG
If a SG or DG has no members, then the Synctool will not create a functional account.
- Find the SG or DG in AD.
- Double-click the SG or DG.
- Click the Members tab.
- Check for members.
Add members to the SG or DG if there aren’t any. The Synctool will create a functional account in the next synchronization. Members that are added will get access permission to the functional account in Zivver.
Verify the user resides within the Base DN
- Open the Synctool.
- At Step 1: Select sync profile, select the profile for functional accounts.
- Click the tab Step 3: Set up local user/group settings.
- Note the value at Base DN.
- Verify the members of the SG or DG reside within the Base DN configured the Synctool.
For example: If you have set the Base DN to OU=subdivision,OU=division,DC=local,DC=example
, make sure that the users that should be granted access permission to the functional account reside within OU=subdivision
.
Consider choosing a Base DN higher up in the AD domain such as OU=division,DC=local,DC=example
or DC=local,DC=example
, if the user does not reside within the current configured Base DN.
Newly created functional account could be missing access permissions
Check Access permissions missing if the above methods helped you find out why the functional account was not synchronized, but still (some) are missing. Visit Still need help? if none of the above helped you find out why the functional account was not synchronized.
Functional account is not created with Excel file import
Always make sure you are working with the latest version of the Synctool when troubleshooting.
Verify the correct tab in Excel is used
The sheet contains two tabs, each tab has its own purpose. The User Accounts tab is used to synchronize user accounts. The Groups tab is used to synchronize functional accounts. Verify that the input for functional accounts is in the Groups tab.
Check for syntax errors
If there are missing entries (each column needs to have at least one entry per row) or incorrect entries in the Excel file, then the Synctool will not create a functional account. Also check that access permissions in the GroupMembers column is separated with a semicolon.
For example: john.doe@example.com;jane.doe@example.com
Newly created functional account could be missing access permissions
Check Access permissions missing if the above methods helped you find out why the functional account was not synchronized, but still (some) are missing. Visit Still need help? if none of the above helped you find out why the functional account was not synchronized.
Functional account is a normal account in Zivver
If a shared mailbox has a Zivver account but the Account type is Normal
then there could be two causes:
- A user created a Zivver account for that email address before the domain was claimed in Zivver. This is a free account. Free accounts are always created as
Normal
account type. - The Synctool user profile synchronized a user account instead before the functional account profile could create a functional account. This can happen when a functional account is a user in AD.
Follow these steps:
- Check the Synctool logs at
\AppData\Roaming\Zivver\Synctool\Logs
.
Make sure you check the AppData for the user who is used to run the Synctool. - Open the latest log file in a text editor that has the name of the Synctool functional accounts profile in it.
The log file should look like:DD-MM-YYYY HH:MM:SS - Zivver Sync log - Silent - Profile Shared mailboxes.txt
. - Search in the log file for an error message for the functional account. The error message should look like:
Error processing John Doe (john.doe@example.com) with status code ‘Forbidden’. You are not allowed to add this address to your organization. Does the account belong to a registered domain name?
No error message
Possibly you cannot find an error message like described above for the functional account. Then, first you must do checks on the Synctool configuration or the source, for example Exchange, AD. Go to Functional account is not created to troubleshoot why the Synctool does not attempt to create a functional account for this shared mailbox.
Error message
Possibly you find an error message like described above. Then, then this means that the Synctool attempts to create a functional account in Zivver. But the Synctool cannot do that, because there is already a normal account. The Synctool cannot convert normal accounts to functional accounts. To resolve this, do these steps to convert the account type.
- Go to Accounts in Zivver.
- Search for the functional account in the search bar above the list of accounts.
- Click change settings edit for the functional account.
- Scroll down to the Account type pane.
- Select Functional account.
Configured aliases will be lost in the process of converting a normal account to a functional account. Add the aliases after converting at step 6. - Click SAVE CHANGES.
- Add aliases if they were configured for the normal account.
- Open the Synctool.
- At Step 1: Select sync profile, select the profile for functional accounts.
- Click Step 4: Synchronize users/groups.
- Click Yes at the pop-up Get changes?.
- Click Run synchronizations.
- Select Yes at the pop-up Confirm actions.
- Click No at the pop-up Get changes?.
- At
\AppData\Roaming\Zivver\Synctool\Logs
, verify that theZivver Sync log
does not contain an error message with status code ‘Forbidden’ for the functional account.
The shared mailbox is now a functional account in Zivver and will be updated by the Synctool. If you are missing access permissions for the functional account in Zivver, please go to Access permissions missing.
Access permissions missing
If the functional account that you want to troubleshoot has a Zivver account and is of account type Functional
, then the most likely cause is missing or incomplete access permissions.
Depending on the source you use to create functional accounts, you will find a matching troubleshooting guide in the chapters listed below. These guides can help you troubleshoot why the Synctool hasn’t synchronized all access permissions to a functional account in Zivver. If you are not sure which source you use, then follow these steps:
- Open the Synctool.
- At Step 1: Select sync profile, select the profile for functional accounts.
- At Step 3: Set up local users/group settings, check which option is selected at Source to use to sync users with Zivver.
- LDAP (incl active directory)
- Exchange (via PowerShell)
- Excel file (xlsx) or Comma or Tab Separated file (csv)
- Access permissions missing with Exchange (on-premise or Office 365)
- Access permissions missing with (disabled) users in Active Directory (LDAP)
- Access permissions missing with security groups or distribution groups in Active Directory (LDAP)
- Access permissions missing with Excel file import
Access permissions missing with Exchange (on-premise or Office 365)
Supported from Synctool version 1.4.0 and up. Always make sure you are working with the latest version of the Synctool when troubleshooting.
User has no Zivver account
If a functional account misses access permission to a user, then verify at Accounts that the user has a Zivver account. If the user if not listed on the accounts page, then they don’t have a Zivver account. Read the Synctool manual before continuing in this chapter.
Check entries with full access permission in Exchange
The Synctool only synchronized Full Access permissions from Exchange. Verify that the functional account has users/groups with Full Access permission in Exchange. Send As and Send on Behalf permissions are not synchronized by the Synctool.
Verify PowerShell modules are enabled
When synchronizing from Exchange on-premise or Office365, the Zivver Synctool uses PowerShell to query functional accounts. Make sure that the machine from which you are running the Synctool has PowerShell and the PowerShell Exchange module installed.
Additionally, make sure the PowerShell Active Directory Module is installed when Full Access has been assigned to Active Directory groups. Otherwise this might result in the a functional account in Zivver with 0 access permissions.
missing access permissions not resolved
Visit Still need help? if none of the above helped you find out why the access permissions for the functional account are not synchronized.
Access permissions missing with (disabled) users in Active Directory
Always make sure you are working with the latest version of the Synctool when troubleshooting.
User has no Zivver account
If a functional account misses access permission to a user, then verify at Accounts that the user has a Zivver account. If the user is not listed on the accounts page, then there is no Zivver account. Read the Synctool manual before continuing in this chapter.
Check access permissions
The Synctool reads access permissions from an AD attribute. Therefore the AD attribute that is chosen in the Synctool to synchronize access permissions needs to contain the user or group that should have access permissions to the functional account in Zivver.
- Open the Synctool.
- At Step 1: Select sync profile, select the profile for functional accounts.
- Click the tab Step 3: Set up local user/group settings.
- At Members in the central column, scroll down the list and note which boxes are checked.
The Synctool uses the AD attributes that are checked to synchronize access permission to functional accounts in Zivver. A frequent used attribute is ‘MsExchDelegateListLink’. - Find the (disabled) user in AD and check the attribute(s) written down in the previous step for entries. The user or group that should have access permission should be found in said attribute(s).
There could be various reasons why there are no entries. To fix this problem either find out why there is no entry in the chosen attribute or manually enter the users that should have access permission to the functional account. You can use the following article from Microsoft to troubleshoot automapping of ‘MsExchDelegateListLink’.
Verify the user resides within the Base DN
- Open the Synctool.
- At Step 1: Select sync profile, select the profile for functional accounts.
- Click the tab Step 3: Set up local user/group settings.
- Note the value at Base DN.
- Verify the user that should have access permissions to the functional account in Zivver, resides within the Base DN configured the Synctool.
For example: If you have set the Base DN to OU=subdivision,OU=division,DC=local,DC=example
, make sure that the users that should be granted access permission to the functional account reside within the OU subdivision
.
Consider choosing a Base DN higher up in the AD domain such as OU=division,DC=local,DC=example
or DC=local,DC=example
, if the user does not reside within the current configured Base DN.
missing access permissions not resolved
Visit Still need help? if none of the above helped you find out why the access permissions for the functional account are not synchronized.
Access permissions missing with security groups or distribution groups in Active Directory
Always make sure you are working with the latest version of the Synctool when troubleshooting.
User has no Zivver account
If a functional account misses access permission to a user, then verify at Accounts that the user has a Zivver account. If the user if not listed on the accounts page, then they don’t have a Zivver account. Read the Synctool manual before continuing in this chapter.
Verify users that are member of the SG or DG
If a user is not member of the SG or DG, then the Synctool will not grant access permission to the functional account in Zivver.
- Find the SG or DG in AD.
- Double-click the SG or DG.
- Click the Members tab.
- Verify the user you are missing in the access permission of the functional account in Zivver is a member of the said SG or DG.
Add the user to the SG or DG if they are missing. The Synctool will grant access permission to that user for the functional account in Zivver with the next synchronizations.
Verify the user resides within the Base DN
- Open the Synctool.
- At Step 1: Select sync profile, select the profile for functional accounts.
- Click the tab Step 3: Set up local user/group settings.
- Note the value at Base DN.
- Verify the members of the SG or DG reside within the Base DN configured the Synctool.
For example: If you have set the Base DN to OU=subdivision,OU=division,DC=local,DC=example
, make sure that the users that should be granted access permission to the functional account reside within OU=subdivision
.
Consider choosing a Base DN higher up in the AD domain such as OU=division,DC=local,DC=example
or DC=local,DC=example
, if the user does not reside within the current configured Base DN.
missing access permissions not resolved
Visit Still need help? if none of the above helped you find out why the access permissions for the functional account are not synchronized.
Access permissions missing with Excel file import
Always make sure you are working with the latest version of the Synctool when troubleshooting.
User has no Zivver account
If a functional account misses access permission to a user, then verify at Accounts that the user has a Zivver account. If the user if not listed on the accounts page, then they don’t have a Zivver account. Read the Synctool manual before continuing in this chapter.
Check for syntax errors
Any syntax errors could lead to missing access permissions for functional accounts in Zivver. Common syntax errors are:
- Typos in the email address.
- Leading or trailing spaces in the GroupMembers column.
- Incorrect stacking of multiple user accounts in the GroupMembers column.
A correct example syntax in the Zivver Users import template Excel spreadsheet is shown below:
GroupName | GroupEmailAddres | GroupMembers |
---|---|---|
Servicedesk | servicedesk@example.com | john.doe@example.com;jane.doe@example.com |
missing access permissions not resolved
Visit Still need help? if none of the above helped you find out why the access permissions for the functional account are not synchronized.
Still need help?
Could not find the information that solves your problem? Please contact support with the following information:
- What version of the Synctool are you using?
See the bottom left corner when opening the Synctool. - Did you check the prerequisites and generic troubleshooting steps?
- How do you synchronize functional accounts?
- Exchange (on-premise or Office 365)
- Disabled users in Active Directory
- Excel file import
- Security or distribution groups
- What are the email addresses of the functional account affected and which email addresses should have access to which functional accounts?
Please attach this information to a support request.
Contact support