Exchange 2010, SnapDrive & SnapManager Security

Here's what you need to know.

• The SnapManager service account needs to be a member of the Exchange role "Organization Management" (Yes, that's the current instruction from Engineering but by all means read it here and ask your local SE to confirm (June 5, 2010))
  
• The SnapManager service account needs to be a member of the local administrators group on the Exchange server and, obviously, it needs to be able to log on as a service - it being, well, a service.
• The SnapDrive service account needs to be a local administrator on the server and be able to log on as a service.
• On the firewall allow COM+, HTTPS and SnapDrive (swsvc.exe) through.
  

Did a lot of testing with various Exchange 2010 management roles (i.e group membership) and because they're not very granular when it comes down to the nitty gritty the only workable solution is to put the SnapManager account into the Org role.