Tuesday, November 17, 2009

EMC "RBAC authorization returns Access Denied"

David Strome, MSFT

Because we’ve seen this issue come up a couple of times on the forums, I’m going to outline the steps that correct it below. If you encounter a permissions issue, please read this post in its entirety before perform any steps. Performing the steps below is at your own risk.

There’s an issue where, if setup fails at a specific point, subsequent attempts to install Exchange 2010 could result in the administrative management role assignments not being created. If this happens, you will receive errors saying you don’t have permissions to use the Exchange Management Console or Shell. If you look at the roles assigned to the Organization Management role group, you’ll see only roles that begin with “My”.

IMPORTANT – If you receive permissions errors when attempting to open the console or the shell, the most common cause of this is the use of an application on the Exchange 2010 server that uses credentials other than the administrative credentials used to install Exchange 2010. To test whether this is the cause any permissions problems you’re experiencing, follow the New-PSSession instructions in the “EMC Permissions Gone” thread to open a manual shell connection. If you receive the correct permissions using this manual connection method, you have conflicting credentials in the Windows credential cache. Clear out those credentials and try again. If this doesn’t resolve your issue, please continue reading.

To determine whether this issue is the reason you are missing permissions, perform the following steps on the Exchange 2010 server:

(This procedure requires that you search in specific directions using the Find feature of your text editor. If your text editor doesn’t have a direction option with the Find feature, use Notepad)

1. Open the ExchangeSetup.Log file in a text editor. This file is located in x:\ExchangeSetupLogs where x is the Exchange 2010 installation drive.

2. Search from the top of the file in the down direction for the string Install-CannedRbacRoleAssignments

3. You should find a line that starts with the following (note: this line may indicate a failure, that can be ignored for the purpose of this discussion):

[] [1] Executing 'Install-CannedRbacRoleAssignments -InvocationMode $RoleInstallationMode –DomainController…

4. Then search from this line in the up direction for the string $RoleInstallationMode

5. Look for “BuildToBuildUpgrade” in the following line:

[] [2] Launching sub-task '$error.Clear(); $RoleInstallationMode = "BuildToBuildUpgrade"'.

If you see BuildToBuildUpgrade on the RoleInstallationMode line, then a previous installation failure has caused this issue and the steps below should resolve it. If you see Install in the RoleInstallationMode line, do not perform the steps below. Your issue may have another cause. Start a new thread and we’ll help you investigate your issue.

WARNING – The Install-CannedRbacRoleAssignments cmdlet could result in the loss of role assignment customizations in the Exchange 2010 organization. This cmdlet should only be run in association with the following procedure on new installations of Exchange 2010.

IMPORTANT – The following procedure should only be performed if you’re experiencing this exact issue. Do not run the Install-CannedRbacRoleAssignments cmdlet or any other Exchange setup cmdlet (available only by using the Add-PSSnapin cmdlet below) without direction from Microsoft. Doing so could irreparably damage your Exchange installation.

Do the following on the Exchange 2010 server using the same account used to install Exchange 2010.

1) Open Windows PowerShell (not the Exchange Management Shell)

a. If you have UAC enabled, right click Windows PowerShell and click Run as administrator.

2) Run Start-Transcript c:\RBAC.txt and press enter

a. This will start logging all commands and output you type to a text file.

3) Run Add-PSSnapin *setup and press enter

a. This adds the setup snap-in which contains the setup cmdlets used by Exchange during install. You may see errors about loading a format data file. You can ignore those errors.
DO NOT run any other cmdlets in this snap-in without direction from Microsoft. Doing so could irreparably damage your Exchange installation.

4) Run Install-CannedRbacRoleAssignments -InvocationMode Install -Verbose and press enter.

a. This cmdlet should create the required role assignments between the role groups and roles that should have been created during setup.

b. Be sure you run with the Verbose switch so we can capture what the cmdlet does.

5) Run Remove-PSSnapin *setup and press enter

6) Run $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http:///PowerShell/ -Authentication Kerberos and press enter

a. Be sure to replace with the FQDN of your server.

7) Run Import-PSSession $Session and press enter

8) Run Get-ManagementRoleAssignment and press enter

9) Run Stop-Transcript and press enter

When you ran the Get-ManagementRoleAssignment cmdlet above, several dozen assignments should have been shown. If yes, try opening the EMC and see if you have permissions to do anything, such as create a new mailbox. If yes, then you’re set. If not, please start a new thread and indicate that you’ve already performed this procedure. We’ll try and help you investigate your issue. Save your setup logs and the RBAC.txt file to help with the investigation.




  1. Just wanted to let you know that this worked like a champ. Thanks! Eric

  2. This worked, thank you! Now on to a new question. I have Multiple 'Exchange Security Groups' and want to know which one(s) my Exchange installation is bound to? Any ideas?

  3. What can I said, just ... THANK YOU.
    That just save my work week :-)
    Best regards

  4. Had the issue, but the procedure didnt fix the problem. I opened a support case with Microsoft. Ended up doing the same thing but didnt fix the problem. We're doing a migration from Exchange 2003 to 2010. Possibly this fact has an impact on the script, or maybe not.

  5. I am setting up Exchange in a production envorinment (Migration from Exchange 2003 to 2010). I have checked the Exchange installation Log file, and everything described here was true. Yet the procedure proposed failed at step 6. Then we checked the group Organization Management group and saw that the group was empty. After entering the user to that group we were able to open the exchange management shell. We cannot op the console but that is caused by another issue (a dot in the netbios name).

  6. On step 6, whats is the text im supposed to repelace with my FQDN? if im for exampel got the FDQN name Exchange.labb.local?

  7. When running "$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://server.domain/ -Authentication Kerberos" i get the error "Connecting to remote server failed with the following error message : The WinRM client received an HTTP status code of 403 from the remote WS-Management service. For more information, see the about_Remote_Troubleshooting" Anyone got any ideas? //Sigge

  8. I've run all the steps OK, but at step 6 I get the same error about administrator not being in a management role. I've checked and the admin account IS a member of the correct role. So what's going on?

  9. if you can't get passed step 6 then try adding the account you are using to have full access to the program files folder and windows folder on the server in question

  10. "2. Search from the top of the file in the down direction for the string Install-CannedRbacRoleAssignments"

    Doesn't exist. I've searched the file every way possible and this item doesn't exist in the log file. That pretty much dead ends the whole thing.

  11. Excellent solution - thanks

  12. To All asking about the FQDN...

    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://server.domain/PowerShell/ -Authentication Kerberos

    Hopefully, this makes sense to you.

  13. Thank you, thank you; this procedure saved my bacon.

  14. Just like to say Thanks, worked like a dream

  15. I have been working in this issue for 3 o more weeks Thanks so much for your help, my EMC i sworking great now, thanks again.

  16. I have ran this on my exchange server 2010 and have had not luck. I have tried battling this for the last 2 weeks with now success. The only command that works is when I run this in my exchange power shell "get-pssnapin -registered | add-pssnapin -passthru" and then type in New-Mailbox it lets me create a new one but when you restart the power shell again it comes back with the same error saying cannot reconize the command new-mailbox.



  17. This has been a very valuable article. Thanks for your insight.

  18. RTD you are the best!

  19. Doesn't work for me

  20. Hi! On Step - $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http:///PowerShell/ -Authentication Kerberos - same error, that i want to fix - access denied(

  21. To my previlous post: solved, enabling Windows Authentification in PowerShell section (Exchange Back-End) in IIS snap-in

  22. Thanks a lot. You saved my Exchange after 3 weeks into the mess ...