David Strome, MSFT
Because we’ve seen this issue come up a couple of times on the forums, I’m going to outline the steps that correct it below. If you encounter a permissions issue, please read this post in its entirety before performing any steps. Performing the steps below is at your own risk.
There’s an issue where, if setup fails at a specific point, subsequent attempts to install Exchange 2010 could result in the administrative management role assignments not being created. If this happens, you will receive errors saying you don’t have permissions to use the Exchange Management Console or Shell. If you look at the roles assigned to the Organization Management role group, you’ll see only roles that begin with “My”.
IMPORTANT – If you receive permissions errors when attempting to open the console or the shell, the most common cause of this is the use of an application on the Exchange 2010 server that uses credentials other than the administrative credentials used to install Exchange 2010. To test whether this is the cause of any permissions problems you’re experiencing, follow the New-PSSession instructions in the “EMC Permissions Gone” thread to open a manual shell connection. If you receive the correct permissions using this manual connection method, you have conflicting credentials in the Windows credential cache. Clear out those credentials and try again. If this doesn’t resolve your issue, please continue reading.
To determine whether this issue is the reason you are missing permissions, perform the following steps on the Exchange 2010 server:
(This procedure requires that you search in specific directions using the Find feature of your text editor. If your text editor doesn’t have a direction option with the Find feature, use Notepad.)
1. Open the ExchangeSetup.Log file in a text editor. This file is located in x:\ExchangeSetupLogs where x is the Exchange 2010 installation drive.
2. Search from the top of the file in the down direction for the string Install-CannedRbacRoleAssignments
3. You should find a line that starts with the following (note: this line may indicate a failure, which can be ignored for the purpose of this discussion):
4. Then search from this line in the up direction for the string $RoleInstallationMode
5. Look for “BuildToBuildUpgrade” in the following line:
If you see BuildToBuildUpgrade on the RoleInstallationMode line, then a previous installation failure has caused this issue and the steps below should resolve it. If you see Install in the RoleInstallationMode line, do not perform the steps below. Your issue may have another cause. Start a new thread and we’ll help you investigate your issue.
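The log check in steps 1 to 5, as an added PowerShell example (not part of the original post or of Exchange setup). The function names and the sample lines are assumptions; the sample lines are constructed and do not reproduce the real ExchangeSetup.Log format. The script only reads the log.

```powershell
# Added example: automates the manual Find steps; read-only, changes nothing.
function Test-Contains([string]$Line, [string]$Text) {
    # Case-insensitive literal match, like Notepad's default Find.
    return $Line.IndexOf($Text, [System.StringComparison]::OrdinalIgnoreCase) -ge 0
}

function Get-RoleInstallationModeLine {   # hypothetical helper name
    param([string[]]$Lines)

    # Step 2: first occurrence of the cmdlet name, searching down from the top.
    $hit = -1
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        if (Test-Contains $Lines[$i] 'Install-CannedRbacRoleAssignments') { $hit = $i; break }
    }
    if ($hit -lt 0) { return $null }

    # Step 4: nearest $RoleInstallationMode line, searching up from that hit.
    # Single quotes stop PowerShell expanding it as a variable.
    for ($j = $hit; $j -ge 0; $j--) {
        if (Test-Contains $Lines[$j] '$RoleInstallationMode') {
            return [pscustomobject]@{
                CmdletLine          = $hit + 1
                ModeLine            = $j + 1
                Text                = $Lines[$j]
                BuildToBuildUpgrade = (Test-Contains $Lines[$j] 'BuildToBuildUpgrade')
            }
        }
    }
    return $null
}

# Constructed sample lines for an offline run; NOT the real log format.
$lines = @(
    'constructed: setup run begins',
    'constructed: $RoleInstallationMode BuildToBuildUpgrade',
    'constructed: unrelated entry',
    'constructed: Install-CannedRbacRoleAssignments'
)
# Real use (x = Exchange 2010 installation drive, as in step 1):
# $lines = Get-Content 'x:\ExchangeSetupLogs\ExchangeSetup.Log'

$r = Get-RoleInstallationModeLine -Lines $lines
if ($null -eq $r) {
    'Strings not found; this check does not apply.'
} elseif ($r.BuildToBuildUpgrade) {
    "Line $($r.ModeLine): BuildToBuildUpgrade present. $($r.Text)"
} else {
    "Line $($r.ModeLine): BuildToBuildUpgrade absent; do not run the procedure. $($r.Text)"
}
```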
WARNING – The Install-CannedRbacRoleAssignments cmdlet could result in the loss of role assignment customizations in the Exchange 2010 organization. This cmdlet should only be run in association with the following procedure on new installations of Exchange 2010.
IMPORTANT – The following procedure should only be performed if you’re experiencing this exact issue. Do not run the Install-CannedRbacRoleAssignments cmdlet or any other Exchange setup cmdlet (available only by using the Add-PSSnapin cmdlet below) without direction from Microsoft. Doing so could irreparably damage your Exchange installation.
Do the following on the Exchange 2010 server using the same account used to install Exchange 2010.
1) Open Windows PowerShell (not the Exchange Management Shell)
a. If you have UAC enabled, right-click Windows PowerShell and click Run as administrator.
2) Run Start-Transcript c:\RBAC.txt and press enter
a. This will start logging all commands you type, and their output, to a text file.
3) Run Add-PSSnapin *setup and press enter
a. This adds the setup snap-in which contains the setup cmdlets used by Exchange during install. You may see errors about loading a format data file. You can ignore those errors.
DO NOT run any other cmdlets in this snap-in without direction from Microsoft. Doing so could irreparably damage your Exchange installation.
4) Run Install-CannedRbacRoleAssignments -InvocationMode Install -Verbose and press enter.
a. This cmdlet should create the required role assignments between the role groups and roles that should have been created during setup.
b. Be sure you run with the Verbose switch so we can capture what the cmdlet does.
5) Run Remove-PSSnapin *setup and press enter
6) Run $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://
a. Be sure to replace
7) Run Import-PSSession $Session and press enter
8) Run Get-ManagementRoleAssignment and press enter
9) Run Stop-Transcript and press enter
When you ran the Get-ManagementRoleAssignment cmdlet above, several dozen assignments should have been shown. If yes, try opening the EMC and see if you have permissions to do anything, such as create a new mailbox. If yes, then you’re set. If not, please start a new thread and indicate that you’ve already performed this procedure. We’ll try and help you investigate your issue. Save your setup logs and the RBAC.txt file to help with the investigation.