none
EMC Permissions Gone Part Deux

    Question

  • I noticed that someone on the forums has this exact same issue I'm having this very moment.  Unfortunately the fix that was given wasn't a fix that did me anygood.  So I'm reopening this and hoping David Strome or someone has an answer for me as I'm about to pull my hair out.

    My situation, we are in the need of upgrading our aging Group Wise server and we are considering going to Exchange.  So we setup a test environment on a server we were going to use as the new mail server.  It's running Windows Server 2008 R2 in a Hyper-V setup, it's connected to our domain and our domain has no other previous Exchange servers.  After installing it with no errors and loading up the EMC I get a "You don't have sufficent permissions to view this data" under Orginization Configuration.  I've also tried several cmdlets to check the roles and I'm told they don't exist.  I've checked the Role Groups in Active Directory Users and I'm using the account I installed the Exchange Server on and still no go and I'm at a complete loss.

    In the forum I read titled "EMC Permissions gone" I tried David's solution and nothing worked still.  Please help.

    Server 2008 R2 running Exchange Server 2010
    Using account I installed the Exchange server to manage it
    Missing several Exchange cmdlets
    mardi 13 octobre 2009 19:04

Réponses

  • Because we’ve seen this issue come up a couple of times on the forums, I’m going to outline the steps that correct it below. If you encounter a permissions issue, please read this post in its entirety before perform any steps. Performing the steps below is at your own risk.

    There’s an issue where, if setup fails at a specific point, subsequent attempts to install Exchange 2010 could result in the administrative management role assignments not being created. If this happens, you will receive errors saying you don’t have permissions to use the Exchange Management Console or Shell. If you look at the roles assigned to the Organization Management role group, you’ll see only roles that begin with “My”.

    IMPORTANT – If you receive permissions errors when attempting to open the console or the shell, the most common cause of this is the use of an application on the Exchange 2010 server that uses credentials other than the administrative credentials used to install Exchange 2010. To test whether this is the cause any permissions problems you’re experiencing, follow the New-PSSession instructions in the “EMC Permissions Gone” thread to open a manual shell connection. If you receive the correct permissions using this manual connection method, you have conflicting credentials in the Windows credential cache. Clear out those credentials and try again. If this doesn’t resolve your issue, please continue reading.

    To determine whether this issue is the reason you are missing permissions, perform the following steps on the Exchange 2010 server:

    (This procedure requires that you search in specific directions using the Find feature of your text editor. If your text editor doesn’t have a direction option with the Find feature, use Notepad)

    1.       Open the ExchangeSetup.Log file in a text editor. This file is located in x:\ExchangeSetupLogs where x is the Exchange 2010 installation drive.

    2.       Search from the top of the file in the down direction for the string Install-CannedRbacRoleAssignments

    3.       You should find a line that starts with the following (note: this line may indicate a failure, that can be ignored for the purpose of this discussion):

    [<installation date/time stamp>] [1] Executing 'Install-CannedRbacRoleAssignments -InvocationMode $RoleInstallationMode –DomainController…

    4.       Then search from this line in the up direction for the string $RoleInstallationMode

    5.       Look for “BuildToBuildUpgrade” in the following line:

    [<installation date/time stamp>] [2] Launching sub-task '$error.Clear(); $RoleInstallationMode = "BuildToBuildUpgrade"'.

    If you see BuildToBuildUpgrade on the RoleInstallationMode line, then a previous installation failure has caused this issue and the steps below should resolve it. If you see Install in the RoleInstallationMode line, do not perform the steps below. Your issue may have another cause. Start a new thread  and we’ll help you investigate your issue.

    WARNING     – The Install-CannedRbacRoleAssignments cmdlet could result in the loss of role assignment customizations in the Exchange 2010 organization. This cmdlet should only be run in association with the following procedure on new installations of Exchange 2010.

    IMPORTANT – The following procedure should only be performed if you’re experiencing this exact issue. Do not run the Install-CannedRbacRoleAssignments cmdlet or any other Exchange setup cmdlet (available only by using the Add-PSSnapin cmdlet below) without direction from Microsoft. Doing so could irreparably damage your Exchange installation.

    Do the following on the Exchange 2010 server using the same account used to install Exchange 2010.

    1)     Open Windows PowerShell (not the Exchange Management Shell)

    a.       If you have UAC enabled, right click Windows PowerShell and click Run as administrator.

    2)     Run Start-Transcript c:\RBAC.txt and press enter

    a.       This will start logging all commands and output you type to a text file.

    3)     Run Add-PSSnapin *setup and press enter

    a.       This adds the setup snap-in which contains the setup cmdlets used by Exchange during install. You may see errors about loading a format data file. You can ignore those errors.
    DO NOT run any other cmdlets in this snap-in without direction from Microsoft. Doing so could irreparably damage your Exchange installation.

    4)     Run Install-CannedRbacRoleAssignments -InvocationMode Install -Verbose and press enter.

    a.       This cmdlet should create the required role assignments between the role groups and roles that should have been created during setup.

    b.       Be sure you run with the Verbose switch so we can capture what the cmdlet does.

    5)     Run Remove-PSSnapin *setup and press enter

    6)     Run $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://<FQDN of Exchange 2010 server>/PowerShell/ -Authentication Kerberos and press enter

    a.       Be sure to replace <FQDN of Exchange 2010 server> with the FQDN of your server.

    7)     Run Import-PSSession $Session and press enter

    8)     Run Get-ManagementRoleAssignment and press enter

    9)     Run Stop-Transcript and press enter

    When you ran the Get-ManagementRoleAssignment cmdlet above, several dozen assignments should have been shown. If yes, try opening the EMC and see if you have permissions to do anything, such as create a new mailbox. If yes, then you’re set. If not, please start a new thread and indicate that you’ve already performed this procedure. We’ll try and help you investigate your issue. Save your setup logs and the RBAC.txt file to help with the investigation.

    Thanks,

    David.


    Senior Technical Writer - Exchange This posting is provided "AS IS" with no warranties, and confers no rights.
    jeudi 15 octobre 2009 22:39

Toutes les réponses

  • I noticed that someone on the forums has this exact same issue I'm having this very moment.  Unfortunately the fix that was given wasn't a fix that did me anygood.  So I'm reopening this and hoping David Strome or someone has an answer for me as I'm about to pull my hair out.

    My situation, we are in the need of upgrading our aging Group Wise server and we are considering going to Exchange.  So we setup a test environment on a server we were going to use as the new mail server.  It's running Windows Server 2008 R2 in a Hyper-V setup, it's connected to our domain and our domain has no other previous Exchange servers.  After installing it with no errors and loading up the EMC I get a "You don't have sufficent permissions to view this data" under Orginization Configuration.  I've also tried several cmdlets to check the roles and I'm told they don't exist.  I've checked the Role Groups in Active Directory Users and I'm using the account I installed the Exchange Server on and still no go and I'm at a complete loss.

    In the forum I read titled "EMC Permissions gone" I tried David's solution and nothing worked still.  Please help.

    Server 2008 R2 running Exchange Server 2010
    Using account I installed the Exchange server to manage it
    Missing several Exchange cmdlets

    hi. I'm sorry you're running into this issue. Can you run Get-Command and send me the output so I can see exactly what cmdlets you have access to? Could you also confirm:

    * You're opening the Exchange Management Shell, and not Windows PowerShell, on the server where you installed Exchange 2010
    * You haven't created an Outlook profile on this server with alternate, non-administrative, credentials?
    * You have tried connecting manually to the server using the New-PSSession instructions in the "EMC Permissions gone" thread? Ideally, try connecting to the Exchange 2010 server from another domain-joined computer using the credentials used to install Exchange 2010. With this method you must use Windows PowerShell, and not the Exchange Management Shell.
    * Running Get-ManagementRoleAssignment fails both when using Exchange Management Shell and the manual connection method

    Did you experience any failures during setup? You mention install with no errors but I just want to determine whether you installed in stages and potentially an earlier stage may have failed (/PrepareAD specifically if you used the command line).

    If you're still unable to get permissions, please refer to the instructions in the previous thread to navigate AD using ADSIEdit and send me the information requested in those instructions. Also please include the ExchangeSetup.log file which should be in x:\ExchangeSetupLogs, where x is your installation drive.

    Thanks,
    David.

    Senior Technical Writer - Exchange This posting is provided "AS IS" with no warranties, and confers no rights.
    mardi 13 octobre 2009 20:27
  • I will get this information for you tomorrow when I get into work.  I can answer a few things here just to give you an idea of how I went about installing and what I tested.

    The location I'm installing Exchange 2010 is a new Virtual Server running off of Hyper-V.  The Server 2008 R2 machine was joined to the domain and then I proceeded to follow the instructions I found in the Technet Library to install a basic setup of Exchange.  I dabled in Exchange 2003 years ago but this is all new so I followed the commands to get the correct server roles setup under PowerShell.

    So the steps followed as this:
    * Logged into Server 2008 R2 as a domain admin
    * Extracted Exchange 2010 RC from Technet
    * Navigated to Folder and ran Setup.exe
    * Followed onscreen instruction and told it I wanted a typical setup
    * Supplied it with some information and it ran an alaysis of the system
    * I got two warnings, one I think was letting me know that I could no longer use 2007 instances which was fine seeing as this was a new isntallation
    * I clicked Install it ran through the motions and told me to click finish

    That's about it, I started up the EMC and was wondering why I had no options and started digging around on the web.

    As for the other above questions:
    * Yes I'm opening Exchange Management Shell, still missing the cmdlets
    * This is a fresh server, there should be no Outlook profile on this account and there should be no profiles anyways as we are currently using GroupWise as our mail server
    * I did try everything in your post from the "EMC Permissions gone" thread including trying running powershell from another domain connected computer with no luch.  If I try that I still can't run any cmdlets that are suggest in your post.  They still aren't recognized.
    * Yes I can't run Get-ManagementRoleAssignment at all, I just get told it's not recognized

    As for /PrepareAD is this done from the setup automatically if done in one giant step?  If not I never did that, seeing as I'm not sure I read were I was suppose to do that anyware.  I will get the information from ADSIEdit and from the setup logs tomorrow when I get into work.

    Thanks,
    Kevin
    • Proposé comme réponse sitesmithscott mercredi 23 novembre 2011 08:38
    mercredi 14 octobre 2009 02:38
  • hi Kevin.

    Yes, PrepareAD is performed automatically by the setup wizard if you don't do it manually first. Hopefully the setup log and the ADSI info will tell us what state your organization is in and what might be the reason why you're missing the permissions info.

    thanks,
    david.
    Senior Technical Writer - Exchange This posting is provided "AS IS" with no warranties, and confers no rights.
    mercredi 14 octobre 2009 05:03
  • David helped me get this solved.   Thank you very much for the quick response and help in getting this running.  Now on to testing.

    Kevin Phillips
    mercredi 14 octobre 2009 20:00
  • Because we’ve seen this issue come up a couple of times on the forums, I’m going to outline the steps that correct it below. If you encounter a permissions issue, please read this post in its entirety before perform any steps. Performing the steps below is at your own risk.

    There’s an issue where, if setup fails at a specific point, subsequent attempts to install Exchange 2010 could result in the administrative management role assignments not being created. If this happens, you will receive errors saying you don’t have permissions to use the Exchange Management Console or Shell. If you look at the roles assigned to the Organization Management role group, you’ll see only roles that begin with “My”.

    IMPORTANT – If you receive permissions errors when attempting to open the console or the shell, the most common cause of this is the use of an application on the Exchange 2010 server that uses credentials other than the administrative credentials used to install Exchange 2010. To test whether this is the cause any permissions problems you’re experiencing, follow the New-PSSession instructions in the “EMC Permissions Gone” thread to open a manual shell connection. If you receive the correct permissions using this manual connection method, you have conflicting credentials in the Windows credential cache. Clear out those credentials and try again. If this doesn’t resolve your issue, please continue reading.

    To determine whether this issue is the reason you are missing permissions, perform the following steps on the Exchange 2010 server:

    (This procedure requires that you search in specific directions using the Find feature of your text editor. If your text editor doesn’t have a direction option with the Find feature, use Notepad)

    1.       Open the ExchangeSetup.Log file in a text editor. This file is located in x:\ExchangeSetupLogs where x is the Exchange 2010 installation drive.

    2.       Search from the top of the file in the down direction for the string Install-CannedRbacRoleAssignments

    3.       You should find a line that starts with the following (note: this line may indicate a failure, that can be ignored for the purpose of this discussion):

    [<installation date/time stamp>] [1] Executing 'Install-CannedRbacRoleAssignments -InvocationMode $RoleInstallationMode –DomainController…

    4.       Then search from this line in the up direction for the string $RoleInstallationMode

    5.       Look for “BuildToBuildUpgrade” in the following line:

    [<installation date/time stamp>] [2] Launching sub-task '$error.Clear(); $RoleInstallationMode = "BuildToBuildUpgrade"'.

    If you see BuildToBuildUpgrade on the RoleInstallationMode line, then a previous installation failure has caused this issue and the steps below should resolve it. If you see Install in the RoleInstallationMode line, do not perform the steps below. Your issue may have another cause. Start a new thread  and we’ll help you investigate your issue.

    WARNING     – The Install-CannedRbacRoleAssignments cmdlet could result in the loss of role assignment customizations in the Exchange 2010 organization. This cmdlet should only be run in association with the following procedure on new installations of Exchange 2010.

    IMPORTANT – The following procedure should only be performed if you’re experiencing this exact issue. Do not run the Install-CannedRbacRoleAssignments cmdlet or any other Exchange setup cmdlet (available only by using the Add-PSSnapin cmdlet below) without direction from Microsoft. Doing so could irreparably damage your Exchange installation.

    Do the following on the Exchange 2010 server using the same account used to install Exchange 2010.

    1)     Open Windows PowerShell (not the Exchange Management Shell)

    a.       If you have UAC enabled, right click Windows PowerShell and click Run as administrator.

    2)     Run Start-Transcript c:\RBAC.txt and press enter

    a.       This will start logging all commands and output you type to a text file.

    3)     Run Add-PSSnapin *setup and press enter

    a.       This adds the setup snap-in which contains the setup cmdlets used by Exchange during install. You may see errors about loading a format data file. You can ignore those errors.
    DO NOT run any other cmdlets in this snap-in without direction from Microsoft. Doing so could irreparably damage your Exchange installation.

    4)     Run Install-CannedRbacRoleAssignments -InvocationMode Install -Verbose and press enter.

    a.       This cmdlet should create the required role assignments between the role groups and roles that should have been created during setup.

    b.       Be sure you run with the Verbose switch so we can capture what the cmdlet does.

    5)     Run Remove-PSSnapin *setup and press enter

    6)     Run $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://<FQDN of Exchange 2010 server>/PowerShell/ -Authentication Kerberos and press enter

    a.       Be sure to replace <FQDN of Exchange 2010 server> with the FQDN of your server.

    7)     Run Import-PSSession $Session and press enter

    8)     Run Get-ManagementRoleAssignment and press enter

    9)     Run Stop-Transcript and press enter

    When you ran the Get-ManagementRoleAssignment cmdlet above, several dozen assignments should have been shown. If yes, try opening the EMC and see if you have permissions to do anything, such as create a new mailbox. If yes, then you’re set. If not, please start a new thread and indicate that you’ve already performed this procedure. We’ll try and help you investigate your issue. Save your setup logs and the RBAC.txt file to help with the investigation.

    Thanks,

    David.


    Senior Technical Writer - Exchange This posting is provided "AS IS" with no warranties, and confers no rights.
    jeudi 15 octobre 2009 22:39
  • David,

    I had the same issue and your instructions listed above fixed it.  Just wanted to say thank you!

    -Paul

    Nothing
    samedi 5 décembre 2009 20:36
  • Thanks for letting me know, Paul. Your feedback helps us understand how many people this impacts. Glad the steps above worked for you!

    David.
    Senior Technical Writer - Exchange This posting is provided "AS IS" with no warranties, and confers no rights.
    dimanche 6 décembre 2009 00:16
  • I followed David's script until $session where I had an error : see below

    My environment is :

    Before :

    MS Windows 2003 STD + MS Exchange 2003
    Second domain controller active.

    Now : (migration phase )
    New domain controller on MS Windows2008 R2
    FSMO roles not been transfered yet

    New Windows 2008 R2 where MS Exchange 2010 is installed ( netbios : exchange10 )

    Thanks

    Jean-Guy


    PS C:\Users\administrator.KICHECHEF> $Session=New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://exchange10.kichechef.xx/Powershell/ -Authentication Kerberos
    [exchange10.kichechef.lu] Connecting to remote server failed with the following error message : Access is denied. For m
    ore information, see the about_Remote_Troubleshooting Help topic.
        + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [], PSRemotingTransportExc
       eption
        + FullyQualifiedErrorId : PSSessionOpenFailed


    PS C:\Users\administrator.KICHECHEF> Import-PSSession $Session
    Import-PSSession : Cannot validate argument on parameter 'Session'. The argument is null. Supply a non-null argument an
    d try the command again.
    At line:1 char:17
    + Import-PSSession <<<<  $Session
        + CategoryInfo          : InvalidData: (:) [Import-PSSession], ParameterBindingValidationException
        + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.PowerShell.Commands.ImportPSSessionCommand
     

    PS C:\Users\administrator.KICHECHEF> Get-ManagementRoleAssignment
    The term 'Get-ManagementRoleAssignment' is not recognized as the name of a cmdlet, function, script file, or operable p
    rogram. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
    At line:1 char:29
    + Get-ManagementRoleAssignment <<<<
        + CategoryInfo          : ObjectNotFound: (Get-ManagementRoleAssignment:String) [], CommandNotFoundException
        + FullyQualifiedErrorId : CommandNotFoundException
    lundi 4 janvier 2010 15:31
  • Hi,

    I'm getting the exact same error as JGR-Rcarre above. I didn't bother doing steps 7 & 8 seeing as step 6 failed.

    It's a brand new Server 2008 R2 virtual machine with Exchange 2010 installed. I used to be able to open the Management Console but not anymore, I don't think anything has changed?

    Can anyone provide assistance?

    Thanks

    Ross
    mardi 12 janvier 2010 14:42
  • Hi Ross,

    I corrected my error with implementation of an ntp server in my domain and time synchro of all my machines on this ntp server.

    A time difference bigger than several minutes caused my issue.

    Regards,

    JGR
    • Proposé comme réponse Ross Petrie vendredi 15 janvier 2010 09:35
    mercredi 13 janvier 2010 14:45
  • I also have exactly the same error following the procedure above:

    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://cas.xxx.local/PowerShell/ -Authentication Kerberos
    [cas.tursa.local] Connecting to remote server failed with the following error message : Access is denied. For more info
    rmation, see the about_Remote_Troubleshooting Help topic.
        + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [], PSRemotingTransportExc
       eption
        + FullyQualifiedErrorId : PSSessionOpenFailed

    Access Denied is the same error I get starting the Exchange Powershell and the Exchange console trying to connect to the Microsoft Exchange On-Premises container.

    Same as brand new Server 2008 R2 server with Exchange 2010 Client access role only being installed. Already have existing Exchange 2007 server and domain was prepped etc.

    my clocks are in sync, can it be some other keberos error? Using the install account domain administrator. Nothing of interest in event log by way of errors etc.
    jeudi 4 février 2010 05:59
  • Hi David!

    I am facing the same issue in my Lab environment, tried all the steps of your proposed solution above but cannot get the permissions back.

    In my Lab there is a Exchange 2003 Server. Some months ago I have tried to installe Exchange 2010 (RC1) on a different Machine but the Setup failed. I could not find the time to search for a solution so I postponed it to the availibility of the RTM release.
    Some days ago I installed the RTM with some troubles. I had to use ADSIEdit to remove the old objects before Setup worked.

    Anyway, I was able to install 2010 and it worked well. I have also installed an Outlook 2007 Client on the server (another application requires a MAPI client) and it worked well - also in the EMC.
    Today I have created a second Profile for Outlook with a non-Administrator User. Just for some testing. And since then I am facing these troubles.

    I have tried to remove the Profile - no difference.
    I have uninstalled Outlook - no difference.
    I have gone through your steps above - no difference.

    If you want to I can send you the ExchangeSetup.log and the RBAC.txt file - really appreciate your help!

    Kind regards,
    Matt

    jeudi 4 février 2010 15:58
  • ok guys here we go i followed davids instructions to the t except for the second to the last command....

    get-managementroleassignment

    and then i get this

    PS U:\> Get-ManagmentRoleAssignment
    The term 'Get-ManagmentRoleAssignment' is not recognized as the name of a cmdlet, function, script file, or operable pr
    ogram. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
    At line:1 char:28
    + Get-ManagmentRoleAssignment <<<<
        + CategoryInfo          : ObjectNotFound: (Get-ManagmentRoleAssignment:String) [], CommandNotFoundException
        + FullyQualifiedErrorId : CommandNotFoundException
     
    PS U:\> Get-ManagementRoleAssignment
    The term 'Get-ManagementRoleAssignment' is not recognized as the name of a cmdlet, function, script file, or operable p
    rogram. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
    At line:1 char:29
    + Get-ManagementRoleAssignment <<<<
        + CategoryInfo          : ObjectNotFound: (Get-ManagementRoleAssignment:String) [], CommandNotFoundException
        + FullyQualifiedErrorId : CommandNotFoundException
     
    PS U:\> Get -ManagementRoleAssignment
    The term 'Get' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spellin
    g of the name, or if a path was included, verify that the path is correct and try again.
    At line:1 char:4
    + Get <<<<  -ManagementRoleAssignment
        + CategoryInfo          : ObjectNotFound: (Get:String) [], CommandNotFoundException
        + FullyQualifiedErrorId : CommandNotFoundException
     
    PS U:\> Get-ManagementRoleAssignment
    The term 'Get-ManagementRoleAssignment' is not recognized as the name of a cmdlet, function, script file, or operable p
    rogram. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
    At line:1 char:29
    + Get-ManagementRoleAssignment <<<<
        + CategoryInfo          : ObjectNotFound: (Get-ManagementRoleAssignment:String) [], CommandNotFoundException
        + FullyQualifiedErrorId : CommandNotFoundException
     
    PS U:\> stop-transcript
    **********************
    Windows PowerShell Transcript End
    End time: 20100208171410


    i dunno what else.... to do i knpw exchange is working p[erfectly fine i just need to add an external dns server to verify address...
    lundi 8 février 2010 22:19
  • When I execute $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://<FQDN of Exchange 2010 server>/PowerShell/ -Authentication Kerberos
    I am getting the same access denied error.
    Is there some-thing else I could try?
    mardi 9 février 2010 21:34
  • I have exactly the same problem. It started after installing OCS 2007R2 on the DC/Exchange 2010 server. I tried everything in the threads, disabled IP V6, enabled it, changed DNS settings for the machine to only register the active network card, deinstalled OCS, but no luck.

    Same question as Alex: is there anything else I can do?

    I did notice one thing: OWA still runs, but the EWS directory is inaccessible. Now I have the feeling EMC is actually using the IIS virtual directory. Security settings are ok for the EWS directory, but when I access the ews directory directly I get a access denied error, even when using the account Exchange 2010 was installed with. Creating a new account with admin rights, remote powershell, etcetera. That didn't work either.

    Could it be a solution to reinstall Exchange 2010, as it might (hopefully) recreate the right security settings?
    jeudi 11 février 2010 20:53
  • I've failed at step 6 ($Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://<FQDN of Exchange 2010 server>/PowerShell/ -Authentication Kerberos)
    getting the same access denied error.

    Please advice

    Thanks in advance

    mercredi 17 février 2010 15:24
  • I am having this same exact issue.

    "It started after installing OCS 2007R2 on the DC/Exchange 2010 server. I tried everything in the threads, disabled IP V6, enabled it"

    "I did notice one thing: OWA still runs, but the EWS directory is inaccessible."

    I would appreciate any help,

    Rosa
    jeudi 18 février 2010 18:16
  • I've failed at step 6 ($Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://<FQDN of Exchange 2010 server>/PowerShell/ -Authentication Kerberos)
    getting the same access denied error.

    Please advice

    Thanks in advance


    Same thing for me too.
    When the Install-CannedRbacRoleAssignments stops, its right after "Install-CannedRbacRoleAssignments : Used domain controller <FQDN> to read object CN=Organisation Management, OU=Microsoft Exchange Security Groups, DC=..."
    Then is says "Install-CannedRbacRoleAssignments : Ending Processing".
    Let me know if you need full log.
    Thanks
    mercredi 24 février 2010 19:45
  • Opened a case with microsoft support a few hours ago.
    So far no luck. ill have an update tomorrow if things change.
    We reran the script many times, verified some permissions in AD, some things in adsiedit, tried a couple things in powershell but still the same error message when we try to run "$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://<FQDN of Exchange 2010 server>/PowerShell/ -Authentication Kerberos".
    jeudi 25 février 2010 03:02
  • Hello,
    Here are the results of the Microsoft Supprt Call.
    After doing the procedure above and not having any results here are the changes we made.

    Open ADSIEdit
    choose Configuration
    Go in CN=Configuration,CN=Services,CN=Microsoft Exchange and right click on the CN=<<DOMAIN>> and go to properties.
    Click on the security tab.
    Look for the group Exchange Servers and check the "Read" permission. Then click on Advanced and check "Include inheritable permissions..."

    The tech support engineer told me that by default the group has Read permission. We dont know why it didnt but after that, i was able to open the Exchange Managment Console.

    It doesnt mean my exchange 2010 is working properly, but at least i can open my EMC.
    Hope it helps others.
    • Proposé comme réponse KlestrupJeppe samedi 16 avril 2011 07:00
    vendredi 26 février 2010 14:40
  • I checked my permission in ADSIEDIT as above and already have Exchange Servers with correct permission.

    I also have OCS server 2007 R2 installed same as RosaBolivar.

    The access denied error is stopping the Exchange cmdlets from being loaded, so any solution that requires running Exchange cmdlets is not the right way to go for this problem.
    dimanche 28 février 2010 22:44
  • David,
    First thanks for taking the time to put this procedure together, I too have started a "Transition" deployment of 2010 only to run itno this road block of not being able to open the EMC or EMS without logon errors.  All of the setup steps prior to the actual install /PrepareLegacyEchangePermissions, /PrepareSchema, /PrepareAD, /PrepareDomain as well as the install itself all went without a error or warning.

    I did howerver find the reference to "BuildtoBuildUpgrade" on the "RoleInstallationMode" line.  Though there was no previous install of Exchange on this server.  I to followed you advice and got as far as step 6 before getting the same logon failure with badu username or password that I was getting trying to start EMC and EMS.  I have stopped at this point in the procedure as going on I feel would be fruitless.

    At this point I am at a loss as to what to try next, some have mentioned using adsi edit to check settings but I can not find the things that they are referencing using that tool.
    {I did find the things that were referenced finally, and it was already set as it should be}

    Any help you could provide would be greatly appreciated.

    Some info that may be helpful:
    The existing Exchange environment is 2003 single forest with 2 Exchange servers[one Enterprise, one Standard] both Server 2003 sp2
    Time is set correctly and ntp server is in use.
    AD servers are two 2008 and one 2003 mix but all at 2003 functional mode
    The new Exchange 2010 server is 2008R2
    I also have all the logs if that is of any help

    Thanks
    Eamonn

    UPDATE:
    I have been working with an Engineer from MS for the last 2 days on this issue.  Each day he would send me a list of things to check and send back logs and settings from the server in question.  All the settings that we checked with ADSI Edit were as they should be, so he had me do the following:

    Create a new Domain Admin Account with membership in the "Organizational Management" group.  Log back into the Exchange server as this user and try the EMC and EMS again.

    Well it works now, I have no idea why as the account I installed with is a member of the same group.

    I have asked for an explanation of what he thinks happened, but it's such a simple fix thats it's worth a try for anyone else still stuck like I was.  I am going to wait to hear back from him before I go any further and will post any responses I get from him as to the reasons.

    Thanks to all

    ***UPDATE 2***
    response back from MS as follows, Item 1 did not work for me item 2 did:

    I think the possible cause should be related to the corrupt profile of the administrator account. Let’s try following action plan to fix it:

     1.Remove the administrator account from “organization management” group and add it back, check if this issue is gone. If the problem is still there, try step 2.

    2. 
    Clean up the credential cache:
    a. On this new Exchange 2010 server, Open a cmd prompt and type  control keymgr.dll, and then enter. 
    b. Click Back up, and then follow the instructions to save the current entries. 
    c. Delete any entry that matches the names of the Exchange servers and domain controllers in your organization. Typically, you want to clear all entries.  
    d. Try to open the Exchange Management Console.

    • Proposé comme réponse edoyle jeudi 11 mars 2010 19:19
    • Modifié edoyle lundi 15 mars 2010 14:11
    jeudi 4 mars 2010 22:03
  • Eamonn's situation sounds just like mine but my configuration is slightly different, in case it is useful to know the similarity/difference

    I too have the BuildtoBuildUpgrade on the RoleInstallationMode (can't help but think the cause of this error is the root cause of what's wrong) on a server that has never had Exchange of any sort installed.
    All my other exchange servers are already 2007 std edition no 2003 left for some time now. All DCs are Server 2008 or 2008R2, forest and domain is at 2008 functional level.
    I have sucessfully installed another server 2008R2 with CAS, HUB and database Exchange 2010 roles, it can administer itself but not the server with CAS only role.
    This server that has failed has only CAS Exchange 2010 role on server 2008R2 and is in the same site as the 2007 servers, diferent site to the working 2010 server.

    Cheers,
    Mark.
    lundi 8 mars 2010 02:24
  • for those who still have a problem not fixed by this answer I have created a new thread:
    http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/fbdb590c-d6aa-43eb-9198-9c96123ce32f
    jeudi 11 mars 2010 23:52
  • I have exactly the same set up and still no luck. Currently looking at AD and IIS. Anyone who has anything to add?
    lundi 19 avril 2010 03:53
  • David,

     

    I am having this exact issue on a new Exchange 2010 install. 

    What happened was I attempted an install without first running setup /PrepareLegacyExchangePermissions

    I think this caused the mailbox install to fail.

    I then tried to uninstall the mailbox role, but it cannot because there is a public folder that needs to be moved.

    Both the EMC and Exchange Shell give Access denied, so I can't move the public folder to uninstall!

    I performed the above and have a RBAC.txt file and Exchange setup logs.

    Any help you can provide is greatly appreciated.

     

    dimanche 2 mai 2010 00:33
  • Excellent Post!!! This was solved my issue. But I was not able to run the following command.

    "Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://<FQDN of Exchange 2010 server>/PowerShell/ -Authentication Kerberos"


    Error...

    ==========================================================================================

    Import-PSSession : Cannot validate argument on parameter 'Session'. The argument is null. Supply a non-null argument an
    d try the command again.
    At line:1 char:17
    + Import-PSSession <<<<  $Session
        + CategoryInfo          : InvalidData: (:) [Import-PSSession], ParameterBindingValidationException
        + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.PowerShell.Commands.ImportPSSessionCommand

     

    Would be thankful if you could explain me about this. <my Email ID : sankar.n@prodapt.com>

    ==========================================================================================

    Thanks!

    Sankar N.

    samedi 15 mai 2010 22:04
  • *Deleted the non relevant quote info*

    ***UPDATE 2***
    response back from MS as follows, Item 1 did not work for me item 2 did:

    I think the possible cause should be related to the corrupt profile of the administrator account. Let’s try following action plan to fix it:

     1.Remove the administrator account from “organization management” group and add it back, check if this issue is gone. If the problem is still there, try step 2.

    2. 
    Clean up the credential cache:
    a. On this new Exchange 2010 server, Open a cmd prompt and type  control keymgr.dll, and then enter. 
    b. Click Back up, and then follow the instructions to save the current entries. 
    c. Delete any entry that matches the names of the Exchange servers and domain controllers in your organization. Typically, you want to clear all entries.  
    d. Try to open the Exchange Management Console.


    Yes! This solution did the trick!

    For me the command: "Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://FQDN of Exchange 2010 server/PowerShell/ -Authentication Kerberos.

    Also displayed the access denied error. However removing the administrator account from the "Organisation Management" group did the trick.

    Remember to logoff first after you have removed and then added the account to the group.

    mercredi 9 juin 2010 07:36
  • This worked for me, thanks heaps.

     

     

    vendredi 11 juin 2010 04:56
  • Well guys.

    I tried everything, including the steps David Outlined above. After Step 6, the error I get is:

    [SERVERNAME.DOMAIN.local] Connecting to remote server failed with the following error message : WinRM cannot process the request. The following error occured while using Kerberos authentication: The network path was not found. 

     Possible causes are:

      -The user name or password specified are invalid.

      -Kerberos is used when no authentication method and no user name are specified.

      -Kerberos accepts domain user names, but not local user names.

      -The Service Principal Name (SPN) for the remote computer name and port does not exist.

      -The client and remote computers are in different domains and there is no trust between the two domains.

     After checking for the above issues, try the following:

      -Check the Event Viewer for events related to authentication.

      -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.

     Note that computers in the TrustedHosts list might not be authenticated.

       -For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.

        + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [], PSRemotingTransportException    + FullyQualifiedErrorId : PSSessionOpenFailed PS

    ---------------------------------------

    I did some of my own troubleshooting, and tried to review the settings for WinRM. (I uninstalled, and reinstalled). Typing in the command in a administrator powershell (winrm quickconfig -transport:https), produces the following error:

    WinRM already is set up to receive requests on this machine.

    WSManFault

        Message

            ProviderFault

                WSManFault

                    Message = Cannot create a WinRM listener on HTTPS because this machine does not have an appropriate certificate. To be used for SSL, a certificate must have a CN matching the hostname, be appropriate for Server Authentication, and not be expired, revoked, or self-signed.

    Error number:  -2144108267 0x80338115

    Cannot create a WinRM listener on HTTPS because this machine does not have an appropriate certificate. To be used for SSL, a certificate must have a CN matching the hostname, be appropriate for Server Authentication, and not be expired, revoked, or self-signed.

    Question: What names needs to be on my certificate? Is this referring to the exchange certificate?

     

    My next troubleshooting step: winrm enumerate winrm/config/listener

    Listener

        Address = *

        Transport = HTTP

        Port = 5985

        Hostname

        Enabled = true

        URLPrefix = wsman

        CertificateThumbprint

        ListeningOn = 127.0.0.1, 192.168.10.4, 192.168.10.16, ::1, fe80::100:7f:fffe%15, fe80::5efe:192.168.10.4%12, fe80::5

    efe:192.168.10.16%12

    So, In essence, I am screwed.  It seems to randomly work. EMC worked until 6/11/2010 (for about 2 months), then it just stopped.

    My setup logs show all sorts of fun errors, and I have the output from the C:\RBAC.txt file as well. Step 6 failed of Davids steps. The domain accountreset below did not work, and I have no credentials stored in the keymgr.dll command.

    This is so crazy, for a company of this size, that I will probably lose my job for this. But, I will fix it while they replace me lol. So, can anyone offer assistance?

    jeudi 17 juin 2010 21:54
  • I think the possible cause should be related to the corrupt profile of the administrator account. Let’s try following action plan to fix it:

      1. Remove the administrator account from “organization management” group and add it back, check if this issue is gone. If the problem is still there, try step 2.

    2. 
    Clean up the credential cache:
    a. On this new Exchange 2010 server, Open a cmd prompt and type  control keymgr.dll, and then enter. 
    b. Click Back up, and then follow the instructions to save the current entries. 
    c. Delete any entry that matches the names of the Exchange servers and domain controllers in your organization. Typically, you want to clear all entries.  
    d. Try to open the Exchange Management Console.

    This was the solution that worked for me. Tried everything else.

    Thank you very much

    jeudi 16 septembre 2010 07:22
  • Hi,

     

    after many hours of headache....I was unable to launch the EMC or shell using the main administrator account. I was getting the winrm client cannot access the Server, access is denied verify kerberos etc, I was getting event id 16 RBAC authorization returns acccess is denied for user (main admin acct).

    I had been thru so many articles and finally I did a search for the Administrator acct in AD, and found it had been moved to the  "Domain Admins" OU in AD...so I moved it back to the default "users" Ou and this resolved my problem, hope this helps others...

     

    Thanks

    vendredi 17 septembre 2010 15:48
  • Thank you, Thank you, Thank you

    Without Guys like you David, the world would still be flat :)

    jeudi 7 octobre 2010 15:27
  • Hello

     

    I cannot open EMC, but I can run powershell and add-pssnapin *e2010* and run some exchange command.

    I had tried to remove the administrators account from organization management and add it back? back still there

    and in the control keymgr.dll , i didnt have any entry

    lundi 18 octobre 2010 14:04
  • I have posted this on another post, but I'll repost it here, for those who can still start up EMC here is a stupid solution. 

    I dont understand why this is so complicated to resolve, visited so many sites, forums and nothing worked... and these solutions can do more damage then good if you do something wrong....

    this problem was caused by outlook changing EMC configuration, don't know why this happens, and can be solved easly if there was a change login account option on each forest added ( ADD ON NEXT SP PLEASE OR UPDATE!!! )

    .....hence the solution.....

    Re-add the forest on your EMC with the right login and problem solved, but you have two forests one with permision and the old one without. Dont know how to delete the old one( another option missing ) in EMC. 

    This does not solve the problem of accessing the old forest dir but give you access to the same forest in another dir in EMC which is, in my opinion very importante. 

    Hope it helps the ones who still cant access EMC organization.

    lundi 18 octobre 2010 14:31
  • Dear ForiousAngelPT,

    Could you provide more detail step ?

     

    lundi 18 octobre 2010 15:49
  • hello sorry for not posting details so here goes.

     

    - Open EMC 

    - Right click "Microsoft Exchange" the root dir

    - Choose "Add Exchange Forest..."

    - Give organization a name and choose the server where the exchange server is.

    - I didnt check the "login with default credentials"  that way I choose the login and you can place to remember it.

     

    Later.

    lundi 18 octobre 2010 21:20
  • hello sorry for not posting details so here goes.

     

    - Open EMC 

    - Right click "Microsoft Exchange" the root dir

    - Choose "Add Exchange Forest..."

    - Give organization a name and choose the server where the exchange server is.

    - I didnt check the "login with default credentials"  that way I choose the login and you can place to remember it.

     

    Later.


    Thank, but it wout work for me
    mardi 19 octobre 2010 02:46
  • why?

     

    mardi 19 octobre 2010 16:03
  • Thanks David and FuriousAngel it save my day !
    mercredi 8 décembre 2010 10:50
  • Edoyle, thank you so much. Finnally I fix my problem with your action plan. My issue was the same: Limited access to the EMC and EMS.

     

    Thank you so much again :)

    jeudi 7 avril 2011 20:35
  • Hi David,

    I faced the same issue on support call and followed your article. Issue resolved.

    Just wanted to ask if the previous installation failed and second attempt is successful and getting error. Does that mean like Role assignments are not created completly/partially between roles and role groups

    Thanks for your valuable post.

     

    Amit Harne

    lundi 2 mai 2011 03:15
  • Thank you thank you thank you. I have had this exact problem and I was ready to tear my hair out, trying to do an upgrade from 2003 to 2010.
    dimanche 15 mai 2011 23:10
  • Hi David,

    My particular installation failed during the Transport server Role installation due to a certificate not being in the correct store. I corrected this problem and re reran the installation without any further problems, but I think that the Transport Server role installation is incomplete.

     

    I have tried your steps as above and I have run into an issue on step 6: 

     

    [progroupmail01] Connecting to remote server failed with the following error message : Access is denied. For more infor

    mation, see the about_Remote_Troubleshooting Help topic.

        + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [], PSRemotingTransportExc

       eption

        + FullyQualifiedErrorId : PSSessionOpenFailed

     

    I am using the Enterprise admin account to execute these commands. Any ideas?

     

    Thanks,

    Steven

    mardi 7 juin 2011 09:27
  • thanks a ton. that worked for me. 
    lundi 13 juin 2011 10:57
  • Thank you alot. This worked for me as well.
    vendredi 22 juillet 2011 12:38
  • Thanks much !!!

    this worked for me also..


    Subs
    mercredi 10 août 2011 07:24
  • I also had an issue at step 6:

    6)     Run $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://<FQDN of Exchange 2010 server>/PowerShell/ -Authentication Kerberos and press enter

    a.       Be sure to replace <FQDN of Exchange 2010 server> with the FQDN of your server.

    When I placed the FQDN in the field, I found however that I was able to place the server name without the local domain name and the rest of the procedure worked. I was still unable to run the EMC or  EMS.

    I ran the EMS tool which gave the access denied error for the FQDN. I then connected via Connect-ExchangeServer servername sans the domain name and it connected.

    I modified the shortcut for the EMS from -auto at the end to the servername again sans the domain and it ran.

    Going back to the EMC I added an Exchange Forest by right-click  Add Exchange Forest on the Microsoft Exchange node and placed the server name in there. I was then able to run all the functions.

    I don't know if this poses a problem continuing in the long run. I'd appreciate any feedback on where I may have something wrong with the server name in the DNS but have looked and ensured it has the FQDN everywhere.

    My server is also the PDC and GC, and we are migrating from an existing Exchange 2003 server on another machine.

     Thanks,

     

    Ruffin

    jeudi 15 septembre 2011 13:31
  • Thanks a lot dude. You saved my ass..cheers!
    lundi 3 octobre 2011 12:26
  • I also had an issue at step 6:

    6)     Run $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://<FQDN of Exchange 2010 server>/PowerShell/ -Authentication Kerberos and press enter

    a.       Be sure to replace <FQDN of Exchange 2010 server> with the FQDN of your server.

    When I placed the FQDN in the field, I found however that I was able to place the server name without the local domain name and the rest of the procedure worked. I was still unable to run the EMC or  EMS.

    I ran the EMS tool which gave the access denied error for the FQDN. I then connected via Connect-ExchangeServer servername sans the domain name and it connected.

    I modified the shortcut for the EMS from -auto at the end to the servername again sans the domain and it ran.

    Going back to the EMC I added an Exchange Forest by right-click  Add Exchange Forest on the Microsoft Exchange node and placed the server name in there. I was then able to run all the functions.

    I don't know if this poses a problem continuing in the long run. I'd appreciate any feedback on where I may have something wrong with the server name in the DNS but have looked and ensured it has the FQDN everywhere.

    My server is also the PDC and GC, and we are migrating from an existing Exchange 2003 server on another machine.

     Thanks,

     

    Ruffin


    Hi there,

    this worked for me exactly the same way it did for you. Thanks for the hint. Everything else mentioned here or in other threads (time sync, kerbauth.dll, user permissions, reset of SPNs) did not help.

    Still I would like to know, if I have to fear for future problems. Right now I have 2 Exchange Organisations in my EMC, the default one, which is not working and the newly created, which connects to the servername (without FQDN). This is no optimal solution for handing it over to the customer.

    I assume the problem lies somewhere in the depths between IIS, Kerberos, DNS and AD, but I have no clue where to look.

    Just for completeness, my configuration:
    - Freshly installed Win2008R2 DC/GC into existing 2003 domain
    - Freshly installed EX2010 SP1 (MB, CA, HT roles) on another fresh Win2008R2 into exisiting 2003 organisation

    Is there any new information regarding this problem?

    Cheers, Tobias

    vendredi 21 octobre 2011 10:56
  • hi, on the exchange instance, in step 4 i get this error:

    PS C:\Users\administrator.SMSDEV> Install-CannedRbacRoleAssignments -InvocationMode Install -Verbose
    VERBOSE: [23:07:44.879 GMT] Install-CannedRbacRoleAssignments : Initializing Active Directory server settings for the
    local Windows PowerShell session.
    Could not find any Global Catalog in forest SMSDEV.com.au.
    At line:1 char:1
    +  <<<< Install-CannedRbacRoleAssignments -InvocationMode Install -Verbose
        + CategoryInfo          : NotSpecified: (:) [], ADExternalException
        + FullyQualifiedErrorId : 174BE63C

    PS C:\Users\administrator.SMSDEV>

    please guide.

    vendredi 3 février 2012 23:08
  • Solved My Problem and saved the day ... thx!
    mardi 13 mars 2012 13:56
  • Hello,
    Here are the results of the Microsoft Supprt Call.
    After doing the procedure above and not having any results here are the changes we made.

    Open ADSIEdit
    choose Configuration
    Go in CN=Configuration,CN=Services,CN=Microsoft Exchange and right click on the CN=<<DOMAIN>> and go to properties.
    Click on the security tab.
    Look for the group Exchange Servers and check the "Read" permission. Then click on Advanced and check "Include inheritable permissions..."

    The tech support engineer told me that by default the group has Read permission. We dont know why it didnt but after that, i was able to open the Exchange Managment Console.

    It doesnt mean my exchange 2010 is working properly, but at least i can open my EMC.
    Hope it helps others.
    Solved My Problem ....  Thx Bepe...
    mardi 13 mars 2012 13:59
  • Thanks a ton; this has worked for me and saved a lot of time rather than re-installation....
    • Proposé comme réponse Bittukk jeudi 14 juin 2012 11:20
    jeudi 14 juin 2012 11:19
  • Mine was also caused by a Time Sync issue.       The exchange server was a VM and was set to sync time with the host hyper-v server instead of the Domain.      I synced the time on the exchange server with the domain, but still had a problem connecting - I had to actually restart the exchange server and have all of the exchange services start with the correct time before I could connect. 
    mercredi 21 novembre 2012 15:07
  • Thanks David, you are a life saver.
    mercredi 29 mai 2013 11:42
  • Just wanted to say thanks David....these instructions fixed my issue.  After removing my old Exchange 2003 server I cleaned up metadata and raised the functionality level from 2003 to 2008 R2.  A few hours later I had the issue where I couldn't log in to any server otehr then DC's (which was fixed by rebooting all DC's).  But then I couldn't get into EMC.  I deleted all my Microsoft Exchange default groups (per this site: http://careexchange.in/how-to-recreate-corrupted-microsoft-security-groups-in-exchange-2010/ ) and cleaned up ASDI using LDP.exe (which was fun...) then reran the setup with the /PrepareAD which fixed that but still didn't let me use EMC or the power shell.  Your instructions finished it up and all is back to normal.
    mercredi 12 juin 2013 00:28
  • Hello

    I realise that this is an old thread, but I had the same problem and found a new/different solution.

    My problem occurred after upgrading to Ex10SP3.  Everything with the SP3 upgrade went smoothly, no errors, services all running properly, mail flow okay etc.  But I was unable to use the management console or shell.  I kept getting the Access Denied errors.

    After a couple of hours of tooling around trying various things I found on some discussion threads, I decided to look for Kerberos/PowerShell threads.  Once thing lead to another, and I resolved my problem the following way.

    Open IIS Manager, go to the PowerShell virtual directory, double-click Modules, and I noticed 2 x Kerbauth modules.  One was 'Native' and the other 'Managed'.  The 'managed' one was also all in lower case (not that this should matter?).  From what I have read, this is supposed to be 'Native' so I deleted the 'managed' instance and then the EMC + Shell started working again.  No restarting services, rebooting server, just relaunched the management apps.

    Hope this helps someone

    Cheers
    -Brendan


    mardi 7 janvier 2014 23:44
  • I noticed that someone on the forums has this exact same issue I'm having this very moment.  Unfortunately the fix that was given wasn't a fix that did me anygood.  So I'm reopening this and hoping David Strome or someone has an answer for me as I'm about to pull my hair out.

    My situation, we are in the need of upgrading our aging Group Wise server and we are considering going to Exchange.  So we setup a test environment on a server we were going to use as the new mail server.  It's running Windows Server 2008 R2 in a Hyper-V setup, it's connected to our domain and our domain has no other previous Exchange servers.  After installing it with no errors and loading up the EMC I get a "You don't have sufficent permissions to view this data" under Orginization Configuration.  I've also tried several cmdlets to check the roles and I'm told they don't exist.  I've checked the Role Groups in Active Directory Users and I'm using the account I installed the Exchange Server on and still no go and I'm at a complete loss.

    In the forum I read titled "EMC Permissions gone" I tried David's solution and nothing worked still.  Please help.

    Server 2008 R2 running Exchange Server 2010
    Using account I installed the Exchange server to manage it
    Missing several Exchange cmdlets

    OUTLOOK is the reason!!!

    HELLO.... if your problem occurred after adding an Outlook account on the server, the fix is to remove all the accounts from outlook and add the administrator exchange account, while adding it click the more configurations button and then on the security tab, ckeck the option 'Always ask for the loggin credentials', close and open outlook again and when the loggin windows appear put the administrator credentials and check the box 'remember me', then go to EMC and check if it works, this FIX IT FOR ME... hope it helps...

    mardi 24 juin 2014 15:22