2010 cmdlet access errors, running as Task under non-privileged account using RBAC

    Question

  • Hi all,

    Consider this setup:
    Service account (dom\serv-acc) is an ordinary AD (2008 level) user of a single-domain forest (dom), member of (Domain Users).
    Exchange (2010) On-Premise (Version 14.2 (Build 247.5)) organization (Org) has the RBAC group (Recipient Management) assigned to this account.
    On the Exchange server (ExchSrv01) (all roles but Edge and UM) with Windows OS (2008 R2 SP1), the user right (Batch logon) is assigned to this account by local GPO.
    This account is used as the running user for a (Task Scheduler) task on this server, with the following security options set: (Run whether user is logged on or not), (Run with highest privileges), (Configure for Windows Server 2008 R2).
    The task starts a batch file (exchstart.cmd) == (PowerShell.exe -NonInteractive -command "Add-PSSnapin Microsoft.Exchange.Management.PowerShell.e2010;.  %1").
    When (%1) is the file (script1.ps1), where the cmdlet (Import-RecipientDataProperty -Picture) is run, everything works well (photos are imported successfully), because this account has the right in AD to modify the (Personal Information) permission set.

    Consider this problem:
    But when (%1) is another file (script2.ps1), where 2 cmdlets (Get-MailboxFolderStatistics; Add-MailboxFolderPermission) are about to be run, there are additional errors in the event log, in this order (details provided below the question), and nothing works:
    1 error (0) for RPC failure;
    2 errors (1,2) for each cmdlet failure; the errors have the same header, and the same cause as I suppose, but a different level of detail in EventData.

    When the task with the problematic script (%1 == script2.ps1) runs under an account that is a (Domain Admins) member, everything works well, no errors.

    What I have already tried: setting access rights (Read, Full) for this account in the ACL of the AD object (CN=Microsoft System Attendant,CN=ExchSrv01,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Org,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=dom) - this action has no impact on the problem; the same errors appear in the event log.

    Also, there is a common error in the event log, but it is logged at the start of both script files, which is why I suppose that it has no impact on the main problem; see the end. There is no interactive logon session for this account on the server.

    Please help with this problem, because I have no idea what/where to check further.

    Elevating permissions for this account with any Admin group membership is NOT the answer I'm looking for.
    Elevating some rights for this account by GPO in Windows OS or changing ACLs of Exchange/Windows objects is acceptable, according to the "least privilege" scheme that I'm trying to achieve.

    --
    Error0:
    Provider
       [ Name]  MSExchange ADAccess
       EventID 2152
       [ Qualifiers]  49156
    Process powershell.exe () (PID=7924). An remote procedure call (RPC) request to the Microsoft Exchange Active Directory Topology service failed with error 5 (Error 0x5 (Access is denied) from HrGetServersForRole).

    --
    Error1 & Error2, System:
    Provider
       [ Name]  MSExchange CmdletLogs
       EventID 6
       [ Qualifiers]  49152
    Cmdlet failed. Cmdlet <Cmd-Let>, parameters {...}

    --
    Error1 EventData:
    Get-MailboxFolderStatistics
       {Identity=dom/ou/MailUser}
       dom/ou/serv-acc
       ConsoleHost-Local
       7924
       3
       00:00:00.0468750
       View Entire Forest: 'True', 
       Microsoft.Exchange.Management.Tasks.MailboxFolderStatisticsException: Unable to retrieve mailbox folder statistics for mailbox dom/ou/MailUser.
     Failure: Error code -2146233088 occurred with message Cannot open mailbox /o=Org/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=ExchSrv01/cn=Microsoft System Attendant..
       22

    --
    Error2 EventData:
    Add-MailboxFolderPermission
       {Identity=dom/ou/MailUser:\Folder, User=ReadersGroup, AccessRights={Reviewer}}
       dom/ou/serv-acc
       ConsoleHost-Local
       7924
       3
       00:00:00.0468750
       View Entire Forest: 'True', 
       Microsoft.Exchange.Data.Storage.ConnectionFailedTransientException: Cannot open mailbox /o=Miratech/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=MTX-MAIL-01/cn=Microsoft System Attendant.
     ---> Microsoft.Mapi.MapiExceptionLogonFailed: MapiExceptionLogonFailed: Unable to make connection to the server. (hr=0x80040111, ec=1010)
     Diagnostic context: Lid: 47655 EMSMDBPOOL.EcPoolCreateSession called [length=330] Lid: 64039 EMSMDBPOOL.EcPoolCreateSession returned [ec=0x3F2][length=110][latency=0] Lid: 41073 StoreEc: 0x3F2 Lid: 48243 Lid: 50033 StoreEc: 0x3F2 Lid: 1494
     ---- Remote Context Beg ----
     Lid: 1219 StoreEc: 0x80070005 Lid: 3225 StoreEc: 0x8004010F Lid: 1091 StoreEc: 0x80070005 Lid: 32233 Lid: 13488 StoreEc: 0x3F2 Lid: 28780 Lid: 20076 StoreEc: 0x3F2 Lid: 57713 StoreEc: 0x3F2 Lid: 49009 StoreEc: 0x3F2 Lid: 1750
     ---- Remote Context End ----
     Lid: 52465 StoreEc: 0x3F2 Lid: 60065 Lid: 33777 StoreEc: 0x3F2 Lid: 59805 Lid: 52209 StoreEc: 0x3F2 Lid: 56583 Lid: 52487 StoreEc: 0x3F2 Lid: 19778 Lid: 27970 StoreEc: 0x3F2 Lid: 17730 Lid: 25922 StoreEc: 0x3F2
     at Microsoft.Mapi.MapiExceptionHelper.ThrowIfError(String message, Int32 hresult, SafeExInterfaceHandle iUnknown, Exception innerException)
     at Microsoft.Mapi.ExRpcConnection.Create(ConnectionCache connectionCache, ExRpcConnectionCreateFlag createFlags, ConnectFlag connectFlags, String serverDn, String userDn, String user, String domain, String password, String httpProxyServerName, Int32 ulConMod, Int32 lcidString, Int32 lcidSort, Int32 cpid, Int32 cReconnectIntervalInMins, Int32 cbRpcBufferSize, Int32 cbAuxBufferSize, Client xropClient, Byte[] clientSessionInfo, TimeSpan connectionTimeout)
     at Microsoft.Mapi.MapiStore.OpenMapiStore(String serverDn, String userDn, String mailboxDn, Guid guidMailbox, Guid guidMdb, String userName, String domainName, String password, String httpProxyServerName, ConnectFlag connectFlags, OpenStoreFlag storeFlags, CultureInfo cultureInfo, Boolean wantRedirect, String& correctServerDN, ClientIdentityInfo clientIdentity, String applicationId, Client xropClient, Boolean wantWebServices, Byte[] clientSessionInfo, TimeSpan connectionTimeout)
     at Microsoft.Mapi.MapiStore.OpenMailbox(String serverDn, String userDn, String mailboxDn, String userName, String domainName, String password, ConnectFlag connectFlags, OpenStoreFlag storeFlags, CultureInfo cultureInfo, WindowsIdentity windowsIdentity, String applicationId)
     at Microsoft.Exchange.Data.Storage.MailboxSession.ForceOpen(MapiStore linkedStore)
     --- End of inner exception stack trace ---
     at Microsoft.Exchange.Data.Storage.MailboxSession.ForceOpen(MapiStore linkedStore)
     at Microsoft.Exchange.Data.Storage.MailboxSession.Initialize(MapiStore linkedStore, LogonType logonType, ExchangePrincipal owner, DelegateLogonUser delegateUser, Object identity, OpenMailboxSessionFlags flags, GenericIdentity auxiliaryIdentity)
     at Microsoft.Exchange.Data.Storage.MailboxSession.<>c__DisplayClass12.<CreateMailboxSession>b__10(MailboxSession mailboxSession)
     at Microsoft.Exchange.Data.Storage.MailboxSession.InternalCreateMailboxSession(LogonType logonType, ExchangePrincipal owner, CultureInfo cultureInfo, String clientInfoString, IAccountingObject budget, Action`1 initializeMailboxSession, InitializeMailboxSessionFailure initializeMailboxSessionFailure)
     at Microsoft.Exchange.Data.Storage.MailboxSession.CreateMailboxSession(LogonType logonType, ExchangePrincipal owner, DelegateLogonUser delegateUser, Object identity, OpenMailboxSessionFlags flags, CultureInfo cultureInfo, String clientInfoString, PropertyDefinition[] mailboxProperties, IList`1 foldersToInit, GenericIdentity auxiliaryIdentity, IAccountingObject budget)
     at Microsoft.Exchange.Data.Storage.MailboxSession.ConfigurableOpen(ExchangePrincipal mailbox, MailboxAccessInfo accessInfo, CultureInfo cultureInfo, String clientInfoString, LogonType logonType, PropertyDefinition[] mailboxProperties, InitializationFlags initFlags, IList`1 foldersToInit, IAccountingObject budget)
     at Microsoft.Exchange.Data.Storage.MailboxSession.OpenAsAdmin(ExchangePrincipal mailboxOwner, MailboxAccessInfo accessInfo, LogonType logonType, CultureInfo cultureInfo, String clientInfoString, Boolean useLocalRpc, Boolean ignoreHomeMdb, Boolean recoveryDatabase)
     at Microsoft.Exchange.Data.Storage.MailboxSession.OpenAsAdmin(ExchangePrincipal mailboxOwner, CultureInfo cultureInfo, String clientInfoString, Boolean useLocalRpc, Boolean ignoreHomeMdb, GenericIdentity auxiliaryIdentity)
     at Microsoft.Exchange.Data.Storage.Management.XsoMailboxDataProviderBase..ctor(ExchangePrincipal mailboxOwner, String action)
     at Microsoft.Exchange.Data.Storage.Management.MailboxFolderDataProviderBase..ctor(ADSessionSettings adSessionSettings, ADUser mailboxOwner, String action)
     at Microsoft.Exchange.Management.StoreTasks.SetMailboxFolderPermissionBase.CreateSession()
     at Microsoft.Exchange.Configuration.Tasks.DataAccessTask`1.InternalStateReset()
     at Microsoft.Exchange.Configuration.Tasks.SetObjectTaskBase`2.InternalStateReset()
     at Microsoft.Exchange.Configuration.Tasks.SetTenantADTaskBase`3.InternalStateReset()
     at Microsoft.Exchange.Management.StoreTasks.SetTenantXsoObjectWithFolderIdentityTaskBase`1.InternalStateReset() at Microsoft.Exchange.Configuration.Tasks.Task.ProcessRecord()
       ServerTransient
       Microsoft.Mapi.MapiExceptionLogonFailed: MapiExceptionLogonFailed: Unable to make connection to the server. (hr=0x80040111, ec=1010)
     Diagnostic context: Lid: 47655 EMSMDBPOOL.EcPoolCreateSession called [length=330] Lid: 64039 EMSMDBPOOL.EcPoolCreateSession returned [ec=0x3F2][length=110][latency=0] Lid: 41073 StoreEc: 0x3F2 Lid: 48243 Lid: 50033 StoreEc: 0x3F2 Lid: 1494
     ---- Remote Context Beg ----
     Lid: 1219 StoreEc: 0x80070005 Lid: 3225 StoreEc: 0x8004010F Lid: 1091 StoreEc: 0x80070005 Lid: 32233 Lid: 13488 StoreEc: 0x3F2 Lid: 28780 Lid: 20076 StoreEc: 0x3F2 Lid: 57713 StoreEc: 0x3F2 Lid: 49009 StoreEc: 0x3F2 Lid: 1750
     ---- Remote Context End ----
     Lid: 52465 StoreEc: 0x3F2 Lid: 60065 Lid: 33777 StoreEc: 0x3F2 Lid: 59805 Lid: 52209 StoreEc: 0x3F2 Lid: 56583 Lid: 52487 StoreEc: 0x3F2 Lid: 19778 Lid: 27970 StoreEc: 0x3F2 Lid: 17730 Lid: 25922 StoreEc: 0x3F2
     at Microsoft.Mapi.MapiExceptionHelper.ThrowIfError(String message, Int32 hresult, SafeExInterfaceHandle iUnknown, Exception innerException)
     at Microsoft.Mapi.ExRpcConnection.Create(ConnectionCache connectionCache, ExRpcConnectionCreateFlag createFlags, ConnectFlag connectFlags, String serverDn, String userDn, String user, String domain, String password, String httpProxyServerName, Int32 ulConMod, Int32 lcidString, Int32 lcidSort, Int32 cpid, Int32 cReconnectIntervalInMins, Int32 cbRpcBufferSize, Int32 cbAuxBufferSize, Client xropClient, Byte[] clientSessionInfo, TimeSpan connectionTimeout)
     at Microsoft.Mapi.MapiStore.OpenMapiStore(String serverDn, String userDn, String mailboxDn, Guid guidMailbox, Guid guidMdb, String userName, String domainName, String password, String httpProxyServerName, ConnectFlag connectFlags, OpenStoreFlag storeFlags, CultureInfo cultureInfo, Boolean wantRedirect, String& correctServerDN, ClientIdentityInfo clientIdentity, String applicationId, Client xropClient, Boolean wantWebServices, Byte[] clientSessionInfo, TimeSpan connectionTimeout)
     at Microsoft.Mapi.MapiStore.OpenMailbox(String serverDn, String userDn, String mailboxDn, String userName, String domainName, String password, ConnectFlag connectFlags, OpenStoreFlag storeFlags, CultureInfo cultureInfo, WindowsIdentity windowsIdentity, String applicationId)
     at Microsoft.Exchange.Data.Storage.MailboxSession.ForceOpen(MapiStore linkedStore)

    --
    Common Error:
     Provider
       [ Name]  Microsoft-Windows-User Profiles Service
       EventID 1511
     Security
       [ UserID]  S-1-5-21-points-to-this-account-in-domain
    Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.

    • Edited by visax 27 June 2012 13:30
    27 June 2012 13:29

Answers

  • After turning on the Analytic log of WinRM, the error appeared in more detail: (Error Code: 1359; Error String:The function: RegisterGPNotification failed unexpectedly. GetLastError=-2147024882).
    Searching led to the problem details, which turned out as suspected: the ACL of the service has only interactive users by default ... the service is (Group Policy Client) (GPSVC).
    (http://www.powershellcommunity.org/Forums/tabid/54/aft/5720/Default.aspx)
    (http://connect.microsoft.com/PowerShell/feedback/details/536492/powershell-remoting-fails-from-asp-net-web-site)

    1. After applying the new SDDL to the ACL of, the standard connection to EMS (RemoteExchange.ps1) from the scheduled task is OK.
    So we can generalize the solution: change the ACLs (sc sdset) of the services (SCMANAGER; w3svc; GPSVC) by adding the appropriate principal's ACE to the source SDDL strings (sc sdshow) of each service.
    In my case, an ACE for batch users (A;;*;;;S-1-5-3) was added as a clone of the interactive users ACE (A;;*;;;IU).
    But saving the modified ACL of (GPSVC) must be done with an extra step, as admins can't write the ACL of this service, only SYSTEM can; therefore use the (schtasks /create /ru system; schtasks /run) technique.

    2. The alternate connection to EMS (Add-PSSnapin Microsoft.Exchange.Management.PowerShell.e2010) still has the same errors, as expected.

    Any ideas are welcome; I may post updates if there is any progress.

    • Marked as answer by visax 15 August 2012 08:47
    15 August 2012 08:46
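The SDDL edit described in the marked answer (sc sdshow, clone the interactive-users ACE for S-1-5-3, sc sdset, and a SYSTEM scheduled task for GPSVC), written out as an added PowerShell example. This is not code from the thread; the function name, its parameters and the temp-file path are this example's own choices. It assumes an elevated PowerShell on the Exchange server and that each service's security descriptor contains an (A;;...;;;IU) ACE, as the answer reports.

```powershell
# Added example (not from the thread): clone a service's Interactive Users (IU) ACE
# for the Batch Logon SID (S-1-5-3), so that an account that only runs as a scheduled
# task gets the same rights on the service as an interactively logged-on user.
# Flow, as in the marked answer: sc sdshow -> edit SDDL -> sc sdset.
# Function name, parameters and the temp-file path are assumptions of this example.

function Add-BatchLogonServiceAce {
    param(
        [Parameter(Mandatory = $true)][string]$ServiceName,  # SCMANAGER, w3svc, GPSVC, ...
        [string]$BatchSid = 'S-1-5-3',                        # well-known SID: BATCH (no two-letter SDDL alias)
        [switch]$Apply                                        # without -Apply: preview only
    )

    # sc.exe sdshow prints the SDDL on a single line; blank lines and "[SC] ... FAILED"
    # messages do not start with "D:", so they are filtered out here.
    $sddl = (& sc.exe sdshow $ServiceName | Where-Object { $_ -match '^D:' }) -join ''
    if (-not $sddl) {
        throw "sc sdshow $ServiceName returned no SDDL (access denied or unknown service?)"
    }

    # Locate the allow ACE for Interactive Users: (A;;<rights>;;;IU)
    if ($sddl -match '\(A;;([A-Z]+);;;IU\)') {
        $iuAce  = $Matches[0]
        $rights = $Matches[1]
    } else {
        throw "No interactive-user ACE found in SDDL of ${ServiceName}: $sddl"
    }
    $batchAce = "(A;;$rights;;;$BatchSid)"

    if ($sddl.Contains($batchAce)) {
        Write-Host "$ServiceName already grants '$rights' to $BatchSid"
        return $sddl
    }

    # Insert the clone directly after the IU ACE. String.Replace is a literal replace,
    # so the parentheses and semicolons in the ACE need no escaping.
    $newSddl = $sddl.Replace($iuAce, $iuAce + $batchAce)
    Write-Host "Current: $sddl"
    Write-Host "New:     $newSddl"

    if ($Apply) {
        $result = & sc.exe sdset $ServiceName $newSddl
        Write-Host ($result -join ' ')
        if ($LASTEXITCODE -ne 0) { throw "sc sdset $ServiceName failed (exit code $LASTEXITCODE)" }
    }
    return $newSddl
}

# Services the answer names; SCMANAGER is the Service Control Manager itself.
foreach ($svc in 'SCMANAGER', 'w3svc') {
    Add-BatchLogonServiceAce -ServiceName $svc -Apply | Out-Null
}

# GPSVC: only SYSTEM may write its security descriptor, so compute the new SDDL here
# and let a one-shot scheduled task running as SYSTEM apply it (the schtasks /ru SYSTEM step).
$gpsvcSddl = Add-BatchLogonServiceAce -ServiceName GPSVC     # preview only, no -Apply
$script    = Join-Path $env:windir 'Temp\set-gpsvc-sddl.cmd'   # assumed path for this example
Set-Content -Path $script -Value "sc.exe sdset GPSVC $gpsvcSddl" -Encoding Ascii
schtasks /create /tn 'Set-GPSVC-SDDL' /tr $script /sc once /st 00:00 /ru SYSTEM /f
schtasks /run /tn 'Set-GPSVC-SDDL'
Start-Sleep -Seconds 5
schtasks /delete /tn 'Set-GPSVC-SDDL' /f
& sc.exe sdshow GPSVC    # verify that the S-1-5-3 ACE is now present
```

Two things to keep in mind when applying this. The cloned ACE grants S-1-5-3 exactly what IU already has on that service (on a default Windows service descriptor that is typically query/interrogate access, not start, stop or change-config), but S-1-5-3 matches every account that runs a batch job or scheduled task on the host, not only dom\serv-acc; if that is wider than wanted, pass the service account's own SID as -BatchSid instead. Also keep the `sc sdshow` output of each service from before the change (the function prints it as "Current:") so the descriptor can be restored with `sc sdset` if a later Exchange or Windows update behaves differently.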

All messages

  • Get-MailboxFolderStatistics
       {Identity=dom/ou/MailUser}

    Add-MailboxFolderPermission
       {Identity=dom/ou/MailUser:\Folder

    Is MailUser an existing mailbox?

    A member of the Recipient Management Role Group has the permission to run the above two cmdlets.

    Could you please test the script2.ps1 inside the EMS (Run as dom\serv-acc) first, does it work?

    Scripting with the Exchange Management Shell

    http://technet.microsoft.com/library/94c22e59-7460-4563-af20-79544c2bc2ff.aspx


    Frank Wang

    TechNet Community Support

    28 June 2012 07:51
  • Hi visax,

    Any updates?


    Frank Wang

    TechNet Community Support

    2 July 2012 02:09
  • Hi, Frank.

    MailUser is an existing mailbox.

    I've run script2.ps1 inside the EMS, under a (dom\serv-acc) RunAs session - it DOES work and sets mailbox folder permissions successfully!

    I hope we can now narrow this problem down to the (Interactive users) limitation of the SCM object ACL (http://msdn.microsoft.com/en-us/library/windows/desktop/ms685981(v=vs.85).aspx), due to the Error0 description. If so, how can we assign access to SCM for (this account) or for the (Batch Logon) security principal?

    If there is another option - I'm ready to listen!

    2 July 2012 16:06
  • Frank? or Anyone? :)

    Could you lead me to some info about changing SCM access?
    Or a workaround for the EMS cmdlets' connection init (HrGetServersForRole)? ...I can't find out how to force PowerShell to connect to the server directly when using the (Add-PSSnapin) method rather than (RemoteExchange.ps1)

    6 July 2012 14:29
  • Could anyone look?

    Update: adding permission for (S-1-5-3) to SCM and the service (w3svc was spotted) does not lead to any success if the task connects with (Add-PSSnapin); the error is the same...

    But if I use (RemoteExchange.ps1), now a new error fires from WinRM, Error: 1359 (... internal ...) - not very explanatory :(

    9 August 2012 17:30
  • Now:

    1. Running with (RemoteExchange.ps1):
    1.1. interactive, still OK:
     - WinRM: (Creating WSMan Session. The connection string is: http://ExchSrv01.dom/powershell?serializationLevel=Full;ExchClientVer=14.2.247.5;PSVersion=2.0),(WSMan Create Session operation completed successfuly)
     - MSExchange CmdletLogs, ServerRemoteHost-Unknown: (Cmdlet succeeded. Cmdlet Add-MailboxFolderPermission)
    execution OK, with results on recipients.
    1.2. batch task, after adding (S-1-5-3) to the SDDL of services (SCMANAGER,w3svc,MSExchangeSA), new ERRORs:
     - WinRM: (Creating WSMan Session. The connection string is: http://ExchSrv01.dom/powershell?serializationLevel=Full;ExchClientVer=14.2.247.5;PSVersion=2.0),(WSMan Create Session operation failed, error code 1359);
     - EMS: An internal error occurred.
       +CategoryInfo : InvalidArgument: (http://ExchSrv01...tVer=14.2.247.5:Uri) [], PSInvalidOperationException
       +FullyQualifiedErrorId : CreateRemoteRunspaceFailed.
    Script not executed at all.

    2. Running with (Add-PSSnapin Microsoft.Exchange.Management.PowerShell.e2010):
    2.1., 2.2. - interactive and batch task, old ERRORs, see original post:
     - MSExchange ADAccess: (Process powershell.exe () (PID=xxxxx). An remote procedure call (RPC) request to the Microsoft Exchange Active Directory Topology service failed with error 5 (Error 0x5 (Access is denied) from HrGetServersForRole));
     - MSExchange CmdletLogs, ConsoleHost-Local (Get-MailboxFolderStatistics, Add-MailboxFolderPermission): Cannot open mailbox /o=.../cn=Microsoft System Attendant. Microsoft.Mapi.MapiExceptionLogonFailed: MapiExceptionLogonFailed: Unable to make connection to the server. (hr=0x80040111, ec=1010)
    While other cmdlets (Get-User, Get-Mailbox) in this (script2.ps1) session executed OK.

    Any ideas anyone?

    13 August 2012 12:21