locked
rights show assigned but cannot do... RRS feed

  • Question

  • New install of Ex2k10 that had lots of problems (flawed migration from SBS2k3). finally got Ex to install without errors and all services to start clean, no errors. Began configuring starting from Org and when I got to creating address policies I got:

    cmdlet Get-EmailAddressPolicy is not present in the role definition for the current user It was running the command 'Get-EmailAddressPolicy -Identity 'Default Policy".

    when I run get-ManagementRoleAssignment I show this account as having organization management and this also shows in the RBAC UI. Event viewer shows ID 6 in MSExchange Management which echoes the above error; other logs show nothing.

    So, what gives here?

    Friday, April 6, 2012 9:16 PM

Answers

  • Please post the event 6 to help you better. Lets run the following command

    Get-ManagementRoleEntry "*\Get-EmailAddressPolicy"

    Name                           Role                      Parameters
    ----                           ----                      ----------
    Get-EmailAddressPolicy         E-Mail Address Policies   {Debug, DomainController, ErrorAction, ErrorVariable, Ident...
    Get-EmailAddressPolicy         View-Only Configuration   {Debug, DomainController, ErrorAction, ErrorVariable, Ident...

    Get-Emailaddresspolicy cmd comes under above management role. Now lets verify if these roles are getting applied to your admin account or not.

    Get-Managmentroleassignment -roleassignee adminaccount | ft role

    Can you create a test admin account and add it to Organization management role group and test to run the command Get-emailaddresspolicy. Using test account we can rule out if this issue is related to a user or its something with RBAC.


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. Hasnain Shaikh| My blogs: http://messagingserversupport.com

    Sunday, April 8, 2012 11:08 AM
  • Hello,

    When you want user can use this commmand "Get-EmailAddressPolicy", you need grant him these permissions:

    Organization Management

    Server Management

    I suggest you follow this document to grant user permission, then check this issue will occur or not:

    Get-EmailAddressPolicy (Detailed Description)
    http://technet.microsoft.com/en-us/library/bb124117.aspx

    Thanks,

    Evan


    Evan Liu

    TechNet Community Support

    Monday, April 9, 2012 7:10 AM
    Moderator

All replies

  • Hi Daniel,

    you says that you have migrated from Exchange 2003 (SBS) to Exch2010. Do you prepare the Organisation with:

    /PrepareLegacyExchangePermissions, /pl
            Prepares the permissions in a legacy forest.
            Use this parameter only if you have Exchange 2003 servers in your organization.

    /PrepareAD

    /PrepareSchema

    /PrepareDomain

    ??

    Arne


    Arne Tiedemann | Active Directory and Exchange specialist

    Saturday, April 7, 2012 8:47 PM
  • Please post the event 6 to help you better. Lets run the following command

    Get-ManagementRoleEntry "*\Get-EmailAddressPolicy"

    Name                           Role                      Parameters
    ----                           ----                      ----------
    Get-EmailAddressPolicy         E-Mail Address Policies   {Debug, DomainController, ErrorAction, ErrorVariable, Ident...
    Get-EmailAddressPolicy         View-Only Configuration   {Debug, DomainController, ErrorAction, ErrorVariable, Ident...

    Get-Emailaddresspolicy cmd comes under above management role. Now lets verify if these roles are getting applied to your admin account or not.

    Get-Managmentroleassignment -roleassignee adminaccount | ft role

    Can you create a test admin account and add it to Organization management role group and test to run the command Get-emailaddresspolicy. Using test account we can rule out if this issue is related to a user or its something with RBAC.


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. Hasnain Shaikh| My blogs: http://messagingserversupport.com

    Sunday, April 8, 2012 11:08 AM
  • Hello,

    When you want user can use this commmand "Get-EmailAddressPolicy", you need grant him these permissions:

    Organization Management

    Server Management

    I suggest you follow this document to grant user permission, then check this issue will occur or not:

    Get-EmailAddressPolicy (Detailed Description)
    http://technet.microsoft.com/en-us/library/bb124117.aspx

    Thanks,

    Evan


    Evan Liu

    TechNet Community Support

    Monday, April 9, 2012 7:10 AM
    Moderator
  • Any updates?

    Thanks,

    Evan


    Evan Liu

    TechNet Community Support

    Saturday, April 14, 2012 5:00 AM
    Moderator