locked
Permission error on New-MailboxExportRequest for Mailbox Archive RRS feed

  • Question

  • SO we're getting rid of Enterprise Vault and moving back to Exchange native archiving.

    Part of this requires a new process for leavers and the only method I can see is to export mailbox and archive to PST, however....when I run the

    New-MailboxExportRequest ME -filepath \\server\export\ME\me.pst -isarchive

    I get a "Access to path is denied" error. However, if I run the same command and exclude the IsArchive switch, it all runs fine and exports the mailbox.

    Why, when I try to export the archive, do I get a permission error. I have permission to the mailbox, I have permission to the destination share. Exchange Trusted Subsystem has permission to the share. The server I'm running this on is an Exchange server. All Servers are Exchange 2013 CU9 (Can't upgrade until we have removed EV. Can't remove EV until we have a leavers policy!)

    I cannot use the search-mailbox ommand to export as most mailboxes will have over 10,000 items.

    Anyone, anywhere, any ideas?


    • Edited by NewbieNik73 Monday, December 5, 2016 1:45 PM title spelling error
    Monday, December 5, 2016 11:19 AM

All replies

  • Hi 

    Quest is having tools for this called Migration Manager for Email Archive.

    Monday, December 5, 2016 12:21 PM
  • But why pay for something that is a native tool?

    I realise Quest do aid in the migration from EV to Exchange, but that's not my question. The question is around why Powershell thinks there is a difference in permissions from Exporting a mailbox as to exporting a mailbox's archive.

    • Edited by NewbieNik73 Monday, December 5, 2016 12:53 PM
    Monday, December 5, 2016 12:49 PM
  • you were looking for ideas, i'm proposing one :) 
    Monday, December 5, 2016 1:01 PM
  • True, but ideas on why a standard powershell command is throwing errors. Sorry.

    We have a tool doing the EV migration already, Archive Shuttle by QuadroTech (It's very good).

    My issue is around people who leave from now on. Before we would archive their mailbox, but now we want to copy their mailbox and Archive into a group mailbox that legal and FOI can search. All is fine, apart from exporting the Exchage Archive to .pst. All articles I've read say this is possible and a tried and tested practice, but for some reason the Archive fails (mailbox is fine) I'm trying to figure out why, then I can issue my script which automates all the HelpDesk jobs for a leaver into one simple command.

    Monday, December 5, 2016 1:07 PM
  • Hi,

    Based on my test, I don't reproduce this issue in my lab.
    Also, I do not find any useful information for this issue, I'll do research and post here if I get a update.

    Meanwhile, please try to create a test user and enable archive mailbox, then try to export for testing.
    Also, move problematic mailbox to other database if test mailbox works fine.


    Best Regards,

    Allen Wang


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, December 6, 2016 9:19 AM
  • Allen,

    Thanks for that. I have tried exporting other Archives on different servers and databases, but they all fail with the same error. We keep our Archive databases on their own servers different to the mailboxes, SO i'm assuming they are missing a permission of some sort. Administrator groups have the same members on all exchange servers. The account I'm using is an Organisational Admin with Records Management membership and an unrestricted scope.

    It's really bugging me as I have a powershell script that will, once I sort this, export both mailbox and archive of user to a Leavers mailbox, remove the group membership of the user, delete the mailbox, disable and move the AD account to an OU that is cleaned after 6 months. Unfortunately, this fails on the first hurdle of exporting the mailbox archive... Grrr.

    Nik

    Tuesday, December 6, 2016 9:40 AM
  • After a bit more of a thorough investigation, it is the 2 Archive DBs on one server that is stopping us from extracting to a pst file. THis is a relief, but still means we have the same issue.

    Local Admin groups are the same. DBs look identical with no errors. Mailbox permissions are obviously fine as when the Archvie is moved we can export the pst.

    Can anyone think of a reason why an admin user who can export any mailbox and archive on all of the other servers cannot export a pst file from any mailbox hosted on any DBs hosted on one particular server? Got to be server related, but where?

     
    Tuesday, December 6, 2016 2:40 PM
  • please check you share if you have "EVERYONE" rights.

    this

    New-MailboxExportRequest -Mailbox "xyz" -FilePath "\\server\exUtil$\xyz_archive.pst" -IsArchive

    work's fine on our Environment.

    Per default nobody can Export, you must create a role

    New-ManagementRoleAssignment -Role "Mailbox Import Export" -User "YourExportUser"

    Command Powershell close windows!!!!


    CH

    Wednesday, December 7, 2016 6:27 AM
  • Thanks Chris,

    But the permission issue is not with the share, it's with accessing the Archive mailbox I think. As I said, Ive tested the same path with the users mailbox and that's fine. I have established it is exporting the archive mailbox from one particular Exchange Server. If I move the archive DB off that server, I can export it fine. I just can't seem to find which permission is stopping me.

    Wednesday, December 7, 2016 12:30 PM
  • do have you two Exchange Servers 2010, 2013? than you should move user and Archiv Mailbox on your new 2013 server

    Chris


    • Edited by -- Chris -- Wednesday, December 7, 2016 2:19 PM
    Wednesday, December 7, 2016 1:02 PM
  • 4 x 2013 servers for mailboxes (In one DAG) 2 x 2013 servers hosting archive mailboxes. One of those servers is fine, the other throws the permission errors.
    Wednesday, December 7, 2016 3:28 PM
  • Hi,

    Sorry for delay.

    Since this issue only occurs on this special server, please open the folder path of Mailbox database, then open Properties to check and compare the permission configuration (compare settings with worked DB).

    Meanwhile, open ADSI Edit and connect to Configuration partition, then navigate to:
    CN=Databases,CN=Exchange Administrative Group 
    (FYDIBOHF23SPDLT),CN=Administrative Groups,
    CN=<Organization Name>,CN=Microsoft Exchange,
    CN=Services,CN=Configuration
    Then, check and compare the permission settings.


    Best Regards,

    Allen Wang


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, December 12, 2016 6:38 AM
  • Thanks Allen,

    Checked both NTFS and ADSI permissions for the server and 2 databases it hosts and they are identical to the permissions on a server and database that works fine.

    Exchange Trusted Subsystem and my administration account has full permissions to server, database, NTFS database, NTFS target folder, target share and mailboxes I'm trying to export.

    I have also made my account a domain admin, Organisational admin and ensured I have all export permissions with scope to include the entire organisation. Still get permission denied.?

    Is there a ADSI comparison tool you're aware of?


    • Edited by NewbieNik73 Monday, December 12, 2016 8:52 AM
    Monday, December 12, 2016 8:51 AM
  • So, in anger last night I drained the databases on that server and removed them. I then uninstalled Exchange form the offending server and rebooted it.

    I then re-installed Exchange and re-created the databases. I moved my archive onto one of the databases and ran the new-mailboxexportrequest command.....

    same error. What The Hell???

    It's not the path. I can export other archives/mailboxes from other servers to it. It's not the mailbox I'm exporting. If i move the archive to the other server, I can export it fine.

    It HAS to be permissions on the Server, somewhere. Administrator group is the same as the other servers (Domain Admin, Exchange Trusted SubSystem, Organization Mgmt)

    Administrators have Full Access to the drive and folders hosting the database as does Organization Mgmt and System.

    Anyone? Please? This is driving me crazy....

    Tuesday, December 13, 2016 9:55 AM
  • Incident raised with MS Support teams.. Will keep you informed.
    Tuesday, December 13, 2016 10:44 AM
  • It turns out the issue is with access to the share location on that server, however it is not your normal permissions issue.

    The Share is fine. I can create, modify and delete items. I can use powershell to  create, modify and delete items. I can use Exchange Shell to create, modify and delete items. I CANNOT create .pst files from Exchange Shell there. It seems the Exchange commands do not have permissions to that share or ANY share I create on that server.

    The workaround is to create the pst files on another share on another server. Microsoft are investigating this behaviour as all server permission, NTFS permissions and Share permissions are the same across multiple servers./?

    • Proposed as answer by Allen_WangJF Friday, December 16, 2016 2:08 AM
    Wednesday, December 14, 2016 3:05 PM
  • Hi,

    I'm also planing to escalate this issue before you arise a support ticket with Microsoft.
    Anyway, thank you for your sharing, and it's very appreciate to update this thread if you get result from Microsoft.

    Thanks again.


    Best Regards,

    Allen Wang


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, December 16, 2016 2:08 AM
  • Workaround - Provide Full/Modify access to "Exchange Trusted Subsystem" and “System” in Share and permission tap.
    Friday, September 14, 2018 7:19 PM
  • Note you have to run the command from the Exchange server - it doesn't work if you run the command from a non-exchange server with exchange powershell installed. This is what tripped me up.
    Thursday, December 12, 2019 12:47 AM