locked
how to get Credentials to create new mailbox? RRS feed

  • Question

  • Dummy question...

    User is member of the group:

    domainA.com/Microsoft Exchange Security Groups/Organization Management

    And by "Get-ManagementRoleAssignment -role "Mail Recipient Creation" I can see above group have such credentials in E2010.

    ...but still "new-mailbox" is unknown command.

    What I have forgot to do?


    Petri

    Wednesday, May 9, 2012 2:41 PM

Answers

  • Hi,

    If you have an OU called "Microsoft Exchange Protected Groups" you can be sure that you did prepare the AD with the split-permission model.


    From the Technet article I posted earlier:

    The following happens when you enable Active Directory split permissions either through the Setup wizard or by running setup.com with the /PrepareAD and /ActiveDirectorySplitPermissions:true parameters:

        An organizational unit (OU) called Microsoft Exchange Protected Groups is created.
        The Exchange Windows Permissions security group is created in the Microsoft Exchange Protected Groups OU.
        The Exchange Trusted Subsystem security group isn't added to the Exchange Windows Permissions security group.


    Martina Miskovic

    • Marked as answer by Xiu Zhang Tuesday, May 15, 2012 6:44 AM
    Thursday, May 10, 2012 11:50 AM

All replies

  • Are you running this from the Exchange Management Shell?

    Sukh

    Wednesday, May 9, 2012 2:44 PM
  • Yes....or trying to do so. Also I tried to set public folder credentials, to that I got "access denied"...

    I tried also tried to use GUI but the same results.

    I can create the account using the ADUC and then enable-mailbox.


    Petri

    Wednesday, May 9, 2012 4:30 PM
  • Can you create a new profile on the server fo this user and test again.  I assume the account is logging onto the server?

    Sukh

    • Proposed as answer by Xiu Zhang Thursday, May 10, 2012 7:28 AM
    Wednesday, May 9, 2012 4:51 PM
  • Hi,

    Please run Get-ManagementRoleAssignment -roleassignee user |fl role to check the roles that this user has.

    Note: To mail-enable public folders, the Mail Enabled Public Folders role must be used.

    By the way, how many Exchange Servers in the network?

    How many Domain controllers?


    Xiu Zhang

    TechNet Community Support

    Thursday, May 10, 2012 7:27 AM
  • Dummy question...

    User is member of the group:

    domainA.com/Microsoft Exchange Security Groups/Organization Management

    And by "Get-ManagementRoleAssignment -role "Mail Recipient Creation" I can see above group have such credentials in E2010.

    ...but still "new-mailbox" is unknown command.

    What I have forgot to do?


    Petri

    Hi,
    Exchange 2010 SP1 came with two types of permissions models (Shared or split) and if chosed "split-model" during the Exchange 2010 installation, that would explain why you can't run new-mailbox but enable-mailbox works.
    Some other examples of cmdlets that will not work when using the split permission model is: New-Mailcontact, New-Distributiongroup and Remove-Mailbox.



    If you had any other version of Exchange installed in your Org, before you installed Exchange 2010 SP1/SP2 the above is not an answer to why you can't run new-mailbox etc, but if you didn't..keep on reading.

    You can change the permission model if you want to. It's all described in the Technet article below.
    But in short you need to prepare your AD again:
    setup.com /PrepareAD and /ActiveDirectorySplitPermissions:false


    Understanding Split Permissions
    http://technet.microsoft.com/en-us/library/dd638106.aspx




    Martina Miskovic

    Thursday, May 10, 2012 8:03 AM
  • Martina could well be right, most go for shared rather than split which is the default.  Can you confirm what you went with?

    Sukh

    Thursday, May 10, 2012 9:47 AM
  • Hi Martina,

    No other server version installed. It is actually my test environment so I have one Exchange and one DC.

    Is there any change to check the split permission status?


    Petri

    Thursday, May 10, 2012 11:13 AM
  • Hi,

    If you have an OU called "Microsoft Exchange Protected Groups" you can be sure that you did prepare the AD with the split-permission model.


    From the Technet article I posted earlier:

    The following happens when you enable Active Directory split permissions either through the Setup wizard or by running setup.com with the /PrepareAD and /ActiveDirectorySplitPermissions:true parameters:

        An organizational unit (OU) called Microsoft Exchange Protected Groups is created.
        The Exchange Windows Permissions security group is created in the Microsoft Exchange Protected Groups OU.
        The Exchange Trusted Subsystem security group isn't added to the Exchange Windows Permissions security group.


    Martina Miskovic

    • Marked as answer by Xiu Zhang Tuesday, May 15, 2012 6:44 AM
    Thursday, May 10, 2012 11:50 AM