Exchange 2007 Certificate view on PowerShell

  • Question

  • Hi,

    Here we have Exchange 2007 with multiple administrator accounts. If I use my admin account to check Get-ExchangeCertificate | fl, I am getting this error:

    Get-ExchangeCertificate : Unable to create Internet Information Services (IIS)
    directory entry. Error message is: Access is denied.
    . HResult = -2147024891.
    At line:1 char:24
    + Get-ExchangeCertificate  <<<< | fl

    But if I use the Administrator (Inbuilt) account, I am able to view the certificate in the Exchange Management Shell.

    Any idea what permission needs to be set on my admin account? I have already added it to Exchange Organization Administrator.

    Can anyone please tell me how I can fix this problem?

    Regards,

    Kris

    Tuesday, March 1, 2011 2:48 AM

All replies

  • On Tue, 1 Mar 2011 02:48:56 +0000, Lotusnotes wrote:
     
    >Here we have Exchange 2007 with multiple administrator accounts. If I use my admin account to check Get-ExchangeCertificate | fl, I am getting this error:
    >
    >Get-ExchangeCertificate : Unable to create Internet Information Services (IIS)
    >directory entry. Error message is: Access is denied.
    >. HResult = -2147024891.
    >At line:1 char:24
    >+ Get-ExchangeCertificate <<<< | fl
    >
    >But if I use the Administrator (Inbuilt) account, I am able to view the certificate in the Exchange Management Shell.
    >
    >Any idea what permission needs to be set on my admin account? I have already added it to Exchange Organization Administrator.
    >
    >Can anyone please tell me how I can fix this problem?
     
    Is that account also in the local administrators group on the server?
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    Tuesday, March 1, 2011 4:10 AM
  • No. Not in the local administrative group.
    Tuesday, March 1, 2011 5:44 AM
  • Hi:
       To run the Get-ExchangeCertificate cmdlet, the account you use must be delegated the following:

    • Exchange View-Only Administrator role

    To run the Get-ExchangeCertificate cmdlet on a computer that has the Edge Transport server role installed, you must log on by using an account that is a member of the local Administrators group on that computer.

    For more information about permissions, delegating roles, and the rights that are required to administer Microsoft Exchange Server 2007, see Permission Considerations.

     

    • Proposed as answer by Terence Yu Monday, March 7, 2011 1:01 AM
    • Marked as answer by Gavin-Zhang Monday, March 7, 2011 2:08 AM
    Wednesday, March 2, 2011 2:19 AM
  • On Tue, 1 Mar 2011 05:44:07 +0000, Lotusnotes wrote:
     
    >No. Not in the local administrative group.
     
    Then you won't have access to the certificate store. If you add the
    exchange organization admins group to the local administrators group
    you'll be able to do the things that an admin should be able to do.
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    • Proposed as answer by Terence Yu Monday, March 7, 2011 1:01 AM
    • Marked as answer by Gavin-Zhang Monday, March 7, 2011 2:08 AM
    Wednesday, March 2, 2011 3:09 AM
  • Hi,
      Do you have anything to update?
    Friday, March 4, 2011 8:52 AM
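
A diagnostic for the situation discussed in this thread, added here as an example and not posted by any participant: it reports whether the account running the Exchange Management Shell holds local Administrators membership in its token and which Exchange administrator groups it carries, before attempting Get-ExchangeCertificate. The wildcard used to match Exchange group names is an assumption about how the groups are named in your domain.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell
# as the account that receives "Access is denied".
# Written without try/catch or -join so it also runs on PowerShell 1.0.

$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

# BUILTIN\Administrators by well-known SID, so the check does not depend on
# the (possibly localized) group name.
$adminSid     = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-544")
$isLocalAdmin = $principal.IsInRole($adminSid)

# Group names present in the current logon token. Passing $false keeps SIDs
# that cannot be resolved to a name instead of throwing.
$groups = $identity.Groups.Translate([System.Security.Principal.NTAccount], $false) |
    ForEach-Object { $_.Value }

# Assumption: Exchange 2007 role groups match this pattern, for example
# "DOMAIN\Exchange Organization Administrators".
$exchangeGroups = @($groups | Where-Object { $_ -like '*\Exchange *Administrators' })

Write-Host ("Account:              {0}" -f $identity.Name)
Write-Host ("Local Administrators: {0}" -f $isLocalAdmin)
Write-Host ("Exchange role groups: {0}" -f [string]::Join(', ', $exchangeGroups))

if ($isLocalAdmin) {
    # Same cmdlet as in the question, limited to the fields usually reviewed.
    Get-ExchangeCertificate | Format-List Thumbprint, Subject, Services, NotAfter
} else {
    # On Windows Server 2008 with UAC, a shell that was not started with
    # "Run as administrator" carries a filtered token and also lands here,
    # even when the account is a member of the local Administrators group.
    Write-Warning "Token lacks BUILTIN\Administrators; Get-ExchangeCertificate is expected to fail with Access is denied."
}
```

Group membership is read from the logon token, so a change to local Administrators only shows up after the account logs off and on again.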