Exchange Sync Losing Setting

  • Question

  • Hello,

    I have configured the PWA2010 - Exchange 2007 sync with the following commands:

    Add-ADPermission -Identity (get-exchangeserver).DistinguishedName -User (Get-User -Identity DOMAINNAME\SERVICEACCT| select-object).identity -extendedRights ms-Exch-EPI-Impersonation

    Add-ADPermission -Identity "Firstname Lastname" -User DOMAINNAME\SERVICEACCT -extendedRights ms-Exch-EPI-May-Impersonate

    And after that, it works.  Then, sometime after the first sync, and some time thereafter, for some users, this setting disappears.  The sync fails.  I then need to run the second command over again.  The command completes without warning.  I know the setting is lost because if I run the second command on some other users, it gives me an error, saying the ACE already exists for the impersonation.

    Anyone have any clue into this?

    TIA,

    Ian

    Wednesday, April 6, 2011 6:26 PM

Answers

  • As you know, Project Server doesn't change the settings in Exchange Server, so I recommend troubleshooting with the help of the Exchange Server log.

    Since there was no warning when you executed the command the second time, I suspect that the accounts lost the impersonation for some reason.

    Monitor whether the issue occurs for the same account or the users from the same group. Observe the membership of those accounts.

    http://msdn.microsoft.com/en-us/library/bb204095(v=exchg.80).aspx

    The ms-Exch-EPI-Impersonation permission gives the caller the ability to submit an impersonation call through the Client Access server. This does not mean that the caller has permission to access any particular account. Permission to impersonate on a server is set on the security descriptor of the Server object in Active Directory. The calling account cannot be a member of any administrator group. This permission is explicitly denied to those groups.

    I second Joseph; please post a thread in the Exchange forum to identify the issue.


    Cheers. Happy troubleshooting !!! Sriram E - MSFT Enterprise Project Management
    Friday, April 8, 2011 2:30 PM
    Moderator

All replies

  • It also happened to me with a couple of users when I configured my project server dev environment.

    I had to execute the second command a few times for those users in order to activate the Exchange sync again for them.

    I'd have to ask them if it is still working but it was a very strange behaviour of the Exchange server losing the users' settings.

    Have you asked in the Exchange forum?

    Thursday, April 7, 2011 9:13 AM
  • I'm seeing the same problem on 2 of our accounts, which both happen to be in the Domain Admins group.  Have you solved this issue? 

    The permission seems to be lost after about 15-30 minutes.

    Any ideas?

    Thanks,

    Zach

    Sunday, August 28, 2011 10:13 PM
  • I am having the same problem.

    A few accounts are losing the permission setting and I have to re-apply all the time.

    What's wrong?

    Wednesday, February 29, 2012 11:04 AM
  • It's a known behaviour in Exchange Server if the user belongs to the Domain Admin group.


    Cheers. Happy troubleshooting !!! Sriram E - MSFT Enterprise Project Management

    Wednesday, February 29, 2012 6:18 PM
    Moderator
  • In my case the accounts that are losing the permission setting are not domain admins.

    What could it be then?

    Thursday, March 1, 2012 7:38 AM
  • As you know, Project Server cannot remove this permission from Exchange Server; I may need to contact the Exchange Admin team to check the reason.

    Analyse the user permissions, check at what frequency the permission got removed, and check with the Exchange team.


    Cheers. Happy troubleshooting !!! Sriram E - MSFT Enterprise Project Management

    Sunday, March 4, 2012 2:58 AM
    Moderator
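
An added example (not from the thread or from Microsoft's documentation) of the monitoring suggested above: for each affected user it records whether the ms-Exch-EPI-May-Impersonate ACE for the service account is still present, together with the account's direct group membership and its adminCount attribute, which Active Directory sets to 1 on accounts in protected groups such as Domain Admins, whose ACLs are periodically reset from the AdminSDHolder template. The account names, user list and log path are placeholders, and the function name is hypothetical.

```powershell
# Added example; run in the Exchange Management Shell, e.g. from a scheduled task.
# Placeholders (assumptions): service account, affected users, log path.
$ServiceAccount = 'DOMAINNAME\SERVICEACCT'
$Users          = @('Firstname Lastname')
$LogPath        = 'C:\Temp\impersonation-ace.log'
$Right          = 'ms-Exch-EPI-May-Impersonate'

function Get-ImpersonationAceStatus {
    param([string[]]$Users, [string]$ServiceAccount, [string]$Right)
    foreach ($name in $Users) {
        $user = Get-User -Identity $name -ErrorAction SilentlyContinue
        if (-not $user) { Write-Warning "User not found: $name"; continue }

        # Allow ACEs on the user object that grant the right to the service account
        $aces = @(Get-ADPermission -Identity $user.DistinguishedName -User $ServiceAccount |
            Where-Object { -not $_.Deny -and ($_.ExtendedRights -like $Right) })

        # Read adminCount and direct group membership straight from the directory
        $entry  = [adsi]("LDAP://" + $user.DistinguishedName)
        $groups = @($entry.psbase.Properties['memberOf'] | ForEach-Object { $_ })

        $row = '' | Select-Object Time, User, AcePresent, Inherited, AdminCount, MemberOf
        $row.Time       = (Get-Date).ToString('s')
        $row.User       = $user.DistinguishedName
        $row.AcePresent = ($aces.Count -gt 0)
        $row.Inherited  = (@($aces | Where-Object { $_.IsInherited }).Count -gt 0)
        $row.AdminCount = $entry.psbase.Properties['adminCount'].Value
        $row.MemberOf   = [string]::Join(';', $groups)
        $row
    }
}

# Append one tab-separated line per user and run, so the time at which
# AcePresent flips from True to False shows how often the ACE is removed.
Get-ImpersonationAceStatus -Users $Users -ServiceAccount $ServiceAccount -Right $Right |
    ForEach-Object {
        $fields = @($_.Time, $_.User, $_.AcePresent, $_.Inherited, $_.AdminCount, $_.MemberOf)
        Add-Content -Path $LogPath -Value ([string]::Join("`t", $fields))
        $_
    }
```

An account that shows AdminCount 1 and loses the ACE at regular intervals matches the Domain Admins behaviour described in the thread; memberOf lists direct memberships only, so nested or primary-group membership has to be checked separately.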