Cannot manage mail accounts through ECP, receive Access Denied

  • Question

  • Hello,

    I am running Exchange 2010 SP1 on Windows Server 2008 R2 SP1.

    I am a member of the Exchange Organization Administrators role and receive the error Access Denied when trying to manage mail accounts through ECP.

    If I add my account to the Help Desk role it works.

    This started happening after I recently applied SP1 and rollup updates 1 - 3.

    I have the following entry in the event log related to this.

    Any suggestions to resolve this?

    Log Name:      Application
    Source:        MSExchange Control Panel
    Date:          6/16/2011 2:24:12 PM
    Event ID:      4
    Task Category: General
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      MyServer.MyDomain.ORG
    Current user: 'Domain\UserAcct'
    Request for URL 'https://mail.MyDomain.org/ecp/default.aspx?exsvurl=1&mkt=en-US' failed with the following error:
    Microsoft.Exchange.Configuration.Authorization.CmdletAccessDeniedException: The user "Domain.MyDomain.ORG/Users/UserAcct" on behalf of "Domain.MyDomain.ORG/Users/ManagedUserAcct" doesn't have any of the management roles required to create the impersonated runspace.
       at Microsoft.Exchange.Configuration.Authorization.ExchangeRunspaceConfiguration.LoadRoleCmdletInfo(String organizationName, IList`1 roleTypeFilter, List`1 sortedRoleEntryFilter, IList`1 logonUserRequiredRoleTypes, List`1 implicitRoleIds)
       at Microsoft.Exchange.Configuration.Authorization.ExchangeRunspaceConfiguration..ctor(IIdentity logonIdentity, IIdentity impersonatedIdentity, ExchangeRunspaceConfigurationSettings settings, IList`1 roleTypeFilter, List`1 sortedRoleEntryFilter, IList`1 logonUserRequiredRoleTypes, Boolean callerCheckedAccess)
       at Microsoft.Exchange.Management.ControlPanel.RbacContext.<.ctor>b__5()
       at Microsoft.Exchange.Data.Storage.LazilyInitialized`1.get_Value()
       at Microsoft.Exchange.Data.Storage.LazilyInitialized`1.op_Implicit(LazilyInitialized`1 delayInitialized)
       at Microsoft.Exchange.Management.ControlPanel.RbacSession..ctor(RbacContext context, SessionPerformanceCounters sessionPerfCounters, EsoSessionPerformanceCounters esoSessionPerfCounters)
       at Microsoft.Exchange.Management.ControlPanel.StandardSession..ctor(RbacContext context)
       at Microsoft.Exchange.Management.ControlPanel.StandardSession.Factory.CreateNewSession()
       at Microsoft.Exchange.Management.ControlPanel.RbacSession.Factory.CreateSession()
       at Microsoft.Exchange.Management.ControlPanel.RbacContext.CreateSession()
       at Microsoft.Exchange.Management.ControlPanel.RbacSettings.CreateSession()
       at Microsoft.Exchange.Management.ControlPanel.AuthenticationSettings..ctor(HttpContext context)
       at Microsoft.Exchange.Management.ControlPanel.RbacModule.Application_PostAuthenticateRequest(Object sender, EventArgs e)
       at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
       at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)




    Friday, June 17, 2011 2:39 AM

All replies

  • Make sure you are a member of Recipient Management Group.
    Gulab | MCITP: Exchange 2010-2007 | Skype: Gulab.Mallah | Blog: www.ExchangeRanger.Blogspot.com
    Friday, June 17, 2011 6:28 AM
  • Tried that, as being members of both Organization and Recipient Management Roles it does not work.

    Receive the error: Sorry! Access Denied.  You don't have permission to open this page. If you're a new user or were recently assigned credentials, please wait 15 minutes and try again.

    If I am a member of both Organization and Helpdesk Management Roles it works.

    I would expect that all I would need is the Organization Management Role to manage another user through ECP.





    • Proposed as answer by kevy007 Friday, August 12, 2016 6:05 AM
    Friday, June 17, 2011 2:13 PM
  • Hi,

    Please try to create a new user, then add this user to the Organization Management group. Test to see if you can manage mail accounts.

    If the issue persists, please check if the Recipient Management role group contains the following roles:

    1. Log into the ECP with the Administrator account.

    2. Expand to Roles & Auditing, locate "Organization Management".

    3. On the right panel, see the "Assigned Roles" section. It should contain the following roles:

    Distribution Groups

    Mail Enabled Public Folders

    Mail Recipient Creation

    Mail Recipients

    Gen Lin-MSFT
    Tuesday, June 21, 2011 2:25 AM
  • Thanks for the suggestion.

    When I checked the assigned roles for Organization Management all that you mentioned were listed.

    This was not the case when this issue started.

    The list of assigned roles has increased by about a third.

    I do not know what is causing this and it did not start until after applying Exchange SP1.

    Is there a powershell command that can be used to re-generate the default role assignments for the Organization Management Role?


    Tuesday, June 21, 2011 12:58 PM
  • Check:

    - Log in to OWA as Administrator or any login that has access to ECP (click Options)

    - Click Options

    - Select to manage: My Organizations

    - Double-click the user that has Denied Access to ECP

    - Expand Mailbox Settings

    - Role Assignment Policy should be Default Role Assignment Policy

    In my case, the Role Assignment Policy for the user is blank.

    Wednesday, August 29, 2012 11:02 PM
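
The checks suggested in the replies above (assigned roles on the role group, and the mailbox's Role Assignment Policy) can also be run read-only from the Exchange Management Shell. This is an added example, not part of any poster's reply; `Domain\UserAcct` and `ManagedUserAcct` are the placeholder names from the event log and must be replaced with real identities.

```powershell
# Read-only RBAC checks for the ECP "Access Denied" case in this thread.
# Run in the Exchange Management Shell. Account names below are placeholders.
$admin     = 'Domain\UserAcct'      # placeholder: account that gets Access Denied
$managed   = 'ManagedUserAcct'      # placeholder: mailbox being managed through ECP
$roleGroup = 'Organization Management'
$expected  = 'Distribution Groups', 'Mail Enabled Public Folders',
             'Mail Recipient Creation', 'Mail Recipients'

# 1. Who is actually in the role group?
Get-RoleGroupMember -Identity $roleGroup | Format-Table Name, RecipientType -AutoSize

# Helper: names of enabled, non-delegating roles assigned to an assignee.
# The Role value may be a name or a path, so keep only the last segment.
function Get-AssignedRoleName($assignee) {
    Get-ManagementRoleAssignment -RoleAssignee $assignee -Delegating $false |
        Where-Object { $_.Enabled } |
        ForEach-Object { ([string]$_.Role -split '/')[-1] } |
        Sort-Object -Unique
}

# 2. Does the role group, and the admin (direct or via groups), hold each expected role?
foreach ($assignee in $roleGroup, $admin) {
    $have    = @(Get-AssignedRoleName $assignee)
    $missing = @($expected | Where-Object { $have -notcontains $_ })
    if ($missing.Count -gt 0) {
        Write-Warning "$assignee is missing: $($missing -join ', ')"
    } else {
        Write-Host "$assignee holds all expected recipient roles ($($have.Count) roles total)"
    }
}

# 3. Role Assignment Policy on both mailboxes (the last reply found it blank).
$default = Get-RoleAssignmentPolicy | Where-Object { $_.IsDefault }
foreach ($id in $admin, $managed) {
    $mbx = Get-Mailbox -Identity $id -ErrorAction SilentlyContinue
    if (-not $mbx) {
        Write-Warning "$id has no mailbox; no Role Assignment Policy applies"
    } elseif (-not $mbx.RoleAssignmentPolicy) {
        # Set-Mailbox -RoleAssignmentPolicy is the cmdlet that assigns one.
        Write-Warning "$id has a blank Role Assignment Policy (default is '$($default.Name)')"
    } else {
        Write-Host "$id -> $($mbx.RoleAssignmentPolicy)"
    }
}
```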