none
Access is denied when running the command Get-ExchangeCertificate from non-local Exchange Server

    Question

  • As I click through the list of servers in the root of the “Server Configuration” node I get the below error on all servers except the one I am connected to.  Is this to be expected?

     The Exchange Certificate Operation has failed with an exception.  The error message is: Access is denied It was running the command ‘Get-ExchangeCertificate –server ‘cas01’


    Mike Crowley: MCT, MCSE, MCTS, MCITP: Enterprise Administrator / Messaging Administrator
    Friday, March 19, 2010 2:46 PM
    Moderator

Answers

  • This turned out to be a weird GPO issue.
    Mike Crowley: MCT, MCSE, MCTS, MCITP: Enterprise Administrator / Messaging Administrator
    Friday, March 19, 2010 7:53 PM
    Moderator

All replies

  • This turned out to be a weird GPO issue.
    Mike Crowley: MCT, MCSE, MCTS, MCITP: Enterprise Administrator / Messaging Administrator
    Friday, March 19, 2010 7:53 PM
    Moderator
  • Hi Mike

    We've got the same problem here in our test environment. Have you got a little more information on about you've solved this on your side?

    Thank you very much

     

    Tuesday, July 13, 2010 9:29 AM
  • I don't have access to that environment anymore, but I moved the server to a new, sub-ou with inheritance blocked.  Then i rebooted the server and it started working.  we then reviewed the gpos that were being applied and realized one was stopping a service or something (can’t remember).



    Mike Crowley
    Check out My Blog!

    Tuesday, July 13, 2010 1:32 PM
    Moderator
  • Thank you. We discovered about the same when moved to a new sub-ou. We even found out which GPO blocks it from running correctly, we're now currently reviewing this GPO.

    Thursday, July 15, 2010 4:42 PM
  • I found it to be a restricted local administrators group set via GPO.

     

    Once i added the exchange trusted subsystem group, the organizational management group and the service account for exchange to a new gpo applied to the ou, it worked.

    Tuesday, May 17, 2011 4:13 AM
  • Hi all,

    envrionment: exch 2010 with full domain and exchange admin rights.

    I am having simiar issue but its happening on 5 out 10 exchange servers also not only that but i cannot amend user property. i get Access denied and insuficient access rights while with same accounts on other servers we can do every admin stuff. it was working before. Management console or powershell no difference.

    any idea help will be appriciated.

    thanks


    T.Ali

    • Proposed as answer by chr0nicbit Tuesday, April 30, 2013 10:14 AM
    • Unproposed as answer by chr0nicbit Tuesday, April 30, 2013 10:14 AM
    Wednesday, November 28, 2012 10:46 PM
  • Hi All,

    Just started to get this error on my CAS array.

    You need to make sure that all members of the array have the groups added to the Local administrators group.

    So Add the following to Local Administrators

    1. Exchange Trusted Subsystem
    2. Organization Management

    Also ensure that the user account being used has the correct permissions for the Organisation.

    Matt

    • Proposed as answer by chr0nicbit Tuesday, April 30, 2013 10:18 AM
    Tuesday, April 30, 2013 10:18 AM
  • I settled up my home test lab in VMware EXSi 5.1. below is the config

    1 DC
    1 exchnage 2010 server sp3 - MB, HT, CA, UM,
    2 exchange 2010 servers mailbox ( with the intension to make a DAG)

    The installation went well, during the testing, my 2 mailbox server are throwing this error message: The Exchange Certificate operation has failed with an exception. The error message is: Access is denied

    I have checked everywhere on the internet and grand necessary permission, and even with the admin built dc account I still get the same issue.

    Please any idea in how to solve it? or the issue could be linked to ESXi?

    When i tried also to add to local group admin, it says that they aleady in the group, but I see only on user in local group which is Administrator.

    Thanks

    • Proposed as answer by St. Chretien Saturday, September 21, 2013 1:34 PM
    Friday, September 20, 2013 8:10 AM
  • I finally solve it by using sysprep.exe /generalize

    As I did a clone and forgot to use sysprep so the domain was still consider the first SID that was created with the first image. So sysprep.exe /generalize clear everything and generate a new sid. I reconfigure everything and all are okay now. I did not reinstall the exchange server.

    then re-add to domain, test and all work like a charme

    Thanks for all.

    Chretien
    • Proposed as answer by St. Chretien Saturday, September 21, 2013 1:34 PM
    Saturday, September 21, 2013 1:34 PM
  • I finally solve it by using sysprep.exe /generalize

    As I did a clone and forgot to use sysprep so the domain was still consider the first SID that was created with the first image. So sysprep.exe /generalize clear everything and generate a new sid. I reconfigure everything and all are okay now. I did not reinstall the exchange server.

    then re-add to domain, test and all work like a charme

    Thanks for all.

    Chretien
    Saturday, September 21, 2013 1:35 PM
  • This is old, but this was the answer for me. Added 1 and 2 to Administrators on each server and then added 1 and 2 to the account I was using to manage exchange. Worked instantly, no reboots needed. Thank you!

    ____________ Kyle

    Thursday, June 1, 2017 1:15 PM
  • I solved this, by running the Exchange management powershell console as administrator... 
    Thursday, September 28, 2017 2:22 AM
  • Had this issue with 2 servers. Turned out I couldn't connect to those servers using the Exchange Console either - WSMan error. After doing an IISreset on the faulty servers I could connect with the console and was able to check their certs.
    Wednesday, April 11, 2018 6:10 AM