Cannot manage mail accounts through ECP receive Access Denied
Hello,

I am running Exchange 2010 SP1 on Windows Server 2008 R2 SP1. I am a member of the Exchange Organization Administrators role and receive the error Access Denied when trying to manage mail accounts through ECP. If I add my account to the Help Desk role it works. This started happening after I recently applied SP1 and rollup updates 1 - 3. I have the following entry in the event log related to this. Any suggestions to resolve this?

Log Name: Application
Source: MSExchange Control Panel
Date: 6/16/2011 2:24:12 PM
Event ID: 4
Task Category: General
Level: Error
Keywords: Classic
User: N/A
Computer: MyServer.MyDomain.ORG
Description:
Current user: 'Domain\UserAcct'
Request for URL 'https://mail.MyDomain.org/ecp/default.aspx?exsvurl=1&mkt=en-US' failed with the following error:
Microsoft.Exchange.Configuration.Authorization.CmdletAccessDeniedException: The user "Domain.MyDomain.ORG/Users/UserAcct" on behalf of "Domain.MyDomain.ORG/Users/ManagedUserAcct" doesn't have any of the management roles required to create the impersonated runspace.
   at Microsoft.Exchange.Configuration.Authorization.ExchangeRunspaceConfiguration.LoadRoleCmdletInfo(String organizationName, IList`1 roleTypeFilter, List`1 sortedRoleEntryFilter, IList`1 logonUserRequiredRoleTypes, List`1 implicitRoleIds)
   at Microsoft.Exchange.Configuration.Authorization.ExchangeRunspaceConfiguration..ctor(IIdentity logonIdentity, IIdentity impersonatedIdentity, ExchangeRunspaceConfigurationSettings settings, IList`1 roleTypeFilter, List`1 sortedRoleEntryFilter, IList`1 logonUserRequiredRoleTypes, Boolean callerCheckedAccess)
   at Microsoft.Exchange.Management.ControlPanel.RbacContext.<.ctor>b__5()
   at Microsoft.Exchange.Data.Storage.LazilyInitialized`1.get_Value()
   at Microsoft.Exchange.Data.Storage.LazilyInitialized`1.op_Implicit(LazilyInitialized`1 delayInitialized)
   at Microsoft.Exchange.Management.ControlPanel.RbacSession..ctor(RbacContext context, SessionPerformanceCounters sessionPerfCounters, EsoSessionPerformanceCounters esoSessionPerfCounters)
   at Microsoft.Exchange.Management.ControlPanel.StandardSession..ctor(RbacContext context)
   at Microsoft.Exchange.Management.ControlPanel.StandardSession.Factory.CreateNewSession()
   at Microsoft.Exchange.Management.ControlPanel.RbacSession.Factory.CreateSession()
   at Microsoft.Exchange.Management.ControlPanel.RbacContext.CreateSession()
   at Microsoft.Exchange.Management.ControlPanel.RbacSettings.CreateSession()
   at Microsoft.Exchange.Management.ControlPanel.AuthenticationSettings..ctor(HttpContext context)
   at Microsoft.Exchange.Management.ControlPanel.RbacModule.Application_PostAuthenticateRequest(Object sender, EventArgs e)
   at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Thanks,
Jeff
June 16th, 2011 10:45pm

Make sure you are a member of Recipient Management Group.

Gulab | MCITP: Exchange 2010-2007 | Skype: Gulab.Mallah | Blog: www.ExchangeRanger.Blogspot.com
June 17th, 2011 2:34am

Tried that, as being members of both Organization and Recipient Management Roles it does not work. Receive the error:

Sorry! Access Denied. You don't have permission to open this page. If you're a new user or were recently assigned credentials, please wait 15 minutes and try again.

If I am a member of both Organization and Helpdesk Management Roles it works. I would expect that all I would need is the Organization Management Role to manage another user through ECP.

Thanks,
Jeff
June 17th, 2011 10:14am

Hi,

Please try to create a new user, then add this user to the Organization Management group. Test to see if you can manage mail accounts.

If the issue persists, please check if the Recipient Management role group contains the following roles:

1. Log into the ECP with the Administrator account.
2. Expand to Roles & Auditing, locate "Organization Management".
3. On the right panel, see the "Assigned Roles" section. It should contain the following roles:

Distribution Groups
Mail Enabled Public Folders
Mail Recipient Creation
Mail Recipients

Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Thanks
Gen Lin-MSFT
June 20th, 2011 10:25pm
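
The role check described in the reply above can also be done from the Exchange Management Shell. The following is an added example, not part of the original thread; the function names are hypothetical, `UserAcct` is the placeholder account name from the event log, and matching it against `EffectiveUserName` is an assumption about how the account is displayed.

```powershell
# Added example: run in the Exchange Management Shell on Exchange 2010 SP1.
# Written for PowerShell 2.0, which Exchange 2010 uses.
$roleGroup     = 'Organization Management'
$expectedRoles = @('Distribution Groups',
                   'Mail Enabled Public Folders',
                   'Mail Recipient Creation',
                   'Mail Recipients')       # the four roles listed in the reply
$user          = 'UserAcct'                 # placeholder from the event log

# Hypothetical helper: for each expected role, report whether the role group
# holds a regular (non-delegating) assignment and whether one is enabled.
function Get-RoleGroupRoleStatus {
    param([string]$RoleGroup, [string[]]$Roles)
    foreach ($role in $Roles) {
        $found = @(Get-ManagementRoleAssignment -Role $role -RoleAssignee $RoleGroup `
                       -Delegating $false -ErrorAction SilentlyContinue)
        New-Object PSObject -Property @{
            Role     = $role
            Assigned = ($found.Count -gt 0)
            Enabled  = (@($found | Where-Object { $_.Enabled }).Count -gt 0)
        }
    }
}

# Hypothetical helper: show how (and whether) a given account effectively
# receives each role, including through group membership.
function Get-UserEffectiveRoles {
    param([string]$User, [string[]]$Roles)
    foreach ($role in $Roles) {
        Get-ManagementRoleAssignment -Role $role -GetEffectiveUsers -Delegating $false |
            Where-Object { $_.EffectiveUserName -eq $User } |
            Select-Object Role, RoleAssigneeName, EffectiveUserName, AssignmentMethod, Enabled
    }
}

# Who is in the role group, what it is assigned, and what the user ends up with.
Get-RoleGroupMember -Identity $roleGroup | Format-Table Name, RecipientType -AutoSize
Get-RoleGroupRoleStatus -RoleGroup $roleGroup -Roles $expectedRoles |
    Format-Table Role, Assigned, Enabled -AutoSize
Get-UserEffectiveRoles -User $user -Roles $expectedRoles | Format-Table -AutoSize
```

A role that shows `Assigned = False` for the role group, or no row for the account in the last table, identifies which assignment is missing before any group membership is changed.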

Thanks for the suggestion. When I checked the assigned roles for Organization Management all that you mentioned were listed. This was not the case when this issue started. The list of assigned roles has increased by about a third. I do not know what is causing this and it did not start until after applying Exchange SP1. Is there a PowerShell command that can be used to re-generate the default role assignments for the Organization Management Role?

Thanks
June 21st, 2011 9:00am
