Get-MailboxPermission from the EMS fails ...
It has logon as batch, logon as service, logon locally and is member of remote desktop as well as being Exchange View Only Admin. Like I say, it works fine if I run it in the EMS.
I want it to produce a monthly report using Get-MailboxPermissions of who has access to which mailbox.
Generally, I like running scripts with the least perms needed. That's why I created this dedicated account to use as a service account.
So what built-in service account would you recommend for this?
Thanks.
February 25th, 2012 7:33am
As far as I know, to run any PowerShell script you need to have administrator privileges.
The links below might help you accomplish the above task. Have a look:
http://www.geeksww.com/tutorials/operating_systems/ms_windows/administration/how_to_set_permissions_to_run_powershell_scripts.php
http://exchangeshare.wordpress.com/2008/12/08/how-to-schedule-powershell-script-for-an-exchange-task/
Regards,
_Prashant_MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com
February 25th, 2012 7:39am
No, the script runs from the EMS as that user. It's just that the Get-MailboxPermissions cmdlet fails when explicitly invoked from a DOS prompt using powershell.exe and the -command parameter. Why?
February 25th, 2012 7:47am
Have you tried re-assigning that service account to the correct RBAC roles since you mailbox-enabled it?
What you're doing should work. I've got scheduled tasks running like this now.
[string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "
February 25th, 2012 8:32am
Is your service account mailbox-enabled?
[string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "
February 25th, 2012 9:42am
I don't think you're running into an Exchange perm issue; for scheduling tasks, the run-as account always needed to be local admin or run as SYSTEM. Add the account to the local admins to confirm. Once confirmed you can play around with the script below to schedule a task to run in the context of another user.
http://powershell.com/cs/media/p/8026.aspx
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
February 25th, 2012 10:08am
Running Powershell.exe launches a new instance of PowerShell.
That new instance will not have the Exchange cmdlets in it. It will be a generic PowerShell session.
[string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "
February 25th, 2012 10:19am
The -psconsolefile parameter loads the Exchange cmdlets. Get-Mailbox works fine in the script, just not Get-MailboxPermissions.
February 25th, 2012 12:57pm
The last thing I want to do is run the script as an admin (but I'll try for testing)!
I put "whoami" in the Powershell script and it gave me the correct user. Get-Mailbox works without problems, it's just the Get-MailboxPermissions that doesn't.
I have other Powershell scripts that run as normal users without problems.
February 25th, 2012 1:01pm
Did some testing. I'm able to reproduce your issue and isolate the cause. I'm able to invoke basic Exchange PS commands via DOS or Task Scheduler without admin rights. The issue is specifically running Get-MailboxPermission. Running this cmdlet requires the user to be in the organizational admin group, see KB below. It works when you add to local admin because Exchange org admin is in the local admin group.
Get-mailboxpermissions
You need to be assigned permissions before you can run this cmdlet. Although all parameters for this cmdlet are listed in this topic, you may not have access to some parameters if they're not included in the permissions assigned to you. To see what permissions you need, see the "Mailbox permissions and delegation" entry in the Mailbox Permissions topic. If you go under this topic it will show that the org mgmt role is required and not view only. View-only rights can only see the configuration listed in the second link.
http://technet.microsoft.com/en-us/library/aa998218.aspx
Recipient provisioning perms
Users who are assigned the View-Only Management role group can view the configuration of the features in the following table. For more information, see
View-Only Organization Management.
http://technet.microsoft.com/en-us/library/dd638132.aspx
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
February 25th, 2012 1:24pm
Strangely it was no longer a member of the View-Only perms group after I mailbox-enabled it. Anyway, I gave it the permissions again, ran it manually from the EMS to make sure that it worked. But still no luck as a scheduled job. Really think I'll just run it manually.
February 25th, 2012 1:42pm
Well, IMO there's just something strange with this cmdlet.
Firstly, on my Ex 2010 server, I have a user that has ONLY logon as batch, logon as service, logon locally rights and is an Exchange View Only Admin. Get-MailboxPermission works perfectly when I run it interactively either via EMS or a DOS prompt on the Ex 2010 server.
Secondly, if you look at the Ex 2007 help at http://technet.microsoft.com/en-us/library/aa998218(v=exchg.80).aspx it says:
"To run the Get-MailboxPermission cmdlet, the account you use must be delegated the following:
Exchange View-Only Administrator role"
So who knows what the real situation is?
February 25th, 2012 1:45pm
Hmm, you're right, I was able to as well with a view-only account. Let me do some more testing...
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
February 25th, 2012 1:58pm
Sorry, missed that part.
Normally if you wanted to start PowerShell and give it a script file to run on startup, you would use the -file parameter:
c:\windows\system32\windowspowershell\v1.0\powershell.exe -psconsolefile "c:\Program Files\Microsoft\Exchange Server\bin\exshell.psc1" -file "c:\scripts\MyScript.ps1"
[string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "
February 25th, 2012 2:08pm
It looks like the psconsolefile switch is not compatible/sufficient; use the below.
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command ". 'C:\Program Files\Microsoft\Exchange Server\V14\bin\RemoteExchange.ps1'; Connect-ExchangeServer -auto; c:\admin\scripts\get-mailbox1.ps1"
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
February 25th, 2012 3:14pm
Wow! Great, thanks very much!!
Do you think the "Connect-ExchangeServer -auto" is needed? I'm running it on the Exchange server itself.
And could I pass the "c:\admin\scripts\get-mailbox1.ps1" using the -file parameter?
Thanks again.
February 25th, 2012 3:41pm
Sure! I'm not sure exactly the cause. I would do some more testing but need to do some "real" work now. Post if you find the answer.
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
February 25th, 2012 3:47pm
Will do. Get back to the important stuff. Much appreciated.
February 25th, 2012 3:52pm
Hi
If you want to run a script on a scheduled basis using the Windows Task Scheduler service, you can call the Shell and include the script that you want to run as a parameter. If you want to use Exchange cmdlets with your script, you must direct Windows PowerShell to connect to a server running Exchange and load the Exchange cmdlets you have access to. The shortcut you use to open the Shell does this automatically. To do this when you want to run a script that contains Exchange cmdlets, you must direct Windows PowerShell to run the scripts that make this connection. This syntax is required to open Windows PowerShell, connect to an Exchange server, and run your script from the Cmd.exe command.
This example runs the script RetrieveMailboxes.ps1 from C:\My Scripts
PowerShell.exe -command ". 'D:\Program Files\Microsoft\Exchange Server\V14\bin\RemoteExchange.ps1'; Connect-ExchangeServer -auto; C:\My Scripts\RetrieveMailboxes.ps1"
For additional options to use when you call the Shell from the Cmd.exe environment, type
PowerShell.exe /?
You can read this link
http://technet.microsoft.com/en-us/library/bb123798.aspx
Terence Yu
TechNet Community Support
February 25th, 2012 10:02pm
It is now... but unfortunately made no difference. Thanks anyway. I think I'll just logon and run the script manually once a month.
Maybe I'll use Powershell to send me a scheduled reminder. Hope the Send-MailMessage cmdlet doesn't have problems too. ;)
February 26th, 2012 4:35am
Nothing new there.
February 26th, 2012 4:48am
Doesn't make any difference.
Btw it works if I run as administrator. But I won't be doing that.
February 26th, 2012 4:50am
It's definitely permission related, since it works as Administrator. Have you checked the user rights on the box to see if that user has Logon as Batch right?
Can I ask why you want to do this? It seems to me to be a very odd thing to be trying to do. Normally you set up a scheduled task to run under some kind of service account with a non-expiring password. Using a user account, administrator or otherwise, is generally considered bad practice.
I've set up scheduled tasks on servers for users to run, but I don't use their credentials on the task. I set up the task to run with a service account (with admin privileges if necessary, if the task requires it), and then set the permissions on the task itself so that they have permission to start it.
Then they can run the task whenever they want, and can do something that normally requires admin permissions (restart a service, etc.), without making them an admin.
[string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "
February 26th, 2012 6:36am
Hello,
I have a user with Exchange View-Only permissions and local logon rights on my Exchange 2010 server.
If I run Get-Mailbox | Get-MailboxPermission from the EMS in a script called MyScript.ps1, it completes without error.
However, if I open a DOS command prompt on the same server as the same user and run:
c:\windows\system32\windowspowershell\v1.0\powershell.exe -psconsolefile "c:\Program Files\Microsoft\Exchange Server\bin\exshell.psc1" -command "MyScript.ps1"
then it fails with an exception saying "Failed to commit the change on object 3abc xxxx because access is denied".
Any ideas why please?
The reason is that I want to schedule the script. The user has Exchange View-Only rights which are needed for Get-MailboxPermission.
Thanks,
- Alan.
February 26th, 2012 7:12am
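The thread never shows what MyScript.ps1 contains, so here is an added example (not Alan's script) of a monthly Get-Mailbox | Get-MailboxPermission report written to be run under a View-Only Organization Management account inside an Exchange 2010 remote PowerShell session. It checks up front that the Exchange cmdlets are actually loaded, which is the failure mode you hit when powershell.exe starts a plain session, and it flags unresolved SIDs, since a grant to a principal that no longer exists in AD is exactly what an access review should surface. The output path and the filtering choices are assumptions.

```powershell
# Added example of a monthly mailbox-permission report; not the script from the thread.
# Expects to run inside an Exchange 2010 remote PowerShell session (RemoteExchange.ps1 +
# Connect-ExchangeServer -auto) under an account holding View-Only Organization Management.
# $OutputPath is an assumed location.
param(
    [string]$OutputPath = "C:\admin\reports\MailboxPermissions_$(Get-Date -Format 'yyyy-MM').csv"
)

$ErrorActionPreference = 'Stop'

# Fail early if powershell.exe was started without the Exchange session being loaded:
# a plain session has no Get-MailboxPermission at all, and a silent empty report is worse
# than a visible failure.
if (-not (Get-Command Get-MailboxPermission -ErrorAction SilentlyContinue)) {
    throw 'Exchange cmdlets are not loaded; start via RemoteExchange.ps1 and Connect-ExchangeServer.'
}

# Explicit (non-inherited) grants only, minus the NT AUTHORITY\SELF entry that every
# mailbox carries and that tells a reviewer nothing. The User and Identity properties are
# deserialized objects in a remote session, so compare on their string form.
# OrphanedSid: an unresolved S-1-5-* user means the grantee no longer exists in AD, i.e. a
# stale ACE that should be removed.
$report = Get-Mailbox -ResultSize Unlimited |
    Get-MailboxPermission |
    Where-Object { -not $_.IsInherited -and $_.User.ToString() -ne 'NT AUTHORITY\SELF' } |
    Select-Object @{ n = 'Mailbox';      e = { $_.Identity.ToString() } },
                  @{ n = 'User';         e = { $_.User.ToString() } },
                  @{ n = 'AccessRights'; e = { ($_.AccessRights | ForEach-Object { "$_" }) -join ',' } },
                  Deny,
                  @{ n = 'OrphanedSid';  e = { $_.User.ToString() -like 'S-1-5-*' } }

$report | Sort-Object Mailbox, User |
    Export-Csv -Path $OutputPath -NoTypeInformation -Encoding UTF8

Write-Output ("{0} explicit permission entries written to {1}" -f @($report).Count, $OutputPath)
```

Because the script throws rather than printing an error, a scheduled run that starts the wrong kind of session ends with a non-zero exit code and an empty or missing CSV, which is easy to alert on.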
Hi Alan,
When you run Exchange cmdlets in Exchange 2010 you should use the remote PowerShell for the permissions to work. That is where the RBAC model comes into play. If you use a local shell on the Exchange server, the permissions applied to the user might not work as you expected. Get-Mailbox may work as you read that information from AD.
Local Shell:
c:\windows\system32\windowspowershell\v1.0\powershell.exe -psconsolefile "c:\Program Files\Microsoft\Exchange Server\bin\exshell.psc1"
Remote Shell:
PowerShell.exe -command ". 'C:\Program Files\Microsoft\Exchange Server\V14\bin\RemoteExchange.ps1'; Connect-ExchangeServer -auto"
For the user who's trying to run the batch job, please try the steps below and let me know how it goes:
Assign the "Allow log on locally" and "Log on as a batch job" user rights on the Exchange server.
Add the user to the "View-Only Organization Management" Exchange security group.
Make sure the user can execute the cmdlets in the script on the EMS manually.
Schedule the script using Task Scheduler. (E.g.: PowerShell.exe -command ". 'C:\Program Files\Microsoft\Exchange Server\V14\bin\RemoteExchange.ps1'; Connect-ExchangeServer -auto; c:\tmp\myscript.ps1 > C:\tmp\out.txt")
Thank you
Santhosh
March 11th, 2012 1:27am
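The four steps above, as an added PowerShell example that is not from the thread or from Microsoft's documentation. Run once, interactively, from the EMS as an Exchange admin: it first confirms that the service account really holds a role containing Get-MailboxPermission (the thing that kept changing in this thread after the account was mailbox-enabled), then writes a small launcher so the quoting stays out of the schtasks /TR argument and stderr is captured to a log, and finally registers the monthly task for the service account rather than an admin. The account name CONTOSO\svc-mbxreport and all paths are assumptions.

```powershell
# Added example, not from the thread. Verifies the service account's RBAC position, then
# registers the monthly task the way the steps above describe (RemoteExchange.ps1 +
# Connect-ExchangeServer -auto). Run interactively from the EMS as an Exchange admin.
# Account name and all paths are assumptions.
$ServiceAccount = 'CONTOSO\svc-mbxreport'
$Script         = 'C:\admin\scripts\MyScript.ps1'
$Launcher       = 'C:\admin\scripts\Run-MailboxReport.cmd'
$Log            = 'C:\admin\logs\MailboxPermissions.log'

# --- 1. RBAC check: which management roles contain the cmdlet, and does the account hold
# one of them (directly or through a role group such as View-Only Organization Management)?
$rolesWithCmdlet = Get-ManagementRole -Cmdlet Get-MailboxPermission |
    ForEach-Object { $_.Name }
$accountRoles = Get-ManagementRoleAssignment -RoleAssignee $ServiceAccount |
    ForEach-Object { $_.Role.ToString() } | Sort-Object -Unique
$granting = $accountRoles | Where-Object { $rolesWithCmdlet -contains $_ }

if (-not $granting) {
    Write-Warning "$ServiceAccount holds none of: $($rolesWithCmdlet -join ', '). The scheduled run will fail with access denied."
    return
}
Write-Output "Get-MailboxPermission is reachable through role(s): $($granting -join ', ')"

# --- 2. Launcher: a one-line .cmd keeps the nested quotes out of schtasks and appends both
# stdout and stderr to the log (">> ... 2>&1" is cmd.exe redirection here), so a failing
# run leaves the actual error message behind instead of a silently empty task history.
# Single-quoted here-string, so nothing inside it is expanded by PowerShell.
$cmdText = @'
@echo off
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -command ". 'C:\Program Files\Microsoft\Exchange Server\V14\bin\RemoteExchange.ps1'; Connect-ExchangeServer -auto; & 'SCRIPT_PATH'" >> "LOG_PATH" 2>&1
'@
$cmdText = $cmdText.Replace('SCRIPT_PATH', $Script).Replace('LOG_PATH', $Log)
New-Item -ItemType Directory -Path (Split-Path $Log) -Force | Out-Null
Set-Content -Path $Launcher -Value $cmdText -Encoding Ascii

# --- 3. Register the task for the 1st of each month under the service account.
# /RP * makes schtasks prompt for the password instead of taking it on the command line;
# /RL LIMITED keeps the task on a non-elevated token. The account still needs the
# "Log on as a batch job" user right on this server for the task to start at all.
& schtasks.exe /Create /F /TN 'Monthly Mailbox Permission Report' /TR "`"$Launcher`"" `
    /SC MONTHLY /D 1 /ST 02:00 /RU $ServiceAccount /RP '*' /RL LIMITED
```

If step 1 warns, the fix is a role-group membership change, not local admin: adding the account to the server's Administrators group works only because it smuggles in far more than the one cmdlet needs.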