View only administrator --> viewing owa folders on remote servers??!?
Hi there,

I'm trying to create a 'least privileged' permission set for view-only administrators, but am running into issues with viewing the IIS folders on remote servers. I have set read access on the IIS metabase (R, U, E permissions set using metaacl.vbs), which enables me to view the IIS metabase when running the Exchange console on the local server. However, when viewed from a remote server, I cannot enumerate the OWA folders using either the console or the shell. It stops with:

Get-OwaVirtualDirectory : Unable to create IIS (Internet Information Service) directory entry. Error Message is: Access is denied.. HResult = -2147024891 At line:1 char:24

Regmon and Filemon sessions do not show any Access denied errors, so it seems to be either a policy setting or application-specific permissioning. It could be that the OS build I'm using has some custom policies, but the security guys here could not confirm that. Anyone else have an idea?

Cheers, Mark
April 11th, 2007 1:41pm

Found it... DCOM permissions were incorrectly set. Because of the debug logging I did not see the flood of DCOM errors the first couple of times I checked the event log.

Cheers, Mark
April 11th, 2007 1:50pm

Could you offer a reference for correcting this issue? Thanks.
April 20th, 2007 6:14pm

There is no documentation available for this, but this is what I did:

View-only admins have 'Read all properties', 'Read permissions' and 'List contents' on CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<domain>,DC=<root> through membership of a UG in the root domain.

To allow the appropriate local permissions, permit:
- read access to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg,
- NTFS Read + List contents on the Exchange server files,
- access to the IIS metabase, by running aspnet_regiis -ga <account> from %windir%\Microsoft.NET\Framework\v2.0.50727, or cscript Metaacl.vbs "IIS://Localhost/W3SVC",
- membership of 'Distributed COM Users' and 'Remote Desktop Users' on the local machine.

Cheers, Mark
April 23rd, 2007 11:33am
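The local-server part of the list above, as an added PowerShell example that is not code from the thread or from Mark: it grants the winreg read access, the NTFS Read, the metabase access via aspnet_regiis -ga and the two local group memberships to one group on one Exchange server. The group name 'CONTOSO\Exchange View-Only Ops', the install path and the 32-bit .NET 2.0 path are assumptions (use Framework64 on an x64 host); the Active Directory permissions on the Exchange configuration container are granted separately on a domain controller and are not covered here. Run it elevated on the Exchange server.

```powershell
# Added example (not from the thread): applies the local permissions Mark
# lists to one Exchange 2007 server for a view-only admin group.
# Assumed (hypothetical) values: the group name, the Exchange install path
# and the 32-bit .NET 2.0 path (use Framework64 on x64 hosts). Run elevated
# on the Exchange server itself.
param(
    [string]$Identity     = 'CONTOSO\Exchange View-Only Ops',
    [string]$ExchangePath = 'C:\Program Files\Microsoft\Exchange Server',
    [string]$Computer     = $env:COMPUTERNAME
)

# 1. Read access to the winreg key. This key's ACL gates remote registry
#    access, which the remote console/shell needs before it can reach IIS.
$winreg = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
$acl  = Get-Acl -Path $winreg
$rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $Identity, 'ReadKey', 'ContainerInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $winreg -AclObject $acl
"winreg: granted ReadKey to $Identity"

# 2. NTFS Read (which includes List folder contents) on the Exchange files,
#    inherited by subfolders and files.
$fsAcl  = Get-Acl -Path $ExchangePath
$fsRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
              $Identity, 'Read', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$fsAcl.AddAccessRule($fsRule)
Set-Acl -Path $ExchangePath -AclObject $fsAcl
"NTFS: granted Read on $ExchangePath to $Identity"

# 3. IIS metabase access via aspnet_regiis -ga, as in the post (the
#    Metaacl.vbs route needs that script, which is not installed by default).
$regiis = Join-Path $env:windir 'Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe'
& $regiis -ga $Identity
if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis -ga failed (exit code $LASTEXITCODE)" }

# 4. Local group membership through the WinNT ADSI provider, which also
#    works on Server 2003 where the LocalAccounts cmdlets do not exist.
function Add-LocalGroupMemberAdsi([string]$GroupName, [string]$Member) {
    $group = [ADSI]"WinNT://$Computer/$GroupName,group"
    $parts = $Member.Split('\')            # expects DOMAIN\Name
    $name  = $parts[$parts.Length - 1]
    $members = @()
    foreach ($m in $group.Invoke('Members')) {
        $members += $m.GetType().InvokeMember('Name', 'GetProperty', $null, $m, $null)
    }
    if ($members -contains $name) {
        "$GroupName: $Member is already a member"
        return
    }
    $group.Add("WinNT://$($parts[0])/$name")
    "$GroupName: added $Member"
}
Add-LocalGroupMemberAdsi 'Distributed COM Users' $Identity
Add-LocalGroupMemberAdsi 'Remote Desktop Users'  $Identity
```

Each step is idempotent enough to rerun: adding an identical access rule twice is harmless, and the group function skips members that are already present. Granting these to a group rather than to individual accounts keeps the per-server footprint auditable, which is the point of a view-only role.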

Thanks Mark, I have the same problem but am unsure about your steps:

"View-only admins have 'Read all properties', 'Read permissions', 'List contents' on CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<domain>,DC=<root> through membership of UG in the root domain."
OK, no problem. ADSI on the DC and I see Exchange View Only Admins has Read all properties, Read permissions and List contents.

"To allow the appropriate local permissions, permit: read access to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg"
Found the registry key, but not sure what the appropriate local permissions are? Who should be there?

"NTFS Read + List contents on Exchange server files"
For which account?

"Allow access to IIS metabase by running %windir%\Microsoft.NET\Framework\v2.0.50727>aspnet_regiis -ga <account> or cscript Metaacl.vbs "IIS://Localhost/W3SVC""
Metaacl.vbs isn't found on my roles, so for aspnet_regiis which account should I be running?

"Membership of 'Distributed COM Users' and 'Remote Desktop Users' on local machine"
Again, which account should be a member of these?
May 9th, 2007 11:42pm

Well, the account/group you want to allow access to the OWA folders and other server info.
May 10th, 2007 11:09am

I think I may be having a different problem, then. I am logged into my 2nd CAS server as domain administrator. I ran through your tips, adding domain administrator. Running Get-OwaVirtualDirectory on CAS2 fails with access denied:

Get-OwaVirtualDirectory: Unable to create IIS (Internet Information Service) directory entry. Error message is: Access is denied. HResult=-2147024891 At line:1 char:23 + Get-OwaVirtualDirectory
May 10th, 2007 8:08pm

Okay, here's how I was able to solve it... lots of Google searches.

Click Start > Run and type dcomcnfg to open the DCOM configuration. Expand Component Services and Computers. Right-click "My Computer" and select Properties. Go to the Default Properties tab and ensure "Enable Distributed COM on this computer" is enabled. Then make sure "Default Authentication Level" is set to Connect and "Default Impersonation Level" is set to Identify.

I applied those settings, rebooted, and it works now.
May 10th, 2007 8:37pm
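The dcomcnfg settings in the post above, checked from the shell rather than the GUI, as an added example that is not code from the thread or its posters. The three Default Properties values are stored under HKLM\SOFTWARE\Microsoft\Ole (EnableDCOM, LegacyAuthenticationLevel, LegacyImpersonationLevel); the script reports them, optionally restores the Connect/Identify values the poster used, and lists recent DCOM errors from the System log, the kind Mark said were buried under his debug logging. The mapping of numbers to level names follows the standard RPC_C_AUTHN_LEVEL and RPC_C_IMP_LEVEL constants, and the sample is mine. One caveat for a practitioner: Connect and Identify are the Windows defaults, so this restores a baseline rather than loosening anything; lowering authentication to None or raising impersonation to Impersonate or Delegate would weaken the server and is not what the post recommends.

```powershell
# Added example (not from the thread): checks the machine-wide DCOM defaults
# that dcomcnfg shows under My Computer > Properties > Default Properties,
# using their registry backing under HKLM\SOFTWARE\Microsoft\Ole, and
# optionally restores the values the post above used. Also lists recent
# DCOM errors in the System log.
# Assumption: the numeric codes are the standard RPC_C_AUTHN_LEVEL_* and
# RPC_C_IMP_LEVEL_* constants.
param([switch]$Fix)

$ole = 'HKLM:\SOFTWARE\Microsoft\Ole'
$authNames = @{ 1 = 'None'; 2 = 'Connect'; 3 = 'Call'; 4 = 'Packet'; 5 = 'Packet Integrity'; 6 = 'Packet Privacy' }
$impNames  = @{ 1 = 'Anonymous'; 2 = 'Identify'; 3 = 'Impersonate'; 4 = 'Delegate' }

$key = Get-ItemProperty -Path $ole
# A value never changed in the UI is absent from the registry; Windows then
# behaves as Connect / Identify, so treat a missing value as that default.
$enable = 'Y'; if ($key.EnableDCOM)                { $enable = [string]$key.EnableDCOM }
$auth   = 2;   if ($key.LegacyAuthenticationLevel) { $auth   = [int]$key.LegacyAuthenticationLevel }
$imp    = 2;   if ($key.LegacyImpersonationLevel)  { $imp    = [int]$key.LegacyImpersonationLevel }

"Enable Distributed COM      : $enable"
"Default Authentication Level: $auth ($($authNames[$auth]))"
"Default Impersonation Level : $imp ($($impNames[$imp]))"

$ok = ($enable -eq 'Y') -and ($auth -eq 2) -and ($imp -eq 2)
if ($ok) {
    'DCOM defaults match: enabled, Connect, Identify'
} elseif ($Fix) {
    Set-ItemProperty -Path $ole -Name EnableDCOM                -Value 'Y' -Type String
    Set-ItemProperty -Path $ole -Name LegacyAuthenticationLevel -Value 2   -Type DWord
    Set-ItemProperty -Path $ole -Name LegacyImpersonationLevel  -Value 2   -Type DWord
    'DCOM defaults rewritten; reboot so every service picks them up, as the post did.'
} else {
    'DCOM defaults differ from enabled/Connect/Identify; rerun with -Fix to set them.'
}

# Recent DCOM errors in the System log. The source name is "DCOM" on
# Server 2003 and "Microsoft-Windows-DistributedCOM" on later versions,
# so match on the substring rather than a fixed source.
Get-EventLog -LogName System -Newest 1000 |
    Where-Object { $_.Source -like '*DCOM*' -and $_.EntryType -eq 'Error' } |
    Select-Object -First 20 TimeGenerated, EventID, Message |
    Format-Table -AutoSize -Wrap
```

Run it once without -Fix to see the current state and the DCOM error history, then with -Fix if the defaults really differ. On a server that already reports Connect/Identify, the failure described in this thread is a per-account DCOM permission problem (the 'Distributed COM Users' membership from Mark's list) rather than a machine-wide setting, and this script will say so by finding the defaults already correct.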

Well, my tips were meant to allow a user access to an Exchange server and let him/her use the management tools. However, adding a user to the DCOM group should have solved your issue.

Cheers, Mark
May 11th, 2007 3:29pm

No worries, thanks Mark. My EMC would not work and would give the error stated in this message. I tried going through your suggestions, adding the domain admin, as that was the account I was trying from, and it didn't work for me. I found another solution that did solve it for me, and thought it was useful to post in case others had similar problems. I am guessing it's a similar permissions problem, just rearing itself in different ways. Yours seems to solve it for certain cases, and I found another problem that requires a different method to solve. Just posting it so others can try as well...
May 11th, 2007 5:26pm
