W3WP.EXE RBAC errors
We have a DAG with two database servers and on both servers we often see the following event occurring. EventID: 17 Source:MSExchange Configuration Cmdlet - Management Shell (Process w3wp.exe, PID 6656) "RBAC authorization returns Access Denied for user . Reason: No role assignments associated with the specified user were found on Domain Controller dppwadds02.atlantis.local" We sees this error only on the database servers.
May 25th, 2010 12:51pm
The affected users have probably lost the association with a assignment policy. This can happen when an account is disabled and later reenabled. You can apply the default assignment policy like this: Get-Mailbox alias | Set-Mailbox –RoleAssignmentPolicy “Default Role Assignment Policy” or any policy if you have others.
May 25th, 2010 2:57pm
Sorry Andy, but i am convinced that W3WP.exe (IIS worker process) is getting the access denied.
May 25th, 2010 4:42pm
Does all your users have assigned policies to their mailboxes?
May 25th, 2010 9:46pm
No, they haven't. The Exchange 2010 environment has been set up in preperation for migration from Exchange 2003 to Exchange 2010. No mailboxes have been migrated yet. Two CAS/HUB's defined as CAS array, and two mailbox servers part of a DAG. The DAG will be extended with a third server later on.
May 25th, 2010 11:12pm
So when you do see those errors? Have you matched them up to specific things you are doing? If you are accessing things with an account that isnt mail-enabled or hasnt been moved to 2010 yet, that would explain it.
May 26th, 2010 1:11am
Hi, Please try to run ExBPA to have a health scan and then post the error information here. Besides, please try to move user to Exchange 2010 and then check the issue again. Xiu
May 26th, 2010 6:25am
Andy, how would you explain that? I see this events occurring at random, and yes it could be caused by a service account which are not mail enabled. But is still makes me wonder why these events are logged. Not all service accounts need to use Exchange. the Only service account which might be used is the back-up service account, but as Exchange 2010 only allows back-ups to be taken by its own VSS snap-in, a service account is not required to have any exchange permissions.
May 26th, 2010 3:34pm
We are seeing this error as well. Any progress? Xiu, what user would be moved? w3wp.exe???
July 16th, 2010 7:09pm
Hello, we have this issue too, since the upgrade to Exchange 2010 SP1. We use Backup Exec for backing up the Exchange server. There we use a domain admin user "taskjobs". Every time our backup starts there comes up 2 messages "MSExchange RBAC ID 17, Process w3wp.exe, PID 6656) "RBAC authorization returns Access Denied for user ...taskjobs". Reason: No role assignments associated with the specified user were found on Domain Controller dc01.domain.local" Do you have any hint how to resolve this issue? greetings Stefan
October 19th, 2010 2:40am
StefanK007, I had the same problem. I found a Symantec article that solved it for me. The article describes a different scenario, but adding the Backup Account I run the jobs as to the Exchange Organizational Management role eliminated those errors. http://www.symantec.com/business/support/index?page=content&id=TECH126587
December 17th, 2010 8:30am
Hi Pete, thanks for this information. That solved the problem. greetings Stefan
January 18th, 2011 6:59am