Hi,

i have test of Exchange 2013 SP1 CU7. Seems, that all works good. Users can login over OWA, send emails each other.

In ECP i see all 50 mailboxes. In powershell - only one! Why? how i can fix it?

[PS] C:\>get-mailbox -Identity "*"

Name                      Alias                ServerName       ProhibitSendQuota
----                      -----                ----------       -----------------
User 1                     User 1                 ex1              Unlimited

[PS] C:\>Get-Mailboxdatabase

Name                           Server          Recovery        ReplicationType
----                           ------          --------        ---------------
Mailbox Database 1363112588    EX1             False           None
base1                          EX1             False           None
all                            EX1             False           None

User 1 belong to base1, but into this base there are more mailboxes.

Thank you!

• Edited by Anahaym Tuesday, May 12, 2015 9:50 AM

Please try after running this command

Set-AdServerSettings -ViewEntireForest $true -PreferredGlobalCatalog <gc.domain.com>

Are you getting the same result when running command get-mailbox?

nothing changed
still only one User

• Edited by Anahaym Tuesday, May 12, 2015 1:54 PM

Get-MailboxDatabase | Get-Mailbox

[PS] C:\>Get-MailboxDatabase | Get-Mailbox
Some of the parameters specified with the "Get-Mailbox" cmdlet aren't present in the role definition for the current user. Check the management
roles assigned to you, and try again.
    + CategoryInfo          : PermissionDenied: (:) [Get-Mailbox], CmdletAccessDeniedException
    + FullyQualifiedErrorId : [Server=EX1,RequestId=8f4353bc-70b8-4002-9aae-a6be740e801d,TimeStamp=12.05.2015 14:28:28] [FailureCategory=Cmdlet-Cmdl
   etAccessDeniedException] 98B25FB9,Microsoft.Exchange.Management.RecipientTasks.GetMailbox
    + PSComputerName        : ex1.domain.internal

i compared membership with domain\administrator. what is missing?

[PS] C:\>Get-ADUser -Identity aleks -Properties memberof | Select-Object MemberOf

MemberOf : {
CN=import,OU=Microsoft Exchange Security Groups,DC=domain,DC=internal,
CN=Server Management,OU=Microsoft Exchange Security Groups,DC=domain,DC=internal,
CN=Recipient Management,OU=Microsoft Exchange Security Groups,DC=domain,DC=internal,
CN=Organization Management,OU=Microsoft Exchange Security Groups,DC=domain,DC=internal,
CN=Domain Admins,CN=Users,DC=domain,DC=internal,
CN=Enterprise Admins,CN=Users,DC=domain,DC=internal,
CN=Schema Admins,CN=Users,DC=domain,DC=internal
}

[PS] C:\>Get-ADUser -Identity administrator -Properties memberof | Select-Object MemberOf

MemberOf : {
CN=import,OU=Microsoft Exchange Security Groups,DC=domain,DC=internal,
CN=Server Management,OU=Microsoft Exchange Security Groups,DC=domain,DC=internal,
CN=Recipient Management,OU=Microsoft Exchange Security Groups,DC=domain,DC=internal,
CN=Organization Management,OU=Microsoft Exchange Security Groups,DC=domain,DC=internal,
CN=Group Policy Creator Owners,CN=Users,DC=domain,DC=internal,
CN=Domain Admins,CN=Users,DC=domain,DC=internal,
CN=Enterprise Admins,CN=Users,DC=domain,DC=internal,
CN=Schema Admins,CN=Users,DC=domain,DC=internal,
CN=Administrators,CN=Builtin,DC=domain,DC=internal
}

By Administrator all works.

• Edited by Anahaym Tuesday, May 12, 2015 3:30 PM

Get-Recipient show me all accounts with type UserMailbox.

Have compared attributes, and there are some differences.

User1:

adminCount                            : 1
MemberOf                              : {CN=Domain Admins,CN=Users,DC=domain,DC=org}
msDS-SupportedEncryptionTypes         : 0

showInAddressBook                     : {CN=Mailboxes(VLV),CN=All System Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft
                                        Exchange,CN=Services,CN=Configuration,DC=domain,DC=org, CN=All Mailboxes(VLV),CN=All System Address
                                        Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft
                                        Exchange,CN=Services,CN=Configuration,DC=domain,DC=org, CN=All Recipients(VLV),CN=All System Address
                                        Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft
                                        Exchange,CN=Services,CN=Configuration,DC=domain,DC=org, CN=Default Global Address List,CN=All Global
                                        Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft
                                        Exchange,CN=Services,CN=Configuration,DC=domain,DC=org, CN=All Users,CN=All Address Lists,CN=Address Lists
                                        Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=org}
userAccountControl                    : 66048

User2:

showInAddressBook                     : {CN=All Mailboxes(VLV),CN=All System Address Lists,CN=Address Lists Container,CN=First
                                        Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=org, CN=All
                                        Recipients(VLV),CN=All System Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft
                                        Exchange,CN=Services,CN=Configuration,DC=domain,DC=org}
userAccountControl                    : 512

Test1:

showInAddressBook                     : {CN=Mailboxes(VLV),CN=All System Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft
                                        Exchange,CN=Services,CN=Configuration,DC=domain,DC=org, CN=All Mailboxes(VLV),CN=All System Address
                                        Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft
                                        Exchange,CN=Services,CN=Configuration,DC=domain,DC=org, CN=All Recipients(VLV),CN=All System Address
                                        Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft
                                        Exchange,CN=Services,CN=Configuration,DC=domain,DC=org, CN=Default Global Address List,CN=All Global
                                        Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft
                                        Exchange,CN=Services,CN=Configuration,DC=domain,DC=org, CN=All Users,CN=All Address Lists,CN=Address Lists
                                        Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=org}

userAccountControl                    : 512

i can see only the User1. Built-in Administrator can see all.

Hi Anahaym,

This has by now become interesting. What I can see, is either something is broken or RBAC, exclusive scopes , incorrect user credential causing the issue.

Give these a try and post the results.

Check if below are returning the excepted results for the session:

$env:username

[Environment]::UserName

[Environment]::UserDomainName

[Environment]::MachineName

Open PowerShell 'Run As Administrator' using aleks account:

$UserCredential = Get-Credential

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://FQDNofCASServer.com/PowerShell/ -Authentication Kerberos -Credential $UserCredential

Import-PSSession $Session

Get-Mailbox

Run these below commands as the Administrator:

Get-ManagementRoleAssignment "Organization Management" | Format-List

Get-ManagementRoleAssignment -RoleAssigneeType "Organization Management"

 

Get-ManagementRole Cmdlet  Get-Mailbox

Get-ManagementRoleEntry *\Get-Mailbox"

Get-ManagementRoleAssignment -RoleAssigneeType aleks 

Get-RoleGroupMember -Identity "Organization Management"

Get-ManagementRoleAssignment -GetEffectiveUsers | Where { $_.EffectiveUserName -Eq "Ross Smith" }

Get-ManagementRoleAssignment -WritableRecipient User2 -GetEffectiveUsers | where {$_.EffectiveUserName -eq "Aleks"}

 When you create exclusive management scopes, only the role assignees assigned exclusive scopes that contain objects to be modified can access those objects. Only those administrators assigned a role with the exclusive scope can access these exclusive, or protected, objects.

Get-ManagementScope -Exclusive $true

References:

Exchange RBAC Tips N Tricks - PowerShell

http://blogs.technet.com/b/rmilne/archive/2014/02/18/exchange-rbac-tips-n-tricks-_2d00_-powershell.aspx

Get-ManagementRoleAssignment

https://technet.microsoft.com/en-in/library/dd351024(v=exchg.150).aspx

Create a regular or exclusive scope

https://technet.microsoft.com/en-in/library/dd351083(v=exchg.150

Open PowerShell 'Run As Administrator' using aleks account:

$UserCredential = Get-Credential

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://FQDNofCASServer.com/PowerShell/ -Authentication Kerberos -Credential $UserCredential

Import-PSSession $Session

Get-Mailbox

it works. it means that PoS for Exchange doesn't work correct? Why?

Open PowerShell 'Run As Administrator' using aleks account:

$UserCredential = Get-Credential

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://FQDNofCASServer.com/PowerShell/ -Authentication Kerberos -Credential $UserCredential

Import-PSSession $Session

Get-Mailbox

it works. it means that PoS for Exchange doesn't work correct? Why?

Ugh. just thought of something.  Do you have UAC enabled on your Exchange Servers?  If yes, then right click the EMS and run as administrator and see what happens

Ugh. just thought of something.  Do you have UAC enabled on your Exchange Servers?  If yes, then right click the EMS and run as administrator and see what happens

UAC is by default. EMS always run as Administrator