Exchange Management Console Initialization Failed Logon failure Error

I ran into this issue a week or two ago when launching the Exchange Management Console (ESM) for Exchange 2010. As a work-around, I would connect directly to an Exchange server and access ESM from there, but given how regularly I do administration work in Exchange I got fed up with the constant logging in and finally fixed the issue.

The following error occurred while attempting to connect to the specified Exchange server ‘exchangeserver.domain.com’
The attempt to connect to http://exchangeserver.domain.com/PowerShell using “Kerberos” authentication failed: Connecting to the remote server failed with the following error message: Logon failure: unknown username or bad password. for more information, see the about_Remote_Troubleshooting Help topic.

I did some googling and found a blog that advised me to remove a specific registry entry.

Specifically, this one:

HKCU\Software\Microsoft\ExchangeServer\v14\AdminTools\NodeStructureS

It worked perfectly, so many thanks to J.W. Koebel for the info found here: http://blog.kf7lze.net/2012/09/21/exchange-server-2010-management-console-cant-connect/.

If you’ve stumbled upon my blog and found that the above advice did not resolve your problem, you might want to try some of the things suggested here: http://terenceluk.blogspot.com/2011/08/unable-to-open-exchange-server-2010s.html
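Before deleting anything from the registry, it is worth confirming that the Kerberos remote PowerShell endpoint the console uses actually accepts your logon when you connect by hand; if it does, the failure is local console state, which is what the registry fix addresses. This is an added check, not code from the original post, and it assumes the server name shown in the error above.

```powershell
# Added example (not from the original post): back up the AdminTools key the
# fix deletes from, then make the same Kerberos connection the console makes.
# Assumes the server name from the error message above.
$server = "exchangeserver.domain.com"

# 1. Safety copy of the parent key before any value under it is removed
reg export "HKCU\Software\Microsoft\ExchangeServer\v14\AdminTools" "$env:USERPROFILE\AdminTools-backup.reg" /y

# 2. The console's connection, made by hand (no cached node settings involved)
try {
    $session = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri "http://$server/PowerShell/" `
        -Authentication Kerberos -ErrorAction Stop
    "Session $($session.Id) opened: the endpoint accepts this logon, so the problem is the console's stored settings."
    Remove-PSSession $session
} catch {
    # The same "Logon failure" here means WinRM/Kerberos itself is failing, not the console
    "Remote PowerShell connection failed: $($_.Exception.Message)"
}
```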


Exchange user mailbox permissions issues

An IT infrastructure so organic, sometimes I feel like this guy.

I work for a company whose network and server environment represent a fairly common scenario in the corporate IT world. They moved to Active Directory and Exchange about a decade ago and have continued to upgrade and grow based on the general configuration or structure that was established when those services (AD, Exchange, etc.) were first set up.

Over time, various administrators made changes to these systems to accommodate new services, programs, and initiatives. These changes, all completely necessary and reasonable, caused the IT infrastructure to grow and change in a somewhat organic fashion. By organic I mean that servers and the network were configured around the changing needs of the company, bit by bit. Consequently, I occasionally run into quirks or issues like the one I'll be discussing below. I like to think these quirks give the infrastructure character. It keeps me on my toes.

I was changing an Exchange user’s mailbox properties the other day to remove a quota that had been set. When I clicked the OK button to apply the new settings to the mailbox, I received the following error:

The error message is as follows:

“Error: Active Directory operation failed on emailserver.organization.com. This error is not retriable. Additional information: insufficient access rights to perform the operation. Active directory response: 00002098: SecErr: DSID-03150E8A, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
The user has insufficient access rights.”

After some moderate googling, I came across some blog and support forum posts by others who had encountered this error. The general consensus was to check the user’s AD security settings to ensure that the “Exchange Enterprise Servers” group had appropriate permissions. Permissions could be fixed by ensuring that inheritance was applied to the user.


I confirmed that the user object had inheritance enabled but I was still unable to apply the changes to the mailbox. I had gone back to skimming the blogs again when I noticed a suggestion in a post to check the inheritance settings for the OU that the user account was in. It turns out that the OU’s inheritance setting had been disabled.


The story goes as follows:

At some point before we upgraded to Exchange 2010, we had delegated some permissions to the Help Desk so that they could reset users' passwords. There were some users, people in Accounting, HR, and Executives, whose passwords we felt the Help Desk should not be able to reset. The delegated permissions had been set on an OU that the users' department OUs were sub-OUs of. In the above example, the North America OU would be where the delegated permissions for the Help Desk had been set. The sub-OUs (Executives, Marketing, IT, etc.) would inherit those permissions unless inheritance was disabled in their security settings.

In the end, I concluded that disabling inheritance on the affected user's OU prevented the application of new permissions to that user's account that would have been set when we upgraded to Exchange 2010. To resolve the issue, I re-enabled inheritance on the department OU of the user whose mailbox quota I couldn't change. This caused the necessary permissions, which had changed or been added with the upgrade to Exchange 2010, to be applied to the user's account.

I still wanted to prevent the Help Desk from being able to reset those users' passwords, so I disabled inheritance on the OU in question again and manually removed the permissions that I didn't want applied to the users. I think the delegation of rights to the Help Desk maybe should have been applied differently, but that's the moral of this story: the reality of IT is that very rarely, if ever, is any configuration ideal for all uses and situations. Tread carefully, it's a jungle out there.
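Finding the OUs and user objects where inheritance has been switched off, before Exchange complains about one of them, takes a short script. This is an added example, not from the original post; it assumes the RSAT ActiveDirectory module and the North America OU and organization.com domain named above.

```powershell
# Added example (not from the original post): list every OU and user under a
# search base whose security descriptor blocks inheritance, the condition the
# post traces the INSUFF_ACCESS_RIGHTS error to, and count the Exchange ACEs
# left on each. Assumes the RSAT ActiveDirectory module and the North America
# OU / organization.com domain named in the post.
Import-Module ActiveDirectory
$searchBase = "OU=North America,DC=organization,DC=com"

Get-ADObject -SearchBase $searchBase -Properties ntSecurityDescriptor `
    -LDAPFilter "(|(objectClass=organizationalUnit)(&(objectCategory=person)(objectClass=user)))" |
  Where-Object { $_.ntSecurityDescriptor.AreAccessRulesProtected } |
  ForEach-Object {
    $obj = $_
    # GetAccessRules(includeExplicit, includeInherited, identity type)
    $aces = $obj.ntSecurityDescriptor.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    New-Object PSObject -Property @{
        Object       = $obj.DistinguishedName
        Class        = $obj.ObjectClass
        ExchangeACEs = @($aces | Where-Object { $_.IdentityReference -like "*Exchange*" }).Count
    }
  } | Format-Table Object, Class, ExchangeACEs -AutoSize
```

An entry with zero Exchange ACEs is an object the Exchange 2010 setup permissions never reached; members of protected groups (adminCount=1) also appear here by design, because AdminSDHolder keeps inheritance off on them.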

Further reading:
Technet 

Adventures with Distribution Groups in Exchange 2010

Distribution Groups: Because no one should have to suffer alone.

I was involved in the process of migrating a company from Exchange 2007 to 2010. So far, it's been smooth sailing with the exception of a small hiccup here and there. One of these hiccups has to do with the new implementation of the RBAC security model in Exchange 2010 and how that affects managers of distribution groups.

The distribution group manager just clicks the Modify Members button for instant user management joy.

An organization may have hundreds of distribution groups set up in Exchange for various projects, management groups, initiatives, you name it. In a dynamic environment such as this, people are being added to and removed from distribution groups all the time. This is why Exchange admins appoint managers for distribution groups.


A distribution group manager is a regular user with the exception that they can add or remove people from the group that they manage. The manager usually makes changes to the group using the address book in Outlook. In previous versions of Exchange, when an administrator would appoint a user as a manager of a distribution group, all the administrator would have to do is open the Exchange Management Console, add the user as the manager, open Active Directory Users and Computers, open the distribution group properties and give the manager rights to modify the group.


I suppose that, like most admins who had upgraded from earlier versions of Exchange, I was surprised when managers of various distribution groups started complaining that they were getting an error when they tried to add or remove people. Distribution group managers who were able to modify the group before the upgrade to Exchange 2010 were getting errors stating something to the effect of:

Changes to the distribution list membership cannot be saved. You do not have sufficient permission to perform this operation on the object.



Turns out there may be a couple of different things going on here. First, the default permissions for Exchange don’t allow users to manage groups and must be changed. The Default Role Assignment Policy for users needs to be changed if you want your managers to be able to administer their distribution groups. To do this, log into your OWA server’s Exchange Control Panel and take the following steps:


  1. Click on Roles and Auditing
  2. Click on User Roles
  3. Click on Default Role Assignment Policy
  4. Click on Details
  5. Put a check in the box next to MyDistributionGroups
  6. Marvel at how easy that was. A little too easy…

There is one caveat: enabling this setting allows users to create, delete, and modify distribution groups resulting in… DISTRIBUTION GROUP ANARCHY! RUN FOR YOUR LIVES!!!

This is what distribution group anarchy looks like: users all hopped up on venti lattes and unlimited distribution group management.

I think that for most organizations, this setting isn't sufficient for their needs. To further button down these access settings, a custom role can be created using the Exchange Management Shell. Luckily for us, the sharp folks over at the Exchange Team Blog created a PowerShell script that restores sanity to your distribution group settings by giving managers back the ability to manage their distribution groups while keeping them from being able to make new groups or delete them.

You can download the PowerShell script here: http://gallery.technet.microsoft.com/scriptcenter/8c22734a-b237-4bba-ada5-74a49321f159
You can read about using the script (which I highly recommend) here: http://blogs.technet.com/b/exchange/archive/2009/11/18/3408844.aspx



Second, you may find that you can use the Exchange Management Console (EMC) to modify distribution group memberships but managers who need to use Outlook to administer their groups can’t. To make editing distribution groups work in Outlook, you may need to change each distribution group to be Mail Universal Distribution Groups as well. You can do this in the EMC by right-clicking on the distribution group in question and selecting the “Convert to Universal Group” option.
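The restricted role the linked script builds, written out as plain Exchange Management Shell commands, together with the universal-group conversion from the second point above. This is an added example, not the post's own commands nor the Exchange team's script; the role name is my choice.

```powershell
# Added example (not from the original post or the Exchange team's script):
# let group managers modify membership without creating or deleting groups,
# then make Outlook-side editing possible by converting the groups to
# universal scope. The role name is my choice.
$role = "MyDistributionGroupsManagement"

# 1. Derive a child role from the built-in MyDistributionGroups role...
New-ManagementRole -Name $role -Parent MyDistributionGroups

# ...and strip the entries that let users create or delete groups
Remove-ManagementRoleEntry "$role\New-DistributionGroup" -Confirm:$false
Remove-ManagementRoleEntry "$role\Remove-DistributionGroup" -Confirm:$false

# 2. Attach the trimmed role to the default policy. Leave MyDistributionGroups
#    itself unchecked in ECP, or the removed rights come straight back.
New-ManagementRoleAssignment -Role $role -Policy "Default Role Assignment Policy"

# What a policy user can now do with groups (no New-/Remove-DistributionGroup)
Get-ManagementRoleEntry "$role\*" | Select-Object Name

# 3. Managers editing membership from the Outlook address book need the group
#    to be universal (the post's second point). Run with -WhatIf first.
Get-DistributionGroup -ResultSize Unlimited |
    Where-Object { $_.GroupType -notmatch "Universal" } |
    Set-Group -Universal
```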



Further reading:

Oddness when creating a dynamic distribution list in Exchange 2007 with custom filters

I recently ran into an interesting bug in Exchange 2007. I was creating a dynamic distribution list in the Exchange Management Shell. I set up a custom filter so that if a user’s AD account description had the word “common” in it, that user would be excluded from the distribution list.

Here’s the code for the DL:

New-DynamicDistributionGroup "EveryoneBlah" -OrganizationalUnit "blah.com/DL" -RecipientContainer "blah.com/blah/Lewiston/blah" -IncludedRecipients MailboxUsers

Here's the code for the filter (note that -like needs the * wildcards to match "common" anywhere in the description; without them it only matches a description that is exactly "common"):

Set-DynamicDistributionGroup EveryoneBlah -RecipientFilter { (RecipientType -eq 'UserMailbox') -and -not (description -like '*common*') }

When I tried to test the filter by viewing the filtered list of recipients using the Exchange Management Console or by using the Exchange Management Shell, I would be shown a list of the users that the filter had been applied to BUT that list would not be limited by the RecipientContainer that had been specified.

So I did some searching and asking around and was pointed to this guy’s blog. He found out that this is actually a bug in Exchange 2007! The dynamic distribution group and the filter work just fine. It’s Exchange 2007’s functionality to SHOW the correct list of users that the DL is applied to that’s wonky.
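To see who the group will actually deliver to, the filter can be evaluated by hand under the same container the group was created with, rather than relying on the console preview. This is an added example, not from the original post; it assumes the group name used above.

```powershell
# Added example (not from the original post): preview the dynamic group's
# membership scoped to its own RecipientContainer, instead of trusting the
# console preview the post found unreliable. Assumes the group name from the post.
$dg = Get-DynamicDistributionGroup -Identity "EveryoneBlah"

# Exchange stores the filter rewritten as OPATH, with its own exclusions appended
$dg.RecipientFilter
$dg.RecipientContainer

# Same filter, evaluated only under the container the group was created with
Get-Recipient -RecipientPreviewFilter $dg.RecipientFilter `
              -OrganizationalUnit $dg.RecipientContainer |
    Sort-Object Name |
    Select-Object Name, RecipientType, PrimarySmtpAddress
```

The difference between this list and the unscoped preview is exactly the set of users the console shows but the group never mails.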

Further Reading:

http://www.zerohoursleep.com/2010/03/bug-revealed-in-dynamic-distribution-groups-on-exchange-2007/

Looking for an AD account that is associated with an email address?

From time to time I find myself looking for an account that is associated with a specific email address. If the email address in question is an alias, a simple search in Exchange won’t turn up any results. Running a query in Active Directory Users and Computers can locate the information easily.

To run this query, take the following steps:

  1. Open the Active Directory Users and Computers MMC.
  2. Right-click on the domain and select the “Find” option.
  3. Select the “Custom Search” option from the “Find:” drop down menu.
  4. Click on the “Advanced” tab.
  5. In the field under “Enter LDAP query:” type the following: “(proxyAddresses=smtp:example@example.com)”.
  6. Hit the “Find Now” button and prepare for win.
I really have to find better examples to support my instructions.
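The same lookup from the shell, covering contacts and groups as well as users (any object can carry proxyAddresses), and escaping the address before it goes into the LDAP filter so a pasted value cannot change the query. Added example, not from the original post; the function name is my choice.

```powershell
# Added example (not from the original post): the post's LDAP query from
# PowerShell. Requires the RSAT ActiveDirectory module; the function name is mine.
Import-Module ActiveDirectory

function Find-ADObjectByProxyAddress {
    param([Parameter(Mandatory = $true)][string]$Address)

    # Escape LDAP filter metacharacters (backslash first) so the address is
    # matched literally rather than interpreted as part of the filter
    $escaped = $Address -replace '\\', '\5c' -replace '\*', '\2a' `
                        -replace '\(', '\28' -replace '\)', '\29'

    # proxyAddresses compares case-insensitively, so "smtp:" also finds the
    # primary "SMTP:" address; searching all object classes catches contacts
    # and groups that hold the alias, not just user accounts
    Get-ADObject -LDAPFilter "(proxyAddresses=smtp:$escaped)" -Properties proxyAddresses |
        Select-Object Name, ObjectClass, DistinguishedName,
            @{ n = 'Addresses'; e = { $_.proxyAddresses -join '; ' } }
}

Find-ADObjectByProxyAddress -Address 'example@example.com'
```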

Further Reading:

Exchange 2007 SP3 Rollup 3 – Unforseen Consequences

Did not see that coming.

If you have installed Rollup 3 on your Exchange 2007 SP3 email server then you might experience the following: when Mac users send emails with .tiff or .pdf attachments to Windows users, the Windows users won't be able to view the attachments! Sometimes Windows users who receive the attachment-laden email won't even see the telltale paperclip symbol on these emails. It is only when the email is viewed from OWA or another Mac client that its attachments become apparent.

Even though the rollup was released in April, Microsoft still hasn’t released a publicly available patch for it. At this time, you’ve got three things that you can do to try and resolve this issue:

  1. Uninstall Rollup 3
  2. Call 1-800-microsoft and talk Microsoft support into giving you the hotfix
  3. Enter the following command in PowerShell on your Exchange server; it has reportedly helped some people: Set-OrganizationConfig -ShowInlineAttachments:$true

Further Reading:

Outlook 2011 and the really low email attachment size limit

No. Not really.

Anyone with an Exchange 2007 email account who recently upgraded from Office 2008 to 2011 on the Mac might find themselves unable to send emails with attachments over 10MB in size. While Entourage used WebDAV, Outlook 2011 uses Exchange Web Services (EWS) for email access. The default size limit for sending emails using EWS is 10MB. To fix this, you'll need to edit a few files named "web.config" on the Exchange server, run a few commands and then reboot the sucker just because it's a good time.

Here’s what you do:

  1. On your Exchange server go to “C:\Program Files\Microsoft\Exchange Server\ClientAccess\exchweb\ews”
  2. Make a copy of the "web.config" file – just in case you break something.
  3. Open up the “web.config” file in notepad or Notepad++ (if you’re badass)
  4. Find the line containing httpRuntime maxRequestLength="13280"
  5. Change the 13280 value to whatever you want. Note that this value is in KB.
  6. Save and close the file
  7. Next, you’ll want to repeat steps 1-6 with the “web.config” files in the “\ClientAccess\owa” and “\ClientAccess\sync” folders.
  8. Open up the command prompt and enter “CD %windir%\system32\inetsrv”
  9. Enter the following commands:

    appcmd set config "Default Web Site/ews" -section:requestFiltering -requestLimits.maxAllowedContentLength:#########

    appcmd set config "Default Web Site/owa" -section:requestFiltering -requestLimits.maxAllowedContentLength:#########

    appcmd set config "Default Web Site/Microsoft-Server-Activesync" -section:requestFiltering -requestLimits.maxAllowedContentLength:#########

    Note: Replace the # with the values you entered in the web.config files, but this time in bytes. If you entered 100000 in the web.config file, enter 100000000 for the value on the command line.
  10. Enter the “iisreset” command
  11. Take a moment to reflect on how awesome you are for winning.
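Steps 1 through 10 done in one pass, so the three web.config files and the three IIS limits cannot drift apart and each file is backed up before it is touched. Added example, not from the original post; it assumes the default install path and the "Default Web Site" name used above, and $limitKB is whatever value you choose.

```powershell
# Added example (not from the original post): apply one limit to the three
# web.config files and the matching IIS request-filtering limits in a single
# pass, backing each file up first. Assumes the default install path and the
# "Default Web Site" name used in the post; $limitKB is your chosen value.
$limitKB    = 51200                 # httpRuntime maxRequestLength is in KB (50 MB)
$limitBytes = $limitKB * 1024       # requestLimits.maxAllowedContentLength is in bytes
$root   = "C:\Program Files\Microsoft\Exchange Server\ClientAccess"
$appcmd = "$env:windir\system32\inetsrv\appcmd.exe"

# folder under ClientAccess  ->  IIS configuration path of the same virtual directory
$targets = @{
    "exchweb\ews" = "Default Web Site/ews"
    "owa"         = "Default Web Site/owa"
    "sync"        = "Default Web Site/Microsoft-Server-Activesync"
}

foreach ($folder in $targets.Keys) {
    $cfg = Join-Path $root "$folder\web.config"
    Copy-Item $cfg "$cfg.bak" -Force            # step 2 of the post, for every file

    [xml]$xml = Get-Content $cfg
    $node = $xml.SelectSingleNode("//httpRuntime")
    if (-not $node) { throw "No <httpRuntime> element in $cfg" }
    $node.SetAttribute("maxRequestLength", [string]$limitKB)
    $xml.Save($cfg)

    # Keep IIS's byte limit in step with the KB value just written
    & $appcmd set config $targets[$folder] "/section:requestFiltering" `
        "/requestLimits.maxAllowedContentLength:$limitBytes"
}
iisreset
```

Whichever of the two limits is smaller is the one that bites: IIS request filtering rejects an oversized body before ASP.NET ever sees it, so a maxAllowedContentLength below maxRequestLength in bytes silently lowers the cap.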
Further reading: