The new place I work recently upgraded from a 2-server Exchange 2003 (1 FE and 1 BE) to a 4-server Exchange 2010 (CAS and Mailbox, Mailbox, Hub, Edge) environment. Unfortunately some of the upgrade didn’t go quite as planned and there were quite a few issues remaining.
One such issue was that when a user logged into OWA (Outlook Web App – or as I still like to call it, Outlook Web Access) and attempted to open the Out Of Office area, they would receive a permission denied error. This means the user cannot view the ECP (Exchange Control Panel) area of OWA.
Problem I found: Users did not have a role policy assigned to them.
This shows the mailbox's role assignment policy – it should show “Default Role Assignment Policy”:
get-mailbox MAILBOXNAME | select-object roleassignmentpolicy
If nothing shows, you must set the default policy:
get-mailbox MAILBOXNAME | set-mailbox -roleassignmentpolicy "Default Role Assignment Policy"
This shows the current role assignments – it should show MyBaseOptions:
get-managementroleassignment -roleassignee MAILBOXNAME | fl role
If nothing shows, you must add the base options:
add-rolegroupmember 'MyBaseOptions' -Member MAILBOXNAME
ALL USERS IN DOMAIN – just remove the mailbox name:
get-mailbox | ft name,roleassignmentpolicy
get-mailbox | set-mailbox -roleassignmentpolicy "Default Role Assignment Policy"
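The steps above as one audit-then-fix pass for the Exchange Management Shell. This is an added example, not part of the original post: it touches only mailboxes that have no policy instead of rewriting every mailbox, and it passes -ResultSize Unlimited because Get-Mailbox otherwise stops at 1000 results. The variable names and the dry-run switch are choices made for this example.

```powershell
# Added example: run in the Exchange Management Shell (Exchange 2010).
# $policyName and $apply are names chosen for this example.
$policyName = "Default Role Assignment Policy"   # policy name used in the post
$apply      = $false                              # set to $true to make changes

# 1. Make sure the policy exists before pointing mailboxes at it.
$policy = Get-RoleAssignmentPolicy -Identity $policyName -ErrorAction Stop

# 2. Check that the policy carries MyBaseOptions. Without that role,
#    assigning the policy will not give users access to their ECP options.
$base = Get-ManagementRoleAssignment -RoleAssignee $policyName -Role "MyBaseOptions"
if (-not $base) {
    Write-Warning "'$policyName' has no MyBaseOptions assignment."
}

# 3. Find mailboxes with no role assignment policy at all.
#    -ResultSize Unlimited avoids the default 1000-mailbox cut-off.
$missing = @(Get-Mailbox -ResultSize Unlimited |
    Where-Object { -not $_.RoleAssignmentPolicy })

Write-Host ("Mailboxes without a role assignment policy: " + $missing.Count)
$missing | Format-Table Name, RoleAssignmentPolicy -AutoSize

# 4. Assign the policy only to those mailboxes. The guard matters on
#    PowerShell 2.0, where piping an empty result still runs the cmdlet once.
if ($missing.Count -gt 0) {
    if ($apply) {
        $missing | Set-Mailbox -RoleAssignmentPolicy $policyName
    } else {
        # Dry run: show what would change without changing it.
        $missing | Set-Mailbox -RoleAssignmentPolicy $policyName -WhatIf
    }
}

# 5. Re-check: this list should be empty after a real run.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { -not $_.RoleAssignmentPolicy } |
    Format-Table Name, RoleAssignmentPolicy -AutoSize
```

Leaving mailboxes that already have a different policy untouched keeps any deliberately restricted users on their own policy.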