Updated: Exchange Connector permissions changed in Configuration Manager Current Branch (1511 and higher)


Exchange Connector Current Branch

Note! Updated with additional permissions (Get-Mailbox) 04/28/2016

During a Configuration Manager Current Branch (1511) implementation I ran into an issue configuring the Exchange Connector. After configuring the connector, devices that synchronize through Exchange ActiveSync were not discovered and therefore did not appear in the admin console.

Exchange Connector log

In the Exchange Connector log file (EasDisc.log) I found the following errors, which led us to the root cause:

ERROR: [MANAGED] Invoking cmdlet Get-User failed. Exception: System.Management.Automation.RemoteException: The term ‘Get-User’ is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.~~   at System.Management.Automation.PowerShell.CoreInvokeRemoteHelper[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)~~   at System.Management.Automation.PowerShell.CoreInvoke[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)~~   at System.Management.Automation.PowerShell.CoreInvoke[TOutput](IEnumerable input, PSDataCollection`1 output, PSInvocationSettings settings)~~   at Microsoft.ConfigurationManager.ExchangeConnector.Connector.Invoke(PSCommand cmd)                SMS_EXCHANGE_CONNECTOR 

ERROR: [MANAGED] Exception: The term ‘Get-User’ is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.    SMS_EXCHANGE_CONNECTOR 

ERROR: Failed to check status of discovery thread of managed COM. error = Unknown error 0x80131501                SMS_EXCHANGE_CONNECTOR

Permissions changed

The error reads like a typo, but it is a permission problem. Exchange RBAC only exposes the cmdlets an account is entitled to in its remote PowerShell session, so a cmdlet the account is not allowed to run shows up as "not recognized" instead of "access denied". In this case the service account used for the Exchange Connector is not allowed to run the Get-User Exchange Server cmdlet. But hey, the Get-User cmdlet wasn't required before!? That's correct: Microsoft confirmed that the Configuration Manager Current Branch (1511 and higher) binaries changed and that the Get-User cmdlet was added to the discovery flow of the Exchange Connector.

The service account can be the computer account of the site server or a Windows user account. Configure this account, through Exchange RBAC, to run the following Exchange Server cmdlets:

  • Clear-ActiveSyncDevice

  • Get-ActiveSyncDevice

  • Get-ActiveSyncDeviceAccessRule

  • Get-ActiveSyncDeviceStatistics

  • Get-ActiveSyncMailboxPolicy

  • Get-ActiveSyncOrganizationSettings

  • Get-ExchangeServer

  • Get-Mailbox

  • Get-Recipient

  • Get-User

  • Set-ADServerSettings

  • Set-ActiveSyncDeviceAccessRule

  • Set-ActiveSyncMailboxPolicy

  • Set-CASMailbox

  • New-ActiveSyncDeviceAccessRule

  • New-ActiveSyncMailboxPolicy

  • Remove-ActiveSyncDevice
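As an added example (not part of the original post and not one of the gallery scripts mentioned below), the following PowerShell grants a service account exactly the cmdlets listed above and then verifies the result from the account's own point of view. It assumes a Windows user account named CONTOSO\svc-cmexch and an Exchange server named EXCH01.contoso.local; both names are placeholders. Run it in the Exchange Management Shell as a member of Organization Management. It derives trimmed custom roles from whichever built-in roles already contain each cmdlet, so no parent role names are hard-coded.

```powershell
# Added example, not the post's own script. Run in the Exchange Management Shell
# as a member of Organization Management.
# Assumed names (placeholders): service account CONTOSO\svc-cmexch, server EXCH01.
$ServiceAccount = 'CONTOSO\svc-cmexch'
$ExchangeServer = 'EXCH01.contoso.local'
$RolePrefix     = 'CM Exchange Connector'   # kept short: role names are limited to 64 chars

# The cmdlet list from the article, including Get-User and Get-Mailbox.
$RequiredCmdlets = @(
    'Clear-ActiveSyncDevice', 'Get-ActiveSyncDevice', 'Get-ActiveSyncDeviceAccessRule',
    'Get-ActiveSyncDeviceStatistics', 'Get-ActiveSyncMailboxPolicy',
    'Get-ActiveSyncOrganizationSettings', 'Get-ExchangeServer', 'Get-Mailbox',
    'Get-Recipient', 'Get-User', 'Set-ADServerSettings', 'Set-ActiveSyncDeviceAccessRule',
    'Set-ActiveSyncMailboxPolicy', 'Set-CASMailbox', 'New-ActiveSyncDeviceAccessRule',
    'New-ActiveSyncMailboxPolicy', 'Remove-ActiveSyncDevice'
)

# 1. Map every required cmdlet to a built-in (root) role that already contains it.
#    Custom roles can only be derived from an existing role, so this decides which
#    parents to clone instead of guessing role names.
$rootRoles = Get-ManagementRole | Where-Object { $_.IsRootRole } | Select-Object -ExpandProperty Name
$parents = @{}   # parent role name -> required cmdlets it supplies
foreach ($cmdlet in $RequiredCmdlets) {
    $entry = Get-ManagementRoleEntry "*\$cmdlet" |
             Where-Object { $rootRoles -contains $_.Role.ToString() } |
             Select-Object -First 1
    if (-not $entry) { throw "No built-in management role contains $cmdlet" }
    $parent = $entry.Role.ToString()
    if (-not $parents.ContainsKey($parent)) { $parents[$parent] = @() }
    $parents[$parent] += $cmdlet
}

# 2. Clone each parent role and strip every entry that is not on the list, so the
#    account ends up with the 17 cmdlets above and nothing else (least privilege).
# 3. Assign each trimmed role directly to the service account.
foreach ($parent in $parents.Keys) {
    $child = "$RolePrefix - $parent"
    if (-not (Get-ManagementRole $child -ErrorAction SilentlyContinue)) {
        New-ManagementRole -Name $child -Parent $parent | Out-Null
    }
    Get-ManagementRoleEntry "$child\*" |
        Where-Object { $RequiredCmdlets -notcontains $_.Name } |
        Remove-ManagementRoleEntry -Confirm:$false
    Write-Host ("{0}: {1} entries left" -f $child, @(Get-ManagementRoleEntry "$child\*").Count)

    if (-not (Get-ManagementRoleAssignment -Role $child -RoleAssignee $ServiceAccount -ErrorAction SilentlyContinue)) {
        New-ManagementRoleAssignment -Role $child -User $ServiceAccount | Out-Null
    }
}

# 4. Verify as the service account. RBAC removes cmdlets the account may not run
#    from the remote runspace, which is exactly why EasDisc.log reports
#    "not recognized" rather than "access denied". Anything reported missing here
#    is what the connector would fail on.
function Test-ConnectorCmdlets {
    param([pscredential]$Credential = (Get-Credential -UserName $ServiceAccount -Message 'Service account password'))
    $session = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri "http://$ExchangeServer/PowerShell/" `
        -Authentication Kerberos -Credential $Credential
    try {
        $visible = Invoke-Command -Session $session { Get-Command | Select-Object -ExpandProperty Name }
        $missing = $RequiredCmdlets | Where-Object { $visible -notcontains $_ }
        if ($missing) { Write-Warning "Still not visible to ${ServiceAccount}: $($missing -join ', ')" }
        return (-not $missing)
    }
    finally { Remove-PSSession $session }
}

Test-ConnectorCmdlets
```

Permissions are evaluated when a session is created, so restart the SMS_EXCHANGE_CONNECTOR discovery (or wait for the next run) after assigning the roles, and re-check EasDisc.log. If the same cmdlet is required by the connector later on (as happened with Get-User in 1511 and Get-Mailbox afterwards), adding it to $RequiredCmdlets and re-running the script is enough: existing roles are reused and only the assignments that do not yet exist are created.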

Microsoft Intune Exchange Connector 

At the time of writing this change applies only to Configuration Manager Current Branch and not to the Microsoft Intune Exchange Connector. Take into account that when you upgrade your existing Configuration Manager 2012 R2 setup, or install the Current Branch Exchange Connector, you have to extend the permissions of the service account accordingly.

On the Microsoft Office 365 TechCenter two PowerShell scripts by Stephan Schwarz are available that configure the required permissions for you:

Configure Exchange cmdlet permissions for ConfigMgr 2012 Exchange Connector

Configure Exchange cmdlet permissions for Microsoft Intune Exchange Connector

Sources

https://technet.microsoft.com/en-us/library/mt627895.aspx


3 thoughts on "Updated: Exchange Connector permissions changed in Configuration Manager Current Branch (1511 and higher)"

  1. Michael

    I've configured ConfigMgr Current Branch 1602 recently with Exchange Connector and used this script to set up account rights for Exchange Connector. In the log file I've discovered an entry complaining about the Get-Mailbox cmdlet. After modifying the script to also include Get-Mailbox everything went smooth.
    Surprisingly enough there is no statement on TechNet that Get-Mailbox is also required :(
