Users are unable to access OWA options (ECP) in Exchange 2010 and 2013

This is not an especially new issue but there is not much information about it so here goes anyway.

The issue

Some users, but not all, of a customer of mine reported that they could not save their signatures in OWA. After some investigation I found that the users that could save their signature had a Role Assignment Policy set, “Default Role Assignment Policy”. This was the only policy in use and all users should have that policy.

When I did a quick check online, some people had reported that an event with event ID 4 and the error message "The user "username" isn’t assigned to any management roles." was logged in the Application Log on the CAS servers. However, my customer had no such events in the Application Logs on their CAS servers.

The users that could not save their signature had an empty Role Assignment Policy attribute. Exchange needs the RoleAssignmentPolicy property (msExchRBACPolicyLink attribute) to be able to determine which settings the user has the rights to change in ECP. This is based on RBAC, and if you want to read up on Role Assignment Policies have a look here.

Let's have a look at this in more detail. I have two users: Test User1 with no policy set, and Test User2 with the “Default Role Assignment Policy” set. We will start with the first user…

 

A broken Mailbox

Test User1 (no policy set)
Run the following command to view the RoleAssignmentPolicy property.

Get-Mailbox <identity> | Format-List Name,RoleAssignmentPolicy

Example:

[Screenshot: OWASaveError03]

As you can see, the RoleAssignmentPolicy property is empty. In ADSI Edit the attribute you should look for is called msExchRBACPolicyLink as shown below.

[Screenshot: OWASaveError01]

As you probably have guessed already, the attribute is empty for Test User1. If I go to OWA and try to change some of the options I receive the following error message “Sorry! Access Denied. You don’t have permission to open this page. If you’re a new user or were recently assigned credentials, please wait 15 minutes and try again.”.

In both Exchange 2010 and 2013 the message looks like this.

[Screenshot: OWASaveError05]

 

A working mailbox

Test User2 (“Default Role Assignment Policy” set)

Again, run the following command to view the RoleAssignmentPolicy property:

Get-Mailbox <identity> | Format-List Name,RoleAssignmentPolicy

Example:

[Screenshot: OWASaveError04]

Much better, as you can see. When we use ADSI Edit, the msExchRBACPolicyLink attribute contains the Distinguished Name of the “Default Role Assignment Policy”.

[Screenshot: OWASaveError02]

For Test User2 it works fine to change the settings in ECP.

 

Why did it happen?

I did some more investigating and found that the reason this issue occurred for some users was that my customer created some mailboxes using AD Toolkit. When AD Toolkit creates the mailboxes, the msExchRBACPolicyLink attribute is not set.

The attribute can be set from AD Toolkit as well, by adding an attribute when creating the mailboxes and specifying msExchRBACPolicyLink with a correct Role Assignment Policy.

 

Solution

The easiest way to solve the issue is to add a Role Assignment Policy for the affected mailboxes. To find all users with an empty msExchRBACPolicyLink attribute you can run the following command.

Get-Mailbox -ResultSize Unlimited | Where { $_.RoleAssignmentPolicy -like $null}

Example:

[Screenshot: OWASaveError07]


To add a Role Assignment Policy for all the listed users run the following command:

Get-Mailbox -ResultSize Unlimited | Where { $_.RoleAssignmentPolicy -like $null} | Set-Mailbox -RoleAssignmentPolicy "Default Role Assignment Policy"

Example:

[Screenshot: OWASaveError08]

And that should be it, all users should now be able to change their settings in ECP.
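
The two commands above, combined into one function that can be previewed before it changes anything. This is an added example, not code from the original post; the function name, parameter names and report path are hypothetical. It checks that the policy exists, records the affected mailboxes in a CSV, sets the policy, and returns any mailbox that is still missing it.

```powershell
# Added example: run in the Exchange Management Shell (Exchange 2010/2013).
# Function name, parameter names and the report path are hypothetical.
function Repair-MissingRoleAssignmentPolicy {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$PolicyName = 'Default Role Assignment Policy',
        [string]$ReportPath = '.\MissingRoleAssignmentPolicy.csv'
    )

    # Stop early if the policy name is mistyped or the policy does not exist.
    $policy = Get-RoleAssignmentPolicy -Identity $PolicyName -ErrorAction Stop

    # Mailboxes whose RoleAssignmentPolicy (msExchRBACPolicyLink) is empty.
    $affected = @(Get-Mailbox -ResultSize Unlimited |
        Where-Object { -not $_.RoleAssignmentPolicy })

    if ($affected.Count -eq 0) {
        Write-Verbose 'No mailboxes with an empty RoleAssignmentPolicy.'
        return
    }

    # Record what is about to change; written even when -WhatIf is used.
    $affected |
        Select-Object Name, PrimarySmtpAddress, DistinguishedName, WhenCreated |
        Export-Csv -Path $ReportPath -NoTypeInformation -Encoding UTF8 -WhatIf:$false

    foreach ($mbx in $affected) {
        $action = "Set RoleAssignmentPolicy to '$($policy.Name)'"
        if ($PSCmdlet.ShouldProcess($mbx.DistinguishedName, $action)) {
            Set-Mailbox -Identity $mbx.DistinguishedName -RoleAssignmentPolicy $policy.Name
        }
    }

    # Re-read each mailbox and return any that still has no policy.
    # With -WhatIf this is the full list, since nothing was changed.
    $affected |
        ForEach-Object { Get-Mailbox -Identity $_.DistinguishedName } |
        Where-Object { -not $_.RoleAssignmentPolicy } |
        Select-Object Name, PrimarySmtpAddress
}

# Preview first, then apply:
#   Repair-MissingRoleAssignmentPolicy -WhatIf
#   Repair-MissingRoleAssignmentPolicy -Verbose
```

The WhenCreated column in the report helps tie the affected mailboxes back to the provisioning run that created them without the attribute.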

Thanks for reading and do not hesitate to let me know if you run into any issues!


8 Responses to Users are unable to access OWA options (ECP) in Exchange 2010 and 2013

  1. Tom Brackett says:

    I am having this issue; all users in the environment have this attribute set. OWA works fine but ECP does not. Also when a user clicks options in OWA they get this error. Any ideas?

    • Martin Sundström says:

      Tom, has this worked before? Has anyone made any changes or installed any updates? Make sure that the authentication settings on the ECP site are correct.

  2. ptomic says:

    I have a slightly different problem. “Default Role Assignment Policy” is assigned to all users, but a lot of them can’t change their signature. Only users that have domain admin or exchange admin privileges can change signature or access options in OWA.

    • srikanth says:

      Hello all,

      I am also facing the same problem. All the users are set with “default role assignment policy” but still get the same error.

      Any ideas or suggestions please?
