When using Active Roles Microsoft Exchange 2013 and later versions, the minimum specified permissions defined in the Active Roles documentation will not grant enough rights to perform Exchange tasks.
This is due to a new layer of security which has been implemented by Microsoft.
The issue has been identified as a product defect, TF00366489.
The documentation will be updated in a future release of the product.
Complete both steps:
1) Add Recipient Management role to the Active Roles Service account (or Domain Override Account). In the 2013 Exchange Management Shell:
Add-RoleGroupMember "Recipient Management" -Member <ARS account>
2) Add permissions manually using ADSI Edit.
List contents and Read all properties permissions must be explicitly granted from the Root down to the Exchange container inside the Configuration container.
* Domain Override Account
* Service Account (if no Domain Override Account specified)
This object and all descendant objects
Read all properties
Quest Software does not provide support for problems that arise from improper modification of objects using ADSI Edit.
The following statement about ADSI Edit was taken directly from Microsoft:
Warning: If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require you to reinstall Microsoft Windows 2000 Server, Microsoft Windows Server 2003, Microsoft Exchange 2000 Server, Microsoft Exchange Server 2003, or both Windows and Exchange.
Microsoft cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.