When using Active Roles with Microsoft Exchange 2013 and later versions, the minimum permissions specified in the Active Roles documentation do not grant enough rights to perform Exchange tasks.
This is because Exchange 2013 introduced an additional layer of security that the documented minimum permissions do not account for.
The issue has been identified as a product defect, TF00366489.
STATUS
The documentation will be updated in a future release of the product.
WORKAROUND
Complete both steps:
1) Add the Active Roles Service Account (or the Domain Override Account, if one is configured) to the Recipient Management role group. In the Exchange 2013 Management Shell, run:
Add-RoleGroupMember "Recipient Management" -Member <ARS account>
2) Add permissions manually using ADSI Edit.
The List contents and Read all properties permissions must be explicitly granted from the root down to the Microsoft Exchange container inside the Configuration container.
Security object:
CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=XXXX
Trustee:
* Domain Override Account
* Service Account (if no Domain Override Account is specified)
Apply to:
This object and all descendant objects
Permissions:
List contents
Read all properties
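The two workaround steps above as a single script, with a check of the result, added here as an example; it is not taken from the KB article or from the Active Roles product. It assumes it runs in an Exchange 2013 Management Shell on a host that also has the ActiveDirectory module, that $Trustee (the placeholder CONTOSO\svc-activeroles) is the Domain Override Account or, where none is configured, the Service Account in DOMAIN\name form, and that the Configuration partition is resolved from the root DSE rather than hard-coded as DC=XXXX. The ACE is applied to the container named in the table with inheritance to all descendants; the final enumeration run as the trustee shows whether the account can actually walk the subtree, which is the practical test that the rights are in place all the way down.

```powershell
# Added example, not from the Active Roles documentation or the KB article.
# Scripts both workaround steps and then checks the result.
# Assumptions (placeholders, adjust for your forest):
#   - runs in an Exchange 2013 Management Shell with the ActiveDirectory module available
#   - $Trustee is the Active Roles Domain Override Account, or the Service Account
#     if no Domain Override Account is configured, given as DOMAIN\name

$Trustee = 'CONTOSO\svc-activeroles'   # placeholder account name

# --- Step 1: RBAC role group membership --------------------------------------
# Adds the account to the Exchange "Recipient Management" role group
# (Add-RoleGroupMember reports an error if the account is already a member).
Add-RoleGroupMember -Identity 'Recipient Management' -Member $Trustee

# --- Step 2: explicit ACEs on the Microsoft Exchange container ---------------
Import-Module ActiveDirectory

# Resolve the Configuration partition DN instead of hard-coding DC=XXXX.
$configNC   = (Get-ADRootDSE).configurationNamingContext
$exchangeDN = "CN=Microsoft Exchange,CN=Services,$configNC"
$adPath     = "AD:\$exchangeDN"      # AD: drive is provided by the ActiveDirectory module

$identity = New-Object System.Security.Principal.NTAccount($Trustee)
$sid      = $identity.Translate([System.Security.Principal.SecurityIdentifier])

# ADSI Edit "List contents" = ListChildren, "Read all properties" = ReadProperty.
$rights = [System.DirectoryServices.ActiveDirectoryRights]'ListChildren, ReadProperty'

# ADSI Edit "This object and all descendant objects" = ActiveDirectorySecurityInheritance::All
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
)

$acl = Get-Acl -Path $adPath
$acl.AddAccessRule($ace)
Set-Acl -Path $adPath -AclObject $acl

# --- Check 1: the ACE is present on the container itself (not merely inherited)
$granted = (Get-Acl -Path $adPath).Access | Where-Object {
    $_.IdentityReference.Value -eq $Trustee -and
    $_.AccessControlType -eq 'Allow' -and
    -not $_.IsInherited -and
    ($_.ActiveDirectoryRights -band $rights) -eq $rights
}
if (-not $granted) {
    throw "Explicit List contents / Read all properties ACE for $Trustee not found on $exchangeDN"
}
$granted | Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType | Format-Table -AutoSize

# --- Check 2: the trustee can really walk the subtree ------------------------
# Enumerating as the trustee (prompts for its password) proves that the rights
# take effect down the tree. A much smaller count than the same query run as the
# current admin points to an object on the path that the account still cannot read.
$cred = Get-Credential -UserName $Trustee -Message 'Password for the Active Roles account'
$asTrustee = (Get-ADObject -SearchBase $exchangeDN -SearchScope Subtree -Filter * -Credential $cred | Measure-Object).Count
$asAdmin   = (Get-ADObject -SearchBase $exchangeDN -SearchScope Subtree -Filter * | Measure-Object).Count
"Objects visible under the Microsoft Exchange container: $asTrustee as $Trustee, $asAdmin as the current admin"
```

Run the script with an account that already has Exchange Organization Management rights and write access to the Configuration partition; the second check needs the trustee's password only for the read-back, and any difference between the two counts is the container to inspect next in ADSI Edit.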
Quest Software does not provide support for problems that arise from improper modification of objects using ADSI Edit.
The following statement about ADSI Edit was taken directly from Microsoft:
Warning: If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require you to reinstall Microsoft Windows 2000 Server, Microsoft Windows Server 2003, Microsoft Exchange 2000 Server, Microsoft Exchange Server 2003, or both Windows and Exchange.
Microsoft cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.
© 2021 One Identity LLC. All rights reserved.