Issue: User is a standard user (not a domain admin) and his RBAC permissions allow him to do message tracking but he is not not an Organization Admin.
- Running with Exchange PowerShell (get-messagetrackinglog): works
- Running with ECP: works
- Running with Tracking Log Explorer : Broken
“Failed to connect to the Microsoft Exchange Transport Log Search service on computer “Exchange_Servername”. Verify that a valid computer name was used and the Microsoft Exchange Transport Log Search service is started on the target computer.” The error message is: Access is denied.”
Reason: EXTra.exe is what is used to run Tracking Log Explorer and it doesn’t use remote PowerShell therefore your permissions are based on your AD login permissions not RBAC.
Solutions:
- Add the users to the “Exchange View-Only Administrators” (2007) or “Public Folder Management” (2010 Green Field) AD Group to be able to use the GUI.
- Use Exchange PowerShell or ECP to pull the tracking logs.
Thanks to Andrew and Ron for Figuring this out!
Note: Walkthrough on setting up ECP\ EMS Message tracking access
Hmm, this seems really similar to a Lync issue I have seen
its the same issue 🙂
Jedi, let me tell you that the scope of these cmdlets was KILLING ME until I found your article. What was particularly troubling is the the console was showing all objects, but my cmdlets were not. Once I found your post, bingo. Thanks a ton.
Jedi,
This worked in my environment too…However i am still unable to figure it out which management role entry from ‘Public folder’ or Mail Enabled public folders did the trick.
Would you mind to share your thoughts on that.
Thanks you very much…
Thans
Well the issue is that it is using AD permissions not RBAC.
Or are you just wanting to know which role entry does this in RBAC in general?
Thanks immensely! Much appreciated