Can’t run Tracking Log Explorer : Access Denied


 

Issue: User is a standard user (not a domain admin). His RBAC permissions allow him to do message tracking, but he is not an Organization Admin.

  • Running with Exchange PowerShell (get-messagetrackinglog): works
  • Running with ECP: works
  • Running with Tracking Log Explorer : Broken

“Failed to connect to the Microsoft Exchange Transport Log Search service on computer “Exchange_Servername”. Verify that a valid computer name was used and the Microsoft Exchange Transport Log Search service is started on the target computer.” The error message is: Access is denied.”


Reason: Tracking Log Explorer is run by EXTra.exe, which doesn’t use remote PowerShell, so your permissions are based on your AD login permissions, not RBAC.

Solutions:

    1. Add the users to the “Exchange View-Only Administrators” (2007) or “Public Folder Management” (2010 Green Field) AD Group to be able to use the GUI.
    2. Use Exchange PowerShell or ECP to pull the tracking logs.
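
One way to confirm the diagnosis and apply solution 2 from the Exchange Management Shell, run as the affected user (an added example, not part of the original post). The server name, sender address and 24-hour window are placeholder assumptions.

```powershell
# Added example: run in the Exchange Management Shell as the affected user.
# $Server, $Sender and the time window are constructed placeholders.
$Server = 'EXCH01'
$Sender = 'user@example.com'
$Start  = (Get-Date).AddHours(-24)

# RBAC side: a remote PowerShell session only exposes cmdlets the user's roles grant.
$rbacOk = [bool](Get-Command Get-MessageTrackingLog -ErrorAction SilentlyContinue)

# AD side: groups in the Windows logon token, which is what EXTra.exe relies on.
$wanted = 'Exchange View-Only Administrators', 'Public Folder Management'
$tokenGroups = foreach ($sid in [Security.Principal.WindowsIdentity]::GetCurrent().Groups) {
    # Some SIDs cannot be resolved to a name; skip those.
    try { $sid.Translate([Security.Principal.NTAccount]).Value } catch { }
}
$adHits = $tokenGroups | Where-Object { $wanted -contains ($_ -split '\\')[-1] }

"RBAC exposes Get-MessageTrackingLog : $rbacOk"
"AD groups from the page in token    : $(if ($adHits) { $adHits -join ', ' } else { 'none' })"

# Workaround from solution 2: pull the tracking log through RBAC instead of EXTra.exe.
if ($rbacOk) {
    Get-MessageTrackingLog -Server $Server -Sender $Sender -Start $Start -ResultSize Unlimited |
        Select-Object Timestamp, EventId, Source, Sender,
            @{ n = 'Recipients'; e = { $_.Recipients -join ';' } }, MessageSubject |
        Sort-Object Timestamp |
        Export-Csv -Path .\tracking.csv -NoTypeInformation
}
```

A result of `True` on the first line and `none` on the second matches the situation described above: the cmdlet works through RBAC while the GUI tool is refused.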

Thanks to Andrew and Ron for figuring this out!

Note: Walkthrough on setting up ECP\ EMS Message tracking access
