POLL: POWERSHELL VS. GUI - DO YOU WANT TO BE A DEVOP OR AN ADMIN?

Troubleshooting Exchange eDiscovery: Errors due to lack of Full Access permission

In my last article, I discussed what to do when you receive errors about exceeding the maximum number of corrupted or bad items. In this article, I want to share how to work through error messages moving messages from or to mailboxes where you do not have the Full Access permission.

In my experience, gathering eDiscovery is not something I do every day. I’m guessing that for most of you, this is also true. The first time I had to do this I was still trying to figure out the correct syntax on the Get-Mailbox, Restore-Mailbox, and Export-Mailbox cmdlets to yield the results that I wanted. That process was quickly hamstrung when I had to troubleshoot confusing error messages regarding the target folder. So what I’ve hoped to do with the eDiscovery series, as well as these troubleshooting articles, is remove some of the frustration by sharing what I’ve learned.

Exchange 2010

Before moving on, in Part 5 of the eDiscovery in Exchange series, I briefly discussed the new search features in Exchange 2010. It’s unlikely you will have a problem with the Full Access permission because the new search feature and pre-defined roles take care of permissions issues. Simply delegating the Discovery Management administrator role to a user gives them the access they need to perform the search. That is done using the Role Based Access Control (RBAC) tool in EMC.

Exchange 2007

One scenario I ran into when attempting to perform eDiscovery was what seemed like an error telling me there was a problem with the target mailboxes. What I eventually discovered was that, even though the message may say the words “target mailbox” or “target destination”, the problem results because of permissions problems on the source mailboxes.

When attempting to run the Export-Mailbox and do not have Full Access permission, you will see the following errors repeated for each mailbox:

Error at top of results list for Export-Mailbox

Error at end of results list for Export-Mailbox

This error indicates a problem with the source mailbox.

“Error occurred in the step: Moving messages. Failed to copy messages to the destination mailbox store with error:

MAPI or an unspecified service provider.

ID no: 00000000-0000-00000000, error code: -1056749164″

If you are using the Get-Mailbox cmdlet to get a group of mailboxes, you will see these errors once for every source mailbox for which the user account does not have proper access.

The solution for this is to simply give the account you’re using the Full Access permission to the mailboxes that you’ll be searching. This can be done per mailbox, organization unit, database, or any other group you get using EMS.

Let’s say you needed to add the Full Access permission to all the mailboxes in a single database. You would use the Get-Mailbox cmdlet piped to the Add-ADPermission cmdlet similar to the example below.

Get-Mailbox -Database “Ex2007MB\First Storage Group\Mailbox Database” | Add-AdPermission -User “YOURDOMAIN\Administrator” -AccessRights GenericAll

The Add-MailboxPermission cmdlet can also be used.

Get-Mailbox -Database “Ex2007MB\First Storage Group\Mailbox Database” | Add-MailboxPermission -User “YOURDOMAIN\Administrator” -AccessRights fullaccess

If you have a small number of mailboxes to manage, Exchange Management Console can also be used by right-clicking a mailbox and selecting Manage Full Access Permission.

Full Access Permission

Once you have successfully added the Full Access permission, the Export-Mailbox cmdlet will display a status message indicating the mailbox has been exported.

Successful Export