Exchange 2016. Set-MailboxAutoReplyConfiguration. Access to the registry key is denied.

Andrejs Sobolevs 86 Reputation points
2020-12-17T17:08:12.787+00:00

Hi All,

Please assist with setting proper permissions for a Service Account.

I have got a task from the business to create a scheduled task on Exchange Server 2016. Action - setting an Automatic Reply on a mailbox.
I have prepared a script for that, but when I run the script under the service account in PowerShell (to test whether there are any errors, since Task Scheduler does not show errors), I get this error:

    PS C:\Users\aaa> C:\_Scripts\AutoReplyState.ps1
    WARNING: An unexpected error has occurred and a Watson dump is being generated: Access to the registry key 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AssistantsQuarantine\1c33ea3f-ed68-4671-95d5-f29d599e2e51\powershell_ise\PoisonControl\PoisonControlComposite' is denied.

    WARNING: Task module "ReportExceptionModule.ReportException" fails with exception "Access to the path 'C:\ExchangeSetupLogs\ExchangeSetupWatson.log' is denied.". This module is skipped. Task execution result should not be affected.

    Set-MailboxAutoReplyConfiguration : Access to the registry key 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AssistantsQuarantine\1c33ea3f-ed68-4671-95d5-f29d599e2e51\powershell_ise\PoisonControl\PoisonControlComposite' is denied.
    At C:\_Scripts\AutoReplyState.ps1:18 char:1
    + Set-MailboxAutoReplyConfiguration -identity XXX -AutoReplyState ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo : NotSpecified: (:) [Set-MailboxAutoReplyConfiguration], UnauthorizedAccessException
        + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.Exchange.Management.StoreTasks.SetMailboxAutoReplyConfiguration

My script does:
Set-MailboxAutoReplyConfiguration -identity XXX -AutoReplyState Scheduled -StartTime "$month/20/$year 12:00 AM" -EndTime "$month/$LastDayOfMonth/$year 12:00 PM" -InternalMessage $text -ExternalMessage $text;

This is something to do with missing permissions.

When I run the same script under an Exchange Admin account, it works fine. Please assist: which permissions should I grant to the service account so that it can successfully run the PowerShell command:
Set-MailboxAutoReplyConfiguration


Accepted answer
  1. Andy David - MVP 142.5K Reputation points MVP
    2020-12-17T17:49:34.98+00:00

    You can find the role needed:

    https://learn.microsoft.com/en-us/powershell/exchange/find-exchange-cmdlet-permissions?view=exchange-ps

    $Perms = Get-ManagementRole -Cmdlet Set-MailboxAutoReplyConfiguration  
    

    Name            RoleType
    ----            --------
    Mail Recipients MailRecipients
    MyBaseOptions   MyBaseOptions
    User Options    UserOptions

    $Perms | foreach {Get-ManagementRoleAssignment -Role $_.Name -Delegating $false | Format-Table -Auto Role,RoleAssigneeType,RoleAssigneeName}  
    

    Role            RoleAssigneeType RoleAssigneeName
    ----            ---------------- ----------------
    Mail Recipients RoleGroup        Organization Management
    Mail Recipients RoleGroup        Recipient Management

    Role          RoleAssigneeType     RoleAssigneeName
    ----          ----------------     ----------------
    MyBaseOptions RoleAssignmentPolicy Default Role Assignment Policy

    Role         RoleAssigneeType RoleAssigneeName
    ----         ---------------- ----------------
    User Options RoleGroup        Organization Management
    User Options RoleGroup        Help Desk

    The easiest thing is to add that service account to the User Options Role Group or the Mail Recipients Role Group.

    Otherwise, create a new custom role for just that command (Set-MailboxAutoReplyConfiguration), removing the others, and assign it to the Service Account.

    https://practical365.com/exchange-server/exchange-server-role-based-access-control-in-action/#:~:text=The%20more%20sensible%20approach%20is,create%20a%20new%20role%20group.

    1 person found this answer helpful.
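
The custom-role option from the accepted answer, sketched as an added example (not code from the thread or from Microsoft documentation): a child of the Mail Recipients role is stripped down to the auto-reply cmdlets and assigned to the service account with a write scope limited to one mailbox. The role name, scope name and the `Alias` filter are assumptions; `svc` and `XXX` are the placeholders used in the thread.

```powershell
# Added example: run in the Exchange Management Shell with rights to manage RBAC roles.
# All names below are hypothetical placeholders; adjust them to your environment.
$roleName    = 'AutoReply Only'        # hypothetical custom role name
$scopeName   = 'AutoReply Target'      # hypothetical management scope name
$svcAccount  = 'svc'                   # service account, as named in the thread
$targetAlias = 'XXX'                   # assumes XXX is the mailbox alias

# 1. Create a child role. It starts with every entry of its parent (Mail Recipients).
New-ManagementRole -Name $roleName -Parent 'Mail Recipients'

# 2. Remove every entry except the cmdlets the scheduled task needs.
#    Get-MailboxAutoReplyConfiguration is kept only so the task can verify its change.
$keep = 'Set-MailboxAutoReplyConfiguration', 'Get-MailboxAutoReplyConfiguration'
Get-ManagementRoleEntry "$roleName\*" |
    Where-Object { $keep -notcontains $_.Name } |
    ForEach-Object {
        Remove-ManagementRoleEntry -Identity "$roleName\$($_.Name)" -Confirm:$false
    }

# 3. Limit where the role can write: only the one mailbox the task touches.
New-ManagementScope -Name $scopeName `
    -RecipientRestrictionFilter "Alias -eq '$targetAlias'"

# 4. Assign the role directly to the service account, bound to that scope.
New-ManagementRoleAssignment -Name "$roleName - $svcAccount" `
    -Role $roleName `
    -User $svcAccount `
    -CustomRecipientWriteScope $scopeName

# 5. Review the result: the role should list two entries, and the account
#    should hold this assignment and nothing broader than intended.
Get-ManagementRoleEntry "$roleName\*" | Format-Table -Auto Name, Role
Get-ManagementRoleAssignment -RoleAssignee $svcAccount -Delegating $false |
    Format-Table -Auto Role, RoleAssigneeName, RoleAssigneeType, CustomRecipientWriteScope
```

This covers RBAC permissions only; it does not change file system or registry ACLs on the server.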

1 additional answer

  1. Andrejs Sobolevs 86 Reputation points
    2020-12-21T13:53:25.7+00:00

    Hi,

    I have got this result:

    [PS] C:\WINDOWS\system32>$Perms = Get-ManagementRole -Cmdlet Set-MailboxAutoReplyConfiguration  
    [PS] C:\WINDOWS\system32>$perms  
      
    Name            RoleType  
    ----            --------  
    User Options    UserOptions  
    MyBaseOptions   MyBaseOptions  
    Mail Recipients MailRecipients  
      
      
    [PS] C:\WINDOWS\system32>$Perms | foreach {Get-ManagementRoleAssignment -Role $_.Name -Delegating $false | Format-Table  
    -Auto Role,RoleAssigneeType,RoleAssigneeName}  
      
    Role         RoleAssigneeType RoleAssigneeName  
    ----         ---------------- ----------------  
    User Options        RoleGroup Help Desk  
    User Options        RoleGroup Organization Management  
      
      
    Role              RoleAssigneeType RoleAssigneeName  
    ----              ---------------- ----------------  
    MyBaseOptions RoleAssignmentPolicy Default Role Assignment Policy  
      
      
    Role            RoleAssigneeType RoleAssigneeName  
    ----            ---------------- ----------------  
    Mail Recipients        RoleGroup Organization Management  
    Mail Recipients        RoleGroup Recipient Management  
    Mail Recipients        RoleGroup BackupExecRoles  
    

    What I did next: I opened ECP and added my SVC account to 2 Role Groups:

    1. Help Desk;
    2. Recipient Management.

    From the Exchange Management Shell, I ran the command:

    [PS] C:\WINDOWS\system32>Get-ManagementRoleAssignment -RoleAssignee "svc" -Delegating $false | Format-Table -Auto Role,RoleAssigneeName,RoleAssigneeType  
      
    Role                        RoleAssigneeName     RoleAssigneeType  
    ----                        ----------------     ----------------  
    Mail Enabled Public Folders Recipient Management        RoleGroup  
    Move Mailboxes              Recipient Management        RoleGroup  
    Mail Recipient Creation     Recipient Management        RoleGroup  
    Recipient Policies          Recipient Management        RoleGroup  
    Migration                   Recipient Management        RoleGroup  
    Message Tracking            Recipient Management        RoleGroup  
    Mail Recipients             Recipient Management        RoleGroup  
    Distribution Groups         Recipient Management        RoleGroup  
    Team Mailboxes              Recipient Management        RoleGroup  
    View-Only Recipients        Help Desk                   RoleGroup  
    User Options                Help Desk                   RoleGroup  
    

    And I am still unable to execute the script with that SVC account, and I am getting the same:

    PS C:\_Scripts> .\AutoReplyState.ps1  
    Set-MailboxAutoReplyConfiguration : Cannot open mailbox /o=COMPANYNAME/ou=Exchange Administrative Group  
    (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=YYY/cn=Microsoft System Attendant.  
    At C:\_Scripts\AutoReplyState.ps1:26 char:1  
    + Set-MailboxAutoReplyConfiguration -identity XXX -AutoReplyState  ...  
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
        + CategoryInfo          : NotSpecified: (:) [Set-MailboxAutoReplyConfiguration], ConnectionFailedTransientExceptio  
       n  
        + FullyQualifiedErrorId : [Server=YYY,RequestId=b2c7102f-e7e9-41b5-8094-764aeab6d446,TimeStamp=12/21/2020 1:36:  
       48 PM] [FailureCategory=Cmdlet-ConnectionFailedTransientException] 3FCFF55A,Microsoft.Exchange.Management.StoreTas  
      ks.SetMailboxAutoReplyConfiguration  
    

    Please kindly assist: what did I do wrong?
    Should I assign a mailbox to the SVC account to accomplish the task?