- When you try to start the Exchange Management Shell (EMS), you receive an error message that resembles the following: VERBOSE: Connecting to Cas1.Fabrikam.com.
New-PSSession : [cas1.fabrikam.com] Connecting to remote server cas1.fabrikam.com failed with the following error
message : [Server=CAS1,RequestId=1694d4e1-3f45-4ff3-bfca-7ded20aaa838,TimeStamp=10/4/2013 2:15:34 PM] Access is
For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ New-PSSession -ConnectionURI "$connectionUri" -ConfigurationName Microsoft.Excha ...
+ CategoryInfo : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotin
+ FullyQualifiedErrorId : -2144108477,PSSessionOpenFailed
- When you try to log on to Exchange Admin Center (EAC) or Exchange Control Panel (ECP), you receive an error message that resembles the following:
Additionally, the following event is logged in the Application log:Log Name: Application
Source: MSExchange Control Panel
Event ID: 4
Task Category: General
Current user: 'FAB\CAS1$'
Request for URL 'https://mbx1.fabrikam.com:444/ecp/default.aspx(https://cas1.fabrikam.com/ecp/)' failed with the following error:
Microsoft.Exchange.Configuration.Authorization.CmdletAccessDeniedException: The user "Fabrikam.com/Computers/CAS1" isn't assigned to any management roles.
- When users try to log on to Outlook Web App (OWA) or Outlook on the Web, they receive an error message that resembles the following:
Note Typically, this issue occurs if a computer object is added to a group that is denied the ms-Exch-EPI-Token-Serialization user right. By default, the following groups are denied the ms-Exch-EPI-Token-Serialization user right:
- Domain Admins
- Schema Admins
- Enterprise Admins
- Organization Management
Note To resolve this issue, you may have to restart the computer that has the Exchange Server role assigned.
In this example, the computer that is running Exchange Server 2013 has the following default group memberships:
In the following example, the computer was added to the "Exchange Trusted Subsystem" group. The "Exchange Trusted Subsystem" group was then added to the "Domain Admins" group:
To view all the users and groups that are denied permissions on the Exchange computer object, run the following cmdlet: