What personal retention tag is applied to folders

  • Question

  • I am trying to use the code below to view the retention tags applied to folders in a given user's mailbox:

    http://blogs.msdn.com/b/akashb/archive/2013/06/14/generating-a-report-which-folders-have-a-personal-tag-applied-to-it-using-ews-managed-api-from-powershell-exchange-2010.aspx

    My environment:

    2 x Exchange 2010 SP3 RU8v2 servers with CA, MB and HT roles. They are in a DAG.

    1 x KEMP VLM-200 load balancer.

    I downloaded and installed the EWS managed API:

    http://www.microsoft.com/en-us/download/confirmation.aspx?id=35371

    And I have seen what seems like every imaginable error message:

    - The response received from the service didn't contain valid XML.

    --> So I changed DNS so the URI in the script would connect directly to one of the two Exchange servers - and not the KEMP. Other solutions did not seem to work. This is a test env so I can "mess" with DNS.

    - The request failed. The remote server returned an error: (403) Forbidden.

    --> I think I solved this by adding https to the URI (the s in https was missing).

    - The request failed. The remote server returned an error: (401) Unauthorized.

    --> Not sure what I did here anymore (this has been taking me literally hours). But this error was replaced with the following:

    - The account does not have permission to impersonate the requested user.

    --> I was able to apparently solve this by granting a brand new user (not member of any admin groups with Deny permissions) the permissions described in this article:

    https://msdn.microsoft.com/en-us/library/bb204095%28v=exchg.80%29.aspx

    Even though that is for Exchange 2007 and I have 2010.

    That seemed to work because that error message no longer appears but... now this one appears again:

    - The request failed. The remote server returned an error: (401) Unauthorized.

    I've tried after granting the new user full permissions to the mailbox in question and without those permissions.

    ----------------------------------------------

    ----------------------------------------------

    So in the end, I'm going in circles and I don't know how to make this work.

    How can I see WHY the user is not authorized?

    Does the user have to be a member of specific groups? I intentionally did NOT add them to any admin type groups because of what was stated in the MSDN article on impersonation (some admin groups have DENY permissions on user mailboxes).


    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.


    Monday, February 16, 2015 4:10 AM

Answers

  • Yes, that should work and you should not have to add any sort of permissions. Some things to try would be:

    1. Try a new service account. The changing of default permissions back and forth may have left something undesirable behind blocking access. Only add the impersonation role via the Powershell command.
    2. Download EWSEditor
    Monday, February 23, 2015 3:36 PM
    Moderator

All replies

  • These are the only lines of the code I have edited:

    # Set the Credentials (user name, password, domain)
    $service.Credentials = new-object Microsoft.Exchange.WebServices.Data.WebCredentials("newuser1","Passwordabc123","mydomain.lan")

    # Change the URL to point to your cas server (the URL must be a quoted string)
    $service.Url = new-object Uri("https://mail.mydomain.net/EWS/Exchange.asmx")

    I have also tried:

    $service.Credentials = new-object Microsoft.Exchange.WebServices.Data.WebCredentials("newuser1@mydomain.lan","Passwordabc123")

    Yes, I have mydomain.lan (original domain name) and mydomain.net (for email).

    For better or worse, newuser1 is only a member of domain users (but currently has full access permissions to target mailbox).


    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.

    Monday, February 16, 2015 4:35 AM
  • Here's the 2010 version of the permissions article: https://msdn.microsoft.com/en-us/library/bb204095(v=exchg.140).aspx. You need to create the management role and assign it to your service account.


    Monday, February 16, 2015 3:19 PM
    Moderator
  • Thanks, but when I attempt to open the page, this message is displayed:

    Server Error in '/' Application.

    Runtime Error

    Description: An exception occurred while processing your request. Additionally, another exception occurred while executing the custom error page for the first exception. The request has been terminated.

    ----

    -----

    Tried both at home and at work, two different browsers, two different days.

    ???


    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.

    Tuesday, February 17, 2015 7:09 PM
  • Gah. Silly editor included the ending '.'. I've edited the previous answer to fix the link.
    Tuesday, February 17, 2015 7:44 PM
    Moderator
  • Thanks. I'll take a look at that this weekend. Will let you know how it works.

    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.

    Thursday, February 19, 2015 2:13 AM
  • New-ManagementRoleAssignment -Name View_Retention_Tag -Role:ApplicationImpersonation -User:abc

    I entered that command, granting the Application Impersonation role to user "abc".

    And I'm still getting the same "(401) Unauthorized " error.

    So what do I need to do to make this work?

    Shouldn't "abc" now be able to access users' mailboxes to list the retention tag assignments per folder, using the script referenced in my first post?


    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.


    Monday, February 23, 2015 2:43 AM
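The role assignment above grants "abc" the right to impersonate every mailbox in the organization. As an added example (not from this thread or from the linked article), the Exchange Management Shell commands below grant ApplicationImpersonation to a plain Domain Users service account but restrict it to a management scope, then show how to verify what was actually granted. The account name, scope name and filter are assumptions to adapt to your own environment.

```powershell
# Added example: least-privilege ApplicationImpersonation for an EWS reporting account.
# Run in the Exchange Management Shell (Exchange 2010) as an Organization Management member.
# $ServiceAccount, $ScopeName and the recipient filter are illustrative placeholders.

$ServiceAccount = 'mydomain\svc-retention-report'   # member of Domain Users only, no admin groups
$ScopeName      = 'RetentionReportScope'
$AssignmentName = 'View_Retention_Tag'

# 1. Define a recipient scope so the account can impersonate only user mailboxes
#    (narrow the filter further, e.g. by OU or department, if the report covers fewer people).
if (-not (Get-ManagementScope -Identity $ScopeName -ErrorAction SilentlyContinue)) {
    New-ManagementScope -Name $ScopeName `
        -RecipientRestrictionFilter "RecipientTypeDetails -eq 'UserMailbox'"
}

# 2. Assign the role, bound to that scope instead of the default organization-wide scope.
New-ManagementRoleAssignment -Name $AssignmentName `
    -Role ApplicationImpersonation `
    -User $ServiceAccount `
    -CustomRecipientWriteScope $ScopeName

# 3. Verify the assignment exists, is enabled, and carries the scope you expect.
Get-ManagementRoleAssignment -RoleAssignee $ServiceAccount -Role ApplicationImpersonation |
    Format-Table Name, Role, RoleAssigneeName, CustomRecipientWriteScope, Enabled -AutoSize

# 4. Confirm the EWS virtual directory accepts the authentication the script will use.
#    A 401 before any EWS error is an IIS authentication failure, not an RBAC one.
Get-WebServicesVirtualDirectory |
    Format-Table Server, InternalUrl, WindowsAuthentication, BasicAuthentication -AutoSize
```

To answer the "WHY is the user not authorized" question, the IIS log on the Client Access server (sc-status 401 with its sc-substatus, e.g. 401.1 for a logon failure versus 401.2 for an authentication-configuration problem) distinguishes a credential or domain-format problem from a missing role; only when EWS itself replies does the error become "does not have permission to impersonate".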
  • Just a note, I've tried with user "abc" having Full Permissions to the target mailbox... and without.

    Not sure what to do next?


    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.

    Monday, February 23, 2015 2:51 AM
  • OK, I tried with a new account (removed the previous role assignment, so this is all brand new).

    Same error. I just don't understand.

    I will try the EWS Editor.


    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.

    Monday, March 2, 2015 1:07 AM
  • OK, I entered the appropriate information as shown above and I opted to show the MsgFolderRoot.

    There were no error messages.

    I am able to browse in what are apparently the folders of the target mailbox.

    I can click on any folder in left pane (and view properties in right pane) except for the "Spooler Queue" and "System" folders. The "search folder" is not initialized for the first and there is an "Access Denied" for the System Folder.

    All the other folders are fine. Yes, I tried each one.

    ???


    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.

    Monday, March 2, 2015 1:45 AM
  • OK, I was able to make the script run. I had to adjust the credentials so the format matched what I had in the EWS Editor:

    ("newuser1","Passwordabc123","mydomain")

    Thank you for your assistance, Jason.


    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.


    Monday, March 2, 2015 2:12 AM
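The resolution came down to the credential format: (user, password, NetBIOS domain) matched what EWSEditor used. As an added example that is neither the linked blog's script nor the poster's edited copy, the PowerShell below connects to EWS with impersonation, reads the PR_POLICY_TAG extended property (0x3019, the binary GUID of a folder's retention tag) from every folder under MsgFolderRoot, and separates the two failure modes seen in this thread: a transport-level 401 from IIS and an EWS-level impersonation denial. The EWS Managed API 2.0 install path, mailbox address and EWS URL are assumptions.

```powershell
# Added example: list the retention tag (RetentionId) applied to each folder of one mailbox.
# Assumes EWS Managed API 2.0 at its default path and a service account that holds the
# ApplicationImpersonation role. Host name and mailbox are placeholders.

Add-Type -Path "C:\Program Files\Microsoft\Exchange\Web Services\2.0\Microsoft.Exchange.WebServices.dll"

$TargetMailbox = 'alice@mydomain.net'
$EwsUrl        = 'https://mail.mydomain.net/EWS/Exchange.asmx'

$service = New-Object Microsoft.Exchange.WebServices.Data.ExchangeService(
    [Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2010_SP2)

# Prompt for DOMAIN\user so the password never sits in the script or the shell history.
# GetNetworkCredential() splits "mydomain\newuser1" into Domain and UserName, which is the
# same (user, password, NetBIOS domain) form that worked in the thread.
$cred = Get-Credential -Message 'EWS service account (DOMAIN\user)'
$service.Credentials = New-Object Microsoft.Exchange.WebServices.Data.WebCredentials(
    $cred.GetNetworkCredential())
$service.Url = New-Object Uri($EwsUrl)

# Act on behalf of the target mailbox; this is what the role assignment authorizes.
$service.ImpersonatedUserId = New-Object Microsoft.Exchange.WebServices.Data.ImpersonatedUserId(
    [Microsoft.Exchange.WebServices.Data.ConnectingIdType]::SmtpAddress, $TargetMailbox)

# PR_POLICY_TAG: MAPI property 0x3019, binary, holding the retention tag's GUID.
$PidTagPolicyTag = New-Object Microsoft.Exchange.WebServices.Data.ExtendedPropertyDefinition(
    0x3019, [Microsoft.Exchange.WebServices.Data.MapiPropertyType]::Binary)

$propSet = New-Object Microsoft.Exchange.WebServices.Data.PropertySet(
    [Microsoft.Exchange.WebServices.Data.BasePropertySet]::FirstClassProperties)
$propSet.Add($PidTagPolicyTag)

$view = New-Object Microsoft.Exchange.WebServices.Data.FolderView(1000)
$view.Traversal   = [Microsoft.Exchange.WebServices.Data.FolderTraversal]::Deep
$view.PropertySet = $propSet

try {
    $root    = [Microsoft.Exchange.WebServices.Data.Folder]::Bind($service,
        [Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::MsgFolderRoot)
    $folders = $service.FindFolders($root.Id, $view)
}
catch [Microsoft.Exchange.WebServices.Data.ServiceRequestException] {
    # "(401) Unauthorized" lands here: IIS rejected the credentials before EWS ran
    # (wrong user/domain form, locked account, or Windows auth disabled on the EWS vdir).
    Write-Error "Transport-level failure, check the CAS IIS log for the 401 substatus: $($_.Exception.Message)"
    return
}
catch [Microsoft.Exchange.WebServices.Data.ServiceResponseException] {
    # EWS answered but refused, e.g. ErrorImpersonateUserDenied when the role is missing
    # or its scope excludes this mailbox.
    Write-Error "EWS error $($_.Exception.ErrorCode): $($_.Exception.Message)"
    return
}

foreach ($f in $folders) {
    $raw = $null
    $retentionId = '(inherited / none)'
    if ($f.TryGetProperty($PidTagPolicyTag, [ref]$raw)) {
        # The 16 bytes are the RetentionId; match it against Get-RetentionPolicyTag.
        $retentionId = (New-Object System.Guid -ArgumentList (,[byte[]]$raw)).ToString()
    }
    [pscustomobject]@{ Folder = $f.DisplayName; RetentionId = $retentionId }
}
```

The GUIDs printed can be resolved to tag names in the Exchange Management Shell with `Get-RetentionPolicyTag | Select-Object Name, RetentionId`; a folder with no PR_POLICY_TAG has no personal tag applied explicitly and follows whatever the mailbox's policy gives it.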