Exchange 2010 RBAC Errors

Update: This turned out to be a Nagios-related PowerShell script running against Exchange that was being launched by a service running as LocalSystem, which didn’t have permissions to perform various tasks within Exchange. As soon as we stopped running the script the errors went away. Still no idea why the errors were popping up on servers in the Org that weren’t referenced by the task, but that’s Exchange for you.

Right, I’m throwing this out on the tiny off-chance that anyone has come across it and knows of a solution, because so far, Microsoft support haven’t and don’t.

Frequent entries in the Application logs of all Exchange 2010 Servers as follows:

(Process w3wp.exe, PID <PID>) “RBAC authorization returns Access Denied for user <Mailbox Server Computer Account>. Reason: No role assignments associated with the specified user were found on Domain Controller <Domain Controller FQDN>”

Several things.

1) Everything in <> has obviously been changed by me to remove details of my internal infrastructure, the actual errors contain real PID, account and server values. In all cases, the computer account is that of the Mailbox server, even though the error shows up on Mailbox, CAS and UM servers.

2) This is not, I repeat, not the same issue as you’ll find all over Google with a very similar error message that features a user account rather than a computer account. That one is usually caused by people not setting up permissions for their administrators properly in the ECP or broken permissions inheritance on accounts.

3) This error has survived a complete rebuild (OS and Exchange) of the Mailbox server, a re-running of the domain/forest prep tools and a couple of weeks’ examination by Microsoft Support. We’re currently looking at rebuilding all the other 2010 servers to see if it survives that too.

Any suggestions will be gratefully accepted.
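As an added illustration (not code from the original post, and not part of Exchange), here is a small Python parser for Application-log messages of the shape quoted above. It pulls out the process, PID, denied account and domain controller, and flags whether the denied principal is a computer account (trailing `$`, the case in this post) or a user account (the unrelated case from point 2), then counts events per account and DC so the pattern across servers is visible at a glance. The sample messages are constructed; the domain, server and DC names are placeholders.

```python
import re
from collections import Counter

# Constructed sample Application-log messages in the shape quoted in the post.
# PIDs, account names and DC names are made up placeholders.
SAMPLE_EVENTS = [
    '(Process w3wp.exe, PID 4412) "RBAC authorization returns Access Denied for user '
    'CONTOSO\\MBX01$. Reason: No role assignments associated with the specified user '
    'were found on Domain Controller dc01.contoso.local"',
    '(Process w3wp.exe, PID 4412) "RBAC authorization returns Access Denied for user '
    'CONTOSO\\MBX01$. Reason: No role assignments associated with the specified user '
    'were found on Domain Controller dc02.contoso.local"',
    '(Process w3wp.exe, PID 7720) "RBAC authorization returns Access Denied for user '
    'CONTOSO\\jsmith. Reason: No role assignments associated with the specified user '
    'were found on Domain Controller dc01.contoso.local"',
]

EVENT_RE = re.compile(
    r'\(Process (?P<process>\S+), PID (?P<pid>\d+)\) '
    r'"RBAC authorization returns Access Denied for user (?P<user>.+?)\. '
    r'Reason: .*?Domain Controller (?P<dc>[^"\s]+)"'
)


def parse_event(message):
    """Return process, pid, user, dc and account kind for one message, or None."""
    m = EVENT_RE.search(message)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    # AD computer accounts end in '$'; a plain name is the user-account variant.
    rec["kind"] = "computer" if rec["user"].endswith("$") else "user"
    return rec


def summarise(messages):
    """Count Access Denied events per (account, account kind, domain controller)."""
    counts = Counter()
    for msg in messages:
        rec = parse_event(msg)
        if rec is not None:
            counts[(rec["user"], rec["kind"], rec["dc"])] += 1
    return counts


if __name__ == "__main__":
    for (user, kind, dc), n in sorted(summarise(SAMPLE_EVENTS).items()):
        print(f"{n:3d}  {kind:8s} {user:20s} via {dc}")
```

A computer account showing up here points at something running under a machine or LocalSystem identity (a monitoring script or scheduled task, as in the update above) rather than at a missing admin role assignment.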

3 Replies to “Exchange 2010 RBAC Errors”

  1. Did you get anywhere with this one? We are seeing the same issue for the most part. Error logs on the CAS server using the machine name of the Database Server. Happening once per hour.

    1. Yes, it turned out to be a PowerShell script running against Exchange that was being launched by a service running as LocalSystem. As soon as we stopped running the script the errors went away, but we haven’t had time to test yet to see if it would work if the service was running as an account with rights on the Exchange Org.

      Still no idea why it was popping up on all the servers in the Org, but that’s Exchange for you 🙂

  2. I just added my Exchange 2010/SBS 2011 server to the Organization Management group in the Exchange Security Groups container in AD, which resolved the error.
