PowerShell – New-MailboxExportRequest error: isn't within your current write scopes

exchange powershell

I'm running a command to export the mailbox of a particular user based on some conditions.

The account I'm logged in with already has the Mailbox Import Export role.

Command:

New-MailboxExportRequest -Mailbox NSS -ContentFilter {(Sender -eq '@dd.com')} -FilePath \\E1\Export\NSS.pst

I successfully exported the mailbox for a number of users, but when I try to export it for this particular user, I get the following error:

'domain.local/domain/Users/SUsers/N SS' isn't within your current write scopes. Can't perform save operation.
    + CategoryInfo          : InvalidArgument: (NSS:MailboxOrMailUserIdParameter) [New-MailboxExportRequest], ADScopeException
    + FullyQualifiedErrorId : [Server=E2,RequestId=c68c16fd-523d-4989-b846-a5072a5ebae6,TimeStamp=11/30/2018 10:32:57 PM] [FailureCategory=Cmdlet-ADScopeException] E193E48B,Microsoft.Exchange.Management.RecipientTasks.NewMailboxExportRequest
    + PSComputerName        : e2.domain.local

Best Answer

The error indicates that the user that you are trying to use your export command from (your own admin account) does not have sufficient rights to do the operation, likely due to a Role-Based Access Control (RBAC) filter.

You should be able to see which RBAC groups have access to the object with the following command:

Get-ManagementRoleAssignment -WritableRecipient NSS -GetEffectiveUsers

Does your admin account show up on that list?

If you need an RBAC group with access rights to all types of mailboxes and Exchange-type groups, you should be able to give an RBAC group access with this:

Set-ManagementScope "ENTER THE RBAC GROUP" -RecipientRestrictionFilter {(RecipientType -eq 'usermailbox') -or (recipientType -eq 'user') -or (recipientType -eq 'mailuser') -or (recipienttype -eq 'mailcontact') -or (recipienttype -eq 'mailuniversaldistributiongroup') -or (recipienttype -eq 'mailuniversalsecuritygroup')}

If you are not the only administrator of this Exchange environment, you might want to check with your co-admins whether there is a reason that the access rights are set up that way or whether we are talking about a mistake.
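
Before widening any scope, it helps to see which Mailbox Import Export assignments reach the admin account and which of them actually cover the failing mailbox. The following is an added example, not part of the original answer; the function name `Test-RoleWriteScope` and the account name `admin01` are hypothetical, and it assumes `EffectiveUserName` matches the admin's account name as shown by `-GetEffectiveUsers`.

```powershell
# Added example: run in the Exchange Management Shell.
# 'admin01' is a placeholder; 'NSS' is the mailbox from the question.
function Test-RoleWriteScope {
    param(
        [Parameter(Mandatory)] [string] $Admin,
        [Parameter(Mandatory)] [string] $Target,
        [string] $Role = 'Mailbox Import Export'
    )

    # Every assignment of the role that reaches the admin, directly or via a group.
    $held = @(Get-ManagementRoleAssignment -Role $Role -GetEffectiveUsers |
        Where-Object { $_.EffectiveUserName -eq $Admin })

    # Names of the assignments whose recipient write scope contains the target.
    $covering = @(Get-ManagementRoleAssignment -Role $Role -WritableRecipient $Target -GetEffectiveUsers |
        Where-Object { $_.EffectiveUserName -eq $Admin } |
        ForEach-Object { $_.Name })

    foreach ($a in $held) {
        # Only custom (or exclusive) scopes have a management scope object to inspect.
        $scope = $null
        if ("$($a.RecipientWriteScope)" -in 'CustomRecipientScope', 'ExclusiveRecipientScope') {
            $scope = Get-ManagementScope -Identity $a.CustomRecipientWriteScope
        }

        [pscustomobject]@{
            Assignment   = $a.Name
            GrantedVia   = $a.RoleAssigneeName
            WriteScope   = $a.RecipientWriteScope
            CustomScope  = $a.CustomRecipientWriteScope
            ScopeRoot    = if ($scope) { $scope.RecipientRoot }   else { $null }
            ScopeFilter  = if ($scope) { $scope.RecipientFilter } else { $null }
            CoversTarget = $covering -contains $a.Name
        }
    }
}

Test-RoleWriteScope -Admin 'admin01' -Target 'NSS' | Format-List
```

If every row shows `CoversTarget : False`, compare `ScopeRoot` and `ScopeFilter` with the target's location and recipient type to see which restriction excludes it.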