First, check which account runs the ScanMail Master Service. It is shown on the 'Log On' tab of the "ScanMail for Exchange Master Service" properties.

Verify/Add the ApplicationImpersonation Role

If the ApplicationImpersonation role is missing, you will see these entries in ScanMail_Master.log (Debug Mode):

[DEBUG] user UserName doesn't have this role ApplicationImpersonation
[DEBUG] [DEBUG] CheckDomainUserPrivilege Result: Not Pass

If the ApplicationImpersonation role is present, you should see the following in ScanMail_Master.log (Debug Mode):

[DEBUG] user UserName have this role ApplicationImpersonation
[DEBUG] [DEBUG] CheckDomainUserPrivilege Result: Pass

  1. Open the Exchange Management Shell. Use the following command to list the groups and accounts that have the ApplicationImpersonation role:

    Get-ManagementRoleAssignment -Role "ApplicationImpersonation"

  2. You should see the account used to run the ScanMail Master Service. If not, run the following command to add it:

    New-ManagementRoleAssignment -Name:SmexImpersonation -Role:ApplicationImpersonation -User:UserName

  3. After running the command, you need to restart the "ScanMail for Exchange Master Service".

You should also confirm whether the "Exchange Servers" group has the ApplicationImpersonation privilege:

  1. Run the following cmdlet and check for the "Exchange Servers" group in the results:

    Get-ManagementRoleAssignment -Role "ApplicationImpersonation" -GetEffectiveUsers

  2. If there are none, run the following cmdlet to add ApplicationImpersonation to "Exchange Servers":

    New-ManagementRoleAssignment -Role ApplicationImpersonation -SecurityGroup "Exchange Servers" -name "SmexImpersonate1"

Verify/Add the Organization Management Role

  1. Open the Exchange Management Shell and run the following command:

    Get-RoleGroupMember "Organization Management"

  2. You should see the account listed. If not, run the following command to add it:

    Add-RoleGroupMember "Organization Management" -Member UserName

  3. After running the command, you need to restart the "ScanMail for Exchange Master Service".

This may also be done via the Exchange Administration Center:

  1. Navigate to Permissions > Admin Roles.
  2. In the Members section, click Add.
  3. Select the user, click Add, and click OK.
  4. Click Save to save the changes to the role group.
  5. After adding the role you need to restart the "ScanMail for Exchange Master Service".

Verify SQL dbcreator Role

  1. Open SQL Mgmt Studio.
  2. Connect to the SMEX SQL server > Security > logins.
  3. Verify that the account has access to Database and that the dbcreator role is selected.

Verify Local Admin Rights on Exchange Server

If you have access to log on to the Exchange server, from a command line run the following:

net localgroup administrators

Verify Domain Admin Rights (if required)

If required, Domain Admin rights can be checked from a Domain Controller cmd prompt using the following command:

net group "Domain Admins"

Check Connection to the Exchange Database:

SMEX retrieves the mailbox database by running the following cmdlet. Run it from the Exchange Management Shell to check the connection:

Get-MailboxDatabase -Server EXServer01

If all of the above is in place and you are still unable to connect, please verify that the mailbox database exists on the Exchange Server.
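
The Exchange-side and local checks above can be collected into one read-only report. This is an added example, not Trend Micro code. It assumes the Exchange Management Shell with PowerShell 3.0 or later, run on the Exchange server, and reuses the article's placeholders `UserName` and `EXServer01`. The SQL dbcreator and Domain Admins checks are not covered.

```powershell
# Added example (not vendor code): read-only audit, no changes are made.
# Assumes Exchange Management Shell with PowerShell 3.0 or later, run on the Exchange server.
$Account = 'UserName'      # placeholder used in the article: the service account
$Server  = 'EXServer01'    # placeholder used in the article: the Exchange server
$report  = [ordered]@{}

# 'Log On' tab: the account the service actually runs as (compare with $Account)
$svc = Get-CimInstance Win32_Service -Filter "DisplayName='ScanMail for Exchange Master Service'"
$report['Service logon account'] = if ($svc) { $svc.StartName } else { 'service not found' }

# ApplicationImpersonation for the account, direct or inherited through a group
$imp = Get-ManagementRoleAssignment -Role 'ApplicationImpersonation' -RoleAssignee $Account -ErrorAction SilentlyContinue
$report['ApplicationImpersonation (account)'] = [bool]$imp

# ApplicationImpersonation assigned to the "Exchange Servers" group
$grp = Get-ManagementRoleAssignment -Role 'ApplicationImpersonation' |
    Where-Object { $_.RoleAssigneeName -eq 'Exchange Servers' }
$report['ApplicationImpersonation (Exchange Servers)'] = [bool]$grp

# Organization Management: direct members only, nested groups are not expanded
$om = Get-RoleGroupMember 'Organization Management' |
    Where-Object { $_.Name -eq $Account -or $_.SamAccountName -eq $Account }
$report['Organization Management member'] = [bool]$om

# Local Administrators: same data as "net localgroup administrators", direct entries only
$pattern = '(^|\\)' + [regex]::Escape($Account) + '\s*$'
$report['Local Administrators member'] = [bool]((net localgroup administrators) -match $pattern)

# Mailbox databases visible on the server (empty means none were returned)
$dbs = Get-MailboxDatabase -Server $Server -ErrorAction SilentlyContinue
$report['Mailbox databases'] = ($dbs | ForEach-Object { $_.Name }) -join ', '

$report
```

A `False` for a group-membership line can still mean the right is held through a nested group, so confirm with the individual commands above before adding an assignment.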