Troubleshooting manual/scheduled scan permission issues in ScanMail for Exchange (SMEX)

    • Updated: 1 Aug 2019
    • Product/Version: ScanMail for Exchange 12.0, ScanMail for Exchange 12.5, ScanMail for Exchange 14.0
    • Platform: Windows 2012 Server Essentials, Windows 2012 Standard

Summary

If one or more of the required permissions are missing when you try to run a manual or scheduled scan, you may receive the following error message:

“Manual Scan was not successful. Check your domain user for proper permissions. This user should be assigned the ‘ApplicationImpersonation’ role in Exchange Server. Then you need to try again.”

When SMEX has a remote database using Windows authentication, the following permissions are required:

  • Domain User
  • Local Administrator
  • Domain Administrator (temporarily required if using EUQ on Exchange 2013 platform)
  • Exchange Organization Management Group
  • Exchange ApplicationImpersonation role
  • SQL server dbcreator role
Details
It is important to first check what account is being used to run the ScanMail Master Service in the ‘Log On’ tab of the "ScanMail for Exchange Master Service".

Verify/Add the ApplicationImpersonation Role

If the ApplicationImpersonation Role is missing, you will see these entries in the ScanMail_Master.log (Debug Mode):

[DEBUG] user UserName doesn't have this role ApplicationImpersonation
[DEBUG] [DEBUG] CheckDomainUserPrivilege Result: Not Pass

If the ApplicationImpersonation Role is present, you should see the following in the ScanMail_Master.log (Debug Mode):

[DEBUG] user UserName have this role ApplicationImpersonation
[DEBUG] [DEBUG] CheckDomainUserPrivilege Result: Pass

  1. Open the Exchange Management Shell. Use the following command to list the groups and accounts that have the Application Impersonation Role:

    Get-ManagementRoleAssignment -Role "ApplicationImpersonation"

  2. You should see the account used to run the ScanMail Master Service. If not, run the following command to add it:

    New-ManagementRoleAssignment -Name:SmexImpersonation -Role:ApplicationImpersonation -User:UserName

  3. After running the command you need to restart the "ScanMail for Exchange Master Service".

You should also confirm if the "Exchange Servers" group has the ApplicationImpersonation privilege:

  1. Run the following cmdlet and check for "Exchange Servers" group in the results:

    Get-ManagementRoleAssignment -Role "ApplicationImpersonation" -GetEffectiveUsers

  2. If there are none, run the following cmdlet to add ApplicationImpersonation to "Exchange Servers":

    New-ManagementRoleAssignment -Role ApplicationImpersonation -SecurityGroup "Exchange Servers" -name "SmexImpersonate1"

Verify/Add the Organization Management Role

  1. Open the Exchange Management Shell and run the following command:

    Get-RoleGroupMember "Organization Management"

  2. You should see the account listed. If not, run the following command to add it:

    Add-RoleGroupMember "Organization Management" -Member UserName

  3. After running the command, you need to restart the "ScanMail for Exchange Master Service".

This may also be done via the Exchange Administration Center:

  1. Navigate to Permissions > Admin Roles.
  2. In the Members section, click Add.
  3. Select the user, click Add, and click OK.
  4. Click Save to save the changes to the role group.
  5. After adding the role you need to restart the "ScanMail for Exchange Master Service".

Verify SQL dbcreator Role

  1. Open SQL Mgmt Studio.
  2. Connect to the SMEX SQL server > Security > logins.
  3. Verify that the account has access to Database and that the dbcreator role is selected.

Verify Local Admin Rights on Exchange Server

If you have access to log on to the Exchange server, from a command line run the following:

    net localgroup administrators

Verify Domain Admin Rights (if required)

If required, Domain Admin rights can be checked from a Domain Controller cmd prompt using the following command:

    net group "Domain Admins"

Check Connection to the Exchange Database

SMEX needs to get the mailbox database by running the following cmdlet from the Exchange Management Shell:

    Get-MailboxDatabase -Server EXServer01

If all of the above is in place and you are still unable to connect, please verify that the mailbox database exists on the Exchange Server.
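
The Exchange-side checks above can be run in one read-only pass from the Exchange Management Shell. This is an added example, not Trend Micro code: the `$MasterLog` parameter is a hypothetical path you supply yourself, and the SQL dbcreator and Domain Admins checks are not covered.

```powershell
# Added example, not Trend Micro code. Read-only checks; run in the Exchange
# Management Shell on the Exchange server where SMEX is installed.
param(
    [string]$ServiceDisplayName = 'ScanMail for Exchange Master Service',
    [string]$ExchangeServer     = $env:COMPUTERNAME,
    [string]$MasterLog          = ''   # hypothetical: path to ScanMail_Master.log
)

# Account from the service's 'Log On' tab (DOMAIN\user or user@domain).
$svc = Get-WmiObject Win32_Service -Filter "DisplayName='$ServiceDisplayName'"
if (-not $svc) { throw "Service '$ServiceDisplayName' not found on this host." }
$account = $svc.StartName
$sam = if ($account -like '*\*') { $account.Split('\')[-1] } else { $account.Split('@')[0] }

# Resolve the account in Active Directory through Exchange.
$user = @(Get-User -Filter "SamAccountName -eq '$sam'" -ErrorAction SilentlyContinue)
if ($user.Count -ne 1) { throw "Expected one user for '$account', found $($user.Count)." }
$dn = $user[0].DistinguishedName

# ApplicationImpersonation: -RoleAssignee returns direct and indirect assignments.
$imp = @(Get-ManagementRoleAssignment -Role 'ApplicationImpersonation' `
            -RoleAssignee $dn -ErrorAction SilentlyContinue)

# Organization Management: direct members only; nested groups are not expanded.
$om = @(Get-RoleGroupMember 'Organization Management' |
            Where-Object { $_.DistinguishedName -eq $dn })

# Local Administrators: direct entries only, parsed from 'net localgroup'.
$pattern = '(^|\\)' + [regex]::Escape($sam) + '\s*$'
$admin   = @((net localgroup administrators) -match $pattern)

# Mailbox databases visible on the server SMEX scans.
$db = @(Get-MailboxDatabase -Server $ExchangeServer -ErrorAction SilentlyContinue)

# Last privilege-check verdict in the debug log, if a path was supplied.
$verdict = 'not checked'
if ($MasterLog -and (Test-Path $MasterLog)) {
    $hit = Select-String -Path $MasterLog -Pattern 'CheckDomainUserPrivilege Result: (.+)$' |
               Select-Object -Last 1
    if ($hit) { $verdict = $hit.Matches[0].Groups[1].Value.Trim() }
}

[pscustomobject]@{
    ServiceAccount           = $account
    ApplicationImpersonation = ($imp.Count   -gt 0)
    OrganizationManagement   = ($om.Count    -gt 0)
    LocalAdministrator       = ($admin.Count -gt 0)
    MailboxDatabases         = $db.Count
    LastLogVerdict           = $verdict
}
```

A `False` for LocalAdministrator or OrganizationManagement can still mean the right is held through a nested group, so confirm with the individual commands above before adding an assignment.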

Solution Id: 1123080