If one or more of the required permissions are missing when you try to run a manual or scheduled scan, you can receive the following error message:
“Manual Scan was not successful. Check your domain user for proper permissions. This user should be assigned the ‘ApplicationImpersonation’ role in Exchange Server. Then you need to try again.”
When SMEX has a remote database using Windows authentication, the following permissions are required:
- Domain User
- Local Administrator
- Domain Administrator (temporarily required if using EUQ on Exchange 2013 platform)
- Exchange Organization Management Group
- Exchange ApplicationImpersonation role
- SQL Server dbcreator role
Verify/Add the ApplicationImpersonation Role
If the ApplicationImpersonation role is missing, you will see these entries in the ScanMail_Master.log (Debug Mode):
[DEBUG] user UserName doesn't have this role ApplicationImpersonation
[DEBUG] [DEBUG] CheckDomainUserPrivilege Result: Not Pass
If the ApplicationImpersonation role is present, you should see the following in the ScanMail_Master.log (Debug Mode):
[DEBUG] user UserName have this role ApplicationImpersonation
[DEBUG] [DEBUG] CheckDomainUserPrivilege Result: Pass
- Open the Exchange Management Shell. Use the following command to list the groups and accounts that have the ApplicationImpersonation role:
Get-ManagementRoleAssignment -Role "ApplicationImpersonation"
- You should see the account used to run the ScanMail Master Service. If not, run the following command to add it:
New-ManagementRoleAssignment -Name:SmexImpersonation -Role:ApplicationImpersonation -User:UserName
- After running the command you need to restart the "ScanMail for Exchange Master Service".
You should also confirm whether the "Exchange Servers" group has the ApplicationImpersonation privilege:
- Run the following cmdlet and check for "Exchange Servers" group in the results:
Get-ManagementRoleAssignment -Role "ApplicationImpersonation" -GetEffectiveUsers
- If there are none, run the following cmdlet to add ApplicationImpersonation to "Exchange Servers":
New-ManagementRoleAssignment -Role ApplicationImpersonation -SecurityGroup "Exchange Servers" -name "SmexImpersonate1"
Verify/Add the Organization Management Role
- Open the Exchange Management Shell and run the following command:
Get-RoleGroupMember "Organization Management"
- You should see the account listed. If not, run the following command to add it:
Add-RoleGroupMember "Organization Management" -Member UserName
- After running the command, you need to restart the "ScanMail for Exchange Master Service".
This may also be done via the Exchange Administration Center:
- Navigate to Permissions > Admin Roles.
- In the Members section, click Add.
- Select the user, click Add, and click OK.
- Click Save to save the changes to the role group.
- After adding the role you need to restart the "ScanMail for Exchange Master Service".
Verify SQL dbcreator Role
- Open SQL Mgmt Studio.
- Connect to the SMEX SQL server > Security > Logins.
- Verify that the account has access to Database and that the dbcreator role is selected.
Verify Local Admin Rights on Exchange Server
If you have access to log on to the Exchange server, from a command line run the following:
net localgroup administrators
Verify Domain Admin Rights (if required)
If required, Domain Admin rights can be checked from a Domain Controller cmd prompt using the following command:
net group "Domain Admins"
Check Connection to the Exchange Database
SMEX gets the mailbox database with the following cmdlet. Run it from the Exchange Management Shell to check the connection:
Get-MailboxDatabase -Server EXServer01
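The Exchange-side checks from the sections above (ApplicationImpersonation, Organization Management, local Administrators, mailbox database access) can be run in one read-only pass. The script below is an added example, not part of the original article or of ScanMail; `UserName` and `EXServer01` are the article's placeholders, and the SQL dbcreator and Domain Admins checks are left out.

```powershell
# Added example: read-only check of the Exchange-side permissions for one account.
# Run from the Exchange Management Shell on the Exchange server.
# 'UserName' and 'EXServer01' are placeholders (assumptions); pass real values.
param(
    [string]$Account = 'UserName',
    [string]$Server  = 'EXServer01'
)

$role = 'ApplicationImpersonation'

# -RoleAssignee returns direct assignments and those inherited through groups.
$acctImp = @(Get-ManagementRoleAssignment -Role $role -RoleAssignee $Account -ErrorAction SilentlyContinue)
$grpImp  = @(Get-ManagementRoleAssignment -Role $role -RoleAssignee 'Exchange Servers' -ErrorAction SilentlyContinue)

# Get-RoleGroupMember lists direct members only; nested groups are not expanded.
$orgMgmt = @(Get-RoleGroupMember 'Organization Management' |
    Where-Object { @($_.Name, $_.SamAccountName, $_.Alias) -contains $Account })

# 'net localgroup' prints domain accounts as DOMAIN\name and local ones as name.
# Membership gained through a group (for example Domain Admins) is not detected here.
$pattern    = '(^|\\)' + [regex]::Escape($Account) + '\s*$'
$localAdmin = @(net localgroup administrators | Where-Object { $_ -match $pattern })

# An empty result means the database lookup on that server failed.
$dbs = @(Get-MailboxDatabase -Server $Server -ErrorAction SilentlyContinue)

$checks = [ordered]@{
    "$role assigned to $Account"           = ($acctImp.Count -gt 0)
    "$role assigned to 'Exchange Servers'" = ($grpImp.Count -gt 0)
    "$Account in Organization Management"  = ($orgMgmt.Count -gt 0)
    "$Account in local Administrators"     = ($localAdmin.Count -gt 0)
    "Mailbox databases visible on $Server" = ($dbs.Count -gt 0)
}

$checks.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{
        Check  = $_.Key
        Result = $(if ($_.Value) { 'Pass' } else { 'Not Pass' })
    }
} | Format-Table -AutoSize

# Every effective holder of the role, for review: impersonation lets the holder
# act as any mailbox in scope, so unexpected names deserve a second look.
Get-ManagementRoleAssignment -Role $role -GetEffectiveUsers |
    Sort-Object EffectiveUserName -Unique |
    Select-Object EffectiveUserName, RoleAssigneeName, AssignmentMethod
```

The script changes nothing; any "Not Pass" row points to the matching section above for the command that adds the permission.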