MSExchange RBAC Error 17

A case I worked on a while back involved an issue where the application log on the Exchange 2010 servers was full of MSExchange RBAC event id 17. This was recorded on all servers, regardless of role.

There are two types of events: one for user accounts and one for machine accounts. The first example below is for the user eileenor and the second is for the machine name ExchangeMailboxA

ID: 17
Level: Error
Source: MSExchange RBAC
Message: (Process w3wp.exe, PID 1234) "RBAC authorization returns Access Denied for contoso.com/Users/ActionAccount. Reason: No role assignments associated with the specified user were found on Domain Controller DC1.contoso.com"

ID: 17
Level: Error
Source: MSExchange RBAC
Message: (Process w3wp.exe, PID 1234) "RBAC authorization returns Access Denied for contoso.com/Servers/Exchange/ExchangeMailboxA. Reason: No role assignments associated with the specified user were found on Domain Controller DC1.contoso.com"

The first one is easy to track down. You just have to figure out what account was trying to do in the Exchange Management Shell and then verify if they have the correct RBAC permissions. More than likely, the account is related to another program that is running an Exchange Management cmdlet or script.

The second one is a little bit trickier to figure out.

Whenever you see the Exchange Server 2010’s machine name in the event. this means that there is some other program or task that is involved. It could be a Scheduled Task running an Exchange 2010 cmdlet or another program, such as monitoring software.

If you are running an Exchange Management cmdlet or script as a scheduled task, make sure they account has valid RBAC permissions to run it. For example, I run CheckDatabaseRedundancy.ps1 as a Scheduled Task on my Mailbox Servers. As you can see in the example below, I run it using the Local System account:

If you are running another program, such as monitoring software, check the documentation and make any configuration changes needed.