Where are my Mailbox Import Export / Support Diagnostics cmdlets?


When you are a member of the "Exchange Organization Administrators" or Organization Management role group, it is easy to assume that you hold every right that can be granted in an Exchange organization, and that you can perform every task and run every cmdlet. That assumption holds right up until you try to run a cmdlet that belongs to the Mailbox Import Export or Support Diagnostics RBAC roles.

When you try to run the Import-Mailbox cmdlet as a member of the Organization Management role group, you get an error:

[PS] C:\Windows\system32>import-mailbox
The term 'import-mailbox' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:15
+ import-mailbox <<<<
    + CategoryInfo          : ObjectNotFound: (import-mailbox:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

To find out who has permission to run the cmdlet, you run Get-ManagementRoleAssignment for the role, which returns only one assignment:

[PS] C:\Windows\system32>Get-ManagementRoleAssignment -Role "Mailbox Import Export" | ft Identity
Identity
--------
Mailbox Import Export-Organization Management-Delegating

[PS] C:\Windows\system32>Get-ManagementRoleAssignment -Role "Support Diagnostics" | ft Identity
Identity
--------
Support Diagnostics-Organization Management-Delegating

Look closely at the assignment name: the "Delegating" suffix means Organization Management holds only a delegating role assignment to this role. A delegating assignment lets you, as an organization administrator, decide who can run the Mailbox Import Export cmdlets; it does not let you run them yourself, which is why the cmdlets are not even loaded into your session. The same applies to the Support Diagnostics role.

Why are these roles not assigned to anyone by default?

Assigning the "Mailbox Import Export" role gives the assignee the ability to read and write the contents of every mailbox within the scope of the assignment, which is what importing and exporting mailbox data requires. Because that is a significant privilege, the role is not assigned to anyone by default.

The “Support Diagnostics” role grants access to cmdlets and scripts that should only be used under the direction of Microsoft Customer Services and Support.

What can I do to gain access to those cmdlets?

To run the cmdlets defined in the "Mailbox Import Export" and "Support Diagnostics" roles, create new role groups that hold a regular (non-delegating) assignment of each role, and add the users or groups who should perform those tasks as members, as shown in the following commands:

New-RoleGroup -Name "Exchange Mailbox Import Export" -Roles "Mailbox Import Export" -Members "<domain\groupname>" -DisplayName "Exchange Mailbox Import Export" -Description "This group provides access to the mailbox import and export cmdlets within the entire Exchange organization."

New-RoleGroup -Name "Exchange Support Diagnostics" -Roles "Support Diagnostics" -Members "<domain\groupname>" -DisplayName "Exchange Support Diagnostics" -Description "This group provides access to the support diagnostics cmdlets within the entire Exchange organization."

After running these commands, you will notice two new universal security groups, Exchange Mailbox Import Export and Exchange Support Diagnostics, in the Microsoft Exchange Security Groups OU in the root domain of the forest, with the users or groups you specified as members. Each command also creates a regular management role assignment named after the role and the role group: "Mailbox Import Export-Exchange Mailbox Import Export" and "Support Diagnostics-Exchange Support Diagnostics". You can verify this by running Get-ManagementRoleAssignment -Role "Mailbox Import Export" | ft Identity, which now lists the regular assignment alongside the delegating one. Because role assignments are evaluated when the Exchange Management Shell session is created, members need to close and reopen the shell before the cmdlets appear.

We highly recommend that you restrict the management scope and/or the membership of these groups as necessary to comply with your security and administration requirements. As written, the commands above grant the roles across the entire organization; they are examples only and should be revised to include appropriate restrictions using management scopes.
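The following is an added example, not part of the original post, that ties together the diagnosis above (finding who holds the role) and the scoped role-group creation the post recommends instead of the org-wide commands. The scope name, role group name, OU path "contoso.com/Finance" and the member group "CONTOSO\PST Operators" are placeholders you would replace with your own; everything else is a standard Exchange 2010 cmdlet and parameter.

```powershell
# Added example (not from the original post). All names below are assumptions:
# replace the OU, the scope/role group names and "CONTOSO\PST Operators".

# 1. Know what you are handing out: list the cmdlets the role unlocks.
Get-ManagementRoleEntry "Mailbox Import Export\*" | Format-Table Name -AutoSize

# 2. Confirm the starting point: only a delegating assignment exists, so
#    nobody can actually run the cmdlets yet.
Get-ManagementRoleAssignment -Role "Mailbox Import Export" |
    Format-Table Name, RoleAssigneeName, RoleAssignmentDelegationType -AutoSize

# 3. Build a recipient scope that limits the role to one OU's user mailboxes
#    instead of every mailbox in the organization.
New-ManagementScope -Name "Finance Mailboxes Scope" `
    -RecipientRoot "contoso.com/Finance" `
    -RecipientRestrictionFilter { RecipientType -eq "UserMailbox" }

# 4. Create the role group with a regular assignment bound to that scope.
#    -CustomRecipientWriteScope is what keeps this narrower than the
#    org-wide New-RoleGroup commands shown earlier in the post.
New-RoleGroup -Name "Finance Mailbox Import Export" `
    -Roles "Mailbox Import Export" `
    -CustomRecipientWriteScope "Finance Mailboxes Scope" `
    -Members "CONTOSO\PST Operators" `
    -DisplayName "Finance Mailbox Import Export" `
    -Description "Import/export of Finance OU mailboxes only."

# 5. Verify: the regular assignment now sits next to the delegating one,
#    and its write scope is the custom scope rather than Organization.
Get-ManagementRoleAssignment -Role "Mailbox Import Export" |
    Format-Table Name, RoleAssigneeName, RoleAssignmentDelegationType,
                 CustomRecipientWriteScope -AutoSize

# 6. Expand group membership to see the individual users who can now run
#    the cmdlets; this is the list an auditor will ask for.
Get-ManagementRoleAssignment -Role "Mailbox Import Export" -GetEffectiveUsers |
    Where-Object { $_.RoleAssignmentDelegationType -eq "Regular" } |
    Format-Table EffectiveUserName, CustomRecipientWriteScope -AutoSize
```

Members of the new role group must close and reopen the Exchange Management Shell before Import-Mailbox and Export-Mailbox show up, since the cmdlets available in a session are determined from the role assignments when the session is created. Note that Exchange 2010 SP1 and later replace Import-Mailbox and Export-Mailbox with New-MailboxImportRequest and New-MailboxExportRequest; the role name "Mailbox Import Export" and the steps above are unchanged.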

To gain a better understanding of RBAC, please head over to RBAC and the Triangle of Power and Understanding Role-Based Access Control. Built-in Management Roles and Built-in Role Groups include details of all default management roles and role groups created by Exchange 2010 setup, including the Mailbox Import Export role and Support Diagnostics role discussed in this post.

Bhargav Shukla

Comments (11)
  1. Evan Swans says:

    We have our tool for importing pst into Exchange Server. But we keep on getting the issue where we could never able to connect to Active Directory and it fails at FindAll method. Any help would be appreciated.

    Evan Swans

    http://www.systoolsgroup.com/exchange-export-import-wizard.html

  2. Manuel Cerdas says:

    I’m really missing ExMerge right now!

  3. thomascriver7 says:

    hey how can i see my profile?

  4. Dan Israel says:

    Just a rather obvious note…  The examples above have an extra quote before the Members switch.  Should be:

    New-RoleGroup -Name "Exchange Mailbox Import Export" -Roles "Mailbox Import Export" -Members "<domain\groupname>" -DisplayName "Exchange Mailbox Import Export" -Description "This group will provide access to mailbox import and export cmdlets within entire Exchange Organization."

  5. Dan Israel says:

    Also, you will need to close and reopen the Exchange Management Shell for the new security rights to take effect.

  6. PleaseAddGuiFunctionsBack says:

    While it is great to be able to script stuff, I am BAFFLED why the exchange team has strayed SOOO far from what made Microsoft profitable, the GUI! Heck, last I recall we ran an OS called "Windows", not "CMD" or "Powershell".

    Please get with the program and support us exchange admins that cut our teeth on Exchange 4.0 BETA and all the succeeding versions, and put stuff like this BACK INTO THE GUI as well as being scriptable!

  7. Tom Phillips says:

    When I run the get-managementroleassignment -role "mailbox import export" command there is nothing returned, which means my Org Mgmt is not assigned. When I try to do anything with it I get an error, and I am in the Org Mgmt:

    You don't have access to create, change, or remove the "Mailbox Import Export-tphilli management role assignment. You must be assigned a delegating role assignment to the management role or its parent in the hierarchy without a scope restriction.
       + CategoryInfo          : InvalidOperation: (Mailbox Import Export-tphilli:ADObjectId) [New-ManagementRoleAssignment], InvalidOperationException
       + FullyQualifiedErrorId : 78609DD3,Microsoft.Exchange.Management.RbacTasks.NewManagementRoleAssignment

  8. David Smith says:

    I agree with PleaseAddGuiFunctionsBack. I managed Novell servers until Microsoft took over their market, and since then I have been told to just let the CLI go and learn the GUI. I have, and now I feel like I'm being pushed back in the other direction again.

  9. Jonathan Martinez says:

    If you receive something like "The parent object for Exchange Mailbox import export could not be found", then you need to specify your domain controller with the -DomainController switch. I experienced this issue with a cross-forest resource Exchange configuration. I was required to specify my primary DC.

  10. Timmy says:

    I completely agree with PleaseAddGuiFunctionsBack!! If I wanted to run a network with a CLI I'd be running Linux! While it's nice to have choice in management, forcing us to use the CLI is BS. Also, my experience with Exchange 2010 just reinforces the notion to never use a Microsoft product before SP1. I have spent countless hours working through bugs in DAG implementation (transaction log truncation) and RBAC that doesn't work (like scoped OUs with distribution group management).

    Come on Microsoft, get your shit together!!!

Comments are closed.