Enable Exchange Remote Powershell access for non-admin

byt3
My goal is to set up a limited domain user with access to create RemoteMailbox objects from a remote computer using powershell.

Steps I've taken:
  • I gave a limited domain user the "Recipient Management" role to create RemoteMailbox objects.
  • I added this user to the "Remote Management" local group on the Exchange Server.

The command to create the powershell session

New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://$ExchangeServerDns/PowerShell/"

produces an access denied error. How do I resolve this?
timgreen7077, Exchange Engineer
Distinguished Expert 2018

Commented:
Try the following:

$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://Exchangeserver_FQDN/powershell -Credential (Get-Credential)

Import-PSSession $session
Jose Gabriel Ortega Castro, Top Rated Freelancer on MS Technologies
Awarded 2018
Distinguished Expert 2018

Commented:
It is probably because you're not using the correct authentication.

Try it like this:

Set-ExecutionPolicy RemoteSigned
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://$ExchangeServerDns/PowerShell/ -Authentication Kerberos -Credential $UserCredential
Import-PSSession $Session -DisableNameChecking

Source: https://docs.microsoft.com/en-us/powershell/exchange/exchange-server/connect-to-exchange-servers-using-remote-powershell?view=exchange-ps

Author

Commented:
The remote computer is domain joined, so Kerberos should be fine. I don't need to specify authentication type when using an administrative account. Is that not the case with non-admin users?

I am doing this as part of a script and would prefer not to put credentials in the script if I can avoid it.

Author

Commented:
Resorted to providing the Credentials to the Cmdlet, but I still get an access denied error.

New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://$ExchangeServerDns/PowerShell/" -Credential $ExOnPremCreds -Authentication Kerberos -ErrorAction Stop;


Commented:
I went the route of connecting to the Exchange server using CredSSP then I ran the RemoteExchange.ps1 script (which requires that I provide credentials though).
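# Open a CredSSP session to the Exchange server with the supplied credentials.
$PSExOnPrem = New-PSSession -ComputerName $ExOnPremServer -Credential $ExOnPremCreds -Authentication CredSSP -ErrorAction Stop;
Invoke-Command -Session $PSExOnPrem -ErrorAction Stop -ScriptBlock {
    # Pick the highest versioned key under the ExchangeServer registry key.
    $ExVersion = (Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\ExchangeServer' | Sort-Object -Property Name -Descending | Select-Object -First 1).Name -replace '.*(v[0-9]+)$','$1';
    # Build the path to the Exchange Bin folder from the recorded install path.
    $ExBinPath = (Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\ExchangeServer\$ExVersion\Setup").MsiInstallPath + 'Bin';
    # Dot-source the Exchange Management Shell loader, then connect to Exchange.
    . "$ExBinPath\RemoteExchange.ps1";
    Connect-ExchangeServer -Auto;
}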


Jose Gabriel Ortega Castro, Top Rated Freelancer on MS Technologies
Awarded 2018
Distinguished Expert 2018

Commented:
Well, it's solved! :) glad you could figure it out :)

Commented:
Is the RemoteExchange.ps1 file available on all Exchange servers, or is it a custom file you've created?

Author

Commented:
It is on all computers with the Exchange management tools installed. If you look at the properties of the Exchange Shell shortcut, you will see that the Exchange Shell shortcut calls that script to load Exchange Cmdlets.
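
A read-only check of the prerequisites listed in the question, plus the per-user RemotePowerShellEnabled flag that Exchange evaluates for remote shell access. It is an added example and not code from this thread. It assumes it is run in the Exchange Management Shell by an Exchange administrator; the function name and the account name 'svc-remotemailbox' are hypothetical.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell
# as an Exchange administrator. 'svc-remotemailbox' is a hypothetical account.
function Test-ExRemotePSPrereq {
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [string] $Cmdlet    = 'New-RemoteMailbox',
        [string] $RoleGroup = 'Recipient Management'
    )

    $user = Get-User -Identity $Identity -ErrorAction Stop

    # Direct members of the role group only; nested groups are not expanded here.
    $inRoleGroup = @(Get-RoleGroupMember -Identity $RoleGroup |
        Where-Object { $_.DistinguishedName -eq $user.DistinguishedName }).Count -gt 0

    # Names of the management roles that contain the cmdlet.
    $rolesWithCmdlet = @(Get-ManagementRole -Cmdlet $Cmdlet | ForEach-Object { $_.Name })

    # Regular (non-delegating) assignments that reach this user, directly or
    # through a group, compared with the roles above by role name.
    $grantingRoles = @(Get-ManagementRoleAssignment -RoleAssignee $Identity -Delegating $false |
        ForEach-Object { "$($_.Role)" } |
        Where-Object { $rolesWithCmdlet -contains $_ } |
        Sort-Object -Unique)

    [pscustomobject]@{
        User                    = $user.Name
        RemotePowerShellEnabled = $user.RemotePowerShellEnabled
        InRoleGroup             = $inRoleGroup
        RolesGrantingCmdlet     = $grantingRoles -join ', '
        # Both conditions are needed before the account can run the cmdlet remotely.
        Ready                   = $user.RemotePowerShellEnabled -and ($grantingRoles.Count -gt 0)
    }
}

Test-ExRemotePSPrereq -Identity 'svc-remotemailbox' | Format-List
```

If RemotePowerShellEnabled is False, an administrator can change it with Set-User -RemotePowerShellEnabled $true.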
