Enable Exchange Remote PowerShell access for non-admin

My goal is to set up a limited domain user with access to create RemoteMailbox objects from a remote computer using PowerShell.

Steps I've taken:
  • I gave a limited domain user the "Recipient Management" role to create RemoteMailbox objects.
  • I added this user to the "Remote Management" local group on the Exchange Server.

The command to create the PowerShell session produces an access denied error:

New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://$ExchangeServerDns/PowerShell/"

How do I resolve this?

timgreen7077 (Exchange Engineer) Commented:
Try the following:

$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://Exchangeserver_FQDN/powershell -Credential (Get-Credential)

Import-PSSession $session
Jose Gabriel Ortega Castro (EE Solution Guide/Topic Advisor and CEO Faru Bonon IT) Commented:
It's probably because you're not using the correct authentication:

Try it like this

Set-ExecutionPolicy RemoteSigned
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://$ExchangeServerDns/PowerShell/ -Authentication Kerberos -Credential $UserCredential
Import-PSSession $Session -DisableNameChecking

Source: https://docs.microsoft.com/en-us/powershell/exchange/exchange-server/connect-to-exchange-servers-using-remote-powershell?view=exchange-ps
byt3 (Author) Commented:
The remote computer is domain joined, so Kerberos should be fine. I don't need to specify authentication type when using an administrative account. Is that not the case with non-admin users?

I am doing this as part of a script and would prefer not to put credentials in the script if I can avoid it.
byt3 (Author) Commented:
Resorted to providing the Credentials to the Cmdlet, but I still get an access denied error.

New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://$ExchangeServerDns/PowerShell/" -Credential $ExOnPremCreds -Authentication Kerberos -ErrorAction Stop;

byt3 (Author) Commented:
I went the route of connecting to the Exchange server using CredSSP then I ran the RemoteExchange.ps1 script (which requires that I provide credentials though).
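# Open a plain WinRM session to the Exchange server itself, authenticating with CredSSP.
$PSExOnPrem = New-PSSession -ComputerName $ExOnPremServer -Credential $ExOnPremCreds -Authentication CredSSP -ErrorAction Stop;
Invoke-Command -Session $PSExOnPrem -ErrorAction Stop -ScriptBlock {
    # Find the newest installed Exchange version key (vNN) and the Bin folder under its install path.
    $ExVersion = (Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\ExchangeServer' | Sort-Object -Property Name -Descending | Select-Object -First 1).Name -replace '.*(v[0-9]+)$','$1';
    $ExBinPath = (Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\ExchangeServer\$ExVersion\Setup").MsiInstallPath + 'Bin';
    # Dot-source the Exchange Management Shell functions, then connect to an Exchange server.
    . "$ExBinPath\RemoteExchange.ps1";
    Connect-ExchangeServer -Auto;
}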

Jose Gabriel Ortega Castro (EE Solution Guide/Topic Advisor and CEO Faru Bonon IT) Commented:
Well, it's solved! :) glad you could figure it out :)
Senior IT System Engineer (Senior Systems Engineer) Commented:
Is the RemoteExchange.ps1 file available on all Exchange servers, or is it a custom file you've created?
byt3 (Author) Commented:
It is on all computers with the Exchange management tools installed. If you look at the properties of the Exchange Shell shortcut, you will see that the Exchange Shell shortcut calls that script to load Exchange Cmdlets.
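
Added example, not part of any post in this thread: checks an Exchange administrator can run in the Exchange Management Shell to see whether a limited account is allowed into the Microsoft.Exchange remote PowerShell endpoint and can reach New-RemoteMailbox through RBAC. The account name is a placeholder, and the script only reads settings; it changes nothing.

```powershell
# Run in the Exchange Management Shell as an Exchange administrator.
# $Account is a hypothetical placeholder: replace it with the limited user's name.
$Account = 'CONTOSO\svc-remotemailbox'
$Cmdlet  = 'New-RemoteMailbox'

# 1. Per-user switch that controls access to Exchange remote PowerShell.
$user = Get-User -Identity $Account -ErrorAction Stop
$remoteEnabled = [bool]$user.RemotePowerShellEnabled

# 2. RBAC roles that contain the cmdlet the script needs.
$roles = @(Get-ManagementRole -Cmdlet $Cmdlet)

# 3. Regular (non-delegating) assignments of those roles that reach this user,
#    directly or through a role group such as Recipient Management.
$assignments = @(foreach ($role in $roles) {
    Get-ManagementRoleAssignment -Role $role.Name `
        -RoleAssignee $user.DistinguishedName -Delegating $false
})

# 4. Summary for the change record.
[pscustomobject]@{
    Account                 = $user.Name
    RemotePowerShellEnabled = $remoteEnabled
    RolesContainingCmdlet   = ($roles | ForEach-Object { $_.Name }) -join ', '
    AssignmentsReachingUser = ($assignments | ForEach-Object {
        "$($_.Role) via $($_.RoleAssigneeName)"
    }) -join '; '
} | Format-List

if (-not $remoteEnabled) {
    Write-Warning "Remote PowerShell is disabled for $Account."
    Write-Warning "To enable: Set-User -Identity '$Account' -RemotePowerShellEnabled `$true"
}
if ($assignments.Count -eq 0) {
    Write-Warning "$Account has no role assignment that includes $Cmdlet."
}
```

An empty AssignmentsReachingUser line means the account would not see the cmdlet even after a session is established, so both results are worth checking before changing the authentication method.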