www.gsx.com | log in | register

Last update: . Author: Cyril LEROY .

Out Of User's Write Scope Error When Scanning Exchange Hub and Transport Role

Due to specific Role Based Access Control (RBAC) restrictions, scanning Exchange Hub role (2010) or Transport service (2013) may fail and the status will then be reporting "Down".

This article describes how to solve the issue by updating the RBAC configuration to allow scans for the user configured in GSX Monitor.

GSX Monitor 10.x and above | Exchange 2010/2013


  • The operation on the object "SERVER FQDN" failed because it is out of the current user's write scope. 

How to Solve the Issue

  1. Open an Exchange PowerShell prompt with an Exchange administrator account from one of your Exchange servers in the organization.
  2. Create a "View-Only Transport Queues" Management Role with access to all Transport related commands:
    New-ManagementRole -name “View-Only Transport Queues” -Parent “Transport Queues”
  3. Remove access to commands with write permissions on Transport queues for the created Role:
    Get-ManagementRoleEntry “View-Only Transport Queues\*” | Where { $_.Name -NotLike “Get*” } | Remove-ManagementRoleEntry 
  4. Associate the user configured in GSX Monitor to new Role:
    New-ManagementRoleAssignment -Name “View-Only Transport Queues – (exchangeviewer)” -role “View-Only Transport Queues” -User “AD Account” where "AD Account" is the user configured in GSX Monitor.
  5. Exchange Hub and Transport Roles will now scan successfully.

Microsoft Related articles

Was this article helpful?

0 out of 0 found this helpful

Not finding what you are looking for?

Have more questions? Submit a request