Due to specific Role Based Access Control (RBAC) restrictions, scanning the Exchange Hub role (2010) or the Transport service (2013) may fail, in which case the status is reported as "Down".
This article describes how to solve the issue by updating the RBAC configuration to allow scans for the user configured in GSX Monitor.
GSX Monitor 10.x and above | Exchange 2010/2013
Symptoms
- The operation on the object "SERVER FQDN" failed because it is out of the current user's write scope.
How to Solve the Issue
As described in our prerequisites document, the account configured for Exchange scans must be a member of the View-only Organization Management group. By default, membership in this security group allows Read-Only operations on transport queues.
Because we are creating a new role dedicated to the user configured in GSX Monitor, this operation does not affect your current RBAC permission model.
- Open an Exchange PowerShell prompt with an Exchange administrator account from one of your Exchange servers in the organization.
- Create a "View-Only Transport Queues" Management Role with access to all Transport related commands:
New-ManagementRole -Name "View-Only Transport Queues" -Parent "Transport Queues"
- Remove access to commands with write permissions on Transport queues for the created Role:
Get-ManagementRoleEntry "View-Only Transport Queues\*" | Where { $_.Name -NotLike "Get*" } | Remove-ManagementRoleEntry
- Associate the user configured in GSX Monitor with the new Role:
New-ManagementRoleAssignment -Name "View-Only Transport Queues – (exchangeviewer)" -Role "View-Only Transport Queues" -User "AD Account"
where "AD Account" is the user configured in GSX Monitor.
- Exchange Hub and Transport Roles will now scan successfully.
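
To confirm that the new role really is read-only and is held only by the monitoring account, the check below can be run in the same Exchange PowerShell session once the steps above are complete. It is an added example, not part of the original GSX article; it assumes the role name used above and uses only the standard Get-ManagementRoleEntry and Get-ManagementRoleAssignment cmdlets.

```powershell
# Added example: verify the "View-Only Transport Queues" role after creating it.
# Assumes the role name from the steps above; run in the Exchange Management Shell.
$roleName = "View-Only Transport Queues"

# 1. Every entry left in the role should be a Get-* cmdlet.
$entries = @(Get-ManagementRoleEntry "$roleName\*" -ErrorAction SilentlyContinue)
$nonRead = @($entries | Where-Object { $_.Name -notlike "Get*" })

if ($entries.Count -eq 0) {
    Write-Warning "Role '$roleName' has no entries or does not exist."
}
elseif ($nonRead.Count -gt 0) {
    Write-Warning "Role '$roleName' still contains cmdlets other than Get-*:"
    $nonRead | Format-Table Name, Role -AutoSize
}
else {
    Write-Host "OK: all $($entries.Count) entries in '$roleName' are Get-* cmdlets."
}

# 2. List every assignment of the role. Only the account configured in
#    GSX Monitor should appear as the assignee.
Get-ManagementRoleAssignment -Role $roleName |
    Format-Table Name, RoleAssigneeName, RoleAssigneeType, Enabled -AutoSize
```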