Troubleshoot permissions in SAM

You may encounter permissions issues with the following account and service types. These accounts include third-party applications and services, which may require administration credentials to review and solve.

Non-Domain Accounts
Adding Local Administrative privileges to Active Directory Account
Exchange Access
Mailbox Exchange Access

Mailboxes with an empty primary SMTP address can be polled; however, their Sent and Received statistics are not available.

To learn more about permissions, see:

Non-Domain Account

Local accounts (Non-Domain) cannot access Exchange Management interfaces and therefore are not supported by AppInsight for Exchange. Please select an Active Directory account or create a new one to use with AppInsight for Exchange.

Add Local Administrative privileges to Active Directory Account

Log in to the server and open the Computer Management console.
On a Windows Server 2012 machine, add this privilege using the Active Directory console.
Navigate to the Administrators group.
Add the type in the Active Directory user name of the account you want to grant administrative privileges. Ensure the location is set to either the domain where the account is located or Entire Directory.
Save your changes.

Alternatively, add an Active Directory group to the local administrators group and add the Active Directory user accounts to that group.

To verify the account and local group membership has been configured properly, run the following code in a PowerShell session:

$Recurse = $true
$GroupName = 'Administrators'
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$ct = [System.DirectoryServices.AccountManagement.ContextType]::Machine
$group = [System.DirectoryServices.AccountManagement.GroupPrincipal]::FindByIdentity($ct,$GroupName)
$LocalAdmin = $group.GetMembers($Recurse) | select @{N='Domain'; E={$_.Context.Name}}, samaccountName, @{N='ObjectType'; E={$_.StructuralObjectClass}} -Unique
$LocalAdmin = $LocalAdmin | Where-Object {$_.ObjectType -eq "user"}

Exchange Access

You can gran Least Privilege access to the Exchange Organization using Active Directory Users and Computers (ADUC).

From the Start Menu, open ADUC and navigate to the Microsoft Exchange Security Groups OU.
Double click on the View-Only Organization Management group. After the window opens, click the Members tab, then click Add.
Type the user name of the account you want to grant access to the Exchange organization, then click OK.
Click Apply and OK, then close the ADUC window.

Access can also be granted using the Exchange Management Shell with the following command. Replace the word "user" with the correct user name of the service account.

Add-RoleGroupMember -Identity "View-Only Organization Management" -Member "USER"

To verify the management role is properly assigned, use the following commands:

Get-RoleGroupMember -Identity "View-Only Organization Management" | Where-Object {$_.SamAccountName -eq "USER"}
Get-RoleGroupMember -Identity "Organization Management" | Where-Object {$_.SamAccountName -eq "USER"}

Get-ManagementRoleAssignment -RoleAssignee “USER” | Where-Object {$_.RoleAssigneeName -eq "View-Only Organization Management" -or $_.RoleAssigneeName -eq "Organization Management"}

Mailbox Search Access

Mailbox Search access is required to determine attachment counts and sizes. You can grant the access using the Exchange Management Shell (EMS).

From the Start Menu, open the EMS.
Type: New-ManagementRoleAssignment -Role "Mailbox Search" -User "USER" and press Enter.

To verify the management role has been properly assigned, use the following command:

Get-ManagementRoleAssignment -RoleAssignee “USER” -Role "Mailbox Search" | Where-Object {$_.RoleAssignmentDelegationType -eq "Regular"}

Exchange Management Roles can be assigned to role assignees using either regular or delegating role assignments: