New-MailboxExportRequest = The term 'new-mailboxexportrequest' is not recognized as the name of a cmdlet
I have a question. I can't seem to run the cmdlet new-MailboxExportRequest. I get an error that it is not recognized. I did some poking around and found that many fixed it by using a New-ManagementRoleAssignment. My question is why is this necessary for me - if I'm a domain admin, enterprise admin, exchange org admin..
Being as that I'm pretty comfortable in PowerShell I did some investigating. It seems that out of the box the required role "manage import export-organization management-delegating" is assigned to the "Organization Management" AD group.
I'm in that group. I'm also in the group "Exchange Organization Administrators" which is also a member of the "Organization Management" group. So all that being the case I should already have that permission and should be able to export mailboxes. But it fails with the error described above. My question would be why?
The only thing I could think of would be an explicit deny (out of the box) someplace. But I can't seem to find it. So some insight here would be most appreciated.
I could likely just run the New-ManagementRoleAssignment and assign it to exchange organization admins again - and perhaps that would fix it. But I want to understand why this is necessary when by everything I can seem to see I should already be able to perform this cmdlet.
Thanks
EDIT
Something else interesting. Get-Command doesn't list this as a valid command and help produces this:
Get-Help : Cannot find Help for topic "new-mailboxexportrequest".
Even if it were a permission issue the command should still appear in help or get-command, right? Am I missing a PS module or something? Get-Module -listavailable doesn't seem to list any additional exchange modules. All other exchange commands seem to be in there - at a quick glance that is...
July 2nd, 2012 12:33pm
Assume you have SP1 or later installed, correct? Check out this troubleshooting link:
http://smtp25.blogspot.com/2011/09/term-is-not-recognized-as-name-of.html
Troy Werelius
www.Lucid8.com
Search, Recover, & Extract Mailboxes, Folders, & Email Items from Offline EDB's and Live Exchange Servers with Lucid8's DigiScope
July 2nd, 2012 12:53pm
Thanks for the info Troy. I've already read that article and it doesn't address my issue or answer my questions. It's basically the same info that is all over the internet. Run New-ManagementRoleAssignment. My question is why is that necessary since it would appear I should already have permission. Why does the new-mailboxexportrequest not appear in a get-command list? And why does help on new-mailboxexportrequest produce an error? Those should work even if I lacked permission - which I don't.
July 2nd, 2012 1:00pm
You are on SP1 or later, correct? It comes down to Role Based Access Control (RBAC), which tightly controls what you can and cannot do, and in some cases being part of an elevated group like Enterprise Admins etc. does involve explicit deny rights.
So in short, yes, it's necessary to add that role in order to obtain that capability.
Troy Werelius
July 2nd, 2012 1:04pm
The delegating role assignment just gives you the right to assign the role to other people, including yourself. If you want to be able to use the cmdlet, assign the role to yourself or a role group you belong to, then you'll have access to the cmdlet and its help after restarting the shell.
Think of it as a 'secure by design' thing. You have the right to assign the permissions to import or export data, but it's not 'turned on' by default - you have to manually do it.
Mike Pfeiffer | blog: mikepfeiffer.net | twitter: @mike_pfeiffer
July 2nd, 2012 1:24pm
Troy:
Thanks for the info. On your second point - this is usually accomplished by explicit denies. As an example exchange admins are denied permission to individual mailboxes because their inherited permissions that are necessary to perform admin would grant them mailbox access were it not for the deny.
In this case it again appears that I should have permission via necessary group membership - and roles assigned to the groups. What I'm trying to determine is why it doesn't work when exchange says I should already have permission (outlined in opening post)
There is a management role named:
"mailbox import export-organization management-delegate"
That management role is assigned the role of:
"mailbox import export"
get-ManagementRoleAssignment -identity "Mailbox Import Export-Organization Management-Delegating" | fl
shows:
RoleAssigneeName : Organization Management
Correct me if I'm wrong here, but since I'm a member of that AD group and that AD group has permission to perform that role - it should be working - right?
July 2nd, 2012 1:25pm
Like Mike said above, while you may have all the rights in the world, this is something that must be explicitly granted.
Troy Werelius
July 2nd, 2012 1:28pm
I get it. So being in a group that has mailbox import export-organization management-delegating just means I have permission to add and remove users/groups from the "mailbox import export role" - not that I actually have that role myself.
July 2nd, 2012 4:09pm
I get it. So being in a group that has mailbox import export-organization management-delegating just means I have permission to add and remove users/groups from the "mailbox import export role" - not that I actually have that role myself.
Yep, exactly.
Mike Pfeiffer | Exchange: MCM/MVP | blog: mikepfeiffer.net | twitter: @mike_pfeiffer
July 2nd, 2012 4:18pm
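
The delegating-versus-regular distinction the thread arrives at, as an added example for the Exchange Management Shell that is not part of the original posts. The account name `exportadmin` and the role group name `Mailbox Export Operators` are hypothetical placeholders.

```powershell
# Added example. $User and $RoleGroup are hypothetical placeholder names.
$Role      = 'Mailbox Import Export'
$User      = 'exportadmin'
$RoleGroup = 'Mailbox Export Operators'

# 1. List every assignment of the role with its delegation type.
#    A delegating assignment only lets the assignee hand the role out;
#    only a Regular assignment makes New-MailboxExportRequest available.
Get-ManagementRoleAssignment -Role $Role |
    Sort-Object RoleAssignmentDelegationType |
    Format-Table Name, RoleAssigneeName, RoleAssigneeType,
                 RoleAssignmentDelegationType -AutoSize

# 2. Check whether $User holds a Regular assignment, directly or via a group.
#    EffectiveUserName is matched against the user's name as Exchange shows it.
$regular = Get-ManagementRoleAssignment -Role $Role -GetEffectiveUsers |
    Where-Object {
        $_.RoleAssignmentDelegationType -eq 'Regular' -and
        $_.EffectiveUserName -eq $User
    }

# 3. If not, grant the role through a dedicated role group rather than
#    through Organization Management, so the list of people who can
#    export mailbox data stays short and easy to audit.
if (-not $regular) {
    if (Get-RoleGroup -Identity $RoleGroup -ErrorAction SilentlyContinue) {
        Add-RoleGroupMember -Identity $RoleGroup -Member $User
    }
    else {
        New-RoleGroup -Name $RoleGroup -Roles $Role -Members $User
    }
}

# 4. Review who can now export mailboxes. Run this periodically as an audit.
Get-ManagementRoleAssignment -Role $Role -GetEffectiveUsers |
    Where-Object { $_.RoleAssignmentDelegationType -eq 'Regular' } |
    Select-Object EffectiveUserName, RoleAssigneeName |
    Sort-Object EffectiveUserName

# The cmdlet and its help appear only in a new shell session, because the
# session loads the cmdlets the user's roles allow when it connects.
```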