Scheduled "RollAlternateserviceAccountPassword.ps1" Fails
Hi all,

I updated my Exchange 2010 architecture a few weeks ago to allow Kerberos client authentication (per this article: http://blogs.technet.com/b/exchange/archive/2011/04/15/recommendation-enabling-kerberos-authentication-for-mapi-clients.aspx). Following that and the TechNet articles linked therein, I was able to get it set up successfully; however, I am having problems with the scheduled task to run the RollAlternateserviceAccountPassword.ps1. The ASA is a computer account named "excasarray01".

First, looking at the logs, it stated that the account I have configured to run the script "isn't assigned to any management roles" (which further on in the logs stated it needed to be assigned the "Organization Configuration" role), so I created a new Role Group, assigned Organization Management to it, then added the account I want to run the script with to the group. If I try to run it now I get a different set of errors; it seems like the EMS portion is loading:

========== Starting at 07/10/2012 17:16:10 ==========
Welcome to the Exchange Management Shell!
Full list of cmdlets: Get-Command
Only Exchange cmdlets: Get-ExCommand
Cmdlets that match a specific string: Help *<string>*
Get general help: Help
Get help for a cmdlet: Help <cmdlet name> or <cmdlet name> -?
Show quick reference guide: QuickRef
Exchange team blog: Get-ExBlog
Show full output for a command: <command> | Format-List
Tip of the day #57:
Want to know what permissions an Active Directory user account has on a specific mailbox? Use:
Get-Mailbox <Mailbox to Check> | Get-MailboxPermission -User <Active Directory User>
VERBOSE: Connecting to winexhubcas01.domain.local
VERBOSE: Connected to winexhubcas01.domain.local.
RecordErrors : The term 'Get-ClientAccessArray' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At C:\Program Files\Microsoft\Exchange Server\V14\Scripts\RollAlternateServiceAccountPassword.ps1:736 char:17
+ RecordErrors <<<< `
    + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,RecordErrors
RecordErrors : The term 'Get-ExchangeServer' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At C:\Program Files\Microsoft\Exchange Server\V14\Scripts\RollAlternateServiceAccountPassword.ps1:769 char:15
+ RecordErrors <<<< { CheckServerVersions $script:servers }
    + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,RecordErrors
RecordErrors : Couldn't figure out valid servers from the specified destination scope. Check your parameters and try again.
At C:\Program Files\Microsoft\Exchange Server\V14\Scripts\RollAlternateServiceAccountPassword.ps1:992 char:13
+ RecordErrors <<<< -ExceptionsOnly { $script:success = Body }
    + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,RecordErrors
Retrieving the current Alternate Service Account configuration from servers in scope
The term 'Get-ClientAccessArray' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At C:\Program Files\Microsoft\Exchange Server\V14\Scripts\RollAlternateServiceAccountPassword.ps1:1000 char:39
+ $script:arrays = Get-ClientAccessArray <<<<
    + CategoryInfo : ObjectNotFound: (Get-ClientAccessArray:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
RecordErrors : The term 'Get-ExchangeServer' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At C:\Program Files\Microsoft\Exchange Server\V14\Scripts\RollAlternateServiceAccountPassword.ps1:362 char:15
+ RecordErrors <<<< `
    + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,RecordErrors
Alternate Service Account properties:
Per-server Alternate Service Account configuration as of the time of script completion:
========== Finished at 07/10/2012 17:16:23 ==========
THE SCRIPT HAS FAILED
-----

Can anyone explain what the problem is? Thanks in advance!
July 10th, 2012 5:55pm

Hi Paul,

About the error message: The term "cmdlet" is not recognized as the name of a cmdlet, function, script file, or operable program...

It seems you still have no right to run the script/cmdlet. Please check whether you can run the above cmdlets in EMS first.

"it stated that the account I have configured to run the script "isn't assigned to any management roles" (which further on in the logs stated it needed to be assigned the "Organization Configuration" role), so I created a new Role Group, assigned Organization Management to it, then added the account I want to run the script with to the group."

Did you create the new Role Group which is assigned Organization Configuration role? If yes, since Get-ClientAccessArray is not a RoleEntry of the Role, you cannot run the script. Please add your account to Organization Management Role group (ADUC->domain.com->Microsoft Exchange Security Groups) to test if possible.

By the way, from TechNet: You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Client Access Security" entry in the Client Access Permissions topic.

Using the RollAlternateserviceAccountPassword.ps1 Script in the Shell
http://technet.microsoft.com/en-us/library/ff808311.aspx

Client Access Permissions
http://technet.microsoft.com/en-us/library/dd638131.aspx

Frank Wang
TechNet Community Support
July 11th, 2012 4:54am

Hi Frank,

Thank you for your reply. I created a new Role group (Kerberos ASA Updates) and added the "Organization Configuration" role to it ("Organization Management" should have been "Organization Configuration" in my original post; I will update it after this reply). That was the only role that the original log had mentioned, hence my post. I hadn't even tried to run those cmdlets as the specific user as I thought running the EMS and connecting to the CAS was a good enough test. I see now that it is not, since I cannot run those get- cmdlets.

As for those links, I did find the "Using the RollAlternateserviceAccountPassword.ps1 Script in the Shell" but it didn't really spell out which all roles were necessary (which is kind of annoying, and the reason for this post). Looking at the other link I was able to gather some info as to what other roles the account running the script should be a member of and tested it. As it turns out, the account running the task needs to be a role group assigned the Exchange Servers, Organization Client Access, and Organization Configuration roles.

That said, here are the results of my running it now (do you see anything out-of-place?):

========== Starting at 07/11/2012 19:02:32 ==========
Welcome to the Exchange Management Shell!
Full list of cmdlets: Get-Command
Only Exchange cmdlets: Get-ExCommand
Cmdlets that match a specific string: Help *<string>*
Get general help: Help
Get help for a cmdlet: Help <cmdlet name> or <cmdlet name> -?
Show quick reference guide: QuickRef
Exchange team blog: Get-ExBlog
Show full output for a command: <command> | Format-List
Tip of the day #96:
Use these commands to get a snapshot of the move throughput for completed moves.
$stats = Get-MoveRequest -MoveStatus Completed | Get-MoveRequestStatistics
$stats | sort totalmailboxsize | ft Alias,{$_.totalmailboxsize.ToMB()},totalinprogressduration -auto
VERBOSE: Connecting to winexhubcas01.domain.local
VERBOSE: Connected to winexhubcas01.domain.local.
Destination servers that will be updated:

Name
----
WINEXHUBCAS01
WINEXHUBCAS02

Credentials that will be pushed to every server in the specified scope (recent first):

UserName             Password
--------             --------
domain\excasarray01$ System.Security.SecureString

Prior to pushing new credentials, all existing credentials that are invalid or no longer work will be removed from the destination servers.
Pushing credentials to server WINEXHUBCAS01
Pushing credentials to server WINEXHUBCAS02
Setting a new password on Alternate Serice Account in Active Directory
Preparing to update Active Directory with a new password for domain\excasarray01$ ...
Resetting a password in the Active Directory for domain\excasarray01$ ...
New password was successfully set to Active Directory.
Retrieving the current Alternate Service Account configuration from servers in scope
Alternate Service Account properties:

StructuralObjectClass QualifiedUserName    Last Pwd Update      SPNs
--------------------- -----------------    ---------------      ----
computer              domain\excasarray01$ 7/11/2012 7:05:50 PM exchangeRFR/excasarray01
                                                                exchangeMDB/excasarray01
                                                                http/autodiscover
                                                                http/excasarray01
                                                                exchangeAB/excasarray01
                                                                exchangeAB/excasarray01.domain.local
                                                                exchangeRFR/excasarray01.domain.local
                                                                exchangeMDB/excasarray01.domain.local
                                                                http/autodiscover.domain.local
                                                                http/excasarray01.domain.local

Per-server Alternate Service Account configuration as of the time of script completion:

Array: excasarray01.domain.local

Identity      AlternateServiceAccountConfiguration
--------      ------------------------------------
WINEXHUBCAS01 Latest: 7/11/2012 7:05:49 PM, domain\excasarray01$
              Previous: 7/11/2012 11:22:14 AM, domain\excasarray01$
WINEXHUBCAS02 Latest: 7/11/2012 7:05:49 PM, domain\excasarray01$
              Previous: 7/11/2012 11:22:13 AM, domain\excasarray01$

========== Finished at 07/11/2012 19:05:50 ==========
THE SCRIPT HAS SUCCEEDED
------

So I guess I'm all set. Thanks again, Frank!
July 11th, 2012 7:26pm
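
A pre-flight check for the situation in this thread, added here as an example (it is not code from either poster or from Microsoft's script): it creates the role group with the three roles named in the last post, then confirms through RBAC that the task account's effective roles contain the two cmdlets the failed run reported as "not recognized". The account name `DOMAIN\svc-asaroll` and the function name `Test-RbacCmdletAccess` are hypothetical; the role group name and roles are the ones from the thread.

```powershell
# Run in the Exchange Management Shell as an administrator who can manage RBAC.
$TaskAccount     = 'DOMAIN\svc-asaroll'   # hypothetical account that runs the scheduled task
$RoleGroup       = 'Kerberos ASA Updates' # role group name used in the thread
$Roles           = 'Exchange Servers', 'Organization Client Access', 'Organization Configuration'
$RequiredCmdlets = 'Get-ClientAccessArray', 'Get-ExchangeServer'  # cmdlets named in the failed log

# Create the narrowly scoped role group only if it does not exist yet.
if (-not (Get-RoleGroup -Identity $RoleGroup -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $RoleGroup -Roles $Roles -Members $TaskAccount | Out-Null
}

function Test-RbacCmdletAccess {
    param(
        [Parameter(Mandatory = $true)][string]   $Assignee,
        [Parameter(Mandatory = $true)][string[]] $Cmdlet
    )
    # Effective assignments (direct and through role groups), excluding
    # delegating-only and disabled ones, reduced to a unique list of role names.
    $assigned = @(Get-ManagementRoleAssignment -RoleAssignee $Assignee -Delegating $false -Enabled $true |
        ForEach-Object { "$($_.Role)" } | Sort-Object -Unique)

    foreach ($name in $Cmdlet) {
        # RBAC only loads a cmdlet into the session if an assigned role has an entry for it;
        # otherwise PowerShell reports the cmdlet as "not recognized".
        $granting = @($assigned | Where-Object {
            Get-ManagementRoleEntry -Identity "$_\$name" -ErrorAction SilentlyContinue
        })
        New-Object PSObject -Property @{
            Cmdlet    = $name
            Allowed   = ($granting.Count -gt 0)
            GrantedBy = ($granting -join ', ')
        }
    }
}

$result = @(Test-RbacCmdletAccess -Assignee $TaskAccount -Cmdlet $RequiredCmdlets)
$result | Format-Table Cmdlet, Allowed, GrantedBy -AutoSize

# Fail loudly before the scheduled task does.
$missing = @($result | Where-Object { -not $_.Allowed })
if ($missing.Count -gt 0) {
    Write-Error ("Task account lacks RBAC access to: " + (($missing | ForEach-Object { $_.Cmdlet }) -join ', '))
}
```

Role group membership is evaluated when the remote Exchange session is created, so the task account only sees newly granted cmdlets in a session opened after the change.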
