What personal retention tag is applied to folders

I am trying to use the code below to view the retention tags applied to folders in a given user's mailbox:

http://blogs.msdn.com/b/akashb/archive/2013/06/14/generating-a-report-which-folders-have-a-personal-tag-applied-to-it-using-ews-managed-api-from-powershell-exchange-2010.aspx

My environment:

2 x Exchange 2010 SP3 RU8v2 servers with CA, MB and HT roles. They are in a DAG.

1 x KEMP VLM-200 load balancer.

I downloaded and installed the EWS managed API:

http://www.microsoft.com/en-us/download/confirmation.aspx?id=35371

And I have seen what seems like every imaginable error message:

- The response received from the service didn't contain valid XML.

--> So I changed DNS so the URI in the script would connect directly to one of the two Exchange servers - and not the KEMP. Other solutions did not seem to work. This is a test env so I can "mess" with DNS.

- The request failed. The remote server returned an error: (403) Forbidden.

--> I think I solved this by adding https to the URI (the s in https was missing).

- The request failed. The remote server returned an error: (401) Unauthorized.

--> Not sure what I did here anymore (this has been taking me literally hours). But this error was replaced with the following:

- The account does not have permission to impersonate the requested user.

--> I was able to apparently solve this by granting a brand new user (not member of any admin groups with Deny permissions) the permissions described in this article:

https://msdn.microsoft.com/en-us/library/bb204095%28v=exchg.80%29.aspx

Even though that is for Exchange 2007 and I have 2010.

That seemed to work because that error message no longer appears but... now this one appears again:

- The request failed. The remote server returned an error: (401) Unauthorized.

I've tried after granting the new user full permissions to the mailbox in question, and without those permissions.

----------------------------------------------

So in the end, I'm going in circles and I don't know how to make this work.

How can I see WHY the user is not authorized?

Does the user have to be a member of specific groups? I intentionally did NOT add them to any admin type groups because of what was stated in the MSDN article on impersonation (some admin groups have DENY permissions on user mailboxes).

February 15th, 2015 11:12pm

These are the only lines of the code I have edited:

# Set the Credentials (user, password, domain)
$service.Credentials = new-object Microsoft.Exchange.WebServices.Data.WebCredentials("newuser1","Passwordabc123","mydomain.lan")

# Change the URL to point to your CAS server (the URL string must be quoted)
$service.Url = new-object Uri("https://mail.mydomain.net/EWS/Exchange.asmx")

I have also tried:

$service.Credentials = new-object Microsoft.Exchange.WebServices.Data.WebCredentials("newuser1@mydomain.lan","Passwordabc123")

Yes, I have mydomain.lan (original domain name) and mydomain.net (for email).

For better or worse, newuser1 is only a member of domain users (but currently has full access permissions to target mailbox).

February 15th, 2015 11:37pm

Here's the 2010 version of the permissions article: https://msdn.microsoft.com/en-us/library/bb204095(v=exchg.140).aspx. You need to create the management role and assign it to your service account.


February 16th, 2015 6:19pm

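Added example (not from the thread or the linked articles) of what "create the management role and assign it to your service account" looks like in the Exchange Management Shell, with the scoping a practitioner would want: an unscoped ApplicationImpersonation assignment lets the account impersonate every mailbox in the organization, so the assignment is bound to a custom recipient scope and then verified. The account name "svc-retention", the group "RetentionReportTargets" and the domain DN are assumed placeholders.

```powershell
# Added example; run in the Exchange Management Shell on an Exchange 2010 server.
# Assumed placeholders: service account "svc-retention" (a plain Domain Users member),
# distribution group "RetentionReportTargets" containing the mailboxes to report on.

# 1. Limit the blast radius: a recipient scope restricts which mailboxes
#    the impersonation right applies to. Without it the role covers every mailbox.
New-ManagementScope -Name "RetentionReportMailboxes" `
    -RecipientRestrictionFilter { MemberOfGroup -eq "CN=RetentionReportTargets,OU=Groups,DC=mydomain,DC=lan" }

# 2. Assign ApplicationImpersonation to the service account, bound to that scope.
New-ManagementRoleAssignment -Name "View_Retention_Tag" `
    -Role "ApplicationImpersonation" `
    -User "svc-retention" `
    -CustomRecipientWriteScope "RetentionReportMailboxes"

# 3. Verify what the account actually holds. Check this before touching the client script.
Get-ManagementRoleAssignment -RoleAssignee "svc-retention" |
    Format-Table Name, Role, RecipientWriteScope, CustomRecipientWriteScope -AutoSize

# 4. Preview which recipients the scope resolves to, so the report cannot silently
#    reach mailboxes outside the intended set.
Get-Recipient -RecipientPreviewFilter (Get-ManagementScope "RetentionReportMailboxes").RecipientFilter
```

Two points worth keeping in mind when reading the errors quoted earlier in the thread: a role assignment fixes the "does not have permission to impersonate the requested user" fault, which is returned by EWS after authentication succeeded; an HTTP 401 is rejected by IIS before EWS ever evaluates impersonation, so it points at the credentials or the authentication methods enabled on the EWS virtual directory, not at the role. Scoped assignments are also the right shape for audit: the scope name shows up in Get-ManagementRoleAssignment output, so anyone reviewing the tenant can see exactly what the service account may read.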

Thanks, but when I attempt to open the page, this message is displayed:

Server Error in '/' Application.

February 17th, 2015 2:17pm

Gah. Silly editor included the ending '.'. I've edited the previous answer to fix the link.
February 17th, 2015 2:52pm

Thanks. I'll take a look at that this weekend. Will let you know how it works.
February 19th, 2015 5:13am

New-ManagementRoleAssignment -Name View_Retention_Tag -Role:ApplicationImpersonation -User:abc

I entered that command, granting the Application Impersonation role to user "abc".

And I'm still getting the same "(401) Unauthorized" error.

So what do I need to do to make this work?

Shouldn't "abc" now be able to access users' mailboxes to list the retention tag assignments per folder, using the script referenced in my first

February 22nd, 2015 9:43pm

Just a note, I've tried with user "abc" having Full Permissions to the target mailbox... and without.

Not sure what to do next?

February 22nd, 2015 9:51pm
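Added example of the client side, written for this thread rather than taken from the linked blog post: it builds the EWS connection the way the thread's snippets attempt to, but quotes the URL, prompts for the password instead of embedding it, requests impersonation explicitly (a role assignment alone changes nothing until the request carries an ImpersonatedUserId), turns on HTTP header tracing so a 401 shows which authentication scheme IIS offered and rejected, and then lists each folder with the retention tag GUID stored in PR_POLICY_TAG. The DLL path, account "svc-retention", and mailbox "user1@mydomain.net" are assumed placeholders.

```powershell
# Added example; assumes the EWS Managed API 2.0 is installed at the default path.
Add-Type -Path "C:\Program Files\Microsoft\Exchange\Web Services\2.0\Microsoft.Exchange.WebServices.dll"

$service = New-Object Microsoft.Exchange.WebServices.Data.ExchangeService(
    [Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2010_SP2)

# Prompt for the service account password rather than storing it in the script.
# Assumed account: mydomain.lan\svc-retention (DOMAIN\user form avoids UPN/realm mismatches).
$cred = Get-Credential "mydomain.lan\svc-retention"
$service.Credentials = New-Object Microsoft.Exchange.WebServices.Data.WebCredentials($cred.GetNetworkCredential())

# The URL must be a quoted string; an unquoted https://... is a PowerShell parse error.
$service.Url = New-Object Uri("https://mail.mydomain.net/EWS/Exchange.asmx")

# Impersonate the target mailbox explicitly. Assumed target: user1@mydomain.net.
$service.ImpersonatedUserId = New-Object Microsoft.Exchange.WebServices.Data.ImpersonatedUserId(
    [Microsoft.Exchange.WebServices.Data.ConnectingIdType]::SmtpAddress, "user1@mydomain.net")

# Trace request/response HTTP headers: on a 401 the WWW-Authenticate header shows
# which schemes (Negotiate/NTLM/Basic) the EWS virtual directory is offering.
$service.TraceEnabled = $true
$service.TraceFlags = [Microsoft.Exchange.WebServices.Data.TraceFlags]::EwsRequestHttpHeaders -bor
                      [Microsoft.Exchange.WebServices.Data.TraceFlags]::EwsResponseHttpHeaders

# PR_POLICY_TAG (0x3019, binary) holds the GUID of the retention tag applied to a folder;
# it matches the RetentionId of a tag returned by Get-RetentionPolicyTag.
$policyTagProp = New-Object Microsoft.Exchange.WebServices.Data.ExtendedPropertyDefinition(
    0x3019, [Microsoft.Exchange.WebServices.Data.MapiPropertyType]::Binary)

$props = New-Object Microsoft.Exchange.WebServices.Data.PropertySet(
    [Microsoft.Exchange.WebServices.Data.BasePropertySet]::IdOnly)
$props.Add([Microsoft.Exchange.WebServices.Data.FolderSchema]::DisplayName)
$props.Add($policyTagProp)

$view = New-Object Microsoft.Exchange.WebServices.Data.FolderView(1000)
$view.Traversal = [Microsoft.Exchange.WebServices.Data.FolderTraversal]::Deep
$view.PropertySet = $props

$rootId = New-Object Microsoft.Exchange.WebServices.Data.FolderId(
    [Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::MsgFolderRoot)

# Any 401 or impersonation fault surfaces here, with the traced headers printed first.
$result = $service.FindFolders($rootId, $view)

foreach ($folder in $result.Folders) {
    $tagBytes = $null
    if ($folder.TryGetProperty($policyTagProp, [ref]$tagBytes)) {
        # Folder has an explicit (personal) tag; decode the 16-byte GUID.
        $tagGuid = New-Object Guid(,[byte[]]$tagBytes)
        "{0}`t{1}" -f $folder.DisplayName, $tagGuid
    } else {
        # No explicit tag: the folder inherits from its parent / the default policy tag.
        "{0}`t(inherited)" -f $folder.DisplayName
    }
}
```

Once the folder list comes back, the GUIDs can be matched to names with Get-RetentionPolicyTag | Select Name, RetentionId in the Exchange Management Shell. If the call still fails with 401 after this, the traced WWW-Authenticate header is the thing to compare against the authentication settings of the EWS virtual directory (Get-WebServicesVirtualDirectory), because at that point the request has not yet reached the code that checks the ApplicationImpersonation assignment.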
