I am trying to use the code below to view the retention tags applied to folders in a given user's mailbox:
http://blogs.msdn.com/b/akashb/archive/2013/06/14/generating-a-report-which-folders-have-a-personal-tag-applied-to-it-using-ews-managed-api-from-powershell-exchange-2010.aspx
My environment:
2 x Exchange 2010 SP3 RU8v2 servers with CA, MB and HT roles. They are in a DAG.
1 x KEMP VLM-200 load balancer.
I downloaded and installed the EWS managed API:
http://www.microsoft.com/en-us/download/confirmation.aspx?id=35371
And I have seen what seems like every imaginable error message:
- The response received from the service didn't contain valid XML.
--> So I changed DNS so the URI in the script would connect directly to one of the two Exchange servers - and not the KEMP. Other solutions did not seem to work. This is a test env so I can "mess" with DNS.
- The request failed. The remote server returned an error: (403) Forbidden.
--> I think I solved this by adding https to the URI (the s in https was missing).
- The request failed. The remote server returned an error: (401) Unauthorized.
--> Not sure what I did here anymore (this has been taking me literally hours). But this error was replaced with the following:
- The account does not have permission to impersonate the requested user.
--> I was able to apparently solve this by granting a brand new user (not a member of any admin groups with Deny permissions) the permissions described in this article:
https://msdn.microsoft.com/en-us/library/bb204095%28v=exchg.80%29.aspx
Even though that is for Exchange 2007 and I have 2010.
That seemed to work because that error message no longer appears, but... now this one appears again:
- The request failed. The remote server returned an error: (401) Unauthorized.
I've tried after granting the new user full permissions to the mailbox in question, and without those permissions.
----------------------------------------------
So in the end, I'm going in circles and I don't know how to make this work.
How can I see WHY the user is not authorized?
Does the user have to be a member of specific groups? I intentionally did NOT add them to any admin-type groups because of what was stated in the MSDN article on impersonation (some admin groups have DENY permissions on user mailboxes).
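An added PowerShell example (not the asker's script and not the code from the linked blog post) that makes the same EWS impersonation connection with request/response header tracing switched on, so the reason for a 401 can be read from the headers the server actually returns, and then lists the retention tag GUID stamped on each folder. The DLL path, CAS URL, service account and mailbox address are placeholders.

```powershell
# Added example, not the asker's script or the linked blog's code. The DLL path,
# CAS URL, service account and mailbox below are assumed placeholders.
Add-Type -Path "C:\Program Files\Microsoft\Exchange\Web Services\2.0\Microsoft.Exchange.WebServices.dll"

$ewsUrl  = "https://cas01.contoso.example/EWS/Exchange.asmx"  # https, aimed at one CAS
$mailbox = "alice@contoso.example"                            # mailbox whose folders are read
$cred    = Get-Credential "CONTOSO\svc-ews"                   # account that should hold ApplicationImpersonation

$service = New-Object Microsoft.Exchange.WebServices.Data.ExchangeService([Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2010_SP2)
$service.Url = New-Object System.Uri($ewsUrl)
$service.Credentials = New-Object Microsoft.Exchange.WebServices.Data.WebCredentials($cred.GetNetworkCredential())

# Trace the HTTP headers of every request and response. On a 401 the WWW-Authenticate
# header shows which schemes (Negotiate/NTLM/Basic) the EWS virtual directory offered,
# which is what separates a credential/auth-scheme problem from an impersonation-rights
# problem. The default trace listener writes to the console.
$service.TraceEnabled = $true
$service.TraceFlags = [Microsoft.Exchange.WebServices.Data.TraceFlags]::EwsRequestHttpHeaders -bor [Microsoft.Exchange.WebServices.Data.TraceFlags]::EwsResponseHttpHeaders

$service.ImpersonatedUserId = New-Object Microsoft.Exchange.WebServices.Data.ImpersonatedUserId([Microsoft.Exchange.WebServices.Data.ConnectingIdType]::SmtpAddress, $mailbox)

# PR_POLICY_TAG (MAPI property 0x3019, binary) carries the GUID of the retention tag
# explicitly applied to a folder; folders without it carry no tag of their own.
$policyTag = New-Object Microsoft.Exchange.WebServices.Data.ExtendedPropertyDefinition(0x3019, [Microsoft.Exchange.WebServices.Data.MapiPropertyType]::Binary)
$view = New-Object Microsoft.Exchange.WebServices.Data.FolderView(500)   # first 500 folders only
$view.Traversal = [Microsoft.Exchange.WebServices.Data.FolderTraversal]::Deep
$view.PropertySet = New-Object Microsoft.Exchange.WebServices.Data.PropertySet([Microsoft.Exchange.WebServices.Data.BasePropertySet]::FirstClassProperties)
$view.PropertySet.Add($policyTag)

try {
    $root = [Microsoft.Exchange.WebServices.Data.Folder]::Bind($service, [Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::MsgFolderRoot)
    foreach ($folder in $root.FindFolders($view)) {
        $raw = $null
        $tag = "(none)"
        if ($folder.TryGetProperty($policyTag, [ref]$raw)) {
            $tag = New-Object System.Guid -ArgumentList @(,[byte[]]$raw)   # GUID == RetentionId of the tag
        }
        "{0,-40} {1}" -f $folder.DisplayName, $tag
    }
}
catch [Microsoft.Exchange.WebServices.Data.ServiceResponseException] {
    # Credentials were accepted but EWS refused the operation; ErrorImpersonateUserDenied
    # here means the service account lacks impersonation rights over this mailbox.
    Write-Warning ("EWS error {0}: {1}" -f $_.Exception.ErrorCode, $_.Exception.Message)
}
catch [Microsoft.Exchange.WebServices.Data.ServiceRequestException] {
    # 401/403 are rejected before EWS runs; the traced response headers above show
    # which server answered and which authentication schemes it offered.
    Write-Warning $_.Exception.Message
    if ($_.Exception.InnerException) { Write-Warning $_.Exception.InnerException.Message }
}
```

On Exchange 2010 the impersonation right is an RBAC assignment (`New-ManagementRoleAssignment -Role ApplicationImpersonation -User svc-ews`), not the per-object ms-Exch-EPI-Impersonation ACEs from the Exchange 2007 article. The GUIDs printed can be resolved to tag names with `Get-RetentionPolicyTag`, whose RetentionId is the same value.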