Channel: Exchange Server Development forum

What personal retention tag is applied to folders


I am trying to use the code below to view the retention tags applied to folders in a given user's mailbox:

http://blogs.msdn.com/b/akashb/archive/2013/06/14/generating-a-report-which-folders-have-a-personal-tag-applied-to-it-using-ews-managed-api-from-powershell-exchange-2010.aspx

My environment:

2 x Exchange 2010 SP3 RU8v2 servers with CA, MB and HT roles. They are in a DAG.

1 x KEMP VLM-200 load balancer.

I downloaded and installed the EWS managed API:

http://www.microsoft.com/en-us/download/confirmation.aspx?id=35371

And I have seen what seems like every imaginable error message:

- The response received from the service didn't contain valid XML.

--> So I changed DNS so the URI in the script would connect directly to one of the two Exchange servers - and not the KEMP. Other solutions did not seem to work. This is a test env so I can "mess" with DNS.

- The request failed. The remote server returned an error: (403) Forbidden.

--> I think I solved this by adding https to the URI (the s in https was missing).

- The request failed. The remote server returned an error: (401) Unauthorized.

--> Not sure what I did here anymore (this has been taking me literally hours). But this error was replaced with the following:

- The account does not have permission to impersonate the requested user.

--> I was apparently able to solve this by granting a brand new user (not a member of any admin groups with Deny permissions) the permissions described in this article:

https://msdn.microsoft.com/en-us/library/bb204095%28v=exchg.80%29.aspx

Even though that is for Exchange 2007 and I have 2010.

That seemed to work because that error message no longer appears but... now this one appears again:

- The request failed. The remote server returned an error: (401) Unauthorized.

I've tried after granting the new user full permissions to the mailbox in question and without those permissions.

----------------------------------------------

So in the end, I'm going in circles and I don't know how to make this work.

How can I see WHY the user is not authorized?

Does the user have to be a member of specific groups? I intentionally did NOT add them to any admin type groups because of what was stated in the MSDN article on impersonation (some admin groups have DENY permissions on user mailboxes).


Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.
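
One way to narrow down the 401 asked about above, as an added example that is not part of the original post or of the linked script. The host name `cas01.example.test` and the function name `Get-EwsAuthResult` are assumptions made for illustration; step 3 relies on Exchange 2010 assigning impersonation rights through the RBAC role `ApplicationImpersonation`.

```powershell
# Added example. The URL is a constructed placeholder; point it at the same
# EWS endpoint the script uses (here: one CAS server directly, not the load balancer).
$EwsUrl = 'https://cas01.example.test/EWS/Exchange.asmx'

function Get-EwsAuthResult {
    param(
        [Parameter(Mandatory = $true)][string]$Url,
        [System.Management.Automation.PSCredential]$Credential
    )
    $req = [System.Net.HttpWebRequest][System.Net.WebRequest]::Create($Url)
    $req.Method = 'GET'
    $req.AllowAutoRedirect = $false
    if ($Credential) { $req.Credentials = $Credential.GetNetworkCredential() }

    $resp = $null
    try {
        $resp = $req.GetResponse()
    } catch {
        # .NET raises WebException for 4xx/5xx; PowerShell may wrap it, so unwrap.
        $ex = $_.Exception
        while ($ex -and -not ($ex -is [System.Net.WebException])) { $ex = $ex.InnerException }
        if (-not $ex -or -not $ex.Response) { throw }   # DNS/TLS/connect failure, no HTTP reply
        $resp = $ex.Response
    }
    try {
        New-Object PSObject -Property @{
            Url        = $Url
            Status     = [int]$resp.StatusCode
            Server     = $resp.Headers['Server']
            # Authentication schemes the server offers (Negotiate, NTLM, Basic ...)
            Challenges = @($resp.Headers.GetValues('WWW-Authenticate'))
        }
    } finally { $resp.Close() }
}

# 1. Anonymous probe: which authentication schemes does the endpoint offer?
Get-EwsAuthResult -Url $EwsUrl
# 2. Same probe with the service account. A 401 here cannot be an impersonation
#    problem, because this request carries no impersonation header at all.
Get-EwsAuthResult -Url $EwsUrl -Credential (Get-Credential)

# 3. In the Exchange Management Shell: who effectively holds the impersonation role?
if (Get-Command Get-ManagementRoleAssignment -ErrorAction SilentlyContinue) {
    Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers |
        Select-Object Name, EffectiveUserName, RoleAssigneeName, CustomRecipientWriteScope
}
```

For the request that returned 401, the `sc-status`, `sc-substatus` and `sc-win32-status` fields in the IIS log on the Client Access server record the reason IIS refused it.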


