adding a mailbox in powershell, permission denied - powershell

I am trying to add one single mailbox on Exchange 2013 via PowerShell and getting an 'access denied' error.
PS C:\Software> Enable-Mailbox -Identity AreallyTest
Enable-Mailbox : Unable to generate the e-mail address. Unable to load address module 'X:\Exchange\Mailbox\address\SMTP\AMD64\inproxy.dll' for address type
'SMTP'. Additional message: 'Access is denied'.
At line:1 char:1
+ Enable-Mailbox -Identity AreallyTest
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Enable-Mailbox], RusException
+ FullyQualifiedErrorId : [Server=EXCH01,RequestId=cfea9121-4f0a-41f4-84e9 -2489f3228410,TimeStamp=10/13/2014 8:06:33 AM] [FailureCategory=Cmdlet-Rus Exception] 593F2A65,Microsoft.Exchange.Management.RecipientTasks.EnableMaiLbox
The user does exist.
How do I get around this?

Windows domain naming is where you are in error.
Add the NetBios domain as a prefix like this:
Enable-Mailbox -Identity domain\AreallyTest

You have to run the command in an elevated console (run as admin).

Related

PowerShell 5.1 What is wrong with my New-PSSession syntax

Environment:
PowerShell 5.1
Windows 2016 Standard
Windows 10 Pro
Just asking here if syntax is fundamentally correct...
$hostSession = New-PSSession -ComputerName $hostName -Credential $cred
$versionFolder = "c:\temp"
$sspLatestVer = Invoke-Command -Session $hostSession -ScriptBlock { param($path) (Get-ChildItem $path | Sort-Object LastWriteTime -Descending | Select-Object -First 1).Name } -ArgumentList $versionFolder
Update:
The following works on one machine but not on another:
$versionFolder = "\\COMPUTER01\c$\temp"
$sspLatestVer = (Get-ChildItem $versionFolder | Sort-Object LastWriteTime -Descending | Select-Object -First 1).Name
Error Message for machine that doesn't work
Get-ChildItem : Cannot find path '\\COMPUTER01\c$\temp' because it does not exist.
At C:\temp\candidate2.ps1:24 char:18
+ $sspLatestVer = (Get-ChildItem $versionFolder | Sort-Object LastWrite ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (\\COMPUTER01\c$\temp:String) [Get-ChildItem], ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetChildItemCommand
OP Error Message:
New-PSSession : [COMPUTER01] Connecting to remote server COMPUTER01 failed with the following error message : WinRM cannot process the request. The following error with errorcode 0x80090311 occurred while using
Kerberos authentication: We can't sign you in with this credential because your domain isn't available. Make sure your device is connected to your organization's network and try again. If you previously signed in on
this device with another credential, you can sign in with that credential.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
At C:\Users\RSTEST\Documents\candidate2.ps1:17 char:16
+ ... hostSession = New-PSSession -ComputerName $hostName -Credential $cred
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotingTransportException
+ FullyQualifiedErrorId : AuthenticationFailed,PSSessionOpenFailed
Invoke-Command : Cannot validate argument on parameter 'Session'. The argument is null or empty. Provide an argument that is not null or empty, and then try the command again.
At C:\Users\RSTEST\Documents\candidate2.ps1:19 char:41
+ $sspLatestVer = Invoke-Command -Session $hostSession -ScriptBlock { p ...
+ ~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Invoke-Command], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.PowerShell.Commands.InvokeCommandCommand
Remove-PSSession : Cannot validate argument on parameter 'Name'. The argument is null or empty. Provide an argument that is not null or empty, and then try the command again.
At C:\Users\RSTEST\Documents\candidate2.ps1:20 char:24
+ Remove-PSSession -Name $hostSession
+ ~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Remove-PSSession], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.PowerShell.Commands.RemovePSSessionCommand
Two issues here:
First, see WinRM cannot process the request. Error 0x80090311
If the remote system is in the same domain, and you are already logged in with a domain account that is an administrator on that system, then there would be no need to specify a credential for New-PSSession.
If the systems are in different forests that have a trust with each other, note that there is a need to use the fully qualified domain name (FQDN) of the remote host for Kerberos authentication to function correctly.
Second, regarding:
$versionFolder = "\\COMPUTER01\c$\temp"
Note that remote sessions normally do not have access to network shares, even when presumably running under the credentials of an administrative user.
This is known as the "second hop problem". There have been various posts about it:
https://learn.microsoft.com/en-us/powershell/scripting/learn/remoting/ps-remoting-second-hop?view=powershell-5.1
https://devblogs.microsoft.com/scripting/enable-powershell-second-hop-functionality-with-credssp/
This may work from COMPUTER01 itself, since it could be aliased to local drive access.
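The two points in the answer above, as an added example that is not part of the original post: the session is opened by FQDN and checked before use, and the share is reached by handing the credential to the remote session explicitly, one of the approaches described in the linked Microsoft second-hop article. The host name, share path and drive name are placeholders, and the credential is exposed to the remote host, so this assumes that host is trusted.

```powershell
# Added example. Host, share and drive names below are placeholders, not values from the post.
$hostName  = 'COMPUTER01.corp.example.com'           # FQDN, so Kerberos can match the SPN across a trust
$sharePath = '\\FILESRV01.corp.example.com\builds'   # hypothetical share on a third machine (the second hop)
$cred      = Get-Credential

# Stop on a failed connection instead of passing a null session to later cmdlets.
try {
    $hostSession = New-PSSession -ComputerName $hostName -Credential $cred -ErrorAction Stop
}
catch {
    Write-Error "Could not open a session to ${hostName}: $($_.Exception.Message)"
    return
}

try {
    # First hop only: a path local to the remote host needs no delegation.
    $localLatest = Invoke-Command -Session $hostSession -ScriptBlock {
        param($path)
        (Get-ChildItem -Path $path |
            Sort-Object LastWriteTime -Descending |
            Select-Object -First 1).Name
    } -ArgumentList 'C:\temp'

    # Second hop: the remote session has no delegable credential of its own,
    # so pass one in and map a temporary drive with it.
    $shareLatest = Invoke-Command -Session $hostSession -ScriptBlock {
        $null = New-PSDrive -Name Hop2 -PSProvider FileSystem -Root $using:sharePath `
            -Credential $using:cred -ErrorAction Stop
        try {
            (Get-ChildItem -Path 'Hop2:\' |
                Sort-Object LastWriteTime -Descending |
                Select-Object -First 1).Name
        }
        finally {
            Remove-PSDrive -Name Hop2
        }
    }

    [pscustomobject]@{ LocalLatest = $localLatest; ShareLatest = $shareLatest }
}
finally {
    # -Session takes the session object; -Name expects a session name string.
    Remove-PSSession -Session $hostSession
}
```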

Grant-CsTeamsAppPermissionPolicy not working in microsoft teams powershell

I am trying to apply a permission policy to a user via PowerShell, but it is not working.
PS C:\Users\PO30261> Grant-CsTeamsAppPermissionPolicy -PolicyName "HR App Policy" -Identity d72f6b50-ac75-470a-80b8-919ab8b3232e
Get-CsOnlineSession : Connecting to remote server api.interfaces.records.teams.microsoft.com failed with the following error message : The WinRM client cannot process the request. Basic
authentication is currently disabled in the client configuration. Change the client configuration and try the request again. For more information, see the about_Remote_Troubleshooting Help
topic.
At C:\Program Files\WindowsPowerShell\Modules\MicrosoftTeams\2.3.1\net472\SfBORemotePowershellModule.psm1:63 char:22
$remoteSession = & (Get-CsOnlineSessionCommand)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
CategoryInfo : NotSpecified: (:) [Get-CsOnlineSession], PSRemotingTransportException
FullyQualifiedErrorId : PSRemotingTransportException,Microsoft.Teams.ConfigApi.Cmdlets.GetCsOnlineSession
Invoke-Command : Cannot validate argument on parameter 'Session'. The argument is null or empty. Provide an argument that is not null or empty, and then try the command again.
At C:\Program Files\WindowsPowerShell\Modules\MicrosoftTeams\2.3.1\net472\SfBORemotePowershellModule.psm1:19581 char:38
... -Session (Get-PSImplicitRemotingSession -CommandName 'Grant-CsTeam ...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
CategoryInfo : InvalidData: (:) [Invoke-Command], ParentContainsErrorRecordException
FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.PowerShell.Commands.InvokeCommandCommand
The error shows that the issue is not related to applying the policy. The issue is with connecting to the server: "Basic authentication is currently disabled in the client configuration". So update the module and try again:
Update-Module MicrosoftTeams
Seems like a problem with the PowerShell version. Look at this discussion where the community is following this issue, including me:
https://techcommunity.microsoft.com/t5/teams-developer/authenticating-with-an-access-token-connect-microsoftteams/m-p/2233794

Suddenly getting "Unable to get Lros Token." when running Powershell commands

So I've been using Powershell for a while with our Microsoft 365 environment with no major issues.
I'm specifically using the SkypeOnlineConnector to manage our Teams Direct Routing environment.
Today, suddenly out of nowhere, I've been encountering the following error when running the Grant-CsOnlineVoiceRoutingPolicy and Grant-CsTenantDialPlan commands:
PS C:\Users\shvlzz> Grant-CsOnlineVoiceRoutingPolicy -Identity $upn -PolicyName $null
Unable to get Lros Token.
+ CategoryInfo : NotSpecified: (CN=495c9e16-e17...au1001,DC=local:OCSADUserOrAppContact) [Grant-CsOnlineVoiceRoutingPolicy], LrosClientErrorException
+ FullyQualifiedErrorId : GrantPolicy,Microsoft.Rtc.Management.Xds.GrantOnlineVoiceRoutingPolicyCmdlet
+ PSComputerName : adminau1.online.lync.com
PS C:\Users\shvlzz> Grant-CsTenantDialPlan -identity $upn -PolicyName $null
Unable to get Lros Token.
+ CategoryInfo : NotSpecified: (CN=495c9e16-e17...au1001,DC=local:OCSADUserOrAppContact) [Grant-CsOnlineVoiceRoutingPolicy], LrosClientErrorException
+ FullyQualifiedErrorId : GrantPolicy,Microsoft.Rtc.Management.Xds.GrantOnlineVoiceRoutingPolicyCmdlet
+ PSComputerName : adminau1.online.lync.com
I've tried with a real PolicyName and it also fails with same error:
PS C:\Users\shvlzz> Grant-CsOnlineVoiceRoutingPolicy -Identity $upn -PolicyName "NZ-Unrestricted"
Unable to get Lros Token.
+ CategoryInfo : NotSpecified: (CN=495c9e16-e17...au1001,DC=local:OCSADUserOrAppContact) [Grant-CsOnlineVoiceRoutingPolicy], LrosClientErrorException
+ FullyQualifiedErrorId : GrantPolicy,Microsoft.Rtc.Management.Xds.GrantOnlineVoiceRoutingPolicyCmdlet
+ PSComputerName : adminau1.online.lync.com
I've tried terminating and reestablishing the SkypeOnlineConnector session but the issue still occurs.
Get and Set commands are working properly.
I don't know what the error means so I can't properly troubleshoot to fix it.
I have tried Googling "Lros Token" but have come up empty. Even Google doesn't seem to know what it is.
Please help!
I'm getting the same error. I've raised a ticket with Microsoft support and waiting to see what they say.
I can confirm I was able to do the same changes via Admin Center and works as expected.
Happens for me also.
We've seen this across 9 Office 365 tenants.
We cannot grant CsClientPolicy, TeamsCallingPolicy, OnlineVoiceroutingPolicy.
E.g. Set-CsUser -EnterpriseVoiceEnabled works fine.
I'm filing a ticket with MS now.

powershell returned an error:(403) WebException using New-pnpList

I had my PS script running the other day and created a new list with a single field with no issues. Was able to view the list in the Site Contents lib.
Today, it's not working. I tried running the PS code below and then resorted to running the new-pnplist code at the command line...got the same error which is shown below.
I'm using the Global admin account. Using version 3.13.19 SharePointPNPPowerShellOnline. Executed the commands from Powershell ISE which is what I did the other day when it worked. And, I was able to connect successfully using the Connect-sposervice command.
Error:
new-pnplist -Template GenericList -Title 'TestPNP2'
new-pnplist : The remote server returned an error: (403) Forbidden.
At line:1 char:1
+ new-pnplist -Template GenericList -Title $ListName
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : WriteError: (:) [New-PnPList], WebException
+ FullyQualifiedErrorId : EXCEPTION,SharePointPnP.PowerShell.Commands.Lists.NewList
Code:
$TargetListURL="https://<my sharepoint.com>/sites/CKCDemo"
$ListName="TESTPNP2"
Connect-PnPOnline -url $TargetListURL -CurrentCredentials
New-PnPList -Template GenericList -Title $ListName
Add-PnPField -List $ListName -DisplayName "MyTEST" -InternalName "MyTEST" -Type Text -AddToDefaultView
Get-PnPList
Make sure you have enough permission to create a list in this site. You could try to go to the site directly and check whether you can create a list through the UI.
Note: A global admin will not automatically have access to individual sites unless explicitly granted.

How to add user to group, where group is present in another domain in same forest

I have two domains in two different Identity Source AMCITest.dell.com and AMCETest.usa.com. "AMCETest.usa.com" is a Tree Domain to the forest "AMCITest.dell.com". I have a user "sam" and a group "SID-GRP" in one domain i.e AMCITest.dell.com, the group is universal and another user "rohan" in AMCETest.usa.com.
I am trying to add ram in SID-GRP. I am unable to add through GUI.
I tried using the following command:
$AdminCredential = Get-Credential "AMCETest.usa.com\Administrator"
Add-ADGroupMember -Identity SID-GRP -Members AMCETest.usa.com\rohan -Credential $AdminCredential
but I am unable to, and I am getting the following error:
Add-ADGroupMember : Authentication failed on the remote side (the
stream might still be available for additional authentication
attempts). At line:1 char:1
+ Add-ADGroupMember -Identity SID-GRP -Members AMCETest.usa.com\rohan -Cred ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : SecurityError: (SID-GRP:ADGroup) [Add-ADGroupMember], AuthenticationException
+ FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.Security.Authentication.AuthenticationException,Microsoft.ActiveDirectory.Management.Commands.AddADGroupMember
If I am wrong in this, kindly suggest the way to add.
Any help is appreciated
Thanks,
Pratik