Thanks David, for coming back to us.
Yes, in my case everything looked dandy when I installed 2010, no errors. I have tried both with the Administrator (for domain, the install user) and another domain admin user account, both in the Organization Group. No access, same error. I've checked the USG groups in the domain with AD editor; they look fine to me. It's as if the security policies haven't been applied to the 2010 server; then again, this security strategy is new to me. If there is anything you want me to check, please say so.
Here is the full event log for the error:
(Process w3wp.exe, PID 11240) "RBAC authorization returns Access Denied for user <user>@domain.com. Reason: No valid and enabled role assignments for the specified user were found on Domain Controller s11.domain.local."
(repeated three times)
Error message in the EMC:
"The following error occurred when searching for On-Premises Exchange Server. [s15.domain.local] Processing data from remote server failed with the following error message: The user "domain\administrator" isn't assigned to any management roles. For more.... It was running "Discover-ExchangeServer -UseWIA $true -SuppressError $true"
(Btw, note to the Exchange team: it would be great if you could copy/paste the error messages from the EMC UI...)
Use Role-Based Access Control to manage access to your Azure subscription resources
Azure Role-Based Access Control (RBAC) enables fine-grained access management for Azure. Using RBAC, you can grant only the amount of access that users need to perform their jobs. This article helps you get up and running with RBAC in the Azure portal. If you want more details about how RBAC helps you manage access, see What is Role-Based Access Control.
Within each subscription, you can grant up to 2000 role assignments.
You can see who has access to a resource, resource group, or subscription from its main blade in the Azure portal. For example, we want to see who has access to one of our resource groups:
- Select Resource groups in the navigation bar on the left.
- Select the name of the resource group from the Resource groups blade.
- Select Access control (IAM) from the left menu.
The Access control blade lists all users, groups, and applications that have been granted access to the resource group.
Notice that some roles are scoped to This resource while others are Inherited from another scope. Access is either assigned specifically to the resource group or inherited from an assignment to the parent subscription.
Classic subscription admins and co-admins are considered owners of the subscription in the new RBAC model.
You grant access from within the resource, resource group, or subscription that is the scope of the role assignment.
- Select Add on the Access control blade.
- Select the role that you wish to assign from the Select a role blade.
- Select the user, group, or application in your directory that you wish to grant access to. You can search the directory with display names, email addresses, and object identifiers.
- Select OK to create the assignment. The Adding user popup tracks the progress.
After you successfully add a role assignment, it appears on the Users blade.
- Hover your cursor over the name of the assignment that you want to remove. A check box appears next to the name.
- Use the check boxes to select one or more role assignments.
- Select Remove.
- Select Yes to confirm the removal.
Inherited assignments cannot be removed. If you need to remove an inherited assignment, you need to do it at the scope where the role assignment was created. In the Scope column, next to Inherited there is a link that takes you to the resources where this role was assigned. Go to the resource listed there to remove the role assignment.
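The This resource / Inherited distinction can also be checked offline when reviewing an exported assignment list. The following is an added example, not code from the original article: the sample data is constructed in the shape of `az role assignment list --all` output, and the function name `effective_access` is hypothetical. It covers only the subscription, resource group, and resource scopes discussed here.

```python
import json

# Constructed sample shaped like `az role assignment list --all` output
# (fields principalName, roleDefinitionName, scope); every value is made up.
SAMPLE = json.loads("""[
 {"principalName": "alice@example.com", "roleDefinitionName": "Owner",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
 {"principalName": "bob@example.com", "roleDefinitionName": "Contributor",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app"},
 {"principalName": "carol@example.com", "roleDefinitionName": "Reader",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app2"},
 {"principalName": "dave@example.com", "roleDefinitionName": "Reader",
  "scope": "/Subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/RG-APP"}
]""")

def _segments(scope):
    # Azure resource IDs compare case-insensitively. Comparing whole path
    # segments keeps "rg-app" from being treated as a parent of "rg-app2".
    return [s.lower() for s in scope.split("/") if s]

def effective_access(assignments, target_scope):
    """Return the assignments that apply at target_scope, each marked
    'This resource' or 'Inherited', plus the scope where it can be removed."""
    target = _segments(target_scope)
    rows = []
    for a in assignments:
        seg = _segments(a["scope"])
        if seg == target:
            origin = "This resource"
        elif len(seg) < len(target) and target[:len(seg)] == seg:
            origin = "Inherited"  # assigned at a parent scope
        else:
            continue  # sibling or child scope: does not apply here
        rows.append({"principal": a["principalName"],
                     "role": a["roleDefinitionName"],
                     "origin": origin,
                     "remove_at": a["scope"]})
    return rows

if __name__ == "__main__":
    rg = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app"
    for r in effective_access(SAMPLE, rg):
        print(f'{r["principal"]:20} {r["role"]:12} {r["origin"]:14} {r["remove_at"]}')
```

The `remove_at` column is the scope to open when an inherited assignment has to be removed.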
Other tools to manage access
You can assign roles and manage access with Azure RBAC commands in tools other than the Azure portal. Follow the links to learn more about the prerequisites and get started with the Azure RBAC commands.