fbrugnara
Level 2
3 years ago

EVPM and Remote Powershell

Hi guys, I need some help understanding why EVPM fails on my remote PowerShell session.

When I launch the command directly on the server, it processes the mailboxes, but when I launch it over a remote PSSession I get:

Creating privileged MAPI session ...
Error (0x80072020) creating privileged MAPI session against Exchange Server xxx-xxx.xxx.local

This is how I create the session:

$evaultSession = New-PSSession -ConfigurationName Microsoft.PowerShell32 -ComputerName $evaultServer -Credential $evaultCredential

This is how I invoke the command:

Invoke-Command -Session $evaultSession -ScriptBlock{Invoke-Expression -Command $using:evaultMailboxDisableCommand}

This is how I create the command:

$evaultMailboxDisableCommand = '& "C:\Program Files (x86)\Enterprise Vault\EVPM.EXE" -e xxx.xxx.local -m "SMTP:xxx@xxx.local" -f ' + $evaultMailboxDisableINIPath+$evaultMailboxDisableINIFileName
# & "C:\Program Files (x86)\Enterprise Vault\EVPM.EXE" -e xxx.xxx.local -m "SMTP:svc-xxx@xxxlocal" -f C:\Temp\xxx.ini

This is my ini:

[Directory]
DirectoryComputerName = xxx.xxx.local
SiteName = xxxx

; Use the Distinguished Name of the mailbox to be zapped. You can get this by running the archiving task in report mode for that mailbox and viewing the resulting report.

[Mailbox]
DistinguishedName=/o=xxx/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=9195b4ff886c4b3186a49adaf522fa53-xxx
DistinguishedName=/o=xxx/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=xxx4c9
DistinguishedName=/o=xxx/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=77fb0facca1941f99c0b93b9dfe8fbb0-xxx
DistinguishedName=/o=xxx/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=xxx


[Folder]
Name = MailboxRoot
Enabled = False

 

Any help is appreciated.

  • Hi,

    I am unable to test at the moment, but I believe this is due to incorrect credentials. Even while using the $evaultCredential, I believe that an EVPM action still has to be executed while logged on as VSA. This has to do with a check on 'logged on user' as far as I know.

    If you create the ps command locally, and run it as VSA, it works. 

    Can you perhaps call the PS1 from the remote server, while logged on as VSA, and see if that works?

     

    • fbrugnara
      Level 2

      Hi,

      Thanks for the reply!

      Sorry for the ignorance, but what is VSA? I create the session as the service account under which enterprise was installed, which has the highest privileges possible on that server / enterprise vault. If I run the command on the evault server locally as that user it runs as expected. It only prints that error if I create a remote PS session as that user.

      BR

      Florian

      • GertjanA
        Moderator

        Ah, sorry, Vault Service Account (= VSA).

        Because the command runs correctly locally, the syntax is correct. The issue you have is with permissions. I am not 100% sure, but I believe what happens is the following: you log in on server A using your admin account. You run the PowerShell against the remote server B (with VSA credentials in it). Command fails. I believe it fails because on Server B, the command is run as YOU, not VSA.

        I am no PowerShell expert, but I would try next: set the EVPM command in a PS1 file, and check locally if that works. Then, below, you will have to check how to use the -credentials on these commands to be able to have them work as VSA.

        From remote machine, try running the command with:

        Invoke-Command -ComputerName EVSERVERNAME -ScriptBlock{ & "D:\Temp\Test.ps1"}

        If setting the EVPM command in PS1 does not work, enter it in a CMD, then try:

        Enter-PSSession -ComputerName EVSERVERNAME
        & "D:\Temp\Test.cmd"
        Exit-PSSession
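
The question in the last reply, which account the command actually runs as on the EV server, can be checked directly. The script below is an added example, not part of the original thread: it runs the same probe locally and inside a session created the way the original post creates it, and prints the identity, authentication type and logon type of each side. The `$probe` and `$session` names are made up for this example, `EVSERVERNAME` is the placeholder from the reply, and the user-name comparison assumes the credential is entered as DOMAIN\user.

```powershell
# Added example (not from the thread): compare the security context of the
# local console with that of the remote 32-bit PowerShell session.
$evaultServer     = 'EVSERVERNAME'   # placeholder used in the reply above
$evaultCredential = Get-Credential -Message 'Vault Service Account'

# Probe executed on each side; returns one object describing the caller.
$probe = {
    $id   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sids = @($id.Groups | ForEach-Object { $_.Value })
    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        User               = $id.Name
        AuthenticationType = $id.AuthenticationType
        ImpersonationLevel = $id.ImpersonationLevel
        NetworkLogon       = $sids -contains 'S-1-5-2'   # well-known SID: NETWORK
        InteractiveLogon   = $sids -contains 'S-1-5-4'   # well-known SID: INTERACTIVE
        Is64BitProcess     = [Environment]::Is64BitProcess
    }
}

# Same session parameters as in the original post.
$session = New-PSSession -ConfigurationName Microsoft.PowerShell32 `
                         -ComputerName $evaultServer -Credential $evaultCredential
try {
    $remote = Invoke-Command -Session $session -ScriptBlock $probe
}
finally {
    Remove-PSSession -Session $session
}
$local = & $probe

@($local, $remote) |
    Format-Table Computer, User, AuthenticationType, ImpersonationLevel,
                 NetworkLogon, InteractiveLogon, Is64BitProcess -AutoSize

# Assumption: credential was typed as DOMAIN\user, so compare the short names.
$expected = ($evaultCredential.UserName -split '\\')[-1]
$actual   = ($remote.User -split '\\')[-1]
if ($actual -ne $expected) {
    Write-Warning "Remote session runs as '$($remote.User)', not '$($evaultCredential.UserName)'."
}
```

Running `& $probe` in a console on the EV server where EVPM succeeds gives a third row to compare against the remote one.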