Exchange 2019 onprem: rights problems with Get-ExchangeDiagnosticInfo

TRÖSTER Joachim 6 Reputation points
2023-06-02T09:07:55.2966667+00:00
According to MS we need to use Get-ExchangeDiagnosticInfo to check Back Pressure. I want to automate that with a script running in task scheduler.
Understanding back pressure | Microsoft Learn

The user must have one of these roles:

Get-ManagementRole -Cmdlet Get-ExchangeDiagnosticInfo
Name                    RoleType
----                    --------
Support Diagnostics     SupportDiagnostics
View-Only Configuration ViewOnlyConfiguration
O365SupportViewConfig   O365SupportViewConfig

The User is in "View-Only Configuration" and for testing i made a new admin roll copying "View-Only Organization Management" and add "Support Diagnostics" to this new admin role.

When I use a user in "Organization Management" to check for back pressure, all is fine. But a user only in the roles I mentioned gets an error:

[xml]$bp=Get-ExchangeDiagnosticInfo -Server testserver -Process EdgeTransport -Component ResourceThrottling; $bp.Diagnostics.Components.ResourceThrottling.ResourceTracker.ResourceMeter 

The output is empty.
I checked the details:

PS C:\it\scripts\Exchange> $bp
Diagnostics
-----------
Diagnostics

So, we have some values. Lets go deeper:

PS C:\it\scripts\Exchange> $bp.Diagnostics | ft -wrap

error                            action                     message
-----                            ------                     -------
ProcessAccessManager RPC Error 5 Query registered processes Error 0x5 (Access is denied) from RunProcessCommand
                                                            EEInfo: ComputerName:
                                                            EEInfo: ProcessID: 14004
                                                            EEInfo: Generation Time: 6/2/2023 8:03:12 AM
                                                            EEInfo: Generating component: 2
                                                            EEInfo: Status: 0x00000005
                                                            EEInfo: Detection location: 1750
                                                            EEInfo: Flags: 0
                                                            EEInfo: NumberOfParameters: 1
                                                            EEInfo: prm[0]: Long: 5 (0x00000005)


I run the command on a member server with installed Exchange Shell, not directly on an Exchange server. That worked so far without any problems. The RPC error seems to point to a problem with this method, but an admin user can run the command the same way with no errors and output (example below). So what rights is my user missing to run it?

Resource            : PrivateBytes
CurrentResourceUse  : Low
PreviousResourceUse : Low
PressureTransitions : [PressureTransitions: MediumToHigh=75 HighToMedium=73 LowToMedium=72 MediumToLow=71]
Pressure            : 0

Resource            : SystemMemory
CurrentResourceUse  : Low
PreviousResourceUse : Low
PressureTransitions : [PressureTransitions: MediumToHigh=94 HighToMedium=89 LowToMedium=88 MediumToLow=84]
Pressure            : 42

Resource            : UsedVersionBuckets[C:\Program Files\Microsoft\Exchange
                      Server\V15\TransportRoles\data\Queue\mail.que]
CurrentResourceUse  : Low
PreviousResourceUse : Low
PressureTransitions : [PressureTransitions: MediumToHigh=1500 HighToMedium=1000 LowToMedium=999 MediumToLow=800]
Pressure            : 1

Resource            : JetSessions[C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\data\Queue\mail.que]
CurrentResourceUse  : Low
PreviousResourceUse : Low
PressureTransitions : [PressureTransitions: MediumToHigh=1500 HighToMedium=1400 LowToMedium=1000 MediumToLow=900]
Pressure            : 9

Resource            : CheckpointDepth[C:\Program Files\Microsoft\Exchange
                      Server\V15\TransportRoles\data\Queue\mail.que]
CurrentResourceUse  : Low
PreviousResourceUse : Low
PressureTransitions : [PressureTransitions: MediumToHigh=300 HighToMedium=280 LowToMedium=250 MediumToLow=230]
Pressure            : 0

Resource            : DatabaseUsedSpace[C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\data\Queue]
CurrentResourceUse  : Low
PreviousResourceUse : Low
PressureTransitions : [PressureTransitions: MediumToHigh=99 HighToMedium=97 LowToMedium=96 MediumToLow=94]
Pressure            : 55

Resource            : UsedDiskSpace[C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\data\Queue]
CurrentResourceUse  : Low
PreviousResourceUse : Low
PressureTransitions : [PressureTransitions: MediumToHigh=99 HighToMedium=94 LowToMedium=90 MediumToLow=88]
Pressure            : 56

Resource            : UsedDiskSpace[C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\data]
CurrentResourceUse  : Low
PreviousResourceUse : Low
PressureTransitions : [PressureTransitions: MediumToHigh=99 HighToMedium=94 LowToMedium=90 MediumToLow=88]
Pressure            : 56



Exchange Server
Exchange Server
A family of Microsoft client/server messaging and collaboration software.
1,180 questions
Exchange Server Management
Exchange Server Management
Exchange Server: A family of Microsoft client/server messaging and collaboration software.Management: The act or process of organizing, handling, directing or controlling something.
7,481 questions
0 comments No comments
{count} votes

5 answers

Sort by: Most helpful
  1. Dezhi Li-MSFT 780 Reputation points
    2023-06-05T09:25:07.32+00:00

    Hi @TRÖSTER Joachim

    You can try to add your user to the local administrator group, and then open EMS as an administrator to run Get-ExchangeDiagnosticInfo.

    下载

    Best Regards,

    Dezhi


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment". 
    Note: Please follow the steps in our documentation](https://aka.ms/msftqanotifications)"https://aka.ms/msftqanotifications)") to enable e-mail notifications if you want to receive the related email notification for this thread.   


  2. TRÖSTER Joachim 6 Reputation points
    2023-06-15T07:45:47.2333333+00:00

    Sadly adding the user to the local administrator group of the exchange server did not solve the problem. Same error as described above.

    0 comments No comments

  3. TRÖSTER Joachim 6 Reputation points
    2023-06-15T07:55:59.8633333+00:00

    I made another test and run the script directly on the exchange servers (without local admin rights).

    That worked. So the new question is: which rights does a user need to to execute "[xml]$bp=Get-ExchangeDiagnosticInfo -Server testserver -Process EdgeTransport -Component ResourceThrottling; $bp.Diagnostics.Components.ResourceThrottling.ResourceTracker.ResourceMeter" from a remote Exchange management shell.

    I don't have problems to execute other commands with this user, eg get mailbox infos. Only this one command gives me troubles.

    0 comments No comments

  4. TRÖSTER Joachim 6 Reputation points
    2023-06-20T07:42:23.65+00:00

    IT sadly got worse. After the tasked script ran for a few days on the exchange server directly, it has now the same error

    error action message


    ProcessAccessManager RPC Error 5 Query registered processes Error 0x5 (Access is denied) from RunProcessCommand ...

    Running the command as domain admin still works fine.
    Now I have no idea anymore.

    0 comments No comments

  5. TRÖSTER Joachim 6 Reputation points
    2023-06-20T09:51:34.87+00:00

    I give up now. It only works when the user is member of the admin role "organization management". I tried to add make a new admin role and assigned all kind of rule combinations, it does simply not work.

    Since a task user will never be assigned full rights in our exchange server, we simply cant monitor back pressure this way. Why Microsoft does not honor the assigned roles it explains to be needed for this command i really don't understand. It's the first time this happened and I use tasks and scripting a lot with exchange. Feels like a bug.

    0 comments No comments