
Article ID: 131104, created on Jul 4, 2017, last review on Jul 4, 2017

  • Applies to:
  • Operations Automation


A new Exchange infrastructure is deployed and new DAG nodes are being registered in OA. An attempt to install the package Exchange2013Mailstore displays no errors and no tasks fail, but the package is not installed. The following error is logged in wpe.log on the Windows Provisioning Server:

   ERROR   2017-06-28 16:51:33 (2700/2692): Processing data from remote server 13dag01 failed with the following error message: [AuthZRequestId=ff6ad24e-f441-4579-8224-645be260b27f][FailureCategory=AuthZ-CmdletAccessDeniedException] The user `exchange13.local/Users/pem_admin` isn't assigned to any management roles. For more information, see the about_Remote_Troubleshooting Help topic.

where exchange13.local is a new Active Directory (AD) domain deployed for the new Exchange set.


There is an existing Exchange set of an older version in OA, deployed in another AD domain. Since the new Exchange set is deployed in a new AD domain, exchange13.local, it has its own pem_admin service account in AD. Usually, when Exchange is deployed in OA, the user pem_admin is automatically added to all necessary AD groups. However, when additional Exchange infrastructure is deployed in a new AD domain, the user pem_admin is not added to the security group Organization Management.

This behavior has been recognized as software issue POA-111910: pem_admin domain user isn't added into required AD group automatically during Exchange deployment in a new AD.


As a workaround, please perform the following steps:

  1. Go to the domain controller of the reported AD domain (in this example, exchange13.local)
  2. Run the snap-in Active Directory Users and Computers
  3. Find the user pem_admin, open its properties and go to the Member Of tab
  4. Click Add and type the group name Organization Management, click OK
  5. On the properties page click OK to save changes.
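
The same change can be made and verified from PowerShell on the domain controller. This is an added example, not part of the original article; it assumes the ActiveDirectory module (RSAT) is installed and uses the domain, account and group names from the article as parameter defaults.

```powershell
#Requires -Modules ActiveDirectory
# Added example: check-then-add equivalent of the manual steps above.
# Run with -WhatIf to see the pending change without applying it.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$Domain  = 'exchange13.local',        # AD domain from the article's example
    [string]$Account = 'pem_admin',               # service account named in the wpe.log error
    [string]$Group   = 'Organization Management'  # group the account is missing from
)

$ErrorActionPreference = 'Stop'

# Resolve the account in the target domain; throws if it does not exist there.
$user = Get-ADUser -Identity $Account -Server $Domain

# Look the group up by name and require exactly one match before changing anything.
$target = @(Get-ADGroup -Filter "Name -eq '$Group'" -Server $Domain)
if ($target.Count -ne 1) {
    throw "Expected exactly one group named '$Group' in $Domain, found $($target.Count)."
}
$target = $target[0]

# Direct members only, matching what the Member Of tab shows for the user.
$members = Get-ADGroupMember -Identity $target -Server $Domain
if ($members.DistinguishedName -contains $user.DistinguishedName) {
    Write-Output "$Account is already a member of '$Group' in $Domain; no change made."
    return
}

if ($PSCmdlet.ShouldProcess($target.DistinguishedName, "Add member $($user.DistinguishedName)")) {
    Add-ADGroupMember -Identity $target -Members $user -Server $Domain

    # Re-read the membership so the result is confirmed rather than assumed.
    $members = Get-ADGroupMember -Identity $target -Server $Domain
    if ($members.DistinguishedName -notcontains $user.DistinguishedName) {
        throw "$Account was not found in '$Group' after the add operation."
    }
    Write-Output "$Account added to '$Group' in $Domain."
}
```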

To find out the status of software issue POA-111910, please contact your Technical Account Manager.
