2 Aug 2010
Exchange Trusted Subsystem
During past Exchange Server 2007 to Exchange Server 2010 migrations, I came across the following error message when we selected a Client Access Server in the Exchange Management Console: “An IIS directory entry couldn’t be created. The error message is Access is denied.”
After searching the Internet we found the following two links that provide a solution for the error:
- “Get-OWAVirtualDirectory Returns error 46C81F27”
- “Get-OWAVirtualDirectory returns “An IIS directory entry couldn’t be created. The error message is Access is denied.””
The cause was that the security group “Exchange Trusted Subsystem” was not a member of the local Administrators group on the servers running Exchange Server 2007, so the Exchange 2010 tools could not read the IIS configuration of those servers.
The Microsoft Exchange Team Blog article “Exchange 2007 Service Pack 2 Prerequisites” notes that this group is created during the Active Directory preparation phase and is added to the local Administrators group of each Exchange server when you install the service pack.
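To check and, where necessary, repair this membership on every Exchange 2007 server before opening the Exchange 2010 console again, the following script uses the ADSI WinNT provider. It is an added example for this post, not code from Microsoft or from the articles linked above; the server names and the domain name are hypothetical placeholders.

```powershell
# Added example (not part of the original post): make sure the "Exchange Trusted Subsystem"
# universal security group is a member of the local Administrators group on each
# Exchange 2007 server. Run from an elevated PowerShell session with rights on those servers.

# Hypothetical Exchange 2007 server names (replace with your own; in the Exchange
# Management Shell you could also use:
#   Get-ExchangeServer | Where-Object { $_.AdminDisplayVersion.Major -eq 8 })
$Servers   = @('EX2007-CAS01', 'EX2007-CAS02')

# Hypothetical NetBIOS domain name that holds the Exchange Trusted Subsystem group
$Domain    = 'CONTOSO'
$GroupName = 'Exchange Trusted Subsystem'

function Get-LocalAdminMembers {
    # Returns the ADsPath of every member of the local Administrators group,
    # e.g. "WinNT://CONTOSO/Exchange Trusted Subsystem"
    param([string]$ComputerName)
    $admins = [ADSI]"WinNT://$ComputerName/Administrators,group"
    @($admins.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    })
}

function Test-LocalAdminMember {
    # True when the domain group is already a direct member of local Administrators
    param([string]$ComputerName, [string]$DomainName, [string]$Account)
    $expected = "WinNT://$DomainName/$Account"
    (Get-LocalAdminMembers -ComputerName $ComputerName) -contains $expected
}

function Add-LocalAdminMember {
    # Adds the domain group to the local Administrators group of the target server
    param([string]$ComputerName, [string]$DomainName, [string]$Account)
    $admins = [ADSI]"WinNT://$ComputerName/Administrators,group"
    $admins.psbase.Invoke('Add', "WinNT://$DomainName/$Account,group")
}

foreach ($server in $Servers) {
    if (Test-LocalAdminMember -ComputerName $server -DomainName $Domain -Account $GroupName) {
        Write-Host "$server : '$GroupName' is already a member of local Administrators"
    }
    else {
        Write-Host "$server : '$GroupName' is missing from local Administrators, adding it"
        Add-LocalAdminMember -ComputerName $server -DomainName $Domain -Account $GroupName
    }
}

# Verify afterwards from the Exchange 2010 Management Shell, for example:
#   Get-OwaVirtualDirectory -Server EX2007-CAS01
# If the "Access is denied" error persists, close and reopen the console so that a
# fresh connection (and therefore a fresh access token) is built on the 2007 server.
```

Because membership of the local Administrators group is exactly what turns “allowed by RBAC” into “allowed on this server”, this membership is worth auditing on every Exchange server (and on a file server that hosts the File Share Witness) rather than only repairing it when the console fails: the script above reports the current state before it changes anything, so it can be run in read-only fashion by leaving out the `Add-LocalAdminMember` call.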
I was aware of the role this security group has if you host the File Share Witness on a file server and not on an Exchange Server. This is described in this blog article written by Tim McMichael. However, I was not aware of the relation between this group and Role Based Access Control (RBAC). The TechNet article “Understanding Split Permissions” contains the following section:
“If RBAC allows an action to proceed, the action is performed in the context of the Exchange Trusted Subsystem and not the user’s context. The Exchange Trusted Subsystem is a highly privileged universal security group (USG) that has read/write access to every Exchange-related object in the Exchange organization. It’s also a member of the Administrators local security group and the Exchange Windows Permissions USG, which enables Exchange to create and manage Active Directory objects.”
You can find additional information about this topic in the article “Exchange 2010 and the Exchange Trusted Subsystem” and especially in this excellent summary “Busting the Exchange Trusted Subsystem Myth” written by Devin Ganger.