While using Microsoft Outlook 2010, you may encounter the following error when accessing the Voice Mail options menu to modify your personal settings in the Exchange Control Panel (ECP):

ECP_Access_Denied

Additionally, the following two errors may appear in the Application Log of the Exchange 2010 Client Access Server located in the same Active Directory Site as the Unified Messaging server:

 
Log Name:       Application
Source:         MSExchange Configuration Cmdlet – Management Shell
Event ID:       17
Task Category:  RBAC
Level:          Error
Computer:       Ex2010CAS01.contoso.com
Description:
(Process w3wp.exe, PID 7080) “RBAC authorization returns Access Denied for user daveh@contoso.com.  Reason:  No role assignments associated with the specified user were found on Domain Controller CharlotteDC01.contoso.com.”


Log Name:       Application
Source:         MSExchange Control Panel
Event ID:       4
Task Category:  General
Level:          Error
Computer:       Ex2010CAS01.contoso.com
Description: 
Request for URL ‘https://mail.contoso.com/ecp/default.aspx?p=customize/voicemail.aspx&exsvurl=1’ failed with the following error:  Microsoft.Exchange.Configuration.Authorization.CmdletAccessDeniedException: The user “Contoso\daveh” isn’t assigned to any management roles.

 

These errors will be generated whenever an Active Directory user account has lost its association to an RBAC Role Assignment Policy.  In a default configuration, each Exchange 2010 mailbox user who is enabled for Unified Messaging will be automatically assigned to the ‘Default Role Assignment Policy’.  The RBAC Roles associated with this management policy are as follows:


MyBaseOptions
MyContactInformation
MyVoiceMail
MyTextMessaging
MyDistributionGroupMembership

 

To verify whether a given Active Directory user account is correctly associated with the ‘Default Role Assignment Policy’, use the Exchange Management Shell to enter the following command:


Get-Mailbox {username} | ft name,roleassignmentpolicy

missingroleassignment

 

If you find that the affected Active Directory user account is not correctly associated with the ‘Default Role Assignment Policy’, you may be able to resolve this issue by running the following command in the Exchange Management Shell:


Get-Mailbox {username} | Set-Mailbox –RoleAssignmentPolicy “Default Role Assignment Policy”

reassignpolicy

 

Upon re-associating the affected user to the Default Role Assignment Policy for RBAC, subsequent connection attempts to the Exchange Control Panel using Internet Explorer should be successful.

 

Hope this helps!


-- Dave