Here's the situation:
I've got a DC (called DomainSrv), an Exchange 2010 server (called MailSrv) and a management workstation (called Mgmt). Mgmt is running Windows 7 (64bit), DomainSrv and MailSrv both run Windows Server 2008 R2, both servers are virtual .
I log on to Mgmt with a domain admin account, open a command prompt as administrator and start Powershell.
In powershell I create a session to MailSrv ($MailServerSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUrihttp://MailSrv.Mydomain.Test) which I import (Import-PSSession $MailServerSession)
When I try to use Add-ADPermission I get an access denied error (SecErr: DSIS-031521D0, problem 4003). I realized that my domain admin account did not have remote desktop rights to MailSrv (being virtual this implies no interactive logon to the mail server for Domain Admins), when removing that limitation the Add-ADPermission command works correctly.
Can anyone explain this? (the aim is to reset the "no-interactive logon for domain admins" policy while keeping the possibility to use Add-ADPermission from my management workstation (Mgmt))
Kris.