I am able to access ECP, but some of my users cannot. They get the error "Sorry! Access denied
You don't have permission to open this page. If you're a new user or were recently assigned credentials, please wait 15 minutes and try again."
Application log shows "RBAC authorization returns Access Denied for user MYDOMAIN.local/Users/USER. Reason: No role assignments associated with the specified user were found on Domain Controller DC.MYDOMAIN.local".
So I ran "Get-Mailbox USER | ft Name,RoleAssignmentPolicy" and confirmed the users ARE in the Default Role Assignment Policy, just like mine is.
I ran "Set-Mailbox USER -ApplyMandatoryProperties" and it tells me the command completed successfully, but no settings have been modified.
This also shows in the application log "
Current user: 'MYDOMAIN\USER'
Request for URL 'https://mail.mydomain.com/ecp/default.aspx' failed with the following error:
Microsoft.Exchange.Configuration.Authorization.CmdletAccessDeniedException: The user "MYDOMAIN.local/Users/USER" isn't assigned to any management roles.
at Microsoft.Exchange.Configuration.Authorization.ExchangeRunspaceConfiguration.LoadRoleCmdletInfo(ADRawEntry user, ADRawEntry userToVerifyInScope, ADSystemConfigurationSession session, String organizationName, IList`1 roleTypeFilter, List`1 sortedRoleEntryFilter, List`1 implicitRoleIds, RoleFilteringMode roleFilteringMode, SerializedAccessToken securityAccessToken, Dictionary`2& userAllScopes, List`1& userAllRoleEntries, ReadOnlyCollection`1& userAllRoleTypes, ReadOnlyCollection`1& userAllRoleAssignments)
at Microsoft.Exchange.Configuration.Authorization.ExchangeRunspaceConfiguration.LoadRoleCmdletInfo(String organizationName, IList`1 roleTypeFilter, List`1 sortedRoleEntryFilter, IList`1 logonUserRequiredRoleTypes, List`1 implicitRoleIds)
at Microsoft.Exchange.Configuration.Authorization.ExchangeRunspaceConfiguration..ctor(IIdentity logonIdentity, IIdentity impersonatedIdentity, ExchangeRunspaceConfigurationSettings settings, IList`1 roleTypeFilter, List`1 sortedRoleEntryFilter, IList`1 logonUserRequiredRoleTypes, Boolean callerCheckedAccess)
at Microsoft.Exchange.Management.ControlPanel.RbacContext.<.ctor>b__5()
at Microsoft.Exchange.Data.Storage.LazilyInitialized`1.get_Value()
at Microsoft.Exchange.Data.Storage.LazilyInitialized`1.op_Implicit(LazilyInitialized`1 delayInitialized)
at Microsoft.Exchange.Management.ControlPanel.RbacSession..ctor(RbacContext context, SessionPerformanceCounters sessionPerfCounters, EsoSessionPerformanceCounters esoSessionPerfCounters)
at Microsoft.Exchange.Management.ControlPanel.StandardSession..ctor(RbacContext context)
at Microsoft.Exchange.Management.ControlPanel.StandardSession.Factory.CreateNewSession()
at Microsoft.Exchange.Management.ControlPanel.RbacSession.Factory.CreateSession()
at Microsoft.Exchange.Management.ControlPanel.RbacContext.CreateSession()
at Microsoft.Exchange.Management.ControlPanel.RbacSettings.CreateSession()
at Microsoft.Exchange.Management.ControlPanel.AuthenticationSettings..ctor(HttpContext context)
at Microsoft.Exchange.Management.ControlPanel.RbacModule.Application_PostAuthenticateRequest(Object sender, EventArgs e)
at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)"
Anyone know what to do to get these users access to ECP? Thanks in advance.