Exchange 2010 Mailbox creation Insufficient access rights

    Question

  • HI All,

    I have just transitioned my Ex2K3 org to Ex2010 in my live org. I have created 1 Win2K8 DC, 1 server for the CAS and Hub roles and 1 server for the MBX role.
    When I try to create new mailboxes on the Ex2010 MBX, it gives an "Insufficient user access rights" error: Access is denied.
    Even when I try to move mailboxes from Ex2k3 to the Ex2010 server, it gives the same error.


    Please, can anyone help us to resolve this?


    Regards
    Anand S
    Monday, March 08, 2010 1:55 PM

Answers

    To resolve this, go to the user properties in AD, click the Security tab, click Advanced and select "Include inheritable permissions from this object's parent", then click Apply and OK.
    Once done, try to move the user from one mailbox database to the other or, in your case, create the mailbox; it will succeed.
    It worked for me.
    Hari Bylapudi
    Thursday, March 11, 2010 7:30 AM
    Please run the cmdlet below:

    Get-Mailbox -Database "database" | Add-MailboxPermission -User Admin -AccessRights FullAccess -InheritanceType All

    Regards,
    Xiu
    Thursday, March 11, 2010 7:15 AM

All replies

    The first thing to do is to make sure the user you are using is an Exchange administrator and is a local admin on the Exchange server.

    Full time IT consultant since 1998 mainly on Exchange\ISA\AD MCSE NT4.0,2000/2003, CCNA MCITP: Enterprise Messaging Administrator 2007/2010 MCT since 2001
    Monday, March 08, 2010 2:03 PM
  • HI,

    It's a Domain Administrator account; it has Schema/Exchange administrator full access rights and is part of the local Administrators group too. Still having the same issue.


    Regards
    Anand S

    Monday, March 08, 2010 2:09 PM
    I just got here because of just the same issue. Similarly, the admin user (me) can create accounts for all other accounts but those which have once been in the Domain Administrators group. They have since been removed from that group.

    Is this a confirmed bug?
    Monday, March 08, 2010 2:36 PM
    Check the AdminCount property on the users that used to be in the Domain Administrators group.  You may need to manually reset it back to 0.  Adding them to a protected group increments that property, but removing them doesn't decrement it.  If it's anything but 0, AdminSDHolder will still process their permissions as if they were still a member of that group.

    Monday, March 08, 2010 2:45 PM
  • I reset it back to 0 but I'm still getting the message Active Directory operation failed on dc1.corp.local. This error is not retriable. Additional information: Insufficient access rights to perform the operation.
    Monday, March 08, 2010 3:27 PM
  • Check and see if their inheritance is still disabled in AD.  If their AdminCount was still set, then AdminSDHolder will have disabled inheritance on those users in AD, and any permissions you were supposed to get that they inherited from OU membership will not be applied.
    Monday, March 08, 2010 3:34 PM
  • How do I enable inheritance for these users?
    Monday, March 08, 2010 4:00 PM
    ADUC.  On the user object, go to Security | Advanced, and check the Include Inheritable Permissions box at the bottom of the pane.
    Monday, March 08, 2010 4:08 PM
  • Works, problem solved. Thanks for your answers!
    Monday, March 08, 2010 4:45 PM
  • If it quits working tomorrow, there may be another group membership involved.  If you add a group to a protected group, it gets the same treatment as a user object (AdminCount gets incremented) and then all the members of that group get it applied to them, and AdminSDHolder will keep setting them back until you go back and fix that group, too.
    Monday, March 08, 2010 4:53 PM
  • I'm not sure if this will help any of you at this point, but I had all kinds of Insufficient Rights errors last week, and the fix ended up being that the Mailbox server was not in the Exchange Trusted Subsystem security group.
    Monday, March 08, 2010 6:02 PM
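The replies above describe two separate causes of this error: AdminSDHolder leftovers (adminCount still 1 and inheritance blocked on users who are no longer in a protected group, possibly through a nested group) and the mailbox server missing from the Exchange Trusted Subsystem group. The following audit script is an added example, not code from the thread; it assumes PowerShell 3.0 or later, the RSAT ActiveDirectory module, a domain-joined host, and uses the protected-group list from Microsoft's AdminSDHolder documentation. The server name "MBX" is a placeholder taken from the thread.

```powershell
Import-Module ActiveDirectory

# Groups whose members SDProp stamps with adminCount=1 and whose ACL it overwrites
# from AdminSDHolder (default list from Microsoft's AdminSDHolder documentation).
$ProtectedGroups = @(
    'Administrators', 'Account Operators', 'Backup Operators', 'Domain Admins',
    'Domain Controllers', 'Enterprise Admins', 'Print Operators',
    'Read-only Domain Controllers', 'Replicator', 'Schema Admins', 'Server Operators'
)

function Get-ProtectedMemberSet {
    # Expand every protected group transitively, so a user who is protected only
    # through a nested group (the case described in the thread) is still found.
    $set = @{}
    foreach ($name in $ProtectedGroups) {
        $group = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
        if (-not $group) { continue }
        Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
            ForEach-Object { $set[$_.DistinguishedName] = $true }
    }
    return $set
}

function Get-AdminSdHolderReport {
    # One row per user that still carries adminCount=1: whether a current (nested)
    # protected-group membership justifies it, and whether ACL inheritance is blocked.
    $protected = Get-ProtectedMemberSet
    Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount, nTSecurityDescriptor |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName     = $_.SamAccountName
                StillProtected     = $protected.ContainsKey($_.DistinguishedName)
                InheritanceBlocked = $_.nTSecurityDescriptor.AreAccessRulesProtected
                DistinguishedName  = $_.DistinguishedName
            }
        }
}

function Test-ExchangeTrustedSubsystemMember {
    # Exchange 2010 servers must be members of 'Exchange Trusted Subsystem';
    # a missing membership is the other cause mentioned in the thread.
    param([Parameter(Mandatory)][string]$ServerName)
    $computer = Get-ADComputer -Identity $ServerName
    $members  = Get-ADGroupMember -Identity 'Exchange Trusted Subsystem' -Recursive
    return [bool]($members | Where-Object { $_.DistinguishedName -eq $computer.DistinguishedName })
}

# Usage: users with adminCount=1 but no current protected membership are the ones
# Exchange cannot provision until adminCount is cleared and inheritance re-enabled.
Get-AdminSdHolderReport | Where-Object { -not $_.StillProtected } | Format-Table -AutoSize
Test-ExchangeTrustedSubsystemMember -ServerName 'MBX'   # placeholder: your mailbox server
```

Rows with StillProtected = True are expected and should be left alone: those accounts are genuinely privileged and SDProp will re-apply the protected ACL on its next pass anyway. Rows with StillProtected = False and InheritanceBlocked = True are the orphaned accounts the thread is talking about.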
  • Still having the same issue.


    Regards
    Anand S
    Tuesday, March 09, 2010 4:53 AM
  • Hi Hari,

    I faced this issue because I had not changed these permission settings before migrating AD 2k3 to 2k8. Once we migrate AD 2k3 to AD 2k8, changing these settings afterwards also doesn't work; we have to change these permission settings before migrating to AD 2k8.

    My problem got resolved by changing these settings. I am doing this in virtualization and need to do it in the live environment on the coming Saturday.


    Thanks for this help.


    Regards
    Anand S
    Thursday, March 11, 2010 12:10 PM
  • Hi Xiu,

    Thanks for the reply.

    I faced this issue because I had not changed these permission settings before migrating AD 2k3 to 2k8. Once we migrate AD 2k3 to AD 2k8, changing these settings afterwards also doesn't work; we have to change these permission settings before migrating to AD 2k8.

    My problem got resolved by changing these settings. I am doing this in virtualization and need to do it in the live environment on the coming Saturday.

    Thanks for this help.


    I need your help: is there any patch for POP accounts to work in the Ex2010 environment, for mailboxes which are moved from Ex2k3 to Ex2010 and mailboxes which are created on Ex2010? I have applied Update Rollups 1 and 2, but I am still facing this issue, although some of the issues were resolved after these update rollups.
    Any help is really appreciated.


    Regards
    Anand S

    Thursday, March 11, 2010 12:14 PM
  • I've been having similar problems to create new mailboxes or move the mailbox database location right after finishing installation. After reading Paul's comment I checked the exchange group memberships and indeed the setup did not add the computer object to the Trusted Subsystems group. After adding the object to the group and rebooting the server I was able to move the database location and create mailboxes.
    Thursday, March 11, 2010 12:16 PM
  • Hi
    I'm having the same problem.  I have 4 domains.  My Exchange is in one of them.  It worked very well on Exchange 2007.  If I move a user from the same domain as Exchange then it works, but from any of the other domains I get that error.

    Thursday, March 11, 2010 3:12 PM
  • Hi Anand,

    Are you planning to move mailboxes for POP3 accounts?

    Then you have to note that NTLM isn't supported for POP3 or IMAP4 client connectivity. The POP3 and IMAP4 setting alternatives to NTLM are:
    • Kerberos (GSSAPI)
    • Plain Text Authentication with SSL
    Discontinued Features and De-Emphasized Functionality
    http://technet.microsoft.com/en-us/library/aa998911.aspx

    Besides, what is the issue now? Do you get any error when a POP3 account connects to the Exchange server?

    Regards,
    Xiu

    Friday, March 12, 2010 1:59 AM
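Xiu's point is that the client-side authentication mode has to match what the CAS offers. A quick way to see that from the client side is to ask the POP3 endpoint for its capabilities on a plain session, after STLS, and on the SSL port, and compare with the server's LoginType. The probe below is an added example, not code from the thread or from Microsoft; it assumes only .NET (TcpClient, SslStream) and the standard POP3 commands CAPA, STLS and QUIT. The server name is a placeholder.

```powershell
$script:LastCertErrors = $null

function Read-PopResponse {
    # Reads one POP3 reply; for CAPA-style replies also collects the lines up to the '.' terminator.
    param([System.IO.StreamReader]$Reader, [switch]$MultiLine)
    $lines = @($Reader.ReadLine())
    if ($MultiLine -and $lines[0] -like '+OK*') {
        while (($line = $Reader.ReadLine()) -ne '.') { $lines += $line }
    }
    return $lines
}

function New-TlsStream {
    # Wraps $Inner in TLS. Certificate validation errors are recorded in
    # $script:LastCertErrors and reported, so a self-signed CAS cert is visible
    # in the result instead of silently aborting the probe.
    param($Inner, [string]$TargetHost)
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors)
        $script:LastCertErrors = $errors
        return $true
    }
    $ssl = New-Object System.Net.Security.SslStream($Inner, $false, $callback)
    $ssl.AuthenticateAsClient($TargetHost)
    return $ssl
}

function Get-PopCapabilities {
    param(
        [Parameter(Mandatory)][string]$Server,
        [ValidateSet('Plain', 'StartTls', 'Ssl')][string]$Mode = 'Plain'
    )
    $port   = if ($Mode -eq 'Ssl') { 995 } else { 110 }
    $client = New-Object System.Net.Sockets.TcpClient($Server, $port)
    $stream = $client.GetStream()
    $script:LastCertErrors = $null
    try {
        if ($Mode -eq 'Ssl') { $stream = New-TlsStream $stream $Server }
        $reader = New-Object System.IO.StreamReader($stream)
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.NewLine = "`r`n"; $writer.AutoFlush = $true
        $greeting = @(Read-PopResponse $reader)[0]

        if ($Mode -eq 'StartTls') {
            # Upgrade the port-110 session; the CAS only offers this if STLS is enabled.
            $writer.WriteLine('STLS')
            $reply = @(Read-PopResponse $reader)[0]
            if ($reply -notlike '+OK*') { throw "STLS refused: $reply" }
            $stream = New-TlsStream $stream $Server
            $reader = New-Object System.IO.StreamReader($stream)
            $writer = New-Object System.IO.StreamWriter($stream)
            $writer.NewLine = "`r`n"; $writer.AutoFlush = $true
        }

        $writer.WriteLine('CAPA')
        $caps = @(Read-PopResponse $reader -MultiLine | Select-Object -Skip 1)
        $writer.WriteLine('QUIT')
    } finally { $client.Close() }

    New-Object PSObject -Property @{
        Server = $Server; Mode = $Mode; Greeting = $greeting
        Capabilities = $caps; CertificateErrors = $script:LastCertErrors
    }
}

# Usage: run all three modes against the CAS and compare the capability lists.
foreach ($m in 'Plain', 'StartTls', 'Ssl') {
    Get-PopCapabilities -Server 'casnhub.example.local' -Mode $m   # placeholder host name
}
```

With LoginType set to SecureLogin (the value shown in the Get-POPSettings output later in this thread), the CAS only accepts USER/PASS once the session is TLS-protected, so a client configured for port 110 without TLS will never get past login; compare which modes list USER and which SASL mechanisms appear, and point the client at port 995 (SSL) or port 110 with TLS accordingly. A non-empty CertificateErrors value on the SSL or STLS result means the client machine does not trust the certificate named in X509CertificateName, which is the other common reason a POP client refuses to authenticate.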
  • Hello Xiu,

    In my Ex2K3 org we have some mailboxes which are on POP on desktops and some on POP on laptops. When I tried to access POP mailboxes which are newly created on Ex2010, it gives a "receiving reported error" and "email server rejected your login" error. The server responded: ERR command is not valid in this state. When I click on Send/Receive it gives the Enter Network Password window.

    The same error occurs for POP mailboxes which are moved from Ex2k3 to the Ex2010 server, but the Exchange account works fine.


    What settings do I need to give when I configure a POP account for an Ex2010 mailbox?
    I am giving the casnhub server details (CAS and Hub are on 1 server in my scenario).

    Do I need to configure POP/IMAP settings on the Ex2010 server rather than the default config?
    If so, please let me know.

    The next issue is that when I send mail from the Ex2010 server to Ex2k3 mailboxes, mails are not sending/receiving. It gives this error: Delivery delayed to these recipients or groups below,
     giving the destination user ID.


    Starting my migration from tomorrow; will start the AD migration from 2K3 to 2k8 this weekend only.

    Any help is really appreciated.
    Thanks in advance.


    Regards
    Anand S


    Friday, March 12, 2010 7:09 AM
  • Hi,

    Please try to use Get-CASMailbox <user> | fl to check if you have enabled POP3 on that user and then post here.

    Please try to use Get-POPsettings |fl and then post here.

    Please try to use Get-routinggroupconnector |fl to check the connector between exchange 2003 and exchange 2007.

    Upgrade from Exchange 2003 Transport
    http://technet.microsoft.com/en-us/library/dd638103.aspx

    Besides, I recommend you to run ExBPA and then check if any error would be logged there.

    Also please try to use message tracking on Exchange 2003 and Exchange 2010 to check at which event and where the email gets stuck.

    Regards,
    Xiu

    Monday, March 15, 2010 6:13 AM
  • Hi Xiu,

    As per your request, the details are pasted below:

    [PS] C:\Windows\system32>Get-Casmailbox manav@in.v2solutions.com |fl


    RunspaceId                         : 6771b0aa-2593-4c2e-b30b-dfe16f587c24
    EmailAddresses                     : {SMTP:manav@in.v2solutions.com, X400:C=US;
                                         A= ;P=First Organizati;O=Exchange;S=manav;
                                         }
    LegacyExchangeDN                   : /o=First Organization/ou=Exchange Administ
                                         rative Group (FYDIBOHF23SPDLT)/cn=Recipien
                                         ts/cn=manav
    LinkedMasterAccount                :
    PrimarySmtpAddress                 : manav@in.v2solutions.com
    SamAccountName                     : manav
    ServerLegacyDN                     : /o=First Organization/ou=Exchange Administ
                                         rative Group (FYDIBOHF23SPDLT)/cn=Configur
                                         ation/cn=Servers/cn=MBX
    ServerName                         : mbx
    DisplayName                        : manav
    ActiveSyncAllowedDeviceIDs         : {}
    ActiveSyncBlockedDeviceIDs         : {}
    ActiveSyncMailboxPolicy            : Default
    ActiveSyncMailboxPolicyIsDefaulted : True
    ActiveSyncDebugLogging             : False
    ActiveSyncEnabled                  : True
    HasActiveSyncDevicePartnership     : False
    OwaMailboxPolicy                   :
    OWAEnabled                         : True
    ECPEnabled                         : True
    EmwsEnabled                        : False
    PopEnabled                         : True
    PopUseProtocolDefaults             : True
    PopMessagesRetrievalMimeFormat     : BestBodyFormat
    PopEnableExactRFC822Size           : False
    PopProtocolLoggingEnabled          : False
    ImapEnabled                        : True
    ImapUseProtocolDefaults            : True
    ImapMessagesRetrievalMimeFormat    : BestBodyFormat
    ImapEnableExactRFC822Size          : False
    ImapProtocolLoggingEnabled         : False
    MAPIEnabled                        : True
    MAPIBlockOutlookNonCachedMode      : False
    MAPIBlockOutlookVersions           :
    MAPIBlockOutlookRpcHttp            : False
    IsValid                            : True
    ExchangeVersion                    : 0.10 (14.0.100.0)
    Name                               : manav
    DistinguishedName                  : CN=manav,CN=Users,DC=in,DC=v2solutions,DC=
                                         com
    Identity                           : in.v2solutions.com/Users/manav
    Guid                               : 6494c4c4-7a88-4ad4-9e88-0971753ddeb4
    ObjectCategory                     : in.v2solutions.com/Configuration/Schema/Pe
                                         rson
    ObjectClass                        : {top, person, organizationalPerson, user}
    WhenChanged                        : 3/18/2010 2:42:21 PM
    WhenCreated                        : 3/18/2010 2:23:50 PM
    WhenChangedUTC                     : 3/18/2010 9:12:21 AM
    WhenCreatedUTC                     : 3/18/2010 8:53:50 AM
    OrganizationId                     :
    OriginatingServer                  : v2mailserver.in.v2solutions.com

     

    [PS] C:\Windows\system32>Get-POPsettings |fl


    RunspaceId                        : 6771b0aa-2593-4c2e-b30b-dfe16f587c24
    Name                              : 1
    ProtocolName                      : POP3
    MaxCommandSize                    : 512
    MessageRetrievalSortOrder         : Ascending
    UnencryptedOrTLSBindings          : {:::110, 0.0.0.0:110}
    SSLBindings                       : {:::995, 0.0.0.0:995}
    InternalConnectionSettings        : {casnhub.in.v2solutions.com:995:SSL, casnhu
                                        b.in.v2solutions.com:110:TLS}
    ExternalConnectionSettings        : {}
    X509CertificateName               : casnhub
    Banner                            : The Microsoft Exchange POP3 service is read
                                        y.
    LoginType                         : SecureLogin
    AuthenticatedConnectionTimeout    : 00:30:00
    PreAuthenticatedConnectionTimeout : 00:01:00
    MaxConnections                    : 2000
    MaxConnectionFromSingleIP         : 2000
    MaxConnectionsPerUser             : 16
    MessageRetrievalMimeFormat        : BestBodyFormat
    ProxyTargetPort                   : 110
    CalendarItemRetrievalOption       : iCalendar
    OwaServerUrl                      :
    EnableExactRFC822Size             : False
    LiveIdBasicAuthReplacement        : False
    ProtocolLogEnabled                : False
    EnforceCertificateErrors          : False
    Server                            : CASNHUB
    AdminDisplayName                  :
    ExchangeVersion                   : 0.10 (14.0.100.0)
    DistinguishedName                 : CN=1,CN=POP3,CN=Protocols,CN=CASNHUB,CN=Ser
                                        vers,CN=Exchange Administrative Group (FYDI
                                        BOHF23SPDLT),CN=Administrative Groups,CN=Fi
                                        rst Organization,CN=Microsoft Exchange,CN=S
                                        ervices,CN=Configuration,DC=in,DC=v2solutio
                                        ns,DC=com
    Identity                          : CASNHUB\1
    Guid                              : a72147a4-6d15-49f6-8438-f21c42239d87
    ObjectCategory                    : in.v2solutions.com/Configuration/Schema/ms-
                                        Exch-Protocol-Cfg-POP-Server
    ObjectClass                       : {top, protocolCfg, protocolCfgPOP, protocol
                                        CfgPOPServer}
    WhenChanged                       : 3/18/2010 1:22:25 PM
    WhenCreated                       : 3/18/2010 1:22:25 PM
    WhenChangedUTC                    : 3/18/2010 7:52:25 AM
    WhenCreatedUTC                    : 3/18/2010 7:52:25 AM
    OrganizationId                    :
    OriginatingServer                 : v2mailserver.in.v2solutions.com
    IsValid                           : True

     

    [PS] C:\Windows\system32>Get-routinggroupconnector |fl


    RunspaceId                   : 6771b0aa-2593-4c2e-b30b-dfe16f587c24
    TargetRoutingGroup           : First Routing Group
    Cost                         : 1
    TargetTransportServers       : {V2MAILSERVER}
    ExchangeLegacyDN             : /o=First Organization/ou=Exchange Administrative
                                    Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Con
                                   nections/cn=CASNHUB-V2MAILSERVER
    PublicFolderReferralsEnabled : True
    SourceRoutingGroup           : Exchange Routing Group (DWBGZMFD01QNBJR)
    SourceTransportServers       : {CASNHUB}
    HomeMTA                      : Microsoft MTA
    HomeMtaServerId              : CASNHUB
    MaxMessageSize               : unlimited
    AdminDisplayName             :
    ExchangeVersion              : 0.1 (8.0.535.0)
    Name                         : CASNHUB-V2MAILSERVER
    DistinguishedName            : CN=CASNHUB-V2MAILSERVER,CN=Connections,CN=Exchan
                                   ge Routing Group (DWBGZMFD01QNBJR),CN=Routing Gr
                                   oups,CN=Exchange Administrative Group (FYDIBOHF2
                                   3SPDLT),CN=Administrative Groups,CN=First Organi
                                   zation,CN=Microsoft Exchange,CN=Services,CN=Conf
                                   iguration,DC=in,DC=v2solutions,DC=com
    Identity                     : CASNHUB-V2MAILSERVER
    Guid                         : f551e361-af2b-4afa-9869-6973e1dc0902
    ObjectCategory               : in.v2solutions.com/Configuration/Schema/ms-Exch-
                                   Routing-Group-Connector
    ObjectClass                  : {top, msExchConnector, msExchRoutingGroupConnect
                                   or}
    WhenChanged                  : 3/18/2010 1:20:41 PM
    WhenCreated                  : 3/18/2010 1:20:41 PM
    WhenChangedUTC               : 3/18/2010 7:50:41 AM
    WhenCreatedUTC               : 3/18/2010 7:50:41 AM
    OrganizationId               :
    OriginatingServer            : v2mailserver.in.v2solutions.com
    IsValid                      : True

    RunspaceId                   : 6771b0aa-2593-4c2e-b30b-dfe16f587c24
    TargetRoutingGroup           : Exchange Routing Group (DWBGZMFD01QNBJR)
    Cost                         : 1
    TargetTransportServers       : {CASNHUB}
    ExchangeLegacyDN             : /o=First Organization/ou=First Administrative Gr
                                   oup/cn=Configuration/cn=Connections/cn=V2MAILSER
                                   VER-CASNHUB
    PublicFolderReferralsEnabled : True
    SourceRoutingGroup           : First Routing Group
    SourceTransportServers       : {V2MAILSERVER}
    HomeMTA                      : Microsoft MTA
    HomeMtaServerId              : V2MAILSERVER
    MaxMessageSize               : unlimited
    AdminDisplayName             :
    ExchangeVersion              : 0.1 (8.0.535.0)
    Name                         : V2MAILSERVER-CASNHUB
    DistinguishedName            : CN=V2MAILSERVER-CASNHUB,CN=Connections,CN=First
                                   Routing Group,CN=Routing Groups,CN=First Adminis
                                   trative Group,CN=Administrative Groups,CN=First
                                   Organization,CN=Microsoft Exchange,CN=Services,C
                                   N=Configuration,DC=in,DC=v2solutions,DC=com
    Identity                     : V2MAILSERVER-CASNHUB
    Guid                         : 468c415d-ec0c-44eb-9096-aa957fc174bf
    ObjectCategory               : in.v2solutions.com/Configuration/Schema/ms-Exch-
                                   Routing-Group-Connector
    ObjectClass                  : {top, msExchConnector, msExchRoutingGroupConnect
                                   or}
    WhenChanged                  : 3/18/2010 1:20:41 PM
    WhenCreated                  : 3/18/2010 1:20:41 PM
    WhenChangedUTC               : 3/18/2010 7:50:41 AM
    WhenCreatedUTC               : 3/18/2010 7:50:41 AM
    OrganizationId               :
    OriginatingServer            : v2mailserver.in.v2solutions.com
    IsValid                      : True

     

    After I tracked the messages, the mails are lying in the queue only.
    I have already run ExBPA and resolved the errors except 1 error, "Application public folder hierarchy present",
    but I left it as it is.

    No logs are generated on the casnhub server related to POP3 errors.


    Any help really appreciated.
    Thanks in advance.

    Regards
    Anand S

    Thursday, March 18, 2010 1:01 PM
    Thanks Hari for posting this. This has really helped me to move the mailboxes from Exchange 2003 to Exchange 2010.

    In general I have around 500 users, and doing this manually for each user is not possible. Is there any way to get this done for all the users in different organizational units?

    I know it is too late posting here, but I am hoping that you may have got the solution and are reading the comments.

    Wednesday, March 02, 2011 8:01 PM
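Hari's fix is the ADUC checkbox applied one user at a time. For a few hundred users it can be scripted, as long as the script only touches accounts that are no longer in any protected group: clearing adminCount and re-enabling inheritance on a genuinely privileged account would weaken the AdminSDHolder control, and SDProp would put the protected ACL back within the hour anyway. The following is an added example, not code from the thread; it assumes PowerShell 3.0 or later with the RSAT ActiveDirectory module (which provides the AD: drive used by Get-Acl/Set-Acl), and the OU path is a placeholder built from the "corp.local" domain name that appears earlier in the thread.

```powershell
Import-Module ActiveDirectory

function Repair-OrphanedAdminCount {
    # Clears adminCount and re-enables ACL inheritance for users under $SearchBase that
    # are no longer members (directly or through nesting) of any protected group.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$SearchBase,   # e.g. 'OU=Staff,DC=corp,DC=local' (placeholder)
        [string[]]$ProtectedGroups = @(
            'Administrators', 'Account Operators', 'Backup Operators', 'Domain Admins',
            'Domain Controllers', 'Enterprise Admins', 'Print Operators',
            'Read-only Domain Controllers', 'Replicator', 'Schema Admins', 'Server Operators')
    )

    # Accounts that still belong to a protected group keep their protection.
    $stillProtected = @{}
    foreach ($name in $ProtectedGroups) {
        $group = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
        if (-not $group) { continue }
        Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
            ForEach-Object { $stillProtected[$_.DistinguishedName] = $true }
    }

    $candidates = Get-ADUser -SearchBase $SearchBase -LDAPFilter '(adminCount=1)'
    foreach ($user in $candidates) {
        $dn = $user.DistinguishedName
        if ($stillProtected.ContainsKey($dn)) {
            Write-Verbose "$($user.SamAccountName): current protected-group member, skipped"
            continue
        }
        if (-not $PSCmdlet.ShouldProcess($dn, 'Clear adminCount and enable inheritance')) { continue }

        # 1. Clear adminCount first; otherwise SDProp re-blocks inheritance on its next pass
        #    (the thread's "reset it back to 0" step; -Replace @{adminCount=0} works too).
        Set-ADUser -Identity $user -Clear adminCount

        # 2. Same effect as ticking "Include inheritable permissions from this object's parent".
        $acl = Get-Acl -Path "AD:\$dn"
        $acl.SetAccessRuleProtection($false, $true)   # $false = inherit again
        Set-Acl -Path "AD:\$dn" -AclObject $acl
        Write-Verbose "$($user.SamAccountName): repaired"
    }
}

# Usage: preview with -WhatIf first, then apply with -Verbose to see each account handled.
Repair-OrphanedAdminCount -SearchBase 'OU=Staff,DC=corp,DC=local' -WhatIf
Repair-OrphanedAdminCount -SearchBase 'OU=Staff,DC=corp,DC=local' -Verbose
```

Run it once per OU (or point -SearchBase at the domain root) and re-run the mailbox creation or move afterwards. If an account drifts back to adminCount=1 after an hour, a group it belongs to is still nested inside a protected group, which is the case described earlier in the thread; fix the group membership rather than the user.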
    This can also happen if you installed Exchange 2010 using the split permissions model as described here: http://technet.microsoft.com/en-us/library/dd638106.aspx

    From that article:

    Exchange administrators won't be able to use the following cmdlets:

    • New-Mailbox
    • New-MailContact
    • New-MailUser
    • New-RemoteMailbox
    • Remove-Mailbox
    • Remove-MailContact
    • Remove-MailUser
    • Remove-RemoteMailbox
    Wednesday, March 09, 2011 3:51 PM
  • Hi

    I had this problem and found that inheritance was blocked in ADUC at higher level OU.  Removing this block solved the problem.

    I found the block by running the permissions scan in the BPA.

    Phillip

    Wednesday, March 16, 2011 8:03 PM
  • Thanks Hari!  That worked for me!

     

    Monday, December 12, 2011 9:37 PM