Active directory response: 00002098: SecErr: DSID-03150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

    Question

  • We are running a coexisting environment (Exchange 2003 & 2010), when I try to move a user mailbox from Exchange 2003 to 2010 I get the following error:

    Summary: 1 item(s). 0 succeeded, 1 failed.
    Elapsed time: 00:00:01


    Abc Xyz
    Failed

    Error:
    Active Directory operation failed on Domain.Name.Kw. This error is not retriable. Additional information: Insufficient access rights to perform the operation.
    Active directory response: 00002098: SecErr: DSID-03150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0


    The user has insufficient access rights.

    Exchange Management Shell command attempted:
    'Domain.Name.Kw/VPO/Staff/Users/Abc Xyz' | New-MoveRequest -TargetDatabase 'FOD'


    Although, I'm performing the task by a user that is a member in "Domain Admins" and "Organization Management" groups.


    Any solution will be appreciated.


    Regards
    Thursday, November 12, 2009 3:00 PM

Answers

All replies

  • I had this problem also, but I took some guesses and tried resetting the permissions on the user object in AD, which actually did the trick.

    http://www.msexchange.org/articles_tutorials/exchange-server-2007/management-administration/exchange-2007-issues-mailbox-management.html

    The last paragraph in that article sums it up. This is actually very much the same as the OWA logon issues for users who did not have inheritance on their object.

    Vegard
    • Proposed as answer by BigNoter Saturday, November 14, 2009 4:03 AM
    • Marked as answer by HSC-TSA Saturday, November 14, 2009 4:18 AM
    Friday, November 13, 2009 1:35 PM
  • reset the inheritance!

    • Proposed as answer by BigNoter Saturday, November 14, 2009 4:04 AM
    Saturday, November 14, 2009 4:03 AM
  • I had this problem also, but I took some guesses and tried resetting the permissions on the user object in AD, which actually did the trick.

    http://www.msexchange.org/articles_tutorials/exchange-server-2007/management-administration/exchange-2007-issues-mailbox-management.html

    The last paragraph in that article sums it up. This is actually very much the same as the OWA logon issues for users who did not have inheritance on their object.

    Vegard

    It did the job!

    The user used to be domain admin.


    Thanx

    Saturday, November 14, 2009 4:19 AM
  • I received this same error but now can't try to move the mailbox again because it says the user is in the queue. When I try to remove the user from the move-mailbox queue it doesn't let me.
    Saturday, February 27, 2010 5:53 PM
  • ktpelt,

    You need to clear the move requests once you move the mailbox.

    Check http://www.howexchangeworks.com/2010/01/cant-move-mailbox-in-exchange-2010.html
    Rajith Enchiparambil | http://www.howexchangeworks.com |
    Tuesday, March 09, 2010 2:37 PM
  • I have an account that I am trying to move from Exchange 2010 back to exchange 2003 & I get this error:

    FailureCode : -2146233088
    FailureType : UpdateMovedMailboxPermanentException
    FailureSide : Target
    Message     : Error: An error occurred while updating a user object after the move operation. -->
    Directory operation failed on phdc4.peacehealth.org. This error is not retriable. Additional information: Insufficient access rights to perform the operation.  Active directory response: 00002098: SecErr: DSID-03150A45, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 --> The user has insufficient access rights.

    I checked the referenced link above & the inheritance issue does not apply.  Just for grins & giggles, I unchecked it & re-checked it & ran the move again - same error.

    Exch 2010 SP1 Rollup 1.

    Any other ideas?

    Thursday, October 28, 2010 11:33 PM
  • I had the same problem, and even with the checkbox checked it wouldn't work.  The answer was that a key permission was missing, even on the parent OU.  The error about a user not having permission is NOT referring to YOU.  The action is being performed by the Exchange Enterprise Servers group (specifically the Exchange server handling the move request). 

    Make sure the Exchange Enterprise Servers group has the permissions for the following:

       - (Object tab) List Contents [Allow]

       - (Properties tab) Read Display Name [Allow]

       - (Properties tab) Write Display Name [Allow]

       - (Properties tab) Read Exchange Information [Allow]

       - (Properties tab) Write Exchange Information [Allow]

       - (Properties tab) Read Personal Information [Allow]

       - (Properties tab) Write Personal Information [Allow]

       - (Properties tab) Read Public Information [Allow]

       - (Properties tab) Write Public Information [Allow]

    I was missing the Read/Write Exchange Information on a few users (don't know why), but after adding the ACLs back in it worked for everyone.

    Cheers!

    Thursday, January 06, 2011 12:56 AM
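The nine rights gsheart lists are easy to mis-read in the ADUC Security dialog, because the dialog merges inherited and explicit entries and does not show which property set a checkbox stands for. The script below is an added example (not code from this thread, from gsheart, or from Microsoft) that reads a user object's ACL directly and reports whether a given group holds each of those rights. It assumes the ActiveDirectory PowerShell module (RSAT) is installed and that the caller can read the object's security descriptor; the group name defaults to "Exchange Enterprise Servers" but can be any group, such as Exchange Trusted Subsystem on newer deployments.

```powershell
# Added example, not from the thread: audit the rights a group holds on one user object.
# Assumes the ActiveDirectory module (RSAT) and read access to the object's ACL.
param(
    [Parameter(Mandatory)][string]$UserSamAccountName,
    [string]$GroupName = 'Exchange Enterprise Servers'   # or 'Exchange Trusted Subsystem'
)
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$configNC = $rootDse.configurationNamingContext
$schemaNC = $rootDse.schemaNamingContext

# Property sets (Exchange/Personal/Public Information) appear in ACEs as the rightsGuid
# of their Extended-Rights object; look them up rather than hard-coding GUIDs.
function Get-PropertySetGuid([string]$DisplayName) {
    $er = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    if (-not $er) { throw "Property set '$DisplayName' not found under Extended-Rights" }
    [guid]$er.rightsGuid
}
# A single attribute (displayName) appears in ACEs as the schemaIDGUID of its schema entry.
function Get-AttributeGuid([string]$LdapDisplayName) {
    $attr = Get-ADObject -SearchBase $schemaNC -Properties schemaIDGUID `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))"
    if (-not $attr) { throw "Attribute '$LdapDisplayName' not found in the schema" }
    New-Object -TypeName Guid -ArgumentList (,[byte[]]$attr.schemaIDGUID)
}

$user     = Get-ADUser -Identity $UserSamAccountName
$groupSid = (Get-ADGroup -Identity $GroupName).SID
$acl      = Get-Acl -Path "AD:\$($user.DistinguishedName)"

$displayNameGuid = Get-AttributeGuid 'displayName'
$required = @(
    @{ Name = 'List Contents';              Right = 'ListChildren';  Guid = [guid]::Empty },
    @{ Name = 'Read Display Name';          Right = 'ReadProperty';  Guid = $displayNameGuid },
    @{ Name = 'Write Display Name';         Right = 'WriteProperty'; Guid = $displayNameGuid },
    @{ Name = 'Read Exchange Information';  Right = 'ReadProperty';  Guid = (Get-PropertySetGuid 'Exchange Information') },
    @{ Name = 'Write Exchange Information'; Right = 'WriteProperty'; Guid = (Get-PropertySetGuid 'Exchange Information') },
    @{ Name = 'Read Personal Information';  Right = 'ReadProperty';  Guid = (Get-PropertySetGuid 'Personal Information') },
    @{ Name = 'Write Personal Information'; Right = 'WriteProperty'; Guid = (Get-PropertySetGuid 'Personal Information') },
    @{ Name = 'Read Public Information';    Right = 'ReadProperty';  Guid = (Get-PropertySetGuid 'Public Information') },
    @{ Name = 'Write Public Information';   Right = 'WriteProperty'; Guid = (Get-PropertySetGuid 'Public Information') }
)

# Keep only the ACEs (explicit or inherited) whose trustee is the group's SID.
$groupAces = foreach ($ace in $acl.Access) {
    try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
    catch { continue }   # orphaned SID that cannot be translated
    if ($sid -eq $groupSid) { $ace }
}

# A right counts as granted when an Allow ACE carries the needed bit (GenericAll,
# GenericRead and GenericWrite include these bits), is scoped to that GUID or is
# unscoped (all properties), and no Deny ACE matches the same bit and scope.
function Test-Right($Right, $Guid) {
    $needed = [System.DirectoryServices.ActiveDirectoryRights]$Right
    $match  = $groupAces | Where-Object {
        (($_.ActiveDirectoryRights -band $needed) -eq $needed) -and
        ($_.ObjectType -eq $Guid -or $_.ObjectType -eq [guid]::Empty)
    }
    $denied  = @($match | Where-Object AccessControlType -eq 'Deny').Count  -gt 0
    $allowed = @($match | Where-Object AccessControlType -eq 'Allow').Count -gt 0
    return ($allowed -and -not $denied)
}

"Object: $($user.DistinguishedName)"
"Inheritance blocked ('Allow inheritable permissions' unchecked): $($acl.AreAccessRulesProtected)"
foreach ($r in $required) {
    [pscustomobject]@{ Right = $r.Name; Group = $GroupName; Granted = (Test-Right $r.Right $r.Guid) }
}
```

Run it as `.\Test-ExchangeUserAcl.ps1 -UserSamAccountName abc.xyz` (file name is whatever you save it as). A row with `Granted = False` for one of the Exchange Information entries is the situation gsheart describes; `Inheritance blocked = True` is the AdminSDHolder case discussed later in the thread, and in that case the missing entries will usually be the ones that would have been inherited from the OU.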
  • I had the same problem, and even with the checkbox checked it wouldn't work.  The answer was that a key permission was missing, even on the parent OU.  The error about a user not having permission is NOT referring to YOU.  The action is being performed by the Exchange Enterprise Servers group (specifically the Exchange server handling the move request). 

    Make sure the Exchange Enterprise Servers group has the permissions for the following:

       - (Object tab) List Contents [Allow]

       - (Properties tab) Read Display Name [Allow]

       - (Properties tab) Write Display Name [Allow]

       - (Properties tab) Read Exchange Information [Allow]

       - (Properties tab) Write Exchange Information [Allow]

       - (Properties tab) Read Personal Information [Allow]

       - (Properties tab) Write Personal Information [Allow]

       - (Properties tab) Read Public Information [Allow]

       - (Properties tab) Write Public Information [Allow]

    I was missing the Read/Write Exchange Information on a few users (don't know why), but after adding the ACLs back in it worked for everyone.

    Cheers!


    I'm a bit confused on where you are looking, gsheart.  I have been struggling with this for days when I try to get my address lists in the "Exchange Management Shell".  I verified I was in the right groups, even took my user out of Organizational Management and put it back in and checked for inherited rights.  So are you looking to make sure the OU has these applied, or are you looking in the advanced rights of the Exchange Server group, or ????  Thanks
    • Proposed as answer by cdnadmin Wednesday, September 28, 2011 3:45 AM
    Sunday, January 09, 2011 8:59 AM
  • We had the same issue; they were admins and they blocked the security permissions inheritance.
    Monday, July 04, 2011 5:09 PM
  • If you are migrating from Exchange 2003 to Exchange 2010 and get these errors, run Active Directory Users & Computers. 

    From the View menu, choose Advanced Features (to get access to security settings on the user objects).

    Open properties for the user, click the Security Tab and click the Advanced button.  Tick the "Allow inheritable permissions" checkbox.  Make sure the user is not a member of any Admin groups as the flag will get cleared automatically from time to time if they are.

    If you find that the checkbox was already ticked, try adding read/write permissions to the user for the Exchange Enterprise Server or Exchange Servers and Exchange Trusted Subsystem groups, whatever you have got.
    Sunday, August 14, 2011 4:55 AM
  • This worked for me. The account being moved was a service account, not a regular user mailbox. Great it's still broken next step to try.
    Wednesday, September 28, 2011 3:46 AM
  • Hi All,

    I have just added my first 2010 exchange server to our organisation.

    Upon trying to enter the product key, i get the following:

    Summary: 1 item(s). 0 succeeded, 1 failed.
    Elapsed time: 00:00:02


    39EXCAS01
    Failed

    Error:
    Active Directory operation failed on DC01.myorg.com. This error is not retriable. Additional information: Insufficient access rights to perform the operation.
    Active directory response: 00002098: SecErr: DSID-03150A48, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0


    The user has insufficient access rights.
    Click here for help... http://technet.microsoft.com/en-US/library/ms.exch.err.default(EXCHG.141).aspx?v=14.1.218.11&t=exchgf1&e=ms.exch.err.Ex6AE46B

    Exchange Management Shell command attempted:
    set-exchangeserver -Identity 'CAS01' -ProductKey 'xxxxx-xxxxx-xxxxx-xxxxx-xxxxx'

    Any thoughts?

    Tuesday, January 10, 2012 3:32 PM
  • "Allow inheritable permissions" box was unchecked for some reason. Checking that box worked for us as well.

    Cheers

    Eric

    Sunday, January 15, 2012 9:37 PM
  • I just thought I'd come back to this one as many people have this same problem.  We had this issue for a number of our IT staff and it took a bit before I realized that it was a permissions issue.  After fixing the permissions (turn on inheritance) the moves went fine, but the issue was why the permissions were set to not-inherit.  Secondly, I noticed that the permissions reset BACK to not-inherited, and were wrong again.  What the....?

    After a bit of digging, I realized that all these problematic mailboxes were either Domain Admins or Backup Operators.  If you know anything about AdminSDHolder, then you know exactly what the problem is.

    Active Directory has a built-in feature that manages ACLs for protected accounts.  By being a member of a protected group, the AD user object gets its AdminCount property set to "1".  If they do get changed, they will automatically be reset every hour.  A background process runs every hour (unless the frequency has been changed) to reset the permissions on objects with AdminCount=1 to match that of the AdminSDHolder AD object.  The distinguished name of the AdminSDHolder object is "CN=AdminSDHolder,CN=System,DC=yourdomain,DC=com".

    What's really stupid is; if you remove a user object from a protected group, their AdminCount property does NOT get changed back.  You, as an AD admin, will have to modify it manually and turn inheritance back on.

    If you have a really old AD (ours has gone through many upgrades since NT 3.51), the permissions on AdminSDHolder may not match your current requirements (i.e. Exchange 2010 permissions).

    If you want to see who has AdminCount turned on, run this query from the command line:

    dsquery * domainroot -filter "(&(objectCategory=User)(adminCount=1))" -limit 0

    Hope this is useful.  Good luck.

    Friday, January 27, 2012 10:39 PM
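The post above describes the cleanup by hand: find users whose adminCount is still 1, work out which of them are no longer in any protected group, clear the attribute and re-enable inheritance on those. The script below is an added example (not code from this thread or from Microsoft) that does the same from PowerShell. It assumes the ActiveDirectory module, a single-domain forest for the Enterprise Admins and Schema Admins lookups (in a child domain those two groups are in the forest root and the lookup is skipped with a warning), and, for the `-Fix` switch, permission to modify the user objects. The list of protected groups is the default set and should be checked against your own domain, since the adminCount/AdminSDHolder behaviour can be extended or partially disabled through dSHeuristics.

```powershell
# Added example, not from the thread: report AdminSDHolder "orphans" (adminCount=1 but no
# longer in a protected group) and optionally apply the manual fix the post describes.
# Assumes the ActiveDirectory module; -Fix additionally needs write access to the users.
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Fix)
Import-Module ActiveDirectory

# Default groups whose members AdminSDHolder protects. Enterprise Admins and Schema Admins
# exist only in the forest root domain, hence the try/catch below. Adjust for your domain.
$protectedGroups = 'Administrators', 'Account Operators', 'Server Operators',
    'Print Operators', 'Backup Operators', 'Replicator', 'Domain Admins',
    'Domain Controllers', 'Read-only Domain Controllers', 'Schema Admins', 'Enterprise Admins'

# Flatten nested membership of every protected group into one set of SIDs.
$protectedSids = New-Object 'System.Collections.Generic.HashSet[string]'
foreach ($g in $protectedGroups) {
    try {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
            ForEach-Object { [void]$protectedSids.Add($_.SID.Value) }
    } catch {
        Write-Warning "Skipping group '$g': $($_.Exception.Message)"
    }
}

# Same population as the post's dsquery: users with adminCount=1.
$flagged = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount

foreach ($u in $flagged) {
    # The built-in Administrator (RID 500) and krbtgt are protected regardless of group membership.
    $rid            = [int]($u.SID.Value -split '-')[-1]
    $stillProtected = $protectedSids.Contains($u.SID.Value) -or $rid -eq 500 -or $u.SamAccountName -eq 'krbtgt'
    $acl            = Get-Acl -Path "AD:\$($u.DistinguishedName)"

    [pscustomobject]@{
        User               = $u.SamAccountName
        StillProtected     = $stillProtected
        InheritanceBlocked = $acl.AreAccessRulesProtected   # $true = "Allow inheritable permissions" unchecked
        Orphaned           = -not $stillProtected           # adminCount left behind after group removal
    }

    if ($Fix -and -not $stillProtected -and
        $PSCmdlet.ShouldProcess($u.DistinguishedName, 'Clear adminCount and re-enable ACL inheritance')) {
        # Clear the flag first so SDProp does not re-protect the object on its next hourly run,
        # then turn inheritance back on (explicit ACEs are kept).
        Set-ADUser -Identity $u -Clear adminCount
        $acl.SetAccessRuleProtection($false, $true)
        Set-Acl -Path "AD:\$($u.DistinguishedName)" -AclObject $acl
    }
}
```

Run it without `-Fix` first and review the `Orphaned` column; then `.\Find-AdminSDHolderOrphans.ps1 -Fix -WhatIf` shows what would be changed, and `-Fix` alone applies it. A user that shows `StillProtected = True` with `InheritanceBlocked = True` is behaving as designed: re-ticking the checkbox for that account will be undone within the hour, which is why the post recommends removing admin rights from regular mailbox users rather than fighting SDProp.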
  • I had this problem also, but I took some guesses and tried resetting the permissions on the user object in AD, which actually did the trick.

    http://www.msexchange.org/articles_tutorials/exchange-server-2007/management-administration/exchange-2007-issues-mailbox-management.html

    The last paragraph in that article sums it up. This is actually very much the same as the OWA logon issues for users who did not have inheritance on their object.

    Vegard

    I had the same issues! I have not migrated from any previous Exchange, so this was a clean install; I followed Vegard's link and it worked fine.

    Mike

    Wednesday, February 08, 2012 6:51 AM
  • OMG, I owe you a dozen beers! This was exactly the solution that my domain had, as well. A new install and, for no reason I could determine, it lost all the rights you mentioned above. I'm thinking the last Updates broke it, and restoring was looking more and more likely.

    Thanks, much, Ezdee36!

    • Proposed as answer by cb1974 Friday, November 30, 2012 10:56 PM
    Saturday, June 02, 2012 5:10 AM
  • “Active Directory operation failed on {FQDN of domain controller}. This error is not retriable. Additional information: Insufficient access rights to perform the operation.”

    The key part of this error is the phrase “Insufficient access rights to perform the operation”. This can occur in the situation where the user trying to access OWA is currently a domain administrator via membership of a group such as Domain Admins, or was one at some point in the past.  If that isn’t the case, it’s worth reading on anyway as there’s something to check on the account. Taking an example case presented here, User3 was once a member of the Domain Admins group although that user has since been removed from this group. Then, Exchange 2007 was installed and User3’s mailbox moved across from Exchange 2003. Why should the fact that User3 was once a member of Domain Admins cause an OWA login issue? Let’s check the permissions on this account in Active Directory Users and Computers. Here’s what to do:

    1. Run the Active Directory Users and Computers snap-in and locate the user account.
    2. Bring up the properties of the user account and go to the Security tab. If you don’t see the Security tab, choose View / Advanced Features.
    3. On the Security tab, click the Advanced button.
    4. You should now see a screen similar to the one shown in Figure 5. Notice the fact that the check box Allow inheritable permissions… is not selected. This is the problem. If you re-select this check-box and close the property pages of the user account, you should now find that OWA works for this user. This assumes that all necessary Active Directory replication has completed, of course.

    http://www.msexchange.org/articles_tutorials/exchange-server-2007/management-administration/exchange-2007-issues-mailbox-management.html

    --

    Alexandre Smialoski

    Monday, August 27, 2012 6:05 PM
  • Long story short:

    1. make sure the account is enabled in ADUC

    2. Ensure the Exchange trusted subsystem (root domain mainly) has full access to that account in EMC and ADUC (BOTH- VERY IMP)

    3. Inheritance is not blocked on the account

    It should work...

    Ratish Nair

    MVP Exchange

    MSExchangeGuru.com


    Friday, March 15, 2013 8:21 PM
  • Thanks a lot Vegard, this did the trick, after a while of letting the AD replicate, on one of my user's mailbox, I could not move from EX07 to EX10.

    Rosario

    Tuesday, March 26, 2013 9:48 AM
  • This worked for me as well...

    Active Directory Users and Computers

    Open user in question and go to security tab and click advanced (make sure you have advance options enabled)

    Check the box to Include inheritable permission...

    Wait a minute for the change to replicate and try moving the user's mailbox.

    Monday, June 10, 2013 2:12 AM
  • Thank you redmerlin1801

    Your solution worked perfectly.

    Wednesday, September 11, 2013 3:39 PM
  • FYI.. in case anyone else runs into this.. The same error is raised when a mailbox reattach (connect-mailbox) command is issued. In our case, we found the OU had the inheritance turned off prior to Exchange 2010 being installed, and so the OU the user is in did not have proper permissions.

    Although the long-term solution is to re-enable inheritance, we need to research why it was disabled, and get approval, so in the meantime we found in our case that we were able to complete the connect by moving the user to a different OU, then do the connect, and then move the user back. 

    Thanks for this article.. 

    -Steve

    Tuesday, December 31, 2013 6:25 PM