Exchange 2010 Insufficient access rights to perform the operation

    Question

  • So I had a rough road to haul to get Ex 2010 installed on a clean install of W2k8 R2. I keep getting this error:

    "Insufficient access rights to perform the operation"

    1st I got the message when I tried to put the product key through EMC and Ex shell,

    2nd I got the same error trying to move the Mailbox stores to the E: drive (raid 5 local) vs default c: drive location.

    I also can't log in to ECP to try and change RBAC permissions. I have only used the administrator account to perform the install but did get errors along the way, so I am thinking about an uninstall and wipe the server and start over. Nothing is on the server yet; it's a mixed 2003 / 2010 once this server is functioning.

    Have seen the post about not being able to get into the console but I am not having that issue.

    Thanks for the help in advance

    Thursday, January 27, 2011 4:33 PM

All replies

  • Charlie,

    Did you properly prepare the domain/schema before attempting to install EX2010? Did the "setup /ps" and "setup /preparead" run to completion without errors?

    http://technet.microsoft.com/en-us/library/bb125224.aspx

    It sounds as if something did not properly complete in the initial phases of your installation.

    Thursday, January 27, 2011 5:10 PM
  • Yes, I did both /ps and /preparead. I have to admit the install wasn't clean for the 2010: we had a failed install on the mailbox role, went through and cleaned up what I was told, all entries in AD and ADSIEdit, as well as metadata and registry.

    Here is a run down of how the reinstall went,

    1. I did all pre-install steps again including schema and preparead

    2. Started Install from gui of CA and HUB only

    3. Got permissions error on Language pack,

    4. Went back and cleaned up registry entry that error was referring to, permissions of registry entry were wrong.

    5. Ran install again for just CA, HUB and Management. - installed clean, no errors.

    6. Attempted to open GUI or shell, with errors that I did not belong to proper management group

    7. Ran your cleanup process for failed RBAC permission, I could now open the EMS and Shell without issue and see resources

    8. Ran mailbox role install, issues with Discovery Mailbox, did another setup /preparead

    9. Mailbox role now installs without issue.

    Now I have a permission issue. Should I just uninstall Ex2010, wipe the server and start over? How do I get AD cleaned up?

    Charlie

    Thursday, January 27, 2011 5:35 PM
  • Can you post the error in the setup log, located under C:\ExchangeSetupLogs?

    O

    Thursday, January 27, 2011 6:05 PM
  • Here is the error from the product key - I removed the product key from the text.

    Summary: 1 item(s). 0 succeeded, 1 failed.
    Elapsed time: 00:00:01


    FMB-DC1
    Failed

    Error:
    Active Directory operation failed on FMB-DC1.fortmyersbeachfl.gov. This error is not retriable. Additional information: Insufficient access rights to perform the operation.
    Active directory response: 00002098: SecErr: DSID-03150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0


    The user has insufficient access rights.
    Click here for help... http://technet.microsoft.com/en-US/library/ms.exch.err.default(EXCHG.141).aspx?v=14.1.218.11&t=exchgf1&e=ms.exch.err.Ex6AE46B

    Exchange Management Shell command attempted:
    set-exchangeserver -Identity 'FMB-DC1' -ProductKey "xxxx-xxxx-x-x-xxxxx"

    Elapsed Time: 00:00:01

    Here is the error I get on moving the mailbox store:

    Summary: 1 item(s). 0 succeeded, 1 failed.
    Elapsed time: 00:00:04


    Mailbox Database 0296394825
    Failed

    Error:
    Active Directory operation failed on FMB-DC1.fortmyersbeachfl.gov. This error is not retriable. Additional information: Insufficient access rights to perform the operation.
    Active directory response: 00002098: SecErr: DSID-03150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0


    The user has insufficient access rights.
    Click here for help... http://technet.microsoft.com/en-US/library/ms.exch.err.default(EXCHG.141).aspx?v=14.1.218.11&t=exchgf1&e=ms.exch.err.Ex6AE46B

    Exchange Management Shell command attempted:
    move-DatabasePath -Identity 'Mailbox Database 0296394825' -EdbFilePath 'e:\Program Files\Microsoft\Exchange Server\V14\Mailbox\Mailbox Database 0296394825\Mailbox Database 0296394825.edb' -LogFolderPath 'e:\Program Files\Microsoft\Exchange Server\V14\Mailbox\Mailbox Database 0296394825'

    Elapsed Time: 00:00:04

    Thanks

    Charlie

     

    Thursday, January 27, 2011 6:25 PM
  • Also this is not global: I created a user on this server and he is sending and receiving email internally, and he is able to log in to OWA.

    Charlie

    Thursday, January 27, 2011 7:39 PM
  • Here is an entry from the event log when I tried to move one of the stores.

    The description for Event ID 6 from source MSExchange CmdletLogs cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

    If the event originated on another computer, the display information had to be saved with the event.

    The following information was included with the event:

    Move-DatabasePath

    {Identity=Mailbox Database 0296394825, EdbFilePath=e:\Program Files\Microsoft\Exchange Server\V14\Mailbox\Mailbox Database 0296394825\Mailbox Database 0296394825.edb, LogFolderPath=e:\Program Files\Microsoft\Exchange Server\V14\Mailbox\Mailbox Database 0296394825}

    fortmyersbeachfl.gov/ITAccounts/Administrator

    S-1-5-21-2463916819-7602978-2543348951-500

    S-1-5-21-2463916819-7602978-2543348951-500

    ServerRemoteHost-EMC

    7520

    33

    00:00:04.3993974

    View Entire Forest: 'True', Configuration Domain Controller: 'FMB-DC1.fortmyersbeachfl.gov', Preferred Global Catalog: 'FMB-DC1.fortmyersbeachfl.gov', Preferred Domain Controllers: '{ FMB-DC1.fortmyersbeachfl.gov }'

    Microsoft.Exchange.Data.Directory.ADOperationException: Active Directory operation failed on FMB-DC1.fortmyersbeachfl.gov. This error is not retriable. Additional information: Insufficient access rights to perform the operation.

    Active directory response: 00002098: SecErr: DSID-03150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

    ---> System.DirectoryServices.Protocols.DirectoryOperationException: The user has insufficient access rights.

    at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)

    at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)

    at Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation, IAccountingObject budget, Nullable`1 clientSideSearchTimeout)

    at Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException)

    --- End of inner exception stack trace ---

    at Microsoft.Exchange.Data.Directory.ADSession.AnalyzeDirectoryError(PooledLdapConnection connection, DirectoryRequest request, DirectoryException de, Int32 totalRetries, Int32 retriesOnServer)

    at Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException)

    at Microsoft.Exchange.Data.Directory.ADSession.Save(ADObject instanceToSave, IEnumerable`1 properties)

    at Microsoft.Exchange.Data.Directory.SystemConfiguration.ADSystemConfigurationSession.Microsoft.Exchange.Data.IConfigDataProvider.Save(IConfigurable instance)

    at Microsoft.Exchange.Configuration.Tasks.SetTaskBase`1.InternalProcessRecord()

    at Microsoft.Exchange.Management.SystemConfigurationTasks.MoveStoreFilesTask`2.InternalProcessRecord()

    at Microsoft.Exchange.Management.SystemConfigurationTasks.MoveDatabasePath.InternalProcessRecord()

    at Microsoft.Exchange.Configuration.Tasks.Task.ProcessRecord()

    ServerOperation

    System.DirectoryServices.Protocols.DirectoryOperationException: The user has insufficient access rights.

    at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)

    at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)

    at Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation, IAccountingObject budget, Nullable`1 clientSideSearchTimeout)

    at Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException)

    the message resource is present but the message is not found in the string/message table

    Thursday, January 27, 2011 8:06 PM
  • Other things I can do:

    1. Created new mailbox store, but can't move it; just tried for test, it's in the right location.

    2. Moved test user from existing Ex2010 store to new store, and back without issue.

    Charlie

    • Edited by Charlie W99 Thursday, January 27, 2011 9:30 PM
    Thursday, January 27, 2011 8:21 PM
  • This sounds like the infamous AD inheritable permissions issue that was seen a lot on EX2007.

    Go to AD and find the mailbox in question.
    Properties > Security > Advanced.  Check the box and ensure that "allow inheritable
    permissions from parent" is set.  Let AD replicate.  Try to perform a move function again.

    • Proposed as answer by David Bolton Friday, January 28, 2011 9:37 PM
    • Marked as answer by Frank.Wang Wednesday, February 02, 2011 6:48 AM
    Thursday, January 27, 2011 9:04 PM
  • Charlie,

    Two things I see from these log files that may be at issue. I see that the Administrator account used is named just that, but is under the IT Accounts OU. Is this the original built-in administrator account (from users container) or is this a copy?

    I see that you have both your database and log files on the same volume. While that will work for small installations of Exchange, larger deployments will suffer GREATLY if that remains. Do you have another volume to place your log files onto instead of the E: drive?

    Let us know...

    Thursday, January 27, 2011 9:13 PM
  • Dave

    Thanks for the help. I am trying to do exactly what you said, move the DB to another volume; this is when I get the error. I haven't had an issue with a test user I created, moving it around different stores; the error is very selective. The Admin account is the original built-in, not a rename or copy. I am also getting the same error when I try and apply the activation key to the server.

     

    Thanks

    Charlie

    Thursday, January 27, 2011 10:06 PM
  • Okay, so in looking over the log files again... is "FMB-DC1.fortmyersbeachfl.gov" the exchange server?

    Is this also a domain controller? How many users do you plan on having on this system?

    The move-databasepath...can you clarify? I see you are specifying 'e:\Program Files\Microsoft\Exchange Server\V14\Mailbox\Mailbox Database 0296394825\Mailbox Database 0296394825.edb'...is this the new target?

    If so, I have seen failures if the folders for the target do not exist. So if E: drive is empty, create the Program Files folder, and continue creating folders down to Mailbox, then try to run the move-databasepath cmdlet again. Additionally, if the mailbox is in the middle of either replication or backup procedures, you will not be able to complete the move.

     

    Thursday, January 27, 2011 11:23 PM
  • David

    FMB-DC1 is a DC and we will probably have 35 to 40 users. As for the folder, it does exist and I was able to create a new database in this same directory, except for the database folder of course. I can delete or move any databases. Also, not sure if you saw, but I also get the exact same error when I try and apply the Product Key.

    Charlie

    Friday, January 28, 2011 1:25 PM
  • David and everyone else who replied, a big Thank You

    This morning I came in and did an ExBPA and it led the horse to water. David, you were right, it was an inheritance issue:

    Access control list (ACL) inheritance is blocked for the Exchange Organization object (CN=TOWN OF FT MYERS BEACH ADMINISTRATION,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=fortmyersbeachfl,DC=gov). This may cause mail flow problems, store mounting issues, and other service outages. Use ADSIEdit to re-enable inheritance on this object.

    Again

    Thanks all

    Charlie

    • Marked as answer by Frank.Wang Wednesday, February 02, 2011 6:48 AM
    Friday, January 28, 2011 1:53 PM
  • Glad you got it to work!
    Friday, January 28, 2011 9:37 PM
  • Thanks David, thanks for posting this. This has really helped me to move the mailboxes from Exchange 2003 to Exchange 2010.

    In general I have around 500 users and doing this manually for each user is not possible. Is there any way to get this done for all the users with different organizational units?

    I know it's too late posting here, but hoping that you may have got the solution and are reading the comments.

    Wednesday, March 02, 2011 8:00 PM
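
For the bulk case raised in the last post, the following is an added example and not part of the original thread: it reports every object under a search base whose ACL inheritance is blocked and can re-enable it after a `-WhatIf` review. The function names and the `DC=example,DC=com` search base are hypothetical placeholders, and it assumes the ActiveDirectory module (RSAT) and an account allowed to modify the objects' security descriptors.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-BlockedInheritance {
    # Hypothetical helper: list objects whose DACL is protected, i.e. the
    # "allow inheritable permissions from parent" box is unchecked.
    param(
        [Parameter(Mandatory = $true)][string]$SearchBase,
        [string]$LDAPFilter = '(&(objectCategory=person)(objectClass=user))',
        [string]$SearchScope = 'Subtree'
    )
    Get-ADObject -SearchBase $SearchBase -SearchScope $SearchScope `
                 -LDAPFilter $LDAPFilter -Properties nTSecurityDescriptor, adminCount |
        Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected } |
        Select-Object DistinguishedName,
            @{ Name = 'AdminSDHolder'; Expression = { $_.adminCount -eq 1 } }
}

function Enable-Inheritance {
    # Hypothetical helper: clear the "protected" flag on one object's DACL.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
        [string]$DistinguishedName
    )
    process {
        $path = "AD:\$DistinguishedName"
        $acl  = Get-Acl -Path $path
        # $false = not protected, so parent ACEs flow down again; the second
        # argument is ignored when protection is being removed.
        $acl.SetAccessRuleProtection($false, $true)
        if ($PSCmdlet.ShouldProcess($DistinguishedName, 'Re-enable ACL inheritance')) {
            Set-Acl -Path $path -AclObject $acl
        }
    }
}

# Placeholder search base; substitute your own domain DN.
$blocked = Get-BlockedInheritance -SearchBase 'DC=example,DC=com'
$blocked | Format-Table -AutoSize

# Accounts with adminCount = 1 are protected by AdminSDHolder, which blocks
# inheritance on purpose and re-applies it periodically, so leave them alone.
# Drop -WhatIf only after reviewing the list above.
$blocked | Where-Object { -not $_.AdminSDHolder } | Enable-Inheritance -WhatIf
```

To check a single container such as the Exchange Organization object that ExBPA flagged in this thread, pass its DN as `-SearchBase` with `-SearchScope Base` and `-LDAPFilter '(objectClass=*)'`.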