none
Some controls are not valid, when trying to change Full access permissions

    Question

  • I am having trouble manually setting Full Access permissions to a mailbox that has been moved over from Exchange 2003.  I have setup a test user and this works correctly.  I've tried to disabling the mailbox and then reconnecting, but still doesn't work.  Any ideas on this?

     

    Thanks

    Monday, October 18, 2010 6:49 PM

Answers

  • How are you trying to enable Full Access?  By right-clicking on the recipient in the 2010 EMC and selecting the give Full Access option?  Also check to make sure the inheritance for the user object is set correctly.  You want the inheritance box checked.

    To check whether inheritance is enabled on the user:

    1. Open Active Directory Users and Computers.
    2. On the menu at the top of the console, click View > Advanced Features.
    3. Locate and right-click the mailbox account in the console, and then click Properties.
    4. Click the Security tab.
    5. Click Advanced.
    6. Make sure that the check box for "Include inheritable permissions from this object's parent" is selected.

    Let AD replication take place, then try again.

    Please post the exact error message if you are still having issues.


    Tim Harrington - Catapult Systems - http://HowDoUC.blogspot.com
    • Marked as answer by Frank.Wang Monday, October 25, 2010 1:49 AM
    Tuesday, October 19, 2010 1:36 AM

All replies

  • How are you trying to enable Full Access?  By right-clicking on the recipient in the 2010 EMC and selecting the give Full Access option?  Also check to make sure the inheritance for the user object is set correctly.  You want the inheritance box checked.

    To check whether inheritance is enabled on the user:

    1. Open Active Directory Users and Computers.
    2. On the menu at the top of the console, click View > Advanced Features.
    3. Locate and right-click the mailbox account in the console, and then click Properties.
    4. Click the Security tab.
    5. Click Advanced.
    6. Make sure that the check box for "Include inheritable permissions from this object's parent" is selected.

    Let AD replication take place, then try again.

    Please post the exact error message if you are still having issues.


    Tim Harrington - Catapult Systems - http://HowDoUC.blogspot.com
    • Marked as answer by Frank.Wang Monday, October 25, 2010 1:49 AM
    Tuesday, October 19, 2010 1:36 AM
  • Hi Jdoster,

    Any updates on your issue?


    Frank Wang
    Friday, October 22, 2010 2:39 AM
  • Hi,

    I have this same issue, except in my case it also affects new users that I create on the Exchange 2010 Server, as well as users I move across from Exchange 2003.

    In the 2010 EMC if I right-click a user and choose either Manage Send as/Full access permission, when the resulting dialog appears, if I try to click on a user in the list and select manage, I get an error appear which says "Some controls are not valid - Changes in the user/group list are required to grant or remove permissions". In the list of users, the NT AUTHORITY\SELF user also has a red arrow symbol next to the 'user' icon.

    I have ensured that inheritable permissions are selected as described above.

    I'm a bit stuck with this at present, and would appreciate any help. Thanks.

    Tuesday, November 16, 2010 10:29 AM
  • Hello everyone -

    Exact same issue here.  I've done this successfully for hundreds of users - even users shortly after they were transitioned to 2010.  Today for some reason I'm experiencing the "Some controls are not valid - Changes in the user/group list are required to grant or remove permissions" error.  Hmmm... what changes could those be?

    Monday, October 03, 2011 10:34 PM
  • Hello everyone -

    Exact same issue here.  I've done this successfully for hundreds of users - even users shortly after they were transitioned to 2010.  Today for some reason I'm experiencing the "Some controls are not valid - Changes in the user/group list are required to grant or remove permissions" error.  Hmmm... what changes could those be?


    Incidentally, no problems managing Send As permissions for the same set of users; it's only with Full Access permissions.
    Monday, October 03, 2011 10:41 PM
  • Hi,

    I have this same issue, except in my case it also affects new users that I create on the Exchange 2010 Server, as well as users I move across from Exchange 2003.

    In the 2010 EMC if I right-click a user and choose either Manage Send as/Full access permission, when the resulting dialog appears, if I try to click on a user in the list and select manage, I get an error appear which says "Some controls are not valid - Changes in the user/group list are required to grant or remove permissions". In the list of users, the NT AUTHORITY\SELF user also has a red arrow symbol next to the 'user' icon.

    I have ensured that inheritable permissions are selected as described above.

    I'm a bit stuck with this at present, and would appreciate any help. Thanks.


    In my situation, I also saw the exclamation mark next to a user in the 2010 EMC, but it was not the NT AUTHORITY\self user, it was a migration user leftover from a 2003 migration. Once I removed this user from the manage list, I was able to make changes.
    Tuesday, February 28, 2012 10:09 PM
  • One thing to check is the Exchange Alias attribute of the user object.  E2K10 can't work with spaces in the alias whereas E2K3 has no problem with them. Sometimes the space is obvious and intentional; somtimes there's a 'hidden' space at the end. Either way spaces need to be removed.

    Tuesday, February 28, 2012 11:18 PM