INSUFF_ACCESS_RIGHTS

  • Question

  •  

    Summary: 1 item(s). 0 succeeded, 1 failed.

    Elapsed time: 00:00:09

     

    Hi, I have Exchange 2010, migrated from 2003. Everything worked fine till now. I asked to add Send As permission to a public folder. I used the 'Managed As Permissions' but this caused the error below. I tried changing the user name in the EMS to the full AD name, but that got me the same error as well. I used the Administrator account, and I also created another user called onladmin by copying the Administrator account details, and the result is the same.

    ONLINE\john

    Failed

     

    Error:

    Active Directory operation failed on ONLSRV12.online.com. This error is not retriable. Additional information: Access is denied.

    Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

    Any Help

    Thanks

    Magid

     

    The user has insufficient access rights.

     

    Exchange Management Shell command attempted:

    Add-ADPermission -Identity 'CN=Goods_in_OT,CN=Microsoft Exchange System Objects,DC=online,DC=com' -User 'ONLINE\john' -ExtendedRights 'Send-as'

     

    Elapsed Time: 00:00:09

    Monday, September 13, 2010 9:02 AM

Answers

  • To everyone who is stuck like me on this issue: I found the solution.

    I worked with a genius chap from MS (Sudhir Kaushik) who put me on the road to solving this issue.

    And this is what we did:

    1. First check the above and follow what Ripu Daman Mina and James Luo suggested (thanks to both of you).
    2. Create a new public folder and see if you can add the Send-As permission to it, or whether you get the same error as above. If that is the case, stop here; this will not sort your issue, or maybe it will (let me know please).
    3. Open ADSIEdit and check the ownership of the new folder by going to Default naming context -> DC=domainname,DC=co,DC=uk -> CN=Microsoft Exchange System Objects -> right-click the object of the PF you just created and select Properties, then Advanced, Ownership, and note the name of who owns the public folder (in my case the servername$).
    4. Repeat step 2 for the Public Folder object in question and go to the Ownership tab (in my case it said system is the owner); change it to the one that worked in step 2 (in my case the servername$).
    5. Save and try the Send As permission again, and it should work.

    The only drawback: it needs to be changed manually.

    I hope this helps, and please let me know if it works for you.

    • Marked as answer by Magic174 Thursday, September 23, 2010 10:31 AM
    Thursday, September 23, 2010 10:31 AM

All replies

  • Hi,

    Have a look into this article it might help : http://blog.nick.mackechnie.co.nz/post/2009/11/20/Exchange-2010-Active-Sync-Issue.aspx


    Ripu Daman Mina | MCSE 2003 & MCSA Messaging
    • Proposed as answer by _halfmoon Thursday, December 5, 2019 2:57 PM
    Monday, September 13, 2010 9:49 AM
  • Hi, Thanks for your reply.

    I tried this document and it didn't sort my problem. Any more suggestions?

    Monday, September 13, 2010 12:28 PM
  • Hi,

    Does administrator here mean a member of the Exchange administration group? You need to add the role group; with the help of Get-RoleGroupMember "Public Folder Management", please verify whether the "Public Folder Management" role is associated with the account that you used.

    Get-ManagementRoleAssignment -RoleAssignee Account | Ft -Wrap

    Please put the account into the "Public Folder Management" role group, and see whether the issue still occurs or not.


    Ripu Daman Mina | MCSE 2003 & MCSA Messaging
    Monday, September 13, 2010 12:51 PM
  • As you already know, the "Add-ADPermission" cmdlet is required for granting the "Send As" permission.

    The role that can run the cmdlet is the "Active Directory Permissions" role, so please verify that the administrator has the role (the role will be assigned if administrator is the account that was used to install Exchange).

    Get-ManagementRoleAssignment -RoleAssignee Administrator -Role "Active Directory Permissions"

    Resources:

    Active Directory Permissions Role


    James Luo
    TechNet Subscriber Support (http://technet.microsoft.com/en-us/subscriptions/ms788697.aspx)
    If you have any feedback on our support, please contact tngfb@microsoft.com
    Wednesday, September 15, 2010 7:58 AM
  • I am sorry for the late reply, we were so busy.

    Here is part of the details, as it crashes the web page every time I paste the whole details.

    [PS] C:\Windows\system32>Get-ManagementRoleAssignment -RoleAssignee Administrator | Ft -Wrap

    Name                           Role              RoleAssigneeName  RoleAssigneeType  AssignmentMethod  EffectiveUserNam
                                                                                                           e
    ----                           ----              ----------------  ----------------  ----------------  ----------------
    Active Directory Permissions-O Active Directory  Organization Mana RoleGroup         RoleGroup         All Group Member
    rganization Management-Delegat Permissions       gement                                                s
    ing
    Active Directory Permissions-O Active Directory  Organization Mana RoleGroup         RoleGroup         All Group Member
    rganization Management         Permissions       gement                                                s
    Address Lists-Organization Man Address Lists     Organization Mana RoleGroup         RoleGroup         All Group Member
    agement-Delegating                               gement                                                s
    Address Lists-Organization Man Address Lists     Organization Mana RoleGroup         RoleGroup         All Group Member
    agement                                          gement                                                s
    ApplicationImpersonation-Organ ApplicationImpers Organization Mana RoleGroup         RoleGroup         All Group Member
    ization Management-Delegating  onation           gement                                                s
    Audit Logs-Organization Manage Audit Logs        Organization Mana RoleGroup         RoleGroup         All Group Member
    ment-Delegating                                  gement                                                s
    Audit Logs-Organization Manage Audit Logs        Organization Mana RoleGroup         RoleGroup         All Group Member
    ment                                             gement                                                s
    Cmdlet Extension Agents-Organi Cmdlet Extension  Organization Mana RoleGroup         RoleGroup         All Group Member
    zation Management-Delegating   Agents            gement                                                s
    Cmdlet Extension Agents-Organi Cmdlet Extension  Organization Mana RoleGroup         RoleGroup         All Group Member
    zation Management              Agents            gement                                                s
    Database Availability Groups-O Database Availabi Organization Mana RoleGroup         RoleGroup         All Group Member
    rganization Management-Delegat lity Groups       gement                                                s
    ing
    Database Availability Groups-O Database Availabi Organization Mana RoleGroup         RoleGroup         All Group Member
    rganization Management         lity Groups       gement                                                s
    Database Copies-Organization M Database Copies   Organization Mana RoleGroup         RoleGroup         All Group Member
    anagement-Delegating                             gement                                                s
    Database Copies-Organization M Database Copies   Organization Mana RoleGroup         RoleGroup         All Group Member
    anagement                                        gement                                                s
    Databases-Organization Managem Databases         Organization Mana RoleGroup         RoleGroup         All Group Member
    ent-Delegating                                   gement                                                s
    Databases-Organization Managem Databases         Organization Mana RoleGroup         RoleGroup         All Group Member
    ent                                              gement                                                s
    Disaster Recovery-Organization Disaster Recovery Organization Mana RoleGroup         RoleGroup         All Group Member
     Management-Delegating                           gement                                                s
    Disaster Recovery-Organization Disaster Recovery Organization Mana RoleGroup         RoleGroup         All Group Member
     Management                                      gement                                                s
    Distribution Groups-Organizati Distribution Grou Organization Mana RoleGroup         RoleGroup         All Group Member
    on Management-Delegating       ps                gement                                                s
    Distribution Groups-Organizati Distribution Grou Organization Mana RoleGroup         RoleGroup         All Group Member
    on Management                  ps                gement                                                s
    Edge Subscriptions-Organizatio Edge Subscription Organization Mana RoleGroup         RoleGroup         All Group Member
    n Management-Delegating        s                 gement                                                s
    Edge Subscriptions-Organizatio Edge Subscription Organization Mana RoleGroup         RoleGroup         All Group Member
    n Management                   s                 gement                                                s
    E-Mail Address Policies-Organi E-Mail Address Po Organization Mana RoleGroup         RoleGroup         All Group Member
    zation Management-Delegating   licies            gement                                                s
    E-Mail Address Policies-Organi E-Mail Address Po Organization Mana RoleGroup         RoleGroup         All Group Member
    zation Management              licies            gement                                                s
    Exchange Connectors-Organizati Exchange Connecto Organization Mana RoleGroup         RoleGroup         All Group Member
    on Management-Delegating       rs                gement                                                s
    Exchange Connectors-Organizati Exchange Connecto Organization Mana RoleGroup         RoleGroup         All Group Member
    on Management                  rs                gement                                                s
    Exchange Server Certificates-O Exchange Server C Organization Mana RoleGroup         RoleGroup         All Group Member
    rganization Management-Delegat ertificates       gement                                                s
    ing
    Exchange Server Certificates-O Exchange Server C Organization Mana RoleGroup         RoleGroup         All Group Member
    rganization Management         ertificates       gement                                                s
    Exchange Servers-Organization  Exchange Servers  Organization Mana RoleGroup         RoleGroup         All Group Member
    Management-Delegating                            gement                                                s
    Exchange Servers-Organization  Exchange Servers  Organization Mana RoleGroup         RoleGroup         All Group Member
    Management                                       gement                                                s
    Exchange Virtual Directories-O Exchange Virtual  Organization Mana RoleGroup         RoleGroup         All Group Member
    rganization Management-Delegat Directories       gement                                                s
    ing
    Exchange Virtual Directories-O Exchange Virtual  Organization Mana RoleGroup         RoleGroup         All Group Member
    rganization Management         Directories       gement                                                s
    Federated Sharing-Organization Federated Sharing Organization Mana RoleGroup         RoleGroup         All Group Member
     Management-Delegating                           gement                                                s
    Federated Sharing-Organization Federated Sharing Organization Mana RoleGroup         RoleGroup         All Group Member
     Management                                      gement                                                s
    Information Rights Management- Information Right Organization Mana RoleGroup         RoleGroup         All Group Member
    Organization Management-Delega s Management      gement                                                s
    ting
    Information Rights Management- Information Right Organization Mana RoleGroup         RoleGroup         All Group Member
    Organization Management        s Management      gement                                                s
    Journaling-Organization Manage Journaling        Organization Mana RoleGroup         RoleGroup         All Group Member
    ment-Delegating                                  gement                                                s
    Journaling-Organization Manage Journaling        Organization Mana RoleGroup         RoleGroup         All Group Member
    ment                                             gement                                                s
    Legal Hold-Organization Manage Legal Hold        Organization Mana RoleGroup         RoleGroup         All Group Member
    ment-Delegating                                  gement                                                s
    Legal Hold-Organization Manage Legal Hold        Organization Mana RoleGroup         RoleGroup         All Group Member
    ment                                             gement                                                s
    Mail Enabled Public Folders-Or Mail Enabled Publ Organization Mana RoleGroup         RoleGroup         All Group Member
    ganization Management-Delegati ic Folders        gement                                                s
    ng
    Mail Enabled Public Folders-Or Mail Enabled Publ Organization Mana RoleGroup         RoleGroup         All Group Member
    ganization Management          ic Folders        gement                                                s
    Mail Recipient Creation-Organi Mail Recipient Cr Organization Mana RoleGroup         RoleGroup         All Group Member
    zation Management-Delegating   eation            gement                                                s
    Mail Recipient Creation-Organi Mail Recipient Cr Organization Mana RoleGroup         RoleGroup         All Group Member
    zation Management              eation            gement                                                s
    Mail Recipients-Organization M Mail Recipients   Organization Mana RoleGroup         RoleGroup         All Group Member
    anagement-Delegating                             gement                                                s
    Mail Recipients-Organization M Mail Recipients   Organization Mana RoleGroup         RoleGroup         All Group Member
    anagement                                        gement                                                s
    Mail Tips-Organization Managem Mail Tips         Organization Mana RoleGroup         RoleGroup         All Group Member
    ent-Delegating                                   gement                                                s
    Mail Tips-Organization Managem Mail Tips         Organization Mana RoleGroup         RoleGroup         All Group Member
    ent                                              gement                                                s
    Mailbox Import Export-Organiza Mailbox Import Ex Organization Mana RoleGroup         RoleGroup         All Group Member
    tion Management-Delegating     port              gement                                                s
    Mailbox Search-Organization Ma Mailbox Search    Organization Mana RoleGroup         RoleGroup         All Group Member
    nagement-Delegating                              gement                                                s
    Message Tracking-Organization  Message Tracking  Organization Mana RoleGroup         RoleGroup         All Group Member
    Management-Delegating                            gement                                                s
    Message Tracking-Organization  Message Tracking  Organization Mana RoleGroup         RoleGroup         All Group Member
    Management                                       gement                                                s
    Migration-Organization Managem Migration         Organization Mana RoleGroup         RoleGroup         All Group Member
    ent-Delegating                                   gement                                                s
    Migration-Organization Managem Migration         Organization Mana RoleGroup         RoleGroup         All Group Member
    ent                                              gement                                                s
    Monitoring-Organization Manage Monitoring        Organization Mana RoleGroup         RoleGroup         All Group Member
    ment-Delegating                                  gement                                                s
    Monitoring-Organization Manage Monitoring        Organization Mana RoleGroup         RoleGroup         All Group Member
    ment                                             gement                                                s
    Move Mailboxes-Organization Ma Move Mailboxes    Organization Mana RoleGroup         RoleGroup         All Group Member
    nagement-Delegating                              gement                                                s
    Move Mailboxes-Organization Ma Move Mailboxes    Organization Mana RoleGroup         RoleGroup         All Group Member
    nagement                                         gement                                                s
    Organization Client Access-Org Organization Clie Organization Mana RoleGroup         RoleGroup         All Group Member
    anization Management-Delegatin nt Access         gement                                                s
    g
    Organization Client Access-Org Organization Clie Organization Mana RoleGroup         RoleGroup         All Group Member
    anization Management           nt Access         gement                                                s
    Organization Configuration-Org Organization Conf Organization Mana RoleGroup         RoleGroup         All Group Member
    anization Management-Delegatin iguration         gement                                                s
    g
    Organization Configuration-Org Organization Conf Organization Mana RoleGroup         RoleGroup         All Group Member
    anization Management           iguration         gement                                                s
    Organization Transport Setting Organization Tran Organization Mana RoleGroup         RoleGroup         All Group Member
    s-Organization Management-Dele sport Settings    gement                                                s
    gati
    Organization Transport Setting Organization Tran Organization Mana RoleGroup         RoleGroup         All Group Member
    s-Organization Management      sport Settings    gement                                                s
    POP3 And IMAP4 Protocols-Organ POP3 And IMAP4 Pr Organization Mana RoleGroup         RoleGroup         All Group Member
    ization Management-Delegating  otocols           gement                                                s
    POP3 And IMAP4 Protocols-Organ POP3 And IMAP4 Pr Organization Mana RoleGroup         RoleGroup         All Group Member
    ization Management             otocols           gement                                                s
    Public Folder Replication-Orga Public Folder Rep Organization Mana RoleGroup         RoleGroup         All Group Member
    nization Management-Delegating lication          gement                                                s
    Public Folder Replication-Orga Public Folder Rep Organization Mana RoleGroup         RoleGroup         All Group Member
    nization Management            lication          gement                                                s
    Public Folders-Organization Ma Public Folders    Organization Mana RoleGroup         RoleGroup         All Group Member
    nagement-Delegating                              gement                                                s
    Public Folders-Organization Ma Public Folders    Organization Mana RoleGroup         RoleGroup         All Group Member
    nagement                                         gement                                                s

    Wednesday, September 15, 2010 9:22 AM
  • Thanks for your input; here is what you asked me to do.

    [PS] C:\Windows\system32>Get-managementRoleAssignment -RoleAssignee Administrator -Role "Active Directory Permissions" |
     ft -wrap

    Name                           Role              RoleAssigneeName  RoleAssigneeType  AssignmentMethod  EffectiveUserNam
                                                                                                           e
    ----                           ----              ----------------  ----------------  ----------------  ----------------
    Active Directory Permissions-O Active Directory  Organization Mana RoleGroup         RoleGroup         All Group Member
    rganization Management-Delegat Permissions       gement                                                s
    ing
    Active Directory Permissions-O Active Directory  Organization Mana RoleGroup         RoleGroup         All Group Member
    rganization Management         Permissions       gement                                                s


    [PS] C:\Windows\system32>

    Wednesday, September 15, 2010 11:13 AM
  • Any new information? I am still having the same problem.
    Friday, September 17, 2010 10:24 AM
  • In my case, I have 4 exchange 2010 servers.

    I had this problem. I used the solution of Magic174 and checked that the owner was another server. I connected to the PF from the owner server and could set the permissions without problems.

     

    Tuesday, July 26, 2011 9:19 AM
  • I sort of tried Magic174's idea, except instead of changing the Owner, I went to the server that was the owner and was able to make the Send As permission change there no problem...

    Seems like a bug that you can only administer that permission from the server owner...  I have a politically incorrect term I would like to insert here, but I won't.

    Friday, December 2, 2011 11:59 PM
  • Hi,

    In my case it was a HUB server. It was enough to connect to that HUB server, which was the owner, and run the script under its context.

    With regards


    Zbyněk

    Friday, February 24, 2012 5:00 AM
  • This is truly a bug that MS should consider fixing.  Why in God's name should an admin need to log into the mailbox server to administer Public Folder permissions like this?!

    I know MS has tried to kill off public folders but this is borderline ridiculous!

    I was able to assign the send-as extendedrights only after logging into the mailbox server.  What happened to distributed administration?

    Boo MS, fix this.

    Wednesday, April 18, 2012 7:32 PM
  • Unless you are a Domain Backup Operator or a Domain Administrator, you cannot change the owner of the public folder objects even if you have modify permissions on them:

    http://networkadminkb.com/KB/a22/how-to-allow-assignment-ownership-without-being-local.aspx

    The quicker/easier fix to this issue, which is one that our Exchange DSE from Microsoft Premiere support clued us into, is to add the "Exchange Trusted Subsystem" group to have "Modify Permissions" for "Descendant Public Folder objects" in the "Microsoft Exchange System Objects" container.

    Making an Exchange server an owner of the public folder as others have found simply allows you to set permissions on the object w/o having permissions, as an owner can always do anything. The real issue is the Exchange Trusted Subsystem didn't have permissions to change the permissions on the Public Folder objects.

    The reason why this is necessary is due to the fact with RBAC, the server is the one proxying the change on behalf of the user once the server confirms the user has the right to do so, so the user's actual permissions on this container (such as through the Exchange Org admins group or Public Folder admins group) don't matter.

    I guess Microsoft missed this in their Exchange 2010 ADPrep/DomainPrep?


    Wednesday, June 27, 2012 1:44 PM
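
Added example (not part of any post in this thread): a read-only PowerShell audit of the two things the replies above point to, the owner of each public folder object under "Microsoft Exchange System Objects" and whether "Exchange Trusted Subsystem" holds Modify Permissions (WriteDacl) on it. It assumes the ActiveDirectory module is available and uses the domain DN from the question; the function name, variable names and the NeedsReview column are illustrative.

```powershell
# Added example: read-only audit, nothing in the directory is modified.
# Assumes the ActiveDirectory module (RSAT), which provides the AD: drive.
Import-Module ActiveDirectory

# Assumption: domain DN taken from the question; replace with your own.
$domainDN = 'DC=online,DC=com'
$mesoDN   = "CN=Microsoft Exchange System Objects,$domainDN"
$trustee  = 'Exchange Trusted Subsystem'   # group named in the reply above

$writeDacl   = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteDacl
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

function Test-TrusteeCanModifyPermissions {
    param($Acl, [string]$TrusteeName)
    # True when an Allow ACE for the trustee that applies to this object
    # (not inherit-only) includes WriteDacl. Deny ACEs and nested group
    # membership are not evaluated here.
    foreach ($ace in $Acl.Access) {
        # Compare on the name part only, ignoring the NetBIOS domain prefix.
        $name = ($ace.IdentityReference.Value -split '\\')[-1]
        if ($name -eq $TrusteeName -and
            $ace.AccessControlType -eq 'Allow' -and
            (([int]$ace.PropagationFlags -band $inheritOnly) -eq 0) -and
            (([int]$ace.ActiveDirectoryRights -band $writeDacl) -ne 0)) {
            return $true
        }
    }
    return $false
}

# Mail-enabled public folders are objects of class publicFolder in this container.
Get-ADObject -SearchBase $mesoDN -SearchScope OneLevel -LDAPFilter '(objectClass=publicFolder)' |
    ForEach-Object {
        $acl = Get-Acl -Path ("AD:\" + $_.DistinguishedName)
        $ok  = Test-TrusteeCanModifyPermissions -Acl $acl -TrusteeName $trustee
        New-Object PSObject -Property @{
            Name                        = $_.Name
            Owner                       = $acl.Owner
            TrusteeCanModifyPermissions = $ok
            NeedsReview                 = (-not $ok)
        }
    } |
    Select-Object Name, Owner, TrusteeCanModifyPermissions, NeedsReview |
    Sort-Object NeedsReview -Descending |
    Format-Table -AutoSize
```

Rows with NeedsReview set to True are the objects where the trustee lacks the permission this reply describes; the Owner column shows whether the object is owned by a server account or by SYSTEM, as in the accepted answer.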
  • Although the question is marked as answered, I'll post my 2 cents' worth...

    Had a similar issue: in a migrated environment (Exch2003->Exch2010), when mail-enabling a PF, I got the exact same error as Magic174. Obviously, it's a permissions issue. I dug around for a while and found that it has nothing to do with my account (which had all the necessary permissions). But it had to do with the Exchange server's permissions. What I found out is that the Exchange Server group (the group the Exchange 2010 Server account is in) had very, very limited permissions on the "Microsoft Exchange System Objects" OU. For example, "Create Child objects" was missing, and when mail-enabling a PF, an object for that PF is created in this OU. It seems to me that the Exchange Server was not able to create this object. When I added the "Create Child objects" permission to the "Exchange Servers" group, everything suddenly worked just fine.

    It's not the exact same problem as posted by Magic174, but I believe that the root cause may be the same: the "Microsoft Exchange System Objects" OU's permissions are messed up.


    • Edited by McWax Friday, October 5, 2012 9:14 AM typo
    Friday, October 5, 2012 9:13 AM
  • This fixed the issue over Magic174's solution as I did not have to do this for each object and also can modify permissions from any server. Thanks!
    Tuesday, November 13, 2012 3:08 PM