Exchange 2010 Send-As error

  • Question

  • Error is "Active Directory operation failed on <domain/server>.  This error is not retriable.  Additional information: Access is denied.  Active Directory Response: 0000005: SecErr: DSID-0315E04, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0.:

     

    I'm trying to give a user Send-As permissions for a public folder.  Folder is mail enabled and used to work and all of a sudden just stopped working.  I have tried everything.  I am the admin.  The only admin.  Any help would be great if anybody knows anything.  If you need additional info please let me know.

    Tuesday, July 12, 2011 3:12 PM

Answers

  • Hi,

    Please try this:

    Using ADSIEDIT.msc, on the Exchange 2010 server object verify the "Advanced Security Settings", sort the ACEs by Name and scroll down to the concerned account that you're using in EMC


    Most likely this account would have an explicit DENY on the following permissions

    "Create Public Information Store Objects"
    "Delete Public Information Store Objects"


    Uncheck the DENY on these permissions for the user concerned and replicate the AD changes


    If the account you're looking for has 'ALLOW' for these permissions, then check the groups it's a member of and verify if any of those groups are denied these permissions. An easier way to sort all the objects that have DENY on the above permissions would be to sort by Permissions in the Advanced Security Settings and look for ACEs for "Create/Delete Public Information Store Objects"

     

    • Proposed as answer by Rowen-Xu Wednesday, July 13, 2011 7:10 AM
    • Marked as answer by Rowen-Xu Friday, July 22, 2011 7:47 AM
    Wednesday, July 13, 2011 6:40 AM
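
The check described in the answer above can also be done from the Exchange Management Shell. This is an added example, not part of the original thread: it lists every Deny ACE on the server object that applies to the account running the shell or to any group in its logon token, so the create/delete entries can be read from the AccessRights and ChildObjectTypes columns. The server name `EXCH01` is a placeholder, and the script assumes the shell is started as the same account that is used in EMC.

```powershell
# Added example: run in the Exchange Management Shell as the account used in EMC.
$server = 'EXCH01'   # placeholder: name of the Exchange 2010 server object

# Names of the current account and of every group in its logon token
# (nested groups and well-known groups such as Everyone are included).
$identity   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principals = @($identity.Name)
foreach ($sid in $identity.Groups) {
    try {
        $principals += $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        # SID could not be resolved to a name (for example an orphaned SID); skip it.
    }
}

# Deny ACEs on the server object whose trustee is the account or one of its groups.
# IsInherited shows whether the ACE is explicit or comes from a parent container.
Get-ADPermission -Identity $server |
    Where-Object { $_.Deny -and ($principals -contains $_.User.ToString()) } |
    Sort-Object User |
    Format-Table User, Deny, IsInherited, AccessRights, ExtendedRights, ChildObjectTypes -AutoSize -Wrap
```

An empty result means no Deny ACE on that object matches the account or its groups by name; an inherited entry has to be changed on the parent object it comes from.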

All replies

  • Give SEND AS perms via adsiedit instead (SEND AS are directory perms, so you can do that) and see if it allows that.

    Since the folder is mail-enabled, it will be under the Microsoft Exchange System Objects container for the domain.

    What SP and RU is Exchange at?

     

    Tuesday, July 12, 2011 6:06 PM
  • Here is the shell command

    Add-AdPermission -Identity "/Publicfolder" -User "Domain Name/User Name" -ExtendedRights "Send-As" -AccessRights ReadProperty, WriteProperty -Properties "Personal Information"

    Wednesday, July 13, 2011 6:49 AM