Non-Local users cannot be given rights on this server.

  • Question

  • I am trying to change the permissions on a calendar.  I have just migrated mail over to a new Exchange 2010 server, and a new Active Directory Domain.  I have used ADMT tool to migrate user accounts but I am having this same problem on a new account that was created in the new server and was not a migrated account.

    The error is: One or more users cannot be added to the folder access list. Non-Local users cannot be given rights on this server. This is when trying to add a USER account to the calendar permissions. I saw the article and posts where this could not be done to distribution groups, but that is not my issue. I actually CAN assign permissions to my security/distribution groups.

    I also saw some posts saying to make sure the mailbox is a user type and is not shared. In looking in EMC, it shows all mailbox types as user. I have also run the following command on the mailbox, Set-Mailbox -Identity username -Type Regular, and it says that the mailbox type is already regular.

    Any help is appreciated!

     

     


    Wednesday, August 24, 2011 9:12 PM

All replies

  • Hello,

     

    Try using “Add-MailboxFolderPermission” to assign the related permission:

     

    http://technet.microsoft.com/en-us/library/dd298062.aspx

     

    Does this issue occur for all the newly created users on the Exchange 2010 MBX?

     

    Thanks,

    Simon

    Friday, August 26, 2011 6:53 AM
    Moderator
  • Yes, it works to use Add-MailboxFolderPermission to do this. And I can give permissions to newly created users in the domain, so it seems like Outlook somehow thinks the existing/migrated users still belong to my old domain. The account that I am logged into Outlook with was NOT a migrated account, and I have deleted and recreated the Outlook profile. When I go to browse the users, they all have the red circle with a line through them, but anything newly created in the domain works. It must be some property of the migrated users, but I don't know what that would be. Thanks for the help!

    Friday, August 26, 2011 1:12 PM
  • Hello,

     

    Thanks for the update.

     

    How about exporting the users’ attributes and comparing the differences?

     

    [Dump the attribute of a good user and a problematic user]

    =============================================== 

    On the DC\GC server, open Command Prompt, type the commands, compress and send the output files to me.

     

    ldifde -f c:\<Name of User>.txt -d "distinguishedName of User"

     

    Here are the detailed steps for getting the distinguishedName of a user:

    a. Run Adsiedit.msc from a command prompt.

    b. Expand “Domain” -> “DC=domainName,DC=com” -> “CN=Users”.

    c. Right-click “CN=the problematic user name” and click “Properties”.

    d. Find the “distinguishedName” attribute. Double-click it and copy its value.

     

    Thanks,

    Simon

    Monday, August 29, 2011 12:57 AM
    Moderator
  • OK, yes thank you.  I see the difference is the RecipientDisplayType = 1073741824, on the migrated users this is all 0.  Found this info in this post here: http://msexchangetips.blogspot.com/2009_06_01_archive.html

    Is there a way to update that for all users quickly?  Or a command line to update it vs. doing them all in ADSIEdit?

    Thanks so much, this was driving me insane!

    Monday, August 29, 2011 6:42 PM
  • Hello,

    You may need to make scripts to modify the attributes for all the users. Please create a new thread in the Windows Server Forum via the following link:

     

    http://social.technet.microsoft.com/forums/en-US/category/windowsserver/


    Thanks,
    Simon

     

    Tuesday, August 30, 2011 3:33 AM
    Moderator
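
An added example, not part of the original thread, of the bulk update the poster asks about: it finds mailbox-enabled users whose display type is 0, records their current values, and previews a change to 1073741824. It assumes the ActiveDirectory PowerShell module and that the value the poster calls RecipientDisplayType is stored in the AD attribute msExchRecipientDisplayType; the OU and backup path are hypothetical placeholders.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Hypothetical values: scope the search to the migrated accounts only.
$SearchBase = 'OU=Migrated,DC=example,DC=com'
$BackupCsv  = 'C:\Temp\RecipientDisplayType-before.csv'
$Expected   = 1073741824   # value the thread reports on working users

# Mailbox-enabled users (homeMDB is set) whose display type is 0,
# the value the thread reports on the migrated users.
$filter = '(&(objectCategory=person)(objectClass=user)' +
          '(homeMDB=*)(msExchRecipientDisplayType=0))'

$targets = @(Get-ADUser -LDAPFilter $filter -SearchBase $SearchBase `
                        -Properties msExchRecipientDisplayType)

if ($targets.Count -eq 0) {
    Write-Host 'No mailbox users with msExchRecipientDisplayType = 0 found.'
    return
}

# Record the current values before touching anything, so the change
# can be reviewed and reverted per account.
$targets |
    Select-Object SamAccountName, DistinguishedName, msExchRecipientDisplayType |
    Export-Csv -Path $BackupCsv -NoTypeInformation

foreach ($user in $targets) {
    # -WhatIf only previews the write; remove it after checking the
    # preview output and the CSV against the intended account list.
    Set-ADUser -Identity $user.DistinguishedName `
               -Replace @{ msExchRecipientDisplayType = $Expected } `
               -WhatIf
}

Write-Host ("{0} account(s) matched; prior values saved to {1}" -f `
            $targets.Count, $BackupCsv)
```

Run it against a single test account first and confirm in Outlook that the account can be added to a folder's permissions before widening the search base.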