Exchange 2010 and resource mailboxes creation problem

  • Question

  • I'm reposting my question in Microsoft's monitored forum hoping to get an answer from Microsoft support too. My problem is described there:

    http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/a63b6d9e-7de3-4c6d-bb58-2b730f2ecbe8

    But I'll repost my initial problem:

    I have Exchange 2010 SP2 RU3 servers in a Windows 2008 R2 domain. I'm using the completely split permissions model. In general, AD admins pre-create users and Exchange admins create mailboxes for them. Everything works great for user mailboxes. But today I tried to create a room mailbox (resource mailbox). I created a user in ADUC and disabled this account, as this is a required step. Then I tried to create a room mailbox and assign this user to the new resource mailbox. And I get a nice error when creation finishes:

    Summary: 1 item(s). 1 succeeded, 0 failed.
    Elapsed time: 00:00:00

    Completed

    Warning:
    The ntSecurityDescriptor of the Active Directory object "xxx/xxx/xxx" wasn't updated successfully. Error: "Active Directory operation failed on msft-dc-01.lbank.msft. This error is not retriable. Additional information: Access is denied.
    Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
    ".

    Exchange Management Shell command completed:
    Enable-Mailbox -Identity xxx/xxx/xxx' -Alias '213ppsale' -Database 'DB' -Room

    Elapsed Time: 00:00:00

    I suspect that this problem is because of the split permissions model I use. The DC logs the following error:

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          6/1/2012 1:25:45 PM
    Event ID:      4662
    Task Category: Directory Service Access
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      msft-dc-01.lbank.msft
    Description:
    An operation was performed on an object.

    Subject:
      Security ID:     LBANKMSFT\MSFT-V-MBX-01$
      Account Name:    MSFT-V-MBX-01$
      Account Domain:  LBANKMSFT
      Logon ID:        0x81d6fc0b

    Object:
      Object Server:   DS
      Object Type:     user
      Object Name:     CN=213 Pirma Posedziu Sale,OU=tarnybiniai vartotojai,DC=lbank,DC=msft
      Handle ID:       0x0

    Operation:
      Operation Type:  Object Access
      Accesses:        WRITE_DAC
      Access Mask:     0x40000
      Properties:      ---
        {bf967aba-0de6-11d0-a285-00aa003049e2}

    It seems that the mailbox server tried to modify the user account and failed. So I tried to set Full Access rights on this disabled account for the mailbox server. And then I was able to create the resource mailbox without any problems. From that I can assume that when I enabled the split permissions model, permissions were set incorrectly. Maybe it was a bug, as I have the same situation in completely different domains (production and testing ones). So how can I correct this problem?

    Monday, June 4, 2012 5:43 AM

All replies

  • Have you tried disabling the account after creating the mailbox for it?

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

    Monday, June 4, 2012 8:03 PM
  • Dear Ed,

    It is not possible to create a resource mailbox for an enabled pre-created account.

    Tuesday, June 5, 2012 3:25 AM
  • I wasn't aware of that but I see that's true.

    I was able to turn a disabled account into a resource account, though, but I wasn't using any split permissions model, so I don't have an answer for you except that you're going to have to spend whatever cycles it takes to find out where your permissions are missing.


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

    Tuesday, June 5, 2012 4:44 AM
  • Ed,

    Can you enable Active directory split permissions model to test this issue?:)

    setup.com /PrepareAD /ActiveDirectorySplitPermissions:true

    You'll be able to revert back after all tests. Of course, if you have a testing environment. Thanks.

    Tuesday, June 5, 2012 5:05 AM
  • I'll try to look at it sometime, but I can't do it now, sorry.  I hope someone else can chime in with their opinion in the meantime.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

    Tuesday, June 5, 2012 5:12 AM
  • Hi Rimvvdas,

    I have not seen this issue before, I will try to test in my lab, and post the updates.

    Thanks,

    Evan Liu

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tngfb@microsoft.com  


    Tuesday, June 5, 2012 9:07 AM
    Moderator
  • Hi Rimvvdas,

    I checked in my lab, get the same result.

    But I think this may not be a bug. The warning is because, when you create a resource mailbox, Exchange administrators or groups need to create security principals in Active Directory or modify non-Exchange attributes on those objects. You can see this:

    Some cmdlets, although still available, may offer only limited functionality when used with Active Directory split permissions. This is because they may allow you to configure recipient objects that are in the domain Active Directory partition and Exchange configuration objects that are in the configuration Active Directory partition. They may also allow you to configure Exchange-related attributes on objects stored in the domain partition. Attempts to use the cmdlets to create objects, or modify non-Exchange-related attributes on objects, in the domain partition will result in an error.

    See the details in this document:

    Understanding Split Permissions
    http://technet.microsoft.com/en-us/library/dd638106.aspx

    To fix this issue, you can try to change the permissions for Exchange administrators and groups.

    Thanks,

    Evan Liu


    Wednesday, June 6, 2012 10:57 AM
    Moderator
    In this particular issue the mailbox server is trying to modify this disabled account. Don't you think such issues must be mentioned in some kind of KB article? Because I don't know now if I can use a resource mailbox created with an error :/

    As you talked about permissions, then another question :)

    What minimal permissions must I grant to the Exchange servers to be able to modify the required account? I'm talking about MINIMAL permissions. Thanks.

    Wednesday, June 6, 2012 11:28 AM
  • Hi,

    I checked in my other environment and found that Exchange Servers have Full Control permission on the room mailbox, so I suggest you follow this workaround for this issue:

    Create one OU for all the resource mailboxes in ADUC.

    Use Delegate Control to give Exchange Servers "Create, delete, and manage user accounts".

    Then you will find that using users in that OU to create resource mailboxes will not produce that warning.

    Thanks,

    Evan Liu


    Thursday, June 7, 2012 6:10 AM
    Moderator
  • Evan,

    I think that "Create, delete, and manage user accounts" permissions are rather big ones. It would be nice to know what the MINIMAL permissions needed are.

    Thursday, June 7, 2012 6:20 AM
    I think it needs that permission; you can check your error information above:

    Operation:
      Operation Type:  Object Access
      Accesses:        WRITE_DAC

    WRITE_DAC: The right to modify the discretionary access control list (DACL) in the object's security descriptor.

    Thanks,

    Evan Liu


    Thursday, June 7, 2012 6:25 AM
    Moderator
  • Hello,

    Any updates on this issue?

    Thanks,

    Evan Liu


    Friday, June 8, 2012 2:31 AM
    Moderator
    I think I'll live with this :) But it would be nice to mention this problem in some kind of article.
    Friday, June 8, 2012 8:48 AM
    Maybe this will be mentioned in later updates.

    Thanks for your understanding.

    Best Regards,

    Evan Liu


    Tuesday, June 19, 2012 9:49 AM
    Moderator
    I've tried to check once more and it seems that it is enough to set the Modify permission for the server account on the required AD object. But this whole thing seems like a bug in the split permissions model of Exchange :( Missed thing...
    Thursday, June 21, 2012 9:43 AM
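    A narrower alternative to the OU-wide "Create, delete, and manage user accounts" delegation suggested above, as an added example that is not from this thread: grant the Exchange Servers group only WriteDacl, the access that failed in the 4662 event, and only on user objects under a dedicated resource-mailbox OU. The OU distinguished name is a placeholder; whether WriteDacl alone is sufficient for Enable-Mailbox -Room is not confirmed by the thread (the poster reports that Modify worked), so test in a lab first.

    ```powershell
    # Added example, not from the original thread or from Microsoft.
    # Grants WriteDacl on descendant user objects of one OU to the Exchange Servers group.
    Import-Module ActiveDirectory

    $ouDn      = 'OU=Resource Mailboxes,DC=example,DC=test'     # placeholder OU DN (assumption)
    $groupName = 'Exchange Servers'                              # built-in Exchange security group
    # Schema GUID of the "user" class; it is the property GUID shown in the 4662 event above.
    $userClass = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

    $sid  = (Get-ADGroup -Identity $groupName).SID
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClass)   # inherit only onto user objects, not groups, computers or sub-OUs

    $path = "AD:\$ouDn"
    $acl  = Get-Acl -Path $path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl

    # Verify: show only the ACEs this OU now holds for the group, so the grant can be reviewed.
    (Get-Acl -Path $path).Access |
        Where-Object { $_.IdentityReference -like "*\$groupName" } |
        Select-Object ActiveDirectoryRights, AccessControlType, InheritanceType, InheritedObjectType
    ```

    After the grant, a repeated Enable-Mailbox -Room on a disabled user in that OU should no longer produce the 4662 Audit Failure for WRITE_DAC on the DC.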
    I think this is not a bug; the document has explained it clearly:

    Some cmdlets, although still available, may offer only limited functionality when used with Active Directory split permissions. This is because they may allow you to configure recipient objects that are in the domain Active Directory partition and Exchange configuration objects that are in the configuration Active Directory partition.

    Thanks,

    Evan Liu


    Friday, June 22, 2012 1:33 AM
    Moderator
    I completely understand your point but I still think that this is an omission made by Microsoft :) Room mailbox creation is one of the important and frequently used options and I think that this thing must be fixed. Note, I can create user mailboxes without a single problem using this split permissions model. If it is not possible to fix this, this problem MUST be mentioned somewhere. It could be the mailbox creation results window.
    Friday, June 22, 2012 4:50 AM
  • Hi Rimvydas,
     
    I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.

    Thanks,

    Evan Liu


    Thursday, June 28, 2012 3:24 AM
    Moderator
  • Thank you for the feedback, I have raised a request to document the behaviour.
    Friday, August 17, 2012 2:55 AM