INSUFF_ACCESS_RIGHTS on any AD operation

  • Question

  • Hi,

    I’ve built myself a predicament. About two weeks ago I installed Exchange 2010 on a Server 2008R2x64 virtual server (Hyper-V) and had everything running well. I installed to coexist with Exchange 2003 production server. No E2007 in between. For some now forgotten reason, I needed to uninstall the E2010 and reinstall it.

    I ran into a problem with the Arbitration mailboxes and searched for a way around that.  I found an article (On this forum) about removing the databases using ADSIEDIT and did so.  I apparently removed too much.  Looking back now, I think the article was on E2007.

    I had a great deal of trouble reinstalling.  Especially the Hub Transport Role.  Permission issues and other problems.  Finally worked around those issues and have all of E2010 back up and running, but I cannot do anything. 

    I cannot create, delete or move a mailbox in console or shell.  Cannot remove a dismounted database.  Can't add members to groups using shell.  Everything I attempt results in an error similar to this:

    --------------------------------------------------------
    Microsoft Exchange Error
    --------------------------------------------------------
    The mailbox database 'Mailbox Database 1132409229' cannot be deleted.

    Mailbox Database 1132409229
    Failed
    Error:
    Active Directory operation failed on “Domain-Controller FQDN”. This error is not retriable. Additional information: Access is denied.
    Active directory response: 00000005: SecErr: DSID-0315202A, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

    The user has insufficient access rights.
    ***

    The same errors in the console or shell.

    It has to be AD permissions, but where????

    I've tried to use  ADD-ADPermission, but get INSUFF_ACCESS_RIGHTS there as well.

    I have run PrepareAD, PreparePL, PrepareSchema over again.

    I have a Microsoft Exchange Security Group object and all of the required groups are there.

    The Domain Administrator account is a member of Organization Management, and a few others.

    I’m using the Domain Administrator account, but have tried using another with admin rights.

    My 3 DC’s were all Server 2003, so I built a Server 2008 DC and have it replicating to see if it was a communications issue.

    DNS seems to be working fine across all.

    Exchange 2003 server is working fine, but I cannot manage mailboxes any longer.

    All of this was working correctly on my original install.

    Any suggestions would be greatly appreciated. I’ve worked on this for 4 days now and I’m stumped. The NW is a Public School system, so not many changes this time of year, but I’ve got to get it fixed soon.

    Thanks,

    Charles M. Allen

    Wednesday, March 31, 2010 1:50 PM

Answers

  • Never mind, I stumbled onto the answer. Another post on this forum that I had not read all of. It wasn't exactly the same, because my server was a member of the "Exchange Trusted Subsystem" group, but after reading the other post I decided to remove my server from the group, put it back in and restart it. Problems solved. Not sure why, but probably had something to do with building, removing, and rebuilding the server.

    Here was the other post:

    http://social.technet.microsoft.com/Forums/en/exchange2010/thread/5683b9c1-3d1e-48b7-88c7-ae0f7515104f

    Thanks again..

    Thursday, April 1, 2010 4:08 PM
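The accepted answer comes down to group membership the Exchange server's computer account and the admin account must hold. The script below is an added PowerShell example, not code from the thread or from Microsoft: it checks the memberships the thread turns on (the server in Exchange Trusted Subsystem and Exchange Servers, Exchange Trusted Subsystem inside Exchange Windows Permissions, the admin in Organization Management) and, with -Repair, does what the answer describes by hand: remove the server from Exchange Trusted Subsystem, add it back, and then reboot. It assumes the ActiveDirectory module (a Server 2008 R2 DC or RSAT, which this poster had built by then), a domain-admin session, and placeholder names for the server and admin account.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module is
# available (Server 2008 R2 DC or RSAT) and the script runs as a domain admin.
# $ExchangeServer and $AdminAccount are placeholders, not the poster's names.
param(
    [string]$ExchangeServer = 'EX2010-01',     # placeholder: NetBIOS name of the Exchange 2010 server
    [string]$AdminAccount   = 'Administrator', # placeholder: account used to run the Exchange tools
    [switch]$Repair                             # re-add the server to Exchange Trusted Subsystem, as in the accepted answer
)
Import-Module ActiveDirectory -ErrorAction Stop

function Test-GroupMember {
    # Returns $true if $MemberSam is a member of $Group. Direct membership by
    # default; -Recursive follows nested groups but then lists only leaf objects,
    # so group-in-group checks must stay non-recursive.
    param([string]$Group, [string]$MemberSam, [switch]$Recursive)
    $members = Get-ADGroupMember -Identity $Group -Recursive:$Recursive |
        Select-Object -ExpandProperty SamAccountName
    return ($members -contains $MemberSam)
}

# Computer accounts carry a trailing '$' in SamAccountName
$serverSam = "$ExchangeServer`$"

$checks = [ordered]@{
    "Server in 'Exchange Trusted Subsystem'"                         = Test-GroupMember 'Exchange Trusted Subsystem' $serverSam
    "Server in 'Exchange Servers'"                                   = Test-GroupMember 'Exchange Servers' $serverSam
    "'Exchange Trusted Subsystem' in 'Exchange Windows Permissions'" = Test-GroupMember 'Exchange Windows Permissions' 'Exchange Trusted Subsystem'
    "Admin in 'Organization Management' (nested counts)"             = Test-GroupMember 'Organization Management' $AdminAccount -Recursive
}

foreach ($name in $checks.Keys) {
    $state = if ($checks[$name]) { 'OK     ' } else { 'MISSING' }
    Write-Output ("{0}  {1}" -f $state, $name)
}

if ($Repair) {
    # What the accepted answer did by hand: drop and re-add the membership.
    # The computer's logon token only picks up the group at its next boot,
    # which is why restarting the Exchange server is part of the fix.
    $group    = 'Exchange Trusted Subsystem'
    $computer = Get-ADComputer -Identity $ExchangeServer
    if (Test-GroupMember $group $serverSam) {
        Remove-ADGroupMember -Identity $group -Members $computer -Confirm:$false
    }
    Add-ADGroupMember -Identity $group -Members $computer
    Write-Output "Re-added $ExchangeServer to '$group'. Reboot the Exchange server so its token includes the group."
}
```

Run it first without -Repair to see which of the four memberships is missing; a MISSING line on the first or third check is the pattern this thread describes, and an admin who shows OK on the fourth check but still gets INSUFF_ACCESS_RIGHTS is usually hitting the server-side membership rather than their own.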

All replies

  • Hi,

    I’ve built myself a predicament. About two weeks ago I installed Exchange 2010 on a Server 2008R2x64 virtual server (Hyper-V) and had everything running well. I installed to coexist with Exchange 2003 production server. No E2007 in between. For some now forgotten reason, I needed to uninstall the E2010 and reinstall it.

    I ran into a problem with the Arbitration mailboxes and searched for a way around that.  I found an article (On this forum) about removing the databases using ADSIEDIT and did so.  I apparently removed too much.  Looking back now, I think the article was on E2007.

    Exchange 2007 does not have arbitration mailboxes. It must have been for 2010. You can easily delete them by Get-Mailbox -Arbitration | Remove-Mailbox

    I had a great deal of trouble reinstalling.  Especially the Hub Transport Role.  Permission issues and other problems.  Finally worked around those issues and have all of E2010 back up and running, but I cannot do anything. 

    I cannot create, delete or move a mailbox in console or shell.  Cannot remove a dismounted database.  Can't add members to groups using shell.  Everything I attempt results in an error similar to this:

    --------------------------------------------------------
    Microsoft Exchange Error
    --------------------------------------------------------
    The mailbox database 'Mailbox Database 1132409229' cannot be deleted.

    Before you worry about deleting this database, do you have permissions to perform other exchange tasks? Is your user account in the “organization management” group?

    Mailbox Database 1132409229
    Failed
    Error:
    Active Directory operation failed on “Domain-Controller FQDN”. This error is not retriable. Additional information: Access is denied.
    Active directory response: 00000005: SecErr: DSID-0315202A, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

    The user has insufficient access rights.
    ***

    The same errors in the console or shell.

    It has to be AD permissions, but where????

    I've tried to use  ADD-ADPermission, but get INSUFF_ACCESS_RIGHTS there as well.

    I have run PrepareAD, PreparePL, PrepareSchema over again.

    I have a Microsoft Exchange Security Group object and all of the required groups are there.

    The Domain Administrator account is a member of Organization Management, and a few others.

    I’m using the Domain Administrator account, but have tried using another with admin rights.

    My 3 DC’s were all Server 2003, so I built a Server 2008 DC and have it replicating to see if it was a communications issue.

    DNS seems to be working fine across all.

    Exchange 2003 server is working fine, but I cannot manage mailboxes any longer.

    The installation of Exchange 2010 or the removal of it should not have impacted your rights onto 2003 mailboxes. Are you trying to manage them with the 2003 tools or the 2010 tools? Do you get the same errors with both?

    All of this was working correctly on my original install.

    Any suggestions would be greatly appreciated. I’ve worked on this for 4 days now and I’m stumped. The NW is a Public School system, so not many changes this time of year, but I’ve got to get it fixed soon.

    Thanks,

    Charles M. Allen

    Mike Crowley: MCT, MCSE, MCTS, MCITP: Enterprise Administrator / Messaging Administrator
    Thursday, April 1, 2010 1:56 AM
  • Hi Mike, Thanks for the reply..

    Exchange 2007 does not have arbitration mailboxes. It must have been for 2010. You can easily delete them by Get-Mailbox -Arbitration | Remove-Mailbox

    I tried the Remove from the shell, but kept getting an error message.  Like I said, I probably was doing something wrong and jumped without thinking to ADSIEDIT.

    Before you worry about deleting this database, do you have permissions to perform other exchange tasks?  Is your user account in the “organization management” group?

    The database is just one of many areas that come back INSUFF_RIGHTS. It's just easy to recreate the error message, so was easy to reference. I cannot add, or set up a local move for any mailbox. Also cannot create or modify Distribution Groups. Everything that connects to AD throws an error. I'm using the Domain Administrator account, which is in the Organization Management user group.

    The installation of Exchange 2010 or the removal of it should not have impacted your rights onto 2003 mailboxes.  Are you trying to manage them with the 2003 tools or the 2010 tools?  Do you get the same errors with both?

    You are correct. I was mistaken about that. The Exchange System Manager on my E2003 server quit connecting to the store and I thought the worst. I closed and reopened System Manager and could get to the management tasks again. I can also manage it with a third party program I use called Hyena. Everything is fine with that server, including adding mailboxes, etc. It's only the E2010 server that will not allow me to do anything. I can see all of my mailboxes, distribution lists, the E2003 database, but cannot manage any of it.

    Thursday, April 1, 2010 3:18 PM
  • Active Directory operation failed on *DomainController*. This error is not retriable. Additional information: Insufficient access rights to perform the operation.

    Hi;

    We came across an error today when we were trying to move a mailbox from Exchange 2007 onto Exchange 2010 or Exchange 2010 mailbox delete which was stopping us moving the mailbox.


    Error:
    Active Directory operation failed on *DomainController*. This error is not retriable. Additional information: Insufficient access rights to perform the operation.
    Active directory response: 00002098: SecErr: DSID-03150E8A, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

    The user has insufficient access rights.

    Exchange Management Shell command attempted:
    '*OUStructure*' | New-MoveRequest -TargetDatabase 'Mailbox Database 1985885663' -BadItemLimit '-1'

    Resolution 1

    • Open Active Directory Users and Computers
    • Find the user whose mailbox move caused the error
    • Open the properties of this user and go to the Security tab (if it is not available, choose View and then Advanced Features in the AD Users and Computers MMC)
    • Click [Advanced]
    • Activate the checkbox “Include inheritable permissions from this object’s parent” and then click [OK] twice.

     

    Resolution 2: If you are using Office Communicator, the following actions will resolve it

    • Open Run
    • Adsiedit.msc
    • User properties
    • RTC values check
    • Clear RTC Values

    OCS RTC Active Directory operation failed on *DomainController*. This error is not retriable. Additional information: Insufficient access rights to perform the operation.

    • Proposed as answer by Andrew J Price Monday, January 28, 2013 12:25 PM
    Friday, March 23, 2012 8:55 PM
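Resolution 1 above is a per-user click-through in the Security tab. The following is an added PowerShell example, not code from this post: it scans an OU for user objects whose DACL has inheritance blocked (the state that keeps Exchange's delegated permissions from applying to them) and, with -Fix, re-enables inheritance the same way the checkbox does. It assumes the ActiveDirectory module and its AD: drive, a domain-admin session, and a placeholder search base.

```powershell
# Added example, not from the post. Mirrors Resolution 1 ("Include inheritable
# permissions from this object's parent") in PowerShell. Assumes the
# ActiveDirectory module and its AD: drive; $SearchBase is a placeholder DN.
param(
    [string]$SearchBase = 'OU=Staff,DC=example,DC=local', # placeholder OU to scan
    [switch]$Fix                                          # re-enable inheritance on what is found
)
Import-Module ActiveDirectory -ErrorAction Stop

function Get-InheritanceBlockedUser {
    # Lists users whose DACL is protected (inheritance disabled). adminCount is
    # included because a value of 1 means AdminSDHolder owns that object's ACL.
    param([string]$SearchBase)
    Get-ADUser -Filter * -SearchBase $SearchBase -Properties adminCount | ForEach-Object {
        $acl = Get-Acl -Path ("AD:\" + $_.DistinguishedName)
        if ($acl.AreAccessRulesProtected) {
            [pscustomobject]@{
                SamAccountName    = $_.SamAccountName
                DistinguishedName = $_.DistinguishedName
                AdminCount        = $_.adminCount
            }
        }
    }
}

function Enable-AdInheritance {
    # Equivalent of ticking the checkbox in the Security tab's Advanced dialog.
    param([string]$DistinguishedName)
    $path = "AD:\" + $DistinguishedName
    $acl  = Get-Acl -Path $path
    # $false: stop protecting the DACL (inherit again); $true: keep the existing explicit ACEs
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path $path -AclObject $acl
}

$blocked = @(Get-InheritanceBlockedUser -SearchBase $SearchBase)
$blocked | Format-Table SamAccountName, AdminCount, DistinguishedName -AutoSize

if ($Fix) {
    foreach ($u in $blocked) {
        if ($u.AdminCount -eq 1) {
            Write-Warning "$($u.SamAccountName) has adminCount=1; AdminSDHolder will re-protect it within about an hour."
        }
        Enable-AdInheritance -DistinguishedName $u.DistinguishedName
        Write-Output "Inheritance re-enabled on $($u.DistinguishedName)"
    }
}
```

The adminCount warning is the caveat the post does not mention: for accounts in protected groups (Domain Admins and the like) the SDProp process rewrites the ACL from AdminSDHolder every 60 minutes by default, so the checkbox fix silently reverts. For those accounts the durable options are to keep them out of the protected groups or to manage their mailboxes with an account that has the needed rights, rather than re-ticking the box.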