Public Folder Issues - Exchange 2010 after migration from 2003 (INSUFF_ACCESS_RIGHTS)

  • Question

  • Has anyone had any experience with the following:

     

    Exchange 2003 has been migrated to Exchange 2010 and the Exchange 2003 server has been removed. All public folders were replicated and are accessible by users without issue.

    The issue we currently have is the management of the public folders. The following error appears on trying to either 1) mail enable a public folder (even when creating a new public folder, the error comes when you try to mail enable it) or 2) manage the send-as permission on any existing mail enabled public folders:

    --------------------------------------------------------
    Microsoft Exchange Error
    --------------------------------------------------------
    Action 'Mail Enable' could not be performed on object 'Test1'.

    Test1
    Failed
    Error:
    Active Directory operation failed on AS-DC01.Domain.local. This error is not retriable. Additional information: Access is denied.
    Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0


    The user has insufficient access rights.
    --------------------------------------------------

     

    Other comments:

    This affects only mail enabled public folders, user mailboxes are fine.

    The old Exchange 2003 server object under the "first administration group" has been removed, along with the container "Servers" within ADSIEdit. (as suggested via another KB)

    The "Folder Hierarchies" object has been recreated under the "Exchange Administration Group" (Also as suggested via other forum posts)

    There are no other issues, mail can flow to the Public Folder (can't be sent from them as there are no permissions), users can add posts, etc.

    New Public folders can be created on the Root, but none of them or child folders can be mail enabled without the above error.

    I have checked most if not all of the permissions and inheritance and cannot see any issue or breaks in the inheritance.

     

    I have tested this on another similar deployment/project (2003 > 2010) which shows EXACTLY the same issues. On testing with a pure Exchange 2010 environment (No 2003 previously) there is no such issue.

    Many thanks in advance if anyone can offer any assistance.

    A.

    Tuesday, August 23, 2011 10:57 PM

Answers

  • Agreed with Rowen....

    Also you can try below if the above does work

    Open ADSIEdit and check the ownership of the new folder by going to Default naming context -> DC=domainname,DC=co,DC=uk -> CN=Microsoft Exchange System Objects -> right click on the object of the PF you just created and select properties
    then Advanced, Ownership and note the name of who owned the public folder (in my case the servername$)
    Repeat step 2 for the Public Folder object in question and go to the ownership tab (in my case it said system is the owner) and change it to the one that worked in step 2 (in my case the servername$)
    Save and try the send-as permission again and it should work.
    The only drawback: it needs to be changed manually.
    I hope this will help and please let me know if it works with you.

    Thanks


    Mihir Nayak
    • Marked as answer by awharmby Wednesday, August 24, 2011 8:12 PM
    Wednesday, August 24, 2011 1:39 AM
  • UPDATE: (WORKING)

    I tried Mihir's suggestion to change the ownership to the SERVERNAME$ for the objects within the CN=Microsoft Exchange System Objects container. I could not check the actual owner on any new folders as they will not appear in this container until they are mail enabled. (Of which I cannot mail enable them)

    On trying to change the owner from SYSTEM which is what it is on seemingly all objects, whilst I could select the Exchange server from the list, the setting would not take. (The SERVERNAME$ never appears in the list of possible owners after selecting it)

    Instead I tested giving the Exchange Server (SERVERNAME$) full control permission on one of the objects/Public Folders. (Via ADSIEdit) This immediately allowed me to change as properties for the folder to include Send-As. (At last!!)

    To fully resolve all permission issues, noting the Exchange server is a member of the Exchange Trusted Subsystem Group, I gave this group full control permissions on the CN=Microsoft Exchange System Objects folder and this resolved ALL permission issues to include being able to create new folders, mail enable them etc.

    No reboots/logoff etc were required, the settings are taken immediately. (Mileage may vary with replication)

    Many thanks for getting me on the right track.

    • Marked as answer by awharmby Wednesday, August 24, 2011 8:12 PM
    Wednesday, August 24, 2011 8:12 PM
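
    As an added example (not code from any poster in this thread): a read-only PowerShell check that lists, for every object under CN=Microsoft Exchange System Objects, the owner and the rights held by Exchange Trusted Subsystem, so the ACL state discussed above can be recorded before and after a permission change. It assumes the ActiveDirectory module (RSAT) is installed and the group still has its default name; the function name Get-PfAclSummary is hypothetical.

```powershell
# Added example: read-only audit, it changes nothing in the directory.
Import-Module ActiveDirectory

# Assumption: the container sits directly under the domain root, as in the thread.
$domainDn  = (Get-ADDomain).DistinguishedName
$container = "CN=Microsoft Exchange System Objects,$domainDn"
# Assumption: default group name; adjust if it was renamed or localized.
$trustee   = 'Exchange Trusted Subsystem'
$fullCtl   = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll

function Get-PfAclSummary {
    param([Parameter(Mandatory = $true)][string]$DistinguishedName)

    # The AD: drive is provided by the ActiveDirectory module.
    $acl = Get-Acl -Path "AD:\$DistinguishedName"

    # Allow ACEs granted to the trustee, whether explicit or inherited.
    $aces = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -like "*\$trustee" -and
        $_.AccessControlType -eq 'Allow'
    })
    $rights = @($aces | ForEach-Object { $_.ActiveDirectoryRights } | Sort-Object -Unique)
    $hasFull = @($aces | Where-Object {
        ([int]$_.ActiveDirectoryRights -band $fullCtl) -eq $fullCtl
    }).Count -gt 0

    New-Object PSObject -Property @{
        Object             = $DistinguishedName
        Owner              = $acl.Owner                   # e.g. SYSTEM or SERVERNAME$
        TrusteeRights      = ($rights -join '; ')
        TrusteeFullControl = $hasFull
        InheritanceBlocked = $acl.AreAccessRulesProtected # True = ACEs from the container do not flow down
    }
}

# Subtree scope includes the container itself plus every mail-enabled PF object in it.
$report = Get-ADObject -SearchBase $container -SearchScope Subtree -Filter * |
    ForEach-Object { Get-PfAclSummary -DistinguishedName $_.DistinguishedName }

# Full listing, then the objects where the trustee lacks Full Control or
# inheritance is blocked: these are the ones to compare against a working folder.
$report | Select-Object Object, Owner, TrusteeFullControl, InheritanceBlocked |
    Format-Table -AutoSize -Wrap
$report | Where-Object { -not $_.TrusteeFullControl -or $_.InheritanceBlocked } |
    Select-Object Object, Owner, TrusteeRights | Format-List
```

    Saving the output (for example with Export-Csv) before touching the container ACL gives a record to diff against afterwards and to restore from if the change needs to be rolled back.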

All replies

  • Hi,

    Please try below action:

    Disable and enable mail-enabled feature for the PF (and wait the AD replication time for this operation)

    If it fails, run the /prepareAD on env.

    Then try again.


    Best Regards!
    Wednesday, August 24, 2011 1:13 AM
  • please update
    "Abhi" "Exchange Specialist"
    Wednesday, August 24, 2011 3:42 AM
  • I will update shortly once I have given some of the steps a try. I think I will try Mihir's suggestion first, since I am really having problems just mail enabling a new PF and I'm not keen to mail disable existing folders just in case I cannot re-enable them. (Production environment)

    I assume by mail disabling / enabling all contents within the folder is retained?

    Just for info the current owner of all existing folders is "SYSTEM".

    Wednesday, August 24, 2011 2:28 PM
  • We had the same problem with Exchange 2010 SP1 UR 3v3. All Public Folders were migrated from Exchange 2003.

    On newly created Public Folders we could add users for "Send As" but not on the old ones.

    We had to mail disable and mail enable the folders.

    regards

    schuetti

    Thursday, December 1, 2011 4:21 PM
  • changing the owner to the exchange server using ADSIedit on the public folder object resolved this for me.
    • Proposed as answer by metallicor Wednesday, March 9, 2016 2:04 PM
    Thursday, September 4, 2014 1:56 PM