none
INSUFF_ACCESS_RIGHTS on Exchange 2013 SP1 during /prepareAD

    Question

  • I am working on performing a migration from Exchange 2007 to Exchange 2013. I ran setup and prepared the schema, then when I got to trying to /prepareAD I received the error below.

    I have tried a few suggestions found in the forum linked below but none of them resolved the issue. Any help is appreciated, thanks!

    INSUFF_ACCESS_RIGHTS on Exchange 2013 SP1

    From ExchangeSetup log file:

    [09-23-2014 22:32:02.0672] [2] Adding access control entries to the security descriptor for the object CN=Configuration,DC=apptius,DC=com.
    [09-23-2014 22:32:02.0672] [2] The appropriate access control entry is already present on the object "CN=Configuration,DC=apptius,DC=com" for account "APPTIUS\Exchange Servers".
    [09-23-2014 22:32:02.0688] [2] Taking ownership of CN=Deleted Objects,CN=Configuration,DC=apptius,DC=com.
    [09-23-2014 22:32:02.0703] [2] [ERROR] Active Directory operation failed on DC121.apptius.com. This error is not retriable. Additional information: Access is denied.
    Active directory response: 00000005: SecErr: DSID-031521E1, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

    [09-23-2014 22:32:02.0703] [2] [ERROR] The user has insufficient access rights.
    [09-23-2014 22:32:02.0719] [2] Ending processing initialize-ExchangeConfigurationPermissions
    [09-23-2014 22:32:02.0719] [1] The following 1 error(s) occurred during task execution:
    [09-23-2014 22:32:02.0719] [1] 0.  ErrorRecord: Active Directory operation failed on DC121.apptius.com. This error is not retriable. Additional information: Access is denied.
    Active directory response: 00000005: SecErr: DSID-031521E1, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

    [09-23-2014 22:32:02.0719] [1] 0.  ErrorRecord: Microsoft.Exchange.Data.Directory.ADOperationException: Active Directory operation failed on DC121.apptius.com. This error is not retriable. Additional information: Access is denied.
    Active directory response: 00000005: SecErr: DSID-031521E1, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
     ---> System.DirectoryServices.Protocols.DirectoryOperationException: The user has insufficient access rights.
       at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
       at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
       at Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation, Nullable`1 clientSideSearchTimeout, IActivityScope activityScope, String callerInfo)
       at Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException, Boolean isSync)
       --- End of inner exception stack trace ---
       at Microsoft.Exchange.Data.Directory.ADDataSession.AnalyzeDirectoryError(PooledLdapConnection connection, DirectoryRequest request, DirectoryException de, Int32 totalRetries, Int32 retriesOnServer)
       at Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException, Boolean isSync)
       at Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException)
       at Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId)
       at Microsoft.Exchange.Management.Tasks.InitializeConfigPermissions.InternalProcessRecord()
       at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__b()
       at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)
    [09-23-2014 22:32:02.0719] [1] [ERROR] The following error was generated when "$error.Clear();
        initialize-ExchangeConfigurationPermissions -DomainController $RoleDomainController

    " was run: "Microsoft.Exchange.Data.Directory.ADOperationException: Active Directory operation failed on DC121.apptius.com. This error is not retriable. Additional information: Access is denied.
    Active directory response: 00000005: SecErr: DSID-031521E1, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
     ---> System.DirectoryServices.Protocols.DirectoryOperationException: The user has insufficient access rights.
       at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
       at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
       at Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation, Nullable`1 clientSideSearchTimeout, IActivityScope activityScope, String callerInfo)
       at Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException, Boolean isSync)
       --- End of inner exception stack trace ---
       at Microsoft.Exchange.Data.Directory.ADDataSession.AnalyzeDirectoryError(PooledLdapConnection connection, DirectoryRequest request, DirectoryException de, Int32 totalRetries, Int32 retriesOnServer)
       at Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException, Boolean isSync)
       at Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException)
       at Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId)
       at Microsoft.Exchange.Management.Tasks.InitializeConfigPermissions.InternalProcessRecord()
       at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__b()
       at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)".
    [09-23-2014 22:32:02.0719] [1] [ERROR] Active Directory operation failed on DC121.apptius.com. This error is not retriable. Additional information: Access is denied.
    Active directory response: 00000005: SecErr: DSID-031521E1, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

    [09-23-2014 22:32:02.0719] [1] [ERROR] The user has insufficient access rights.
    [09-23-2014 22:32:02.0719] [1] [ERROR-REFERENCE] Id=-790439948 Component=
    [09-23-2014 22:32:02.0719] [1] Setup is stopping now because of one or more critical errors.
    [09-23-2014 22:32:02.0719] [1] Finished executing component tasks.
    [09-23-2014 22:32:02.0750] [1] Ending processing Install-ExchangeOrganization
    [09-23-2014 22:34:13.0541] [0] The registry key, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ExchangeServer\V15\Setup, wasn't found.
    [09-23-2014 22:34:13.0541] [0] CurrentResult setupbase.maincore:396: 0
    [09-23-2014 22:34:13.0541] [0] End of Setup
    [09-23-2014 22:34:13.0541] [0] **********************************************

    Tuesday, September 23, 2014 10:42 PM

Answers

  • Hi,

    I met a similar case before and recommend you refer to the following steps to resolve the issue and check if any helps:

    1.Start - Administrative Tools - Group Policy Management - Expand domain name - Expand Domain Controllers OU - Right Click "Default Domain Policy" - Edit - Expand Policies under Computer Configuration - Expand Windows Settings - Expand Security Settings - Expand Local Policies - User Rights Assignment - Take ownership of files or other objects
    2.Add the administrators groups

    3.Run "Gpupdate /force"

    Best regards,


    Niko Cheng
    TechNet Community Support

    Wednesday, September 24, 2014 10:08 AM
    Moderator

All replies

  • Hi,

    I met a similar case before and recommend you refer to the following steps to resolve the issue and check if any helps:

    1.Start - Administrative Tools - Group Policy Management - Expand domain name - Expand Domain Controllers OU - Right Click "Default Domain Policy" - Edit - Expand Policies under Computer Configuration - Expand Windows Settings - Expand Security Settings - Expand Local Policies - User Rights Assignment - Take ownership of files or other objects
    2.Add the administrators groups

    3.Run "Gpupdate /force"

    Best regards,


    Niko Cheng
    TechNet Community Support

    Wednesday, September 24, 2014 10:08 AM
    Moderator
  • Thanks alot Niko! After your suggestion I was succesful!

    You are a gem!

    Wednesday, September 24, 2014 2:42 PM