During an Exchange 2003 to Exchange 2010 migration I ran into an issue where the mailbox could not be moved to Exchange 2010 because of an “Insufficient Access Rights” error:
[PS] C:\Windows\system32>get-mailbox -Identity “Joe Sixpack” | New-MoveRequest -TargetDatabase dB01 -BadItemLimit:25 -AcceptLargeDataLoss:$true
WARNING: When an item can’t be read from the source database or it can’t be written to the destination database, it will be considered corrupted. By specifying a non-zero BadItemLimit, you are requesting that Exchange not copy such items to the destination mailbox. At move completion, these corrupted items won’t be available in the destination mailbox.
Active Directory operation failed on <<domain controller>>. This error is not retriable. Additional information: Insufficient access rights to perform the operation.
Active directory response: 00002098: SecErr: DSID-03150A48, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
+ CategoryInfo : NotSpecified: (0:Int32) [New-MoveRequest], ADOperationException
+ FullyQualifiedErrorId : 7288A431,Microsoft.Exchange.Management.RecipientTasks.NewMoveRequest
[PS] C:\Windows\system32>
After some research it turned out that the permissions on most of the user objects (approx. 100 out of 120) had been changed: the “Allow inheritable permissions from this object’s parent” checkbox was cleared. This happens for members of protected groups in Active Directory such as Domain Admins, Account Operators or Backup Operators. More information on protected groups can be found on Microsoft TechNet: http://technet.microsoft.com/en-us/magazine/2009.09.sdadminholder.aspx
However, this was not the case for this particular customer. The checkbox was cleared since this was a workaround for some other issue a long time ago.
Ticking the checkbox again resolved the Insufficient Access Rights error for moving mailboxes. To tick the checkbox for all users in an OU at once, the following VBScript can be used:
' Clear the "protect DACL from inheritance" bit on every user object under the OU
' and record the distinguished names of the objects that were changed.
Const SE_DACL_PROTECTED = &H1000
Const ForReading = 1
Const ForWriting = 2

Set oFSO = CreateObject("Scripting.FileSystemObject")
Set oOutFile = oFSO.OpenTextFile("results.txt", ForWriting, True)

strContainer = "OU=Accounts,DC=Contoso,DC=Com"
Set objOU = GetObject("LDAP://" & strContainer)

For Each oAccount In objOU
    If oAccount.Class = "user" Then
        Set objNtSD = oAccount.Get("ntSecurityDescriptor")
        intNtSDC = objNtSD.Control
        ' Only touch objects where the DACL-protected flag is currently set
        If (intNtSDC And SE_DACL_PROTECTED) Then
            intNtSDC = intNtSDC Xor SE_DACL_PROTECTED   ' clear the flag
            objNtSD.Control = intNtSDC
            oAccount.Put "nTSecurityDescriptor", objNtSD
            oAccount.SetInfo
            oOutFile.WriteLine oAccount.distinguishedName  ' log what was changed
        End If
    End If
Next

oOutFile.Close
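As an added example (not from the original post), the same audit and repair in PowerShell: it first lists which user objects under the OU have inheritance blocked, flags the ones that AdminSDHolder will reset again (adminCount = 1), and re-enables inheritance only on the rest while keeping the explicit ACEs. It assumes the RSAT ActiveDirectory module (which provides the AD: drive) and uses the post's sample OU.

```powershell
# Added example (not from the original post). Audits, and optionally repairs,
# user objects whose DACL has inheritance disabled (SE_DACL_PROTECTED).
# Assumptions: RSAT ActiveDirectory module is installed (it provides the AD: drive);
# the OU below is the sample container from the post.
Import-Module ActiveDirectory

function Get-InheritanceBlockedUsers {
    param([string]$SearchBase = 'OU=Accounts,DC=Contoso,DC=Com')

    Get-ADUser -SearchBase $SearchBase -Filter * -Properties adminCount, nTSecurityDescriptor |
        Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected } |
        ForEach-Object {
            [pscustomobject]@{
                DistinguishedName = $_.DistinguishedName
                # adminCount = 1 means SDProp treats the account as protected and will
                # clear inheritance again (by default every 60 minutes): fix the group
                # membership / adminCount first for those, or the repair will not stick.
                ProtectedBySdProp = ($_.adminCount -eq 1)
            }
        }
}

function Repair-DaclInheritance {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [switch]$WhatIf
    )
    $path = "AD:\$DistinguishedName"
    $acl  = Get-Acl -Path $path
    # $false = stop protecting the DACL (re-enable inheritance); $true = keep the explicit ACEs
    $acl.SetAccessRuleProtection($false, $true)
    if ($WhatIf) { Write-Output "Would re-enable inheritance on $DistinguishedName"; return }
    Set-Acl -Path $path -AclObject $acl
    Write-Output "Re-enabled inheritance on $DistinguishedName"
}

# Report first; repair only the accounts SDProp is not going to revert.
$blocked = Get-InheritanceBlockedUsers
$blocked | Format-Table -AutoSize
$blocked | Where-Object { -not $_.ProtectedBySdProp } |
    ForEach-Object { Repair-DaclInheritance -DistinguishedName $_.DistinguishedName -WhatIf }
```

Drop the -WhatIf switch on the last line to apply the change; the report output is what you keep as the before/after record for the migration.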