Insufficient Access Rights

During an Exchange 2003 to Exchange 2010 migration I ran into an issue where the mailbox could not be moved to Exchange 2010 because of an “Insufficient Access Rights” error:

[PS] C:\Windows\system32>get-mailbox -Identity "Joe Sixpack" | New-MoveRequest -TargetDatabase dB01 -BadItemLimit:25 -AcceptLargeDataLoss:$true
WARNING: When an item can't be read from the source database or it can't be written to the destination database, it will be considered corrupted. By specifying a non-zero BadItemLimit, you are requesting that Exchange not copy such items to the destination mailbox. At move completion, these corrupted items won't be available in the destination mailbox.
Active Directory operation failed on <<domain controller>>. This error is not retriable. Additional information: Insufficient access rights to perform the operation.
Active directory response: 00002098: SecErr: DSID-03150A48, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
    + CategoryInfo          : NotSpecified: (0:Int32) [New-MoveRequest], ADOperationException
    + FullyQualifiedErrorId : 7288A431,Microsoft.Exchange.Management.RecipientTasks.NewMoveRequest

[PS] C:\Windows\system32>


After some research it turned out that the permissions on most mailbox-enabled user objects (approx. 100 out of 120) had been changed: the "Allow inheritable permissions from this object's parent" checkbox was cleared. This is expected for members of protected groups in Active Directory such as Domain Admins, Account Operators or Backup Operators, because the AdminSDHolder process re-applies a protected, non-inheriting DACL to those accounts. More information on protected groups can be found on Microsoft TechNet: http://technet.microsoft.com/en-us/magazine/2009.09.sdadminholder.aspx

However, this was not the case for this particular customer. The checkbox was cleared since this was a workaround for some other issue a long time ago.


Ticking the checkbox (re-enabling DACL inheritance on the user object) resolved the Insufficient Access Rights issue for moving mailboxes. To tick this checkbox for all users in an OU, the following VBScript can be used:

' Re-enable DACL inheritance on every user object in the OU by clearing the
' SE_DACL_PROTECTED control flag of the nTSecurityDescriptor attribute.
' Only direct children of the OU are processed (For Each does not recurse).
Option Explicit
Const SE_DACL_PROTECTED = &H1000
Const ForWriting = 2
Dim oFSO, oOutFile, strContainer, objOU, oAccount, objNtSD, intNtSDC

' Log every account that was changed to results.txt
Set oFSO = CreateObject("Scripting.FileSystemObject")
Set oOutFile = oFSO.OpenTextFile("results.txt", ForWriting, True)

strContainer = "OU=Accounts,DC=Contoso,DC=Com"
Set objOU = GetObject("LDAP://" & strContainer)

For Each oAccount In objOU
    If oAccount.Class = "user" Then
        Set objNtSD = oAccount.Get("ntSecurityDescriptor")
        intNtSDC = objNtSD.Control
        If (intNtSDC And SE_DACL_PROTECTED) Then
            ' The bit is known to be set, so Xor clears it and leaves the other control flags untouched
            intNtSDC = intNtSDC Xor SE_DACL_PROTECTED
            objNtSD.Control = intNtSDC
            oAccount.Put "nTSecurityDescriptor", objNtSD
            oAccount.SetInfo
            oOutFile.WriteLine "Inheritance enabled: " & oAccount.distinguishedName
        End If
    End If
Next

oOutFile.Close
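The same fix in PowerShell, added here as an example and not the script from the original post. It searches the whole OU subtree for user objects whose DACL has inheritance disabled, writes a report, and only re-enables inheritance when run without -WhatIf. Accounts stamped with adminCount=1 are reported but skipped: that attribute is set by the AdminSDHolder process on members of protected groups, and that same process would clear the checkbox again within the hour, so for those accounts the group membership has to be reviewed instead. The OU path and report file name are assumptions.

```powershell
# Added example (not the blog's own script): report, and optionally fix, user objects
# whose nTSecurityDescriptor has SE_DACL_PROTECTED set (inheritance disabled).
# Run with -WhatIf first to get the report without changing anything.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SearchBase = "LDAP://OU=Accounts,DC=Contoso,DC=Com",   # assumption: same OU as the VBScript
    [string]$ReportPath = ".\inheritance-report.csv"                 # assumption: report location
)

$root     = [ADSI]$SearchBase
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter      = "(&(objectCategory=person)(objectClass=user))"
$searcher.SearchScope = "Subtree"
$searcher.PageSize    = 500          # paged search so OUs with >1000 objects are fully enumerated
[void]$searcher.PropertiesToLoad.Add("adminCount")
[void]$searcher.PropertiesToLoad.Add("distinguishedName")

$report = foreach ($result in $searcher.FindAll()) {
    $dn    = [string]$result.Properties["distinguishedname"][0]
    $entry = $result.GetDirectoryEntry()
    $sd    = $entry.ObjectSecurity      # ActiveDirectorySecurity view of nTSecurityDescriptor

    # AreAccessRulesProtected is the .NET name for the SE_DACL_PROTECTED flag
    if (-not $sd.AreAccessRulesProtected) { continue }

    # adminCount=1 is stamped by SDProp on protected-group members; re-enabling inheritance
    # there is undone within the hour. Note: adminCount is not cleared when an account leaves
    # such a group, so it is a hint that needs checking, not proof of current membership.
    $adminCount = 0
    if ($result.Properties.Contains("admincount")) {
        $adminCount = [int]$result.Properties["admincount"][0]
    }

    $action = "Skipped (adminCount=1, check protected group membership)"
    if ($adminCount -ne 1) {
        if ($PSCmdlet.ShouldProcess($dn, "Enable DACL inheritance")) {
            # $false = not protected (inheritance on); second argument is ignored in that case
            $sd.SetAccessRuleProtection($false, $true)
            $entry.CommitChanges()
            $action = "Fixed"
        } else {
            $action = "Would fix (WhatIf)"
        }
    }

    [pscustomobject]@{
        DistinguishedName = $dn
        AdminCount        = $adminCount
        Action            = $action
    }
}

$report | Export-Csv -Path $ReportPath -NoTypeInformation
$report | Format-Table -AutoSize
```

The report produced by the -WhatIf run is worth keeping: it documents which accounts had inheritance disabled before the migration and separates the ones that only need the checkbox ticked from the ones where AdminSDHolder is the real cause.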
