Cannot Manage Full Access Permission
Dear all: we are currently experiencing the following issue: when trying to give someone Full Access Permission over some account in the Exchange Management Console, we cannot do it. When I click "Manage", I get a pop-up saying "Some controls are not valid - Changes in the user/group list are required to grant or remove permissions."

If I look at the list of users, the only one that is different is "NT AUTHORITY\SELF", which has a little red arrow pointing up next to the user icon. If I remove that item, I can continue with the process. I also created a new account, and it has the same issue. I can remove the SELF item from the list and add it again, but it will show with the same "arrow" next to the icon.

Users do have access to their accounts, and can send and receive emails at this moment. I have also verified that the option "Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries explicitly defined here" is checked on the item and all OUs up to the domain level.

The Exchange server is a Windows 2008 R2, and Exchange Server 2010 is installed. The Domain controller is a Windows 2003 R2 SP2. Any feedback will be greatly appreciated!
February 17th, 2011 9:00am

Have you tried to give the user full access using the EMS?

Add-ADPermission -Identity <mailbox> -User <user account> -AccessRights FullAccess
February 17th, 2011 6:09pm

Hi,

Have you tried to give the user full access permission by using the Add-MailboxPermission command? And check whether it gives any error.

Best regards,
Serena

Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
February 23rd, 2011 5:04am

Hi! Thank you for replying, and sorry for the late answer; we have been busy with other subjects. When running the command, I get the following:

Cannot process argument transformation on parameter 'AccessRights'. Cannot convert value "FullAccess" to type "System.DirectoryServices.ActiveDirectoryRights[]". Error: "Cannot convert value "FullAccess" to type "System.DirectoryServices.ActiveDirectoryRights" due to invalid enumeration values. Specify one of the following enumeration values and try again. The possible enumeration values are "CreateChild, DeleteChild, ListChildren, Self, ReadProperty, WriteProperty, DeleteTree, ListObject, ExtendedRight, Delete, ReadControl, GenericExecute, GenericWrite, GenericRead, WriteDacl, WriteOwner, GenericAll, Synchronize, AccessSystemSecurity"."
    + CategoryInfo : InvalidData: (:) [Add-ADPermission], ParameterBindin...mationException
    + FullyQualifiedErrorId : ParameterArgumentTransformationError,Add-ADPermission

What I understand from this is that "FullAccess" is not an option here...
February 23rd, 2011 6:16am

Hi Serena: I followed your suggestion and tried using Add-MailboxPermission (used: Add-MailboxPermission -Identity "myinbox" -User "myuser" -AccessRights FullAccess), and it returned the expected output (a little chart saying Identity, User, AccessRights, IsInherited and Deny, with data for each field). However, checking on the Management Console, I still see the "Self" with the small arrow, and I still get the same error message if I try to do anything.
February 23rd, 2011 6:47am
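
Added example, not part of the original thread and not any poster's script: an Exchange Management Shell check that inspects the NT AUTHORITY\SELF entry the console flags, grants FullAccess with Add-MailboxPermission only if it is missing, and reads back both the mailbox ACL and the AD object ACL (the one Add-ADPermission edits). The mailbox and delegate names are placeholders.

```powershell
# Run in the Exchange Management Shell (Exchange 2010).
# Both default values below are placeholders, not names from the thread.
param(
    [string]$Mailbox  = 'shared.mailbox',
    [string]$Delegate = 'CONTOSO\jdoe'
)

function Get-MailboxAce {
    # Mailbox-store ACL entries for one trustee (the ACL Add-MailboxPermission edits).
    param([string]$Identity, [string]$User)
    Get-MailboxPermission -Identity $Identity |
        Where-Object { $_.User.ToString() -eq $User } |
        Select-Object User, AccessRights, IsInherited, Deny
}

function Test-FullAccess {
    # True only when an Allow entry carries FullAccess and no Deny entry overrides it.
    param([string]$Identity, [string]$User)
    $aces  = @(Get-MailboxAce -Identity $Identity -User $User)
    $allow = @($aces | Where-Object { -not $_.Deny -and (($_.AccessRights -join ',') -match 'FullAccess') })
    $deny  = @($aces | Where-Object { $_.Deny      -and (($_.AccessRights -join ',') -match 'FullAccess') })
    return ($allow.Count -gt 0 -and $deny.Count -eq 0)
}

# 1. Show the SELF entry exactly as the shell sees it (inherited or explicit, Allow or Deny).
Get-MailboxAce -Identity $Mailbox -User 'NT AUTHORITY\SELF' | Format-Table -AutoSize

# 2. Grant FullAccess only when it is not already effective.
if (-not (Test-FullAccess -Identity $Mailbox -User $Delegate)) {
    Add-MailboxPermission -Identity $Mailbox -User $Delegate `
        -AccessRights FullAccess -InheritanceType All | Out-Null
}

# 3. Read the entry back instead of trusting the console view.
Get-MailboxAce -Identity $Mailbox -User $Delegate | Format-Table -AutoSize
if (Test-FullAccess -Identity $Mailbox -User $Delegate) {
    Write-Host "FullAccess is effective for $Delegate on $Mailbox"
} else {
    Write-Warning "FullAccess is missing or overridden by a Deny entry for $Delegate"
}

# 4. The AD object ACL is separate; its AccessRights are ActiveDirectoryRights
#    values (GenericAll, ReadProperty, ...), which is why FullAccess is rejected there.
$dn = (Get-Mailbox -Identity $Mailbox).DistinguishedName
Get-ADPermission -Identity $dn |
    Where-Object { $_.User.ToString() -eq $Delegate } |
    Select-Object User, AccessRights, ExtendedRights, IsInherited, Deny |
    Format-Table -AutoSize
```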

Some permission structure likely got messed up; it seems like Exchange can't read/write to AD and/or vice versa. I would probably run PrepareAD again to bring back the default permission config.

setup /PrepareAD [/OrganizationName:<organization name>]

James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
February 23rd, 2011 2:19pm

Hi James: Thank you for your feedback. I agree that it's worth looking into the permissions structure. Is the command you suggest supposed to be run on the Exchange server, or the AD? Do you see any adverse consequences of running it (like losing some rights, messing up something else, etc.)?
February 23rd, 2011 2:36pm

No, running it multiple times is fairly safe; if it sees objects and configs are there, it doesn't touch them. Also, people don't make changes to the default configs, so I wouldn't worry about losing any custom permission settings. Run it on the Exchange server. Also, is this a new setup? When did this problem occur, after an upgrade, etc.?

James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
February 23rd, 2011 3:34pm

This topic is archived. No further replies will be accepted.
