INSUFF_ACCESS_RIGHTS
Summary: 1 item(s). 0 succeeded, 1 failed.
Elapsed time: 00:00:09
Hi, I have exchange 2010 and migrated from 2003. Everything worked fine till now. I asked to add send as permission to a public folder. I used the 'Managed As Permissions' but this caused the below error. I tried to change the user name using the EMS to
the full AD name but that as well got me the same error. I used the Administrator account and created another user and copied the Administrator account details called onladmin and the result is the same
ONLINE\john
Failed
Error:
Active Directory operation failed on ONLSRV12.online.com. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
Any Help
Thanks
Magid
The user has insufficient access rights.
Exchange Management Shell command attempted:
Add-ADPermission -Identity 'CN=Goods_in_OT,CN=Microsoft Exchange System Objects,DC=online,DC=com' -User 'ONLINE\john' -ExtendedRights 'Send-as'
Elapsed Time: 00:00:09
September 13th, 2010 5:02am
Hi,
Have a look into this article it might help : http://blog.nick.mackechnie.co.nz/post/2009/11/20/Exchange-2010-Active-Sync-Issue.aspxRipu Daman Mina | MCSE 2003 & MCSA Messaging
Free Windows Admin Tool Kit Click here and download it now
September 13th, 2010 5:49am
Hi, Thanks for your reply.
I tried this documents and it didn't sort my problem. Any more suggestion
September 13th, 2010 8:28am
Hi,
Here administrator mean member of exchange administration group?.You need to ADD the Role Group with the help of Get-RoleGroupMember
"Public Folder Management", Please
verify if the “Public
Folder Management”
role is associated with the account that you used
Get-ManagementRoleAssignment
-RoleAssignee Account | Ft -Wrap
Please
put the account into “Public Folder Management” role group, and see if the issue still occurs or not
Ripu Daman Mina | MCSE 2003 & MCSA Messaging
Free Windows Admin Tool Kit Click here and download it now
September 13th, 2010 8:51am
As you’ve already known, “Add-ADPermission” cmdlet is required for granting the “Send As” permission
The role that can run the cmdlet is the “Active Directory Permissions” role, so please verify if the administrator has the role (The
role will be assigned if administrator is the account that is used to install the exchange)
Get-managementRoleAssignment -RoleAssignee Administrator -Role “Active Directory Permissions”
Resources:
Active Directory Permissions RoleJames Luo
TechNet Subscriber Support (http://technet.microsoft.com/en-us/subscriptions/ms788697.aspx)
If you have any feedback on our support, please contact tngfb@microsoft.com
September 15th, 2010 3:58am
I am sorry for thte late reply, we werer soooo busy
Here is part of the details as it crash the web page everytime I paste the whole details
[PS] C:\Windows\system32>Get-ManagementRoleAssignment -RoleAssignee Administrator | Ft -Wrap
Name Role RoleAssigneeName
RoleAssigneeType AssignmentMethod EffectiveUserNam
e
---- ---- ----------------
---------------- ---------------- ----------------
Active Directory Permissions-O Active Directory Organization Mana RoleGroup RoleGroup All Group Member
rganization Management-Delegat Permissions gement
s
ing
Active Directory Permissions-O Active Directory Organization Mana RoleGroup RoleGroup All Group Member
rganization Management Permissions gement
s
Address Lists-Organization Man Address Lists Organization Mana RoleGroup RoleGroup All Group Member
agement-Delegating gement
s
Address Lists-Organization Man Address Lists Organization Mana RoleGroup RoleGroup All Group Member
agement gement
s
ApplicationImpersonation-Organ ApplicationImpers Organization Mana RoleGroup RoleGroup All Group Member
ization Management-Delegating onation gement
s
Audit Logs-Organization Manage Audit Logs Organization Mana RoleGroup RoleGroup All Group Member
ment-Delegating gement
s
Audit Logs-Organization Manage Audit Logs Organization Mana RoleGroup RoleGroup All Group Member
ment
gement
s
Cmdlet Extension Agents-Organi Cmdlet Extension Organization Mana RoleGroup RoleGroup All Group Member
zation Management-Delegating Agents gement
s
Cmdlet Extension Agents-Organi Cmdlet Extension Organization Mana RoleGroup RoleGroup All Group Member
zation Management Agents gement
s
Database Availability Groups-O Database Availabi Organization Mana RoleGroup RoleGroup All Group Member
rganization Management-Delegat lity Groups gement
s
ing
Database Availability Groups-O Database Availabi Organization Mana RoleGroup RoleGroup All Group Member
rganization Management lity Groups gement
s
Database Copies-Organization M Database Copies Organization Mana RoleGroup RoleGroup All Group Member
anagement-Delegating gement
s
Database Copies-Organization M Database Copies Organization Mana RoleGroup RoleGroup All Group Member
anagement gement
s
Databases-Organization Managem Databases Organization Mana RoleGroup RoleGroup All Group Member
ent-Delegating gement
s
Databases-Organization Managem Databases Organization Mana RoleGroup RoleGroup All Group Member
ent
gement
s
Disaster Recovery-Organization Disaster Recovery Organization Mana RoleGroup RoleGroup All Group Member
Management-Delegating gement
s
Disaster Recovery-Organization Disaster Recovery Organization Mana RoleGroup RoleGroup All Group Member
Management gement
s
Distribution Groups-Organizati Distribution Grou Organization Mana RoleGroup RoleGroup All Group Member
on Management-Delegating ps gement
s
Distribution Groups-Organizati Distribution Grou Organization Mana RoleGroup RoleGroup All Group Member
on Management ps gement
s
Edge Subscriptions-Organizatio Edge Subscription Organization Mana RoleGroup RoleGroup All Group Member
n Management-Delegating s gement
s
Edge Subscriptions-Organizatio Edge Subscription Organization Mana RoleGroup RoleGroup All Group Member
n Management s gement
s
E-Mail Address Policies-Organi E-Mail Address Po Organization Mana RoleGroup RoleGroup All Group Member
zation Management-Delegating licies gement
s
E-Mail Address Policies-Organi E-Mail Address Po Organization Mana RoleGroup RoleGroup All Group Member
zation Management licies gement
s
Exchange Connectors-Organizati Exchange Connecto Organization Mana RoleGroup RoleGroup All Group Member
on Management-Delegating rs gement
s
Exchange Connectors-Organizati Exchange Connecto Organization Mana RoleGroup RoleGroup All Group Member
on Management rs gement
s
Exchange Server Certificates-O Exchange Server C Organization Mana RoleGroup RoleGroup All Group Member
rganization Management-Delegat ertificates gement
s
ing
Exchange Server Certificates-O Exchange Server C Organization Mana RoleGroup RoleGroup All Group Member
rganization Management ertificates gement
s
Exchange Servers-Organization Exchange Servers Organization Mana RoleGroup RoleGroup All Group Member
Management-Delegating gement
s
Exchange Servers-Organization Exchange Servers Organization Mana RoleGroup RoleGroup All Group Member
Management gement
s
Exchange Virtual Directories-O Exchange Virtual Organization Mana RoleGroup RoleGroup All Group Member
rganization Management-Delegat Directories gement
s
ing
Exchange Virtual Directories-O Exchange Virtual Organization Mana RoleGroup RoleGroup All Group Member
rganization Management Directories gement
s
Federated Sharing-Organization Federated Sharing Organization Mana RoleGroup RoleGroup All Group Member
Management-Delegating gement
s
Federated Sharing-Organization Federated Sharing Organization Mana RoleGroup RoleGroup All Group Member
Management gement
s
Information Rights Management- Information Right Organization Mana RoleGroup RoleGroup All Group Member
Organization Management-Delega s Management gement
s
ting
Information Rights Management- Information Right Organization Mana RoleGroup RoleGroup All Group Member
Organization Management s Management gement
s
Journaling-Organization Manage Journaling Organization Mana RoleGroup RoleGroup All Group Member
ment-Delegating gement
s
Journaling-Organization Manage Journaling Organization Mana RoleGroup RoleGroup All Group Member
ment
gement
s
Legal Hold-Organization Manage Legal Hold Organization Mana RoleGroup RoleGroup All Group Member
ment-Delegating gement
s
Legal Hold-Organization Manage Legal Hold Organization Mana RoleGroup RoleGroup All Group Member
ment
gement
s
Mail Enabled Public Folders-Or Mail Enabled Publ Organization Mana RoleGroup RoleGroup All Group Member
ganization Management-Delegati ic Folders gement
s
ng
Mail Enabled Public Folders-Or Mail Enabled Publ Organization Mana RoleGroup RoleGroup All Group Member
ganization Management ic Folders gement
s
Mail Recipient Creation-Organi Mail Recipient Cr Organization Mana RoleGroup RoleGroup All Group Member
zation Management-Delegating eation gement
s
Mail Recipient Creation-Organi Mail Recipient Cr Organization Mana RoleGroup RoleGroup All Group Member
zation Management eation gement
s
Mail Recipients-Organization M Mail Recipients Organization Mana RoleGroup RoleGroup All Group Member
anagement-Delegating gement
s
Mail Recipients-Organization M Mail Recipients Organization Mana RoleGroup RoleGroup All Group Member
anagement gement
s
Mail Tips-Organization Managem Mail Tips Organization Mana RoleGroup RoleGroup All Group Member
ent-Delegating gement
s
Mail Tips-Organization Managem Mail Tips Organization Mana RoleGroup RoleGroup All Group Member
ent
gement
s
Mailbox Import Export-Organiza Mailbox Import Ex Organization Mana RoleGroup RoleGroup All Group Member
tion Management-Delegating port gement
s
Mailbox Search-Organization Ma Mailbox Search Organization Mana RoleGroup RoleGroup All Group Member
nagement-Delegating gement
s
Message Tracking-Organization Message Tracking Organization Mana RoleGroup RoleGroup All Group Member
Management-Delegating gement
s
Message Tracking-Organization Message Tracking Organization Mana RoleGroup RoleGroup All Group Member
Management gement
s
Migration-Organization Managem Migration Organization Mana RoleGroup RoleGroup All Group Member
ent-Delegating gement
s
Migration-Organization Managem Migration Organization Mana RoleGroup RoleGroup All Group Member
ent
gement
s
Monitoring-Organization Manage Monitoring Organization Mana RoleGroup RoleGroup All Group Member
ment-Delegating gement
s
Monitoring-Organization Manage Monitoring Organization Mana RoleGroup RoleGroup All Group Member
ment
gement
s
Move Mailboxes-Organization Ma Move Mailboxes Organization Mana RoleGroup RoleGroup All Group Member
nagement-Delegating gement
s
Move Mailboxes-Organization Ma Move Mailboxes Organization Mana RoleGroup RoleGroup All Group Member
nagement gement
s
Organization Client Access-Org Organization Clie Organization Mana RoleGroup RoleGroup All Group Member
anization Management-Delegatin nt Access gement
s
g
Organization Client Access-Org Organization Clie Organization Mana RoleGroup RoleGroup All Group Member
anization Management nt Access gement
s
Organization Configuration-Org Organization Conf Organization Mana RoleGroup RoleGroup All Group Member
anization Management-Delegatin iguration gement
s
g
Organization Configuration-Org Organization Conf Organization Mana RoleGroup RoleGroup All Group Member
anization Management iguration gement
s
Organization Transport Setting Organization Tran Organization Mana RoleGroup RoleGroup All Group Member
s-Organization Management-Dele sport Settings gement
s
gati
Organization Transport Setting Organization Tran Organization Mana RoleGroup RoleGroup All Group Member
s-Organization Management sport Settings gement
s
POP3 And IMAP4 Protocols-Organ POP3 And IMAP4 Pr Organization Mana RoleGroup RoleGroup All Group Member
ization Management-Delegating otocols gement
s
POP3 And IMAP4 Protocols-Organ POP3 And IMAP4 Pr Organization Mana RoleGroup RoleGroup All Group Member
ization Management otocols gement
s
Public Folder Replication-Orga Public Folder Rep Organization Mana RoleGroup RoleGroup All Group Member
nization Management-Delegating lication gement
s
Public Folder Replication-Orga Public Folder Rep Organization Mana RoleGroup RoleGroup All Group Member
nization Management lication gement
s
Public Folders-Organization Ma Public Folders Organization Mana RoleGroup RoleGroup All Group Member
nagement-Delegating gement
s
Public Folders-Organization Ma Public Folders Organization Mana RoleGroup RoleGroup All Group Member
nagement gement
s
Free Windows Admin Tool Kit Click here and download it now
September 15th, 2010 5:22am
thanks for your input here what you asked me to do
[PS] C:\Windows\system32>Get-managementRoleAssignment -RoleAssignee Administrator -Role "Active Directory Permissions" |
ft -wrap
Name Role RoleAssigneeName
RoleAssigneeType AssignmentMethod EffectiveUserNam
e
---- ---- ----------------
---------------- ---------------- ----------------
Active Directory Permissions-O Active Directory Organization Mana RoleGroup RoleGroup All Group Member
rganization Management-Delegat Permissions gement
s
ing
Active Directory Permissions-O Active Directory Organization Mana RoleGroup RoleGroup All Group Member
rganization Management Permissions gement
s
[PS] C:\Windows\system32>
September 15th, 2010 7:13am
thanks for your input here what you asked me to do
[PS] C:\Windows\system32>Get-managementRoleAssignment -RoleAssignee Administrator -Role "Active Directory Permissions" |
ft -wrap
Name Role RoleAssigneeName
RoleAssigneeType AssignmentMethod EffectiveUserNam
e
---- ---- ----------------
---------------- ---------------- ----------------
Active Directory Permissions-O Active Directory Organization Mana RoleGroup RoleGroup All Group Member
rganization Management-Delegat Permissions gement
s
ing
Active Directory Permissions-O Active Directory Organization Mana RoleGroup RoleGroup All Group Member
rganization Management Permissions gement
s
[PS] C:\Windows\system32>
Any new information I am still having the same problem
Free Windows Admin Tool Kit Click here and download it now
September 17th, 2010 6:24am
To everyone who stuck like me in this issue I found the solution .
I worked with a genius chap from MS (Sudhir Kaushik)
who put me to the road to solve this issue.
And this what we did:
First check the above and follow what Ripu Daman Mina and James Luo (thanks for both of you)
Create a new public folder and see if you can add the Send-As permissions to it or you will have the same error above. If that the case stop here and this will not sort your issue or may be yes (let me know please)
Open ADSIEdit and check that the ownership of the new folder by going to Default naming context -> DC=domainname,DC=co,DC=uk ->CN=Microsoft Exchange System Objects -> right click on the object of the PF you just created and select properties
then Advanced, Ownership and note the name of who owned the public folder (in my case the servername$)
Repeat step 2 for the Public Folder object in question and go to the ownership tab in (in my case it said system is the owner) change it to one that worked in step 2 (in my case the servername$)
Save and try again the send as permission again and it should work.
The only draw back, it needs to be changed manually.
I hope this will help and please let me know if it works with you.
September 23rd, 2010 6:31am
In my case, I have 4 exchange 2010 servers.
I had this problem. I used the solution of Magic174 and have checked that the ownership was other server. I connect to the PF from the owner server and I can set the permissions without problems.
Free Windows Admin Tool Kit Click here and download it now
July 26th, 2011 5:19am
I sort of tried Magic174's idea, except instead of changing the Owner, I went to the server that was the owner and was able to make the Send As permission change there no problem...
Seems like an bug that you can only administer that permission from the server owner... I have a politically incorrect term I would like to insert here, but I won't.
December 2nd, 2011 6:59pm
Hi,
in my case it was a HUB server. It was enough to connect to that HUB server, which was owner and run the script under its context.
With regards
Zbynk
Free Windows Admin Tool Kit Click here and download it now
February 24th, 2012 12:00am
This is truly a bug that MS should consider fixing. Why in gods name should an admin need to log into the mailbox server to administer Public Folder permissions like this?!
I know MS has tried to kill off public folders bu this is borderline ridiculous!
I was able to assign the send-as extendedrights only after logging into the mailbox server. What happened to distributed administration?
Boo MS, fix this.
April 18th, 2012 3:32pm
Unless you are a Domain Backup Operator or a Domain Administrator, you cannot change the owner of the public folder objects even if you have modfiy permissions on them:
http://networkadminkb.com/KB/a22/how-to-allow-assignment-ownership-without-being-local.aspx
The quicker/easier fix to this issue, which is one our Exchange DSE from Microsoft Premiere support clued us into, is to add the "Exchange Trusted Subsystem" group to have "Modify Permissions"
for "Descendant Public Folder objects" in the "Microsoft Exchange System Objects" container.
Making an Exchange server an owner of the public folder as others have found simply allows you to set permissions on the object w/o having permissions, as an owner can always do anything.
The real issue is the Exchange Trusted Subsystem didn't have permissions to change the permissions on the Public Folder objects.
The reason why this is necessary is due to the fact with RBAC, the server is the one proxying the change on behalf of the user once the server confirms the user has the right to do so, so the
user's actual permissions on this container (such as through the Exchange Org admins group or Public Folder admins group) don't matter.
I guess Microsoft missed this in their Exchange 2010 ADPrep/DomainPrep?
Free Windows Admin Tool Kit Click here and download it now
June 27th, 2012 9:54am