Summary: 1 item(s). 0 succeeded, 1 failed. Elapsed time: 00:00:09 Hi, I have exchange 2010 and migrated from 2003. Everything worked fine till now. I asked to add send as permission to a public folder. I used the 'Managed As Permissions' but this caused the below error. I tried to change the user name using the EMS to the full AD name but that as well got me the same error. I used the Administrator account and created another user and copied the Administrator account details called onladmin and the result is the same ONLINE\john Failed Error: Active Directory operation failed on ONLSRV12.online.com. This error is not retriable. Additional information: Access is denied. Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 Any Help Thanks Magid The user has insufficient access rights. Exchange Management Shell command attempted: Add-ADPermission -Identity 'CN=Goods_in_OT,CN=Microsoft Exchange System Objects,DC=online,DC=com' -User 'ONLINE\john' -ExtendedRights 'Send-as' Elapsed Time: 00:00:09

Hi, Have a look into this article it might help : http://blog.nick.mackechnie.co.nz/post/2009/11/20/Exchange-2010-Active-Sync-Issue.aspxRipu Daman Mina | MCSE 2003 & MCSA Messaging

Hi, Thanks for your reply. I tried this documents and it didn't sort my problem. Any more suggestion

Hi, Here administrator mean member of exchange administration group?.You need to ADD the Role Group with the help of Get-RoleGroupMember "Public Folder Management", Please verify if the “Public Folder Management” role is associated with the account that you used Get-ManagementRoleAssignment -RoleAssignee Account | Ft -Wrap Please put the account into “Public Folder Management” role group, and see if the issue still occurs or not Ripu Daman Mina | MCSE 2003 & MCSA Messaging

As you’ve already known, “Add-ADPermission” cmdlet is required for granting the “Send As” permission The role that can run the cmdlet is the “Active Directory Permissions” role, so please verify if the administrator has the role (The role will be assigned if administrator is the account that is used to install the exchange) Get-managementRoleAssignment -RoleAssignee Administrator -Role “Active Directory Permissions” Resources: Active Directory Permissions RoleJames Luo TechNet Subscriber Support (http://technet.microsoft.com/en-us/subscriptions/ms788697.aspx) If you have any feedback on our support, please contact tngfb@microsoft.com

I am sorry for thte late reply, we werer soooo busy Here is part of the details as it crash the web page everytime I paste the whole details [PS] C:\Windows\system32>Get-ManagementRoleAssignment -RoleAssignee Administrator | Ft -Wrap Name Role RoleAssigneeName RoleAssigneeType AssignmentMethod EffectiveUserNam e ---- ---- ---------------- ---------------- ---------------- ---------------- Active Directory Permissions-O Active Directory Organization Mana RoleGroup RoleGroup All Group Member rganization Management-Delegat Permissions gement s ing Active Directory Permissions-O Active Directory Organization Mana RoleGroup RoleGroup All Group Member rganization Management Permissions gement s Address Lists-Organization Man Address Lists Organization Mana RoleGroup RoleGroup All Group Member agement-Delegating gement s Address Lists-Organization Man Address Lists Organization Mana RoleGroup RoleGroup All Group Member agement gement s ApplicationImpersonation-Organ ApplicationImpers Organization Mana RoleGroup RoleGroup All Group Member ization Management-Delegating onation gement s Audit Logs-Organization Manage Audit Logs Organization Mana RoleGroup RoleGroup All Group Member ment-Delegating gement s Audit Logs-Organization Manage Audit Logs Organization Mana RoleGroup RoleGroup All Group Member ment gement s Cmdlet Extension Agents-Organi Cmdlet Extension Organization Mana RoleGroup RoleGroup All Group Member zation Management-Delegating Agents gement s Cmdlet Extension Agents-Organi Cmdlet Extension Organization Mana RoleGroup RoleGroup All Group Member zation Management Agents gement s Database Availability Groups-O Database Availabi Organization Mana RoleGroup RoleGroup All Group Member rganization Management-Delegat lity Groups gement s ing Database Availability Groups-O Database Availabi Organization Mana RoleGroup RoleGroup All Group Member rganization Management lity Groups gement s Database Copies-Organization M Database Copies Organization Mana RoleGroup RoleGroup All Group Member anagement-Delegating gement s Database Copies-Organization M Database Copies Organization Mana RoleGroup RoleGroup All Group Member anagement gement s Databases-Organization Managem Databases Organization Mana RoleGroup RoleGroup All Group Member ent-Delegating gement s Databases-Organization Managem Databases Organization Mana RoleGroup RoleGroup All Group Member ent gement s Disaster Recovery-Organization Disaster Recovery Organization Mana RoleGroup RoleGroup All Group Member Management-Delegating gement s Disaster Recovery-Organization Disaster Recovery Organization Mana RoleGroup RoleGroup All Group Member Management gement s Distribution Groups-Organizati Distribution Grou Organization Mana RoleGroup RoleGroup All Group Member on Management-Delegating ps gement s Distribution Groups-Organizati Distribution Grou Organization Mana RoleGroup RoleGroup All Group Member on Management ps gement s Edge Subscriptions-Organizatio Edge Subscription Organization Mana RoleGroup RoleGroup All Group Member n Management-Delegating s gement s Edge Subscriptions-Organizatio Edge Subscription Organization Mana RoleGroup RoleGroup All Group Member n Management s gement s E-Mail Address Policies-Organi E-Mail Address Po Organization Mana RoleGroup RoleGroup All Group Member zation Management-Delegating licies gement s E-Mail Address Policies-Organi E-Mail Address Po Organization Mana RoleGroup RoleGroup All Group Member zation Management licies gement s Exchange Connectors-Organizati Exchange Connecto Organization Mana RoleGroup RoleGroup All Group Member on Management-Delegating rs gement s Exchange Connectors-Organizati Exchange Connecto Organization Mana RoleGroup RoleGroup All Group Member on Management rs gement s Exchange Server Certificates-O Exchange Server C Organization Mana RoleGroup RoleGroup All Group Member rganization Management-Delegat ertificates gement s ing Exchange Server Certificates-O Exchange Server C Organization Mana RoleGroup RoleGroup All Group Member rganization Management ertificates gement s Exchange Servers-Organization Exchange Servers Organization Mana RoleGroup RoleGroup All Group Member Management-Delegating gement s Exchange Servers-Organization Exchange Servers Organization Mana RoleGroup RoleGroup All Group Member Management gement s Exchange Virtual Directories-O Exchange Virtual Organization Mana RoleGroup RoleGroup All Group Member rganization Management-Delegat Directories gement s ing Exchange Virtual Directories-O Exchange Virtual Organization Mana RoleGroup RoleGroup All Group Member rganization Management Directories gement s Federated Sharing-Organization Federated Sharing Organization Mana RoleGroup RoleGroup All Group Member Management-Delegating gement s Federated Sharing-Organization Federated Sharing Organization Mana RoleGroup RoleGroup All Group Member Management gement s Information Rights Management- Information Right Organization Mana RoleGroup RoleGroup All Group Member Organization Management-Delega s Management gement s ting Information Rights Management- Information Right Organization Mana RoleGroup RoleGroup All Group Member Organization Management s Management gement s Journaling-Organization Manage Journaling Organization Mana RoleGroup RoleGroup All Group Member ment-Delegating gement s Journaling-Organization Manage Journaling Organization Mana RoleGroup RoleGroup All Group Member ment gement s Legal Hold-Organization Manage Legal Hold Organization Mana RoleGroup RoleGroup All Group Member ment-Delegating gement s Legal Hold-Organization Manage Legal Hold Organization Mana RoleGroup RoleGroup All Group Member ment gement s Mail Enabled Public Folders-Or Mail Enabled Publ Organization Mana RoleGroup RoleGroup All Group Member ganization Management-Delegati ic Folders gement s ng Mail Enabled Public Folders-Or Mail Enabled Publ Organization Mana RoleGroup RoleGroup All Group Member ganization Management ic Folders gement s Mail Recipient Creation-Organi Mail Recipient Cr Organization Mana RoleGroup RoleGroup All Group Member zation Management-Delegating eation gement s Mail Recipient Creation-Organi Mail Recipient Cr Organization Mana RoleGroup RoleGroup All Group Member zation Management eation gement s Mail Recipients-Organization M Mail Recipients Organization Mana RoleGroup RoleGroup All Group Member anagement-Delegating gement s Mail Recipients-Organization M Mail Recipients Organization Mana RoleGroup RoleGroup All Group Member anagement gement s Mail Tips-Organization Managem Mail Tips Organization Mana RoleGroup RoleGroup All Group Member ent-Delegating gement s Mail Tips-Organization Managem Mail Tips Organization Mana RoleGroup RoleGroup All Group Member ent gement s Mailbox Import Export-Organiza Mailbox Import Ex Organization Mana RoleGroup RoleGroup All Group Member tion Management-Delegating port gement s Mailbox Search-Organization Ma Mailbox Search Organization Mana RoleGroup RoleGroup All Group Member nagement-Delegating gement s Message Tracking-Organization Message Tracking Organization Mana RoleGroup RoleGroup All Group Member Management-Delegating gement s Message Tracking-Organization Message Tracking Organization Mana RoleGroup RoleGroup All Group Member Management gement s Migration-Organization Managem Migration Organization Mana RoleGroup RoleGroup All Group Member ent-Delegating gement s Migration-Organization Managem Migration Organization Mana RoleGroup RoleGroup All Group Member ent gement s Monitoring-Organization Manage Monitoring Organization Mana RoleGroup RoleGroup All Group Member ment-Delegating gement s Monitoring-Organization Manage Monitoring Organization Mana RoleGroup RoleGroup All Group Member ment gement s Move Mailboxes-Organization Ma Move Mailboxes Organization Mana RoleGroup RoleGroup All Group Member nagement-Delegating gement s Move Mailboxes-Organization Ma Move Mailboxes Organization Mana RoleGroup RoleGroup All Group Member nagement gement s Organization Client Access-Org Organization Clie Organization Mana RoleGroup RoleGroup All Group Member anization Management-Delegatin nt Access gement s g Organization Client Access-Org Organization Clie Organization Mana RoleGroup RoleGroup All Group Member anization Management nt Access gement s Organization Configuration-Org Organization Conf Organization Mana RoleGroup RoleGroup All Group Member anization Management-Delegatin iguration gement s g Organization Configuration-Org Organization Conf Organization Mana RoleGroup RoleGroup All Group Member anization Management iguration gement s Organization Transport Setting Organization Tran Organization Mana RoleGroup RoleGroup All Group Member s-Organization Management-Dele sport Settings gement s gati Organization Transport Setting Organization Tran Organization Mana RoleGroup RoleGroup All Group Member s-Organization Management sport Settings gement s POP3 And IMAP4 Protocols-Organ POP3 And IMAP4 Pr Organization Mana RoleGroup RoleGroup All Group Member ization Management-Delegating otocols gement s POP3 And IMAP4 Protocols-Organ POP3 And IMAP4 Pr Organization Mana RoleGroup RoleGroup All Group Member ization Management otocols gement s Public Folder Replication-Orga Public Folder Rep Organization Mana RoleGroup RoleGroup All Group Member nization Management-Delegating lication gement s Public Folder Replication-Orga Public Folder Rep Organization Mana RoleGroup RoleGroup All Group Member nization Management lication gement s Public Folders-Organization Ma Public Folders Organization Mana RoleGroup RoleGroup All Group Member nagement-Delegating gement s Public Folders-Organization Ma Public Folders Organization Mana RoleGroup RoleGroup All Group Member nagement gement s

thanks for your input here what you asked me to do [PS] C:\Windows\system32>Get-managementRoleAssignment -RoleAssignee Administrator -Role "Active Directory Permissions" | ft -wrap Name Role RoleAssigneeName RoleAssigneeType AssignmentMethod EffectiveUserNam e ---- ---- ---------------- ---------------- ---------------- ---------------- Active Directory Permissions-O Active Directory Organization Mana RoleGroup RoleGroup All Group Member rganization Management-Delegat Permissions gement s ing Active Directory Permissions-O Active Directory Organization Mana RoleGroup RoleGroup All Group Member rganization Management Permissions gement s [PS] C:\Windows\system32>

thanks for your input here what you asked me to do [PS] C:\Windows\system32>Get-managementRoleAssignment -RoleAssignee Administrator -Role "Active Directory Permissions" | ft -wrap Name Role RoleAssigneeName RoleAssigneeType AssignmentMethod EffectiveUserNam e ---- ---- ---------------- ---------------- ---------------- ---------------- Active Directory Permissions-O Active Directory Organization Mana RoleGroup RoleGroup All Group Member rganization Management-Delegat Permissions gement s ing Active Directory Permissions-O Active Directory Organization Mana RoleGroup RoleGroup All Group Member rganization Management Permissions gement s [PS] C:\Windows\system32> Any new information I am still having the same problem

To everyone who stuck like me in this issue I found the solution . I worked with a genius chap from MS (Sudhir Kaushik) who put me to the road to solve this issue. And this what we did: First check the above and follow what Ripu Daman Mina and James Luo (thanks for both of you) Create a new public folder and see if you can add the Send-As permissions to it or you will have the same error above. If that the case stop here and this will not sort your issue or may be yes (let me know please) Open ADSIEdit and check that the ownership of the new folder by going to Default naming context -> DC=domainname,DC=co,DC=uk ->CN=Microsoft Exchange System Objects -> right click on the object of the PF you just created and select properties then Advanced, Ownership and note the name of who owned the public folder (in my case the servername$) Repeat step 2 for the Public Folder object in question and go to the ownership tab in (in my case it said system is the owner) change it to one that worked in step 2 (in my case the servername$) Save and try again the send as permission again and it should work. The only draw back, it needs to be changed manually. I hope this will help and please let me know if it works with you.

In my case, I have 4 exchange 2010 servers. I had this problem. I used the solution of Magic174 and have checked that the ownership was other server. I connect to the PF from the owner server and I can set the permissions without problems.

I sort of tried Magic174's idea, except instead of changing the Owner, I went to the server that was the owner and was able to make the Send As permission change there no problem... Seems like an bug that you can only administer that permission from the server owner... I have a politically incorrect term I would like to insert here, but I won't.

Hi, in my case it was a HUB server. It was enough to connect to that HUB server, which was owner and run the script under its context. With regards Zbynk

This is truly a bug that MS should consider fixing. Why in gods name should an admin need to log into the mailbox server to administer Public Folder permissions like this?! I know MS has tried to kill off public folders bu this is borderline ridiculous! I was able to assign the send-as extendedrights only after logging into the mailbox server. What happened to distributed administration? Boo MS, fix this.

Unless you are a Domain Backup Operator or a Domain Administrator, you cannot change the owner of the public folder objects even if you have modfiy permissions on them: http://networkadminkb.com/KB/a22/how-to-allow-assignment-ownership-without-being-local.aspx The quicker/easier fix to this issue, which is one our Exchange DSE from Microsoft Premiere support clued us into, is to add the "Exchange Trusted Subsystem" group to have "Modify Permissions" for "Descendant Public Folder objects" in the "Microsoft Exchange System Objects" container. Making an Exchange server an owner of the public folder as others have found simply allows you to set permissions on the object w/o having permissions, as an owner can always do anything. The real issue is the Exchange Trusted Subsystem didn't have permissions to change the permissions on the Public Folder objects. The reason why this is necessary is due to the fact with RBAC, the server is the one proxying the change on behalf of the user once the server confirms the user has the right to do so, so the user's actual permissions on this container (such as through the Exchange Org admins group or Public Folder admins group) don't matter. I guess Microsoft missed this in their Exchange 2010 ADPrep/DomainPrep?