I have a helpdesk who able to create a mailbox user. However, when he try to create a distribution list, an error appeared: Active Directory operation failed on dc.domain.local. This error is not retriable. Additional information : Access is denied. Active directory response: 00000005: SecErr: DSID-03152492, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 + CategoryInfo : WriteError: (0:Int32) [Add-ADPermission], ADOperationException + FullyQualifiedErrorId : B0A9888A,Microsoft.Exchange.Management.RecipientTasks.AddADPermission I give the helpdesk to be a member of Exchange Recipient Administrator group. It is about permission but I not sure where to check. Some on internet, they said check on "Ineherent permission on......." On of I found is:http://social.technet.microsoft.com/Forums/en-US/exchangesvradmin/thread/b94be7f2-cdc3-4312-9bb5-a86b86f10d22 Pleae help

Hi You had better tell us the version of your exchange system. According to your link which you offer, your exchange version is 2007. 1. You can check all the permission of exchange recipient admin group by adsiedit. In windows 2003, you can install support tools from your windows 2003 CD. Then run regsvr32 adsiedit.dll -> run adsiedit.msc -> domain-> cn=Microsoft Exchange System Objects -> right click ->properties-> security. In windows 2008, run adsiedit.msc and do the same. 2. I just test create distribution group by EMC and EMS using account which belongs to Exchange recipient admin role. It works without any other configuration. You can try to remove it and add helpdesk by organization->addexchange admin. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

I'm logging to Exchange server. Launch EMC > Click on Organization level > Click on Add Exchange Addministrator then select the helpdesk mailbox and assign with "Exchange Recipient Administrator" but it failed

Hi Can you post the error information? You can try powershell : Add-ExchangeAdministrator –Identity ‘domain/user’ –Role ‘RecipientAdmin’ Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Identity Role -------- ---- //ManagedExchangeRecipient OrgAdmin /Admin Purpose/Exchange Manage Group OrgAdmin /Users/Migrate PF OrgAdmin /Mimosa/NPAdmin OrgAdmin OrgAdmin /Users/Administrator OrgAdmin //ManagedExchangeRecipient RecipientAdmin //ExchangeViewOnly RecipientAdmin /Test/Helpdeks IT Support RecipientAdmin /Microsoft Exchange Security Groups/Exchange Organization Administrators RecipientAdmin /Microsoft Exchange Security Groups/Exchange Public Folder Administrators ViewOnlyAdmin /Microsoft Exchange Security Groups/Exchange Recipient Administrators ViewOnlyAdmin /Admin Purpose/Blackberry Exchange Server Admin ViewOnlyAdmin /Users/Administrator ViewOnlyAdmin /Microsoft Exchange Security Groups/Exchange Organization Administrators PublicFolderAdmin /Member Servers/Exchange/Mailbox/MUSCA As you can Helodesk IT Support has role "RecipientAdmin" The error: Active Directory operation failed on dc.domain.local. This error is not retriable. Additional information : Access is denied. Active directory response: 00000005: SecErr: DSID-03152492, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 + CategoryInfo : WriteError: (0:Int32) [Add-ADPermission], ADOperationException + FullyQualifiedErrorId : B0A9888A,Microsoft.Exchange.Management.RecipientTasks.AddADPermission

Hi It is too odd. 1. You can grant helpdesk IT support write and other permission by ADSI. 2. You can go to Active Directory users and Computers->helpdesk IT support ->porperties->member of You can try to remove it from recipient admin group and add it again. If you meet error, it seems to be AD error not exchange. If you don’t meet error, the IT support still can’t create distribution group. You can create new group and new user belongs to this group. Then you can add the group to exchange recipient admin group. Can this user create distribution group? Then we can narrow down the range of problem. AD problem or exchange recipient admin group problem. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

i did create a new security group and new Mailbox-enabled user. I added this user to the security group then assign permission to this group as Exchange Recipient Administrator. I logged on to the PC which joined to PC using new user and launch EMC. I had installed the EMC console on the PC. With this test user, i create a DL but unfortunately same error appear. When I went to the user AD properties | Security | Exchange Recipient Administrator. I saw that the pemission is ALLOW "READ". Is this correct settings?

It is correct. You can roll down and see allow read exchange information/write exchange information/read exchange personal information/ write exchange personal information/read phone and mail options/special permissions. You can grant other permission to Exchange Recipient AdministratorPlease remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

so what wrong with user?

No wrong ......Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.