Unable to create user mailboxes in Exchange Server 2013

Hi,

We have a .NET application that creates user mailboxes and other stuff in Exchange Server. Recently, I added an Exchange 2013 Server with CU6 to the test domain and tried to create a user mailbox in the Exchange server through our code, but ran into an issue. The following error is received by our code:

Error occured while executing PS command. Error : Active Directory operation failed on E2E100SPT2013RF.spt.resource.forest. This error is not retriable. Additional information: Insufficient access rights to perform the operation.
Active directory response: 00002098: SecErr: DSID-03150BC1, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

On the Exchange server, I found the following error in the event log:

Enable-Mailbox
-Identity "spt.resource.forest/ocs tenants/exch19062015org1.test/u2@exch19062015org1.test" -Database "Mailbox Database 1033272470" -Alias "u2" -DomainController "E2E100SPT2013RF.spt.resource.forest" -PrimarySmtpAddress "u2@exch19062015org1.test"
spt.resource.forest/Users/Administrator
S-1-5-21-917764294-1177313591-2627756481-500
S-1-5-21-917764294-1177313591-2627756481-500
Remote-PowerShell-Unknown
6932 w3wp#MSExchangePowerShellFrontEndAppPool
41
00:00:00.5472377
View Entire Forest: 'False', Default Scope: 'spt.resource.forest', Configuration Domain Controller: 'E2E100SPT2013RF.spt.resource.forest', Preferred Global Catalog: 'E2E100SPT2013RF.spt.resource.forest', Preferred Domain Controllers: '{ E2E100SPT2013RF.spt.resource.forest }'
Microsoft.Exchange.Data.Directory.ADOperationException: Active Directory operation failed on E2E100SPT2013RF.spt.resource.forest. This error is not retriable. Additional information: Insufficient access rights to perform the operation. Active directory response: 00002098: SecErr: DSID-03150BC1, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 ---> System.DirectoryServices.Protocols.DirectoryOperationException: The user has insufficient access rights. at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut) at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout) at Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation, Nullable`1 clientSideSearchTimeout, IActivityScope activityScope, String callerInfo) at Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException, Boolean isSync) --- End of inner exception stack trace --- at Microsoft.Exchange.Data.Directory.ADDataSession.AnalyzeDirectoryError(PooledLdapConnection connection, DirectoryRequest request, DirectoryException de, Int32 totalRetries, Int32 retriesOnServer) at Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException, Boolean isSync) at Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException) at Microsoft.Exchange.Data.Directory.ADDataSession.Save(ADObject instanceToSave, IEnumerable`1 properties, Boolean bypassValidation) at 
Microsoft.Exchange.Management.RecipientTasks.EnableMailbox.PrepareRecipientObject(ADUser& user) at Microsoft.Exchange.Management.RecipientTasks.EnableRecipientObjectTask`2.PrepareDataObject() at Microsoft.Exchange.Configuration.Tasks.SetTaskBase`1.InternalValidate() at Microsoft.Exchange.Configuration.Tasks.RecipientObjectActionTask`2.InternalValidate() at Microsoft.Exchange.Management.RecipientTasks.EnableMailbox.InternalValidate() at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__b() at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)
ServerOperation
System.DirectoryServices.Protocols.DirectoryOperationException: The user has insufficient access rights. at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut) at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout) at Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation, Nullable`1 clientSideSearchTimeout, IActivityScope activityScope, String callerInfo) at Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException, Boolean isSync)
Ex6AE46B
False
0 objects execution has been proxied to remote server.
0
ActivityId: 5ffc6148-476a-4357-9ea1-220c29b33c6c
ServicePlan:;IsAdmin:True;

I have tried almost everything, but the error still persists. This is becoming a nightmare for me.

Please can somebody help me sort out this permission-related issue? (From the log I guess this is a permission issue, but I am unable to find where exactly the permission is to be set.)

Thanks in advance,

Arnab

June 23rd, 2015 10:57am

Try these steps and report back if it worked or not:

  • Open Active Directory Users and Computers
  • Find the user for which the mailbox error occurred
  • Open the properties of the user and go to the Security tab (if this is not available, choose View and then Advanced Features in AD Users and Computers under MMC)
  • Click on [Advanced]
  • Check the box at the bottom which says "Include inheritable permissions from this object's parent" and then click [OK] twice.

June 23rd, 2015 11:02am
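
Added example, not part of the original reply: the same inheritance check and fix done from PowerShell, so every user in a tenant OU can be audited before anything is changed. It assumes the RSAT ActiveDirectory module is available; the function names and the OU in the usage lines are hypothetical placeholders.

```powershell
# Added example (not from the thread). Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-InheritanceReport {
    # Lists users under $SearchBase and whether ACL inheritance is blocked on each.
    param(
        [Parameter(Mandatory)][string]$SearchBase,  # distinguished name of the OU
        [string]$Server                             # optional domain controller
    )
    $query = @{
        Filter     = '*'
        SearchBase = $SearchBase
        Properties = 'nTSecurityDescriptor', 'adminCount'
    }
    if ($Server) { $query.Server = $Server }

    Get-ADUser @query | ForEach-Object {
        [pscustomobject]@{
            DistinguishedName   = $_.DistinguishedName
            # True means the "Include inheritable permissions" box is cleared.
            InheritanceDisabled = $_.nTSecurityDescriptor.AreAccessRulesProtected
            # adminCount = 1 marks an account that is or was in a protected group;
            # for current members, SDProp clears inheritance again on its next run.
            AdminCount          = $_.adminCount
        }
    }
}

function Enable-Inheritance {
    # Re-enables inheritance on one object; supports -WhatIf and -Confirm.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string]$DistinguishedName
    )
    process {
        $path = "AD:\$DistinguishedName"
        $acl  = Get-Acl -Path $path
        if (-not $acl.AreAccessRulesProtected) { return }   # already inheriting
        if ($PSCmdlet.ShouldProcess($DistinguishedName, 'Re-enable ACL inheritance')) {
            $acl.SetAccessRuleProtection($false, $true)      # $false = allow inheritance
            Set-Acl -Path $path -AclObject $acl
        }
    }
}

# Usage with a placeholder OU: report first, then preview the change with -WhatIf.
Get-InheritanceReport -SearchBase 'OU=Example,DC=example,DC=test' |
    Where-Object InheritanceDisabled |
    Enable-Inheritance -WhatIf
```

Remove `-WhatIf` only after reviewing the report; an account with `AdminCount` set to 1 is worth investigating rather than simply re-enabling inheritance on it.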
