Hello! I installed a new Exchange server in a new domain yesterday. Everything went well and I can (as a administrator) access mailboxes in OWA. Today I tried toadd as a standard user from the AD. The login went well, he was getting the option to choose language but after that he doent get any further. The error message was:RequestUrl: http://localhost:80/owa/lang.owaUser host address: 127.0.0.1ExceptionException type: Microsoft.Exchange.Data.Storage.StoragePermanentExceptionException message: There was a problem accessing Active Directory.Call stack Microsoft.Exchange.Data.Storage.ExchangePrincipal.Save() Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.DispatchLanguagePostLocally(OwaContext owaContext, OwaIdentity logonIdentity, CultureInfo culture, String timeZoneKeyName, Boolean isOptimized) Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.DispatchLanguagePostRequest(OwaContext owaContext) Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.PrepareRequestWithoutSession(OwaContext owaContext, UserContextCookie userContextCookie) Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.InternalDispatchRequest(OwaContext owaContext) Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.DispatchRequest(OwaContext owaContext) System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) Inner ExceptionException type: Microsoft.Exchange.Data.Directory.ADOperationExceptionException message: Active Directory operation failed on aksad1.aksgroup. This error is not retriable. Additional information: Insufficient access rights to perform the operation. Active directory response: 00002098: SecErr: DSID-03150A45, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 Call stack Microsoft.Exchange.Data.Directory.ADSession.AnalyzeDirectoryError(PooledLdapConnection connection, DirectoryRequest request, DirectoryException de, Int32& retries, Int32 maxRetries) Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADRawEntry entry, DirectoryRequest request, ADObjectId originalId) Microsoft.Exchange.Data.Directory.ADSession.Save(ADObject instanceToSave, IEnumerable`1 properties) Microsoft.Exchange.Data.Storage.ExchangePrincipal.Save() Inner ExceptionException type: System.DirectoryServices.Protocols.DirectoryOperationExceptionException message: The user has insufficient access rights.Call stack System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut) System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout) Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation) Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADRawEntry entry, DirectoryRequest request, ADObjectId originalId)

By any chance is this new user a domain admin?

I am having the exact same problem with the exact same error. I only have this problem with my account (so far). I can login with domain admin account, new accounts created after exchange was loaded and from existing users that I created a mailbox for. I have removed my mailbox and tried to recreate it with the same results.Any clues?

This fixed my problemOriginal post: http://blog.justinho.com/SyndicationService.asmx/GetRssCategory?categoryName=Exchange%202007Update: Fix 'em permissionsIf your Exchange 2007 OWA is failing for a user after the mailbox is migrated fromExchange 2003 to Exchange 2007, the user account should be checked on the securitytab under advanced to see if it has "Allow inheritable permissions from the parentto propagate to this object and all child objects. Include these with entries explicitlydefined here." 1. Open up Active Directory Users and Computers 2. Go to the View menu, Advanced. 3. Locate the user in AD, right click, properties. Jump to the security tab. 4. Click "Advanced" next to the "For special permissions or for advanced settings, click Advanced. 5. Click "Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries explicitly defined here." Check box and apply. 6. Click OK and OK again. Once changed and replicated OWA works. This is checked by default but is turned offfor accounts with administrative privileges. So how does this get turned off? Well if the account is an administrative accountor was ever an administrative account previously. It will be turned off automatically.Reference the following.XADM: Do Not Assign Mailboxes to Administrative Accounts http://support.microsoft.com/kb/328753 which says By not assigning mailboxes to accounts with administrative permissions, you avoid security issues related to "elevation of privilege" attacks. For example, in an elevation of privilege attack, a security hole exists in which Group X is made a member of the Domain Administrators group, and access control lists (ACLs) exist on Group X that permit Group Y to modify Group X. In this situation, members of Group Y can make themselves members of Group X and so become a member of the Domain Administrators group. To help guard against such security issues, the Administrator account and accounts that are members of these security groups are not permitted to inherit permissions. On the Security tab of the group or account's properties page, you can see that the Allow inheritable permissions from parent to propagate to this object check box is not selected. Moreover, if you click to select this check box, a Microsoft Windows 2000 system task soon clears it automatically. Clearing the check box is a function of Windows 2000 intended to prevent hackers from playing with security and inappropriately increasing their permissions to the level of administrator. As a side effect of this inheritance setting, if you do try to use a mailbox assigned to an administrative account, you may not be able to log on to or resolve the mailbox. Also, in Exchange System Manager, although the Administrator account can have an Exchange 2000 alias and an Exchange 2000 mailbox, it does not have e-mail addresses. The Recipient Update Service, which updates the e-mail addresses and several other attributes, does not have the authority to update objects if the Allow inheritable permissions from parent to propagate to this object check box is not selected.

I have the same problem. However the CHECKBOX in the above mentioned fix is ALREADY selected... Did anyone get any further to the SPECIFIC permission that is causling this?

I to have the same problem. Checkbox is already selected in my case too. All the accounts with mailboxes created before installing exchange 2007 has this problem after they are moved. Allthough the domain admin accounts have no problem whatsoever after the move.

Anyone got any further on this? I can "fix" it but not in a sane way,if you give authenticated users all write permissions in the users ACE (or at any level above) itit works fineand no amount of playing has revealed what perm is reallyneeded, it's not one you can select at an OU level. But givingauthenticated userswrite permissions is nigh on making an administrator out of the user, so I guess it's really broken for everyone (even admins in child domains can't use webmail either)and the admin rights just get round it.

i am also having this issue... The "Check Box Fix" did not work for me as well.

had same problem, but I resolved it...sigh I actually had an OU that was missing the "allow inherittable permission" checked so of course it didn't matter what the user was set to. So check your OU that the user resides in. Check the permissions and make sure the inherritance is checked. In my case someone modified the default "users" ou to not inherit. hope that helps u all...drove me crazy...

ok, got the same probelm with the first new account in created on Exchange 2007. All of the OUs are set to inherite permissions. any ideas?

Planwithtan, did you check the user account? If not, give it a go. My is like most of the users have that inherit while until now I found out only 2 users have their account untick. Even on the OU there is a tick but down to the user account may be a few user get miss. I give my credit to the one who gave us the answer. It solve my problem too. Thank you.

There is an issue with the ExchangeVersion for the user. This is caused by a user being created the "old" method in AD and adding a mailbox for that user in the 2007 environment. Read this blog as it fixed my issue. I was having the same problem and the inheret permissions was all correct. http://nmdouh.blogspot.com/2008/02/error-message-when-users-try-to-log-on.html

Thanks Jason. The link and the workaround fixed it for my user. The key for me wasthis error: Property Languages cannot be set on this object because it requires the object to have version 0.1 (8.0.535.0) or later. Current version of the object is 0.0 (6.5.6500.0).Running the shell command (Set-Mailbox User_Name -ApplyMandatoryProperties) on the user changes their mailbox version to 0.1 (8.0.535.0)

Fontyyy's suggestion helped me. My test user mailbox was moved from Exchange03 to Exchange07, so I had the "Version Issue". Once I fixed that, I then ran into the "Access Denied Issue". The Inherit Properties checkbox was checked, so I then gave the "Authenticated Users" Write Permissions on the accountand it worked. But what the hay as we say here in NM?

JasonWilks post fixed it for me. cheers for the link. F

Over 4 years old... and yet, still very helpful!