Solved

Unable to add Delegate / Write Personal Information Problem

Posted on 2009-05-20
Last Modified: 2012-05-07
Hi All,

Getting the following error when trying to add a Delegate

The Delegates Setting were not saved correctly. Unable to activate send-on-behalf-of list. You do not have sufficient permission to perform this operation on this object

Apparently this is due to the following permission setting not being set:
SELF - Write Personal Information

This seems to be happening with all users, affecting both Outlook 03 and 07. We upgraded to Exchange 07 about 1 year ago; since then we have not been aware of the problem. When it was Exchange 03 we were definitely able to add delegates.

From doing some research I found that if we add the Self account to the object's security and allow Write Personal Information. Sadly Write Personal Information is not available in the listing.

When manually doing it the command is successful:

dsacls "cn=adminsdholder,cn=system,dc=<mydomain>,dc=com" /G "\SELF:RPWP;Personal Information"

However still unable to add the delegate.

Question by:supportemea
Expert Comment

by:Pber
ID: 24440511
I think you have to set that on each user's account, not the AdminSDHolder placeholder.
 
The AdminSDHolder is the placeholder template for administrative accounts that is used to sync to admins every hour.  See this: http://support.microsoft.com/kb/232199
 
I had a script at one time that I used to fix this same thing at our end, I'll see if I still have it.
Expert Comment

by:Pber
ID: 24440529
Here's the script

' Grants SELF "Write Personal Information" on every user object in the domain.
' This changes the ACL of each user found by the query below.
Set oRootDSE = GetObject("LDAP://RootDSE")
strDomainNC = oRootDSE.Get("defaultNamingContext")
Set oRootDSE = Nothing

' ADO connection to Active Directory
Set oConnection = CreateObject("ADODB.Connection")
oConnection.Provider = "ADsDSOObject"
oConnection.Open "Active Directory Provider"

Set oCommand = CreateObject("ADODB.Command")
Set oCommand.ActiveConnection = oConnection

' All user objects under the domain naming context
strQuery = "<LDAP://" & strDomainNC & ">;(&(objectCategory=Person)(objectClass=User));AdsPath;subTree"
'strQuery = "<LDAP://" & strDomainNC & ">;(objectCategory=user);AdsPath;subTree"

oCommand.CommandText = strQuery
' Page the results so that more than 1000 users are returned
oCommand.Properties("Page Size") = 1000
Set oRecordSet = oCommand.Execute

' One shell object is enough for all dsacls calls
Set objShell = CreateObject("WScript.Shell")

If Not oRecordSet.EOF Then
	WScript.Echo oRecordSet.RecordCount
	While Not oRecordSet.EOF
		Set x = GetObject(oRecordSet.Fields("AdsPath").Value)
		' dsacls "cn=someuser,ou=someOU,dc=domain,dc=com" /G "\SELF:WP;Personal Information"
		strcmd = "dsacls """ & x.distinguishedName & """ /G ""\SELF:WP;Personal Information"""
		WScript.Echo strcmd
		' Window style 1; wait for dsacls to finish before moving to the next user
		objShell.Run strcmd, 1, True
		oRecordSet.MoveNext
	Wend
End If

WScript.Echo "done..."

Author Comment

by:supportemea
ID: 24441180
Thanks Pber, you are correct (I was using that as an example).
Even when doing that on the user account

Expert Comment

by:Pber
ID: 24441245
Hmmm.  Could be this:
http://support.microsoft.com/kb/913696 
Expert Comment

by:Pber
ID: 24441348
Has AD had time to replicate?  I presume since we are at least at day 2, that it indeed has.
Are the user objects properly inheriting security?
What do you mean by "Sadly Write Personal Information is not available in the listing."?
Author Comment

by:supportemea
ID: 24474448
Thanks Pber,

The Personal Information is only available on the user object rather than the OU of the users.

I have enabled the Write Personal Information (http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_23510556.html)

However the settings revert back after some time; I would assume that this is when AD replicates.

Any ideas on why the Allow Write Personal Information removes itself?

From doing more research I have found a workaround http://support.microsoft.com/kb/950794 but this is at the client level rather than the enterprise level, which I would like to resolve.

Thanks
Expert Comment

by:Pber
ID: 24474542
If it sets then removes itself, I suspect the adminSDHolder and the associated process is removing inheritance on the objects.  Can you confirm that the user objects are still inheriting?  One thing that I have found is that the adminSDHolder process seems to leave an attribute called admincount=1 set on any user that was ever in a protected group.  If admincount is set, it removed the inheritance from the user.  You can check the attribute using ADSIedit, but it's a hassle.  The quick way is to create a saved query in AD.  I've attached one; you can just save it (rename just with xml extension), then right click Saved Queries in AD Users and Computers and select Import Query Definition and pick the xml file.
I find that query quite useful.

admincount.xml.txt
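
A read-only way to run the check described in the comment above, as an added example that is not part of the original thread: it lists every account with adminCount=1 and reports whether ACL inheritance is blocked on it and whether SELF currently holds write access to the Personal Information property set. It assumes the ActiveDirectory PowerShell module (RSAT) is installed; the property-set GUID and the SELF SID are well-known directory values, not values taken from this page.

```powershell
# Added example: audit accounts stamped with adminCount=1.
# Read-only; requires the ActiveDirectory module (assumption, not from the thread).
Import-Module ActiveDirectory

# rightsGuid of the Personal-Information property set
$PersonalInfo = [guid]'77b5b886-944a-11d1-aebd-0000f80367c1'
# Well-known SID of NT AUTHORITY\SELF
$SelfSid      = 'S-1-5-10'
$WriteProp    = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$SidType      = [System.Security.Principal.SecurityIdentifier]

Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount, nTSecurityDescriptor |
    ForEach-Object {
        $user = $_
        $sd   = $user.nTSecurityDescriptor

        # Explicit and inherited ACEs, with trustees returned as SIDs
        $selfWrite = $sd.GetAccessRules($true, $true, $SidType) | Where-Object {
            $_.IdentityReference.Value -eq $SelfSid -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -band $WriteProp) -and
            # An empty ObjectType GUID means "all properties", which includes the set
            ($_.ObjectType -eq $PersonalInfo -or $_.ObjectType -eq [guid]::Empty)
        }

        [pscustomobject]@{
            SamAccountName        = $user.SamAccountName
            # True when the object no longer inherits ACEs from its parent OU
            InheritanceBlocked    = $sd.AreAccessRulesProtected
            SelfWritePersonalInfo = [bool]$selfWrite
            DistinguishedName     = $user.DistinguishedName
        }
    } |
    Sort-Object InheritanceBlocked, SamAccountName |
    Format-Table -AutoSize
```

Running it again after the next AdminSDHolder cycle shows which accounts lost a manually added SELF entry.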
Author Comment

by:supportemea
ID: 24481659
Thanks Pber for the Script,

There are a number of users affected with the AdminCount. However, these users are part of an OU that we don't want to inherit enabled.

The User Objects that are in effected are inheriting, The write personal attribute is allowed however users are still unable to add delegate (Same Error)
Expert Comment

by:Pber
ID: 24482911
You were saying the Write Personal Information was disappearing after some time.  Is this still the case?  Also before it disappeared, were users able to add delegates?
Accepted Solution

by:Pber
ID: 24483099
If it doesn't work even though the SELF account has the Write Personal Information set, you will likely need to do the KB950794 hotfix (as you've already found).
See this as well (similar issue where SELF doesn't seem to fix it):
http://social.technet.microsoft.com/Forums/en-US/exchangesvrgeneral/thread/f9768f81-1481-4eb7-91d0-54f103035551
We had this issue with Outlook 2003 and the SELF thing fixed it.  We haven't gone to Outlook 2007 as, being a large company, things progress very slowly.  Also, being a large company, it is easy for us to deploy hotfixes such as the one above as we have System Center Configuration Manager to deploy stuff.