Error when moving Mailbox from Exchange 2003 to 2010

Posted on 2009-12-18
Medium Priority
Last Modified: 2012-05-08
Getting the following message when I try to move a mailbox from 2003 to 2010. I am logged in as the domain administrator.

Summary: 1 item(s). 0 succeeded, 1 failed.
Elapsed time: 00:00:02


Active Directory operation failed on MyDomain.GPPSD.ab.ca. This error is not retriable. Additional information: Insufficient access rights to perform the operation.
Active directory response: 00002098: SecErr: DSID-03150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

The user has insufficient access rights.

Exchange Management Shell command attempted:
'MyDomain.ab.ca/Windows 7 Security Guide EC Client OU/Department OU/Windows Windows 7 Users OU/GPAT Test' | New-MoveRequest -TargetDatabase 'GPPSDSTAFF'

Elapsed Time: 00:00:02

Question by:GPPSD2357

Expert Comment

ID: 26083962
Does the administrator have all the appropriate access rights to the mailbox? In Exchange 2003, the administrator, by default, does not possess a number of mail-related permissions that are required in a migration to 07/2010.

You could create a new user and add him as a member to the mail administrators so you can avoid editing the deny permissions on the current Domain Administrator account.

Also, please make sure the user in question is not disabled within AD.

Expert Comment

by:Glen Knight
ID: 26083966
You don't have the appropriate permissions.
Set up a new user and give it full access to all mailboxes as per this guide: http://support.microsoft.com/kb/821897

Then log in using this user and move the mailboxes again.

Expert Comment

ID: 26083968
Domain Admins cannot access Exchange 2003 mailboxes by default. Microsoft explicitly denies read/write access for Domain Admins (AD), Enterprise Admins (AD), Administrator (local), Exchange Administrator role (Exchange), and Exchange Full Administrator role (Exchange).

Try to create a mail recovery user (AD User account) and grant that user the Exchange Administrator role. Log in with that user and run the mailbox migration again.

Expert Comment

ID: 26084744
Check the user's properties in AD and make sure inherit permission is checked.

And also, on the OU in which the mailbox user is, the Exchange Server group should have write permission.
1) Open Active Directory Users and Computers.
2) Navigate to the problematic OU where the user is.
3) Right-click the OU, click Properties, then click the Security tab.
4) Select the Exchange server group, enable "write" permissions and click Advanced.
5) Under the Advanced security settings window, select the "Exchange server" group and click Edit to apply "This object and all descendant objects".
6) Click OK.
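
The two checks in the comment above (inheritance on the user object, and the Exchange group's rights on the user or its OU) can be read from PowerShell before any ACL is changed. This is an added example, not part of the original thread; the distinguished name is a placeholder, and the `Exchange` name pattern is an assumption about how the Exchange security groups are named in your forest.

```powershell
# Added example: read-only report, nothing in Active Directory is modified.
# Assumptions (not from the thread): $TargetDN is a placeholder, and
# $GroupPattern matches the names of the Exchange security groups in your forest.
param(
    [string]$TargetDN     = 'CN=Placeholder User,OU=Placeholder OU,DC=example,DC=com',
    [string]$GroupPattern = 'Exchange'
)

function Get-ExchangeAclReport {
    param([string]$DistinguishedName, [string]$Pattern)

    # Bind to the object over LDAP and read its security descriptor.
    $entry = [ADSI]"LDAP://$DistinguishedName"
    $sd    = $entry.psbase.ObjectSecurity

    # Explicit and inherited ACEs whose trustee name matches the pattern.
    # Deny entries are included so that an explicit Deny is visible.
    $aces = $sd.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Where-Object { $_.IdentityReference.Value -match $Pattern } |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, IsInherited

    New-Object PSObject -Property @{
        DistinguishedName  = $DistinguishedName
        # True means "inherit permissions" is unchecked on this object,
        # so rights granted on the parent OU never reach it.
        InheritanceBlocked = $sd.AreAccessRulesProtected
        MatchingAces       = @($aces)
    }
}

$report = Get-ExchangeAclReport -DistinguishedName $TargetDN -Pattern $GroupPattern

if ($report.InheritanceBlocked) {
    Write-Warning "Inheritance is disabled on $($report.DistinguishedName)."
}
if ($report.MatchingAces.Count -eq 0) {
    Write-Warning "No ACE found for a trustee matching '$GroupPattern'."
}
$denies = @($report.MatchingAces | Where-Object { $_.AccessControlType -eq 'Deny' })
if ($denies.Count -gt 0) {
    Write-Warning "$($denies.Count) Deny ACE(s) found; Deny overrides Allow."
}
$report.MatchingAces | Format-Table -AutoSize
```

Run it once with the user's distinguished name and once with the OU's distinguished name to cover both checks.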

Expert Comment

ID: 26114384
Please verify your permissions as Narayan suggests, as it's what I was alluding to. That should certainly allow you to do whatever you need to do (migrate, restore, access, etc.).

Accepted Solution

Glen Knight earned 2000 total points
ID: 26114398
You will need to have permissions on both stores as per the instructions in the KB article; just having permissions on the user will not help.


Question has a verified solution.
