Solved

Exchange: add full access right to a user for a mailbox

Posted on 2014-02-21
Last Modified: 2014-03-14
Hi Experts,

We encounter a strange behavior when adding the full access right to a specific mailbox for a user, while all other mailboxes work fine (we can access them in Outlook without problem with this user's profile). If I remove and re-add this user's full access right to that mailbox, an unknown error appears randomly. Sometimes it works without error, but in Outlook we can't open the mailbox because of an insufficient rights error.

Cannot display the folder. Microsoft Outlook cannot access the specified folder location. The operation failed. An object cannot be found.

Even when I try to add full access right to that mailbox to an admin of the domain...

I found this in eventvwr on the Exchange Server with the event ID 6 from MSExchange Cmdletlogs:

Cmdlet failed. Cmdlet Add-ADPermission, parameters {Identity=DMN.local/Company/Users/Clovis Cornillac, User=DMN\user, ExtendedRights={Send-as}}.

Detailed view :

Microsoft.Exchange.Data.Directory.ADOperationException: Active Directory operation failed on SERVER07.DMN.local. This error is not retriable. Additional information: Access is denied. Active directory response: 00000005: SecErr: DSID-031521E1, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 ---> System.DirectoryServices.Protocols.DirectoryOperationException: The user has insufficient access rights. at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut) at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout) at Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation, IAccountingObject budget, Nullable`1 clientSideSearchTimeout) at Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException) --- End of inner exception stack trace --- at Microsoft.Exchange.Data.Directory.ADSession.AnalyzeDirectoryError(PooledLdapConnection connection, DirectoryRequest request, DirectoryException de, Int32 totalRetries, Int32 retriesOnServer) at Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException) at Microsoft.Exchange.Data.Directory.ADSession.SaveSecurityDescriptor(ADObject obj, RawSecurityDescriptor sd, Boolean modifyOwner) at Microsoft.Exchange.Data.Directory.ADSession.SaveSecurityDescriptor(ADObjectId id, RawSecurityDescriptor sd) at Microsoft.Exchange.Management.Tasks.DirectoryCommon.SetAces(TaskVerboseLoggingDelegate verboseLogger, TaskWarningLoggingDelegate warningLogger, ErrorLoggerDelegate errorLogger, ADSession session, ADObjectId id, Boolean remove, ActiveDirectoryAccessRule[] aces) at 
Microsoft.Exchange.Management.Tasks.DirectoryCommon.SetAces(TaskVerboseLoggingDelegate verboseLogger, TaskWarningLoggingDelegate warningLogger, ErrorLoggerDelegate errorLogger, ADSession session, ADObjectId id, ActiveDirectoryAccessRule[] aces) at Microsoft.Exchange.Management.RecipientTasks.AddADPermission.ApplyModification(ADRawEntry modifiedObject, ActiveDirectoryAccessRule[] modifiedAces) at Microsoft.Exchange.Management.RecipientTasks.SetPermissionTaskBase`3.InternalEndProcessing()
   System.DirectoryServices.Protocols.DirectoryOperationException: The user has insufficient access rights. at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut) at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout) at Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation, IAccountingObject budget, Nullable`1 clientSideSearchTimeout) at Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException)

An AD problem apparently...

If you have a suggestion to fix it quickly, I would appreciate it a lot !


Thanks in advance for your help, best regards,


Guillaume
Question by:jet-info
Expert Comment

by:Peter Hutchison
Please use the Add-MailboxPermission instead of the Add-ADPermission cmdlet to give rights to mailboxes to other users.
Author Comment

by:jet-info
OK I'll try that.
Expert Comment

by:Justin Yeung
I would say that instead of just adding the permission, first check the permissions:

Get-MailboxPermission -Identity "mailbox"

and determine what is missing from there.

Then you can add the missing right, for example:

Add-MailboxPermission -Identity "mailbox" -User "user" -AccessRights FullAccess
Add-ADPermission -Identity "mailbox" -User "user" -ExtendedRights "Send-As"
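The check-then-grant sequence suggested above, written out as an added example (not code from the thread). It audits a mailbox's explicit entries for one delegate, grants FullAccess with Add-MailboxPermission (a mailbox right) and Send-As with Add-ADPermission (an Active Directory extended right, which is why the Add-MailboxPermission cmdlet cannot grant it), then lists any Deny entries that would still override the grant. The mailbox and delegate names are assumptions; run it in the Exchange Management Shell.

```powershell
# Added example, not from the thread. Assumed names: mailbox "shared.mailbox@dmn.local",
# delegate "DMN\user1". Requires the Exchange Management Shell (on-premises).
param(
    [string]$Mailbox  = 'shared.mailbox@dmn.local',
    [string]$Delegate = 'DMN\user1'
)

# 1. What is already there for this delegate? Only explicit entries; inherited ones
#    come from parent objects (OU, organization) and cannot be fixed on the mailbox.
$existing = Get-MailboxPermission -Identity $Mailbox |
    Where-Object { "$($_.User)" -eq $Delegate -and -not $_.IsInherited }
$existing | Format-Table User, AccessRights, Deny, IsInherited -AutoSize

# 2. FullAccess is a mailbox (store) right: Add-MailboxPermission, not Add-ADPermission.
$hasFull = $existing | Where-Object {
    -not $_.Deny -and (($_.AccessRights | ForEach-Object { "$_" }) -contains 'FullAccess')
}
if (-not $hasFull) {
    Add-MailboxPermission -Identity $Mailbox -User $Delegate -AccessRights FullAccess -InheritanceType All
}

# 3. Send-As is an AD extended right on the recipient object, so it is granted with
#    Add-ADPermission; Add-MailboxPermission has no "Send As" access right.
$hasSendAs = Get-ADPermission -Identity $Mailbox | Where-Object {
    "$($_.User)" -eq $Delegate -and -not $_.Deny -and
    (($_.ExtendedRights | ForEach-Object { "$_" }) -contains 'Send-As')
}
if (-not $hasSendAs) {
    Add-ADPermission -Identity $Mailbox -User $Delegate -ExtendedRights 'Send-As'
}

# 4. Re-read and show any Deny entries: a Deny (explicit or inherited) wins over the
#    Allow just granted, which is the "insufficient rights" symptom in Outlook.
Get-MailboxPermission -Identity $Mailbox |
    Where-Object { $_.Deny } |
    Format-Table User, AccessRights, IsInherited, InheritanceType -AutoSize
```

If step 4 prints an entry with IsInherited set to True, the Deny is not on the mailbox object and has to be removed where it is defined, not with Remove-MailboxPermission on the mailbox.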
Author Comment

by:jet-info
Dear all,

Sorry for the delay.

I removed all specific users rights on the mailbox with this command :

Remove-MailboxPermission -Identity mailbox -User user1 -AccessRights FullAccess -InheritanceType All


Then I added the FullAccess Rights to the needed users with this command :

Add-MailboxPermission -Identity mailbox -User user1 -AccessRights FullAccess -InheritanceType All

The result is the same in Outlook when I try to open the mailbox :

 Cannot display the folder. Microsoft Outlook cannot access the specified folder location. The operation failed. An object cannot be found.

Any idea ?
Expert Comment

by:Peter Hutchison
Is your account a Domain Admin? If so, then you may still have Deny rights applied which may be overriding those permissions.

To remove the Deny rights, try these commands:

Get-OrganizationConfig | Remove-ADPermission -user "Domain Admins" -ExtendedRights "Receive-As","Send-As" -Deny
Get-OrganizationConfig | Remove-ADPermission -user "Enterprise Admins" -ExtendedRights "Receive-As","Send-As" -Deny
Get-OrganizationConfig | Remove-ADPermission -user "Organization Management" -ExtendedRights "Receive-As","Send-As" -Deny
Author Comment

by:jet-info
I will try this on Wednesday, the day I work for this customer.

Thank you for your patience !

Best
Author Comment

by:jet-info
My last post disappeared! Maybe it was too large?

So, I tried first to launch  Get-OrganizationConfig | Get-ADPermission and found some deny permissions. See result in attachment.

Is there any risk to launch the three commands above?

Thank you for your help.
140314-ADPermission-mod.txt
Expert Comment

by:Peter Hutchison
The only risk is that there are users in these groups that may have more rights than needed, but other than that, it should be okay.
Author Comment

by:jet-info
OK, let's go for it.

Why do we limit this action to "Receive-As","Send-As" ?
Could we launch a command for a particular user ?

Thanks !
Author Comment

by:jet-info
OK, commands launched. I still have deny permissions on some users like this:
User                : DOMAIN\Domain Admins
Identity            : Firm-Mail
Deny                : True
AccessRights        : {ExtendedRight}
IsInherited         : False
Properties          :
ChildObjectTypes    :
InheritedObjectType :
InheritanceType     : All

Which command should I launch to remove them ?


I still have FullAccess deny permission for some groups or users when I launch Get-MailboxPermission for this mailbox, I launched this command to remove them:

Remove-MailboxPermission -Identity user -User "DOMAIN\Domain Admins" -AccessRights FullAccess -deny -InheritanceType All

I received this message:

WARNING: An inherited access control entry has been specified: [Rights: CreateChild, ControlType: Deny]  and was ignored on object "CN=User Name,OU=Users,OU=Firm,DC=DOMAIN,DC=local".

So I launched these commands:

Remove-MailboxPermission -Identity user -User "DOMAIN\Domain Admins" -AccessRights FullAccess -InheritanceType All

Add-MailboxPermission -Identity user -User "DOMAIN\Domain Admins" -AccessRights FullAccess -InheritanceType All

I received this message:

WARNING: Some delegates added may not show up automatically in Outlook. Outlook is limited to displaying only the first 32 entries (If a delegate user has an archive, the user counts as 2 entries).

FullAccess deny permission are still present...

What to do please?


Thank you.
Expert Comment

by:Peter Hutchison
Could you look in ADSIEdit in the Configuration section for Exchange and check where your rights are applied at. See Configuration, Services, Microsoft Exchange, <org name> and look at the Security permissions at that level.
Author Comment

by:jet-info
There are a lot of deny permissions here. Which ones can I remove without risk?
I deleted the deny permission for a particular admin user for send-as.

There is Store transport access, Store read and write access, Store constrained delegation, and Special (nothing is checked under Special) Permissions for Domain admins, Enterprise admins, Org Management and Schema admins.
Could I remove the deny permissions without affecting normal operation?


There is also a Read msExchAvailabilityUserPassword permission for Authenticated Users; I suppose I have to leave it as is.


Thank you for your time.
Accepted Solution

by:Peter Hutchison
The two rights for which you can remove the Deny entries are Send-As and Receive-As; this will give you full mailbox permissions and Send As (another user) permission on mailboxes.
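The procedure the thread converges on (audit the Deny entries at the organization level, remove only Receive-As and Send-As for the admin groups, verify on the mailbox), as an added example that is not code from the thread. The group list and mailbox name are assumptions. It runs with -WhatIf first so that nothing is removed until the report has been read; every other Deny entry on the organization object is left alone, since the thread only establishes those two rights as safe to remove.

```powershell
# Added example, not from the thread. Assumed names: the three admin groups below and
# the mailbox 'Firm-Mail'. Requires the Exchange Management Shell (on-premises).
param(
    [string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Organization Management'),
    [string]$Mailbox  = 'Firm-Mail',
    [switch]$WhatIf
)

$org = Get-OrganizationConfig

# 1. Report every Deny entry at the organization level before touching anything.
#    Entries here are inherited by every mailbox underneath, which is why
#    Remove-MailboxPermission on a single mailbox cannot clear them.
$denies = $org | Get-ADPermission | Where-Object { $_.Deny }
$denies | Format-Table User, ExtendedRights, AccessRights, IsInherited -AutoSize

# 2. Remove only the two rights that block opening a mailbox (Receive-As) and sending
#    as its owner (Send-As), and only for the groups named. Other Deny entries stay.
foreach ($g in $Groups) {
    $target = $denies | Where-Object {
        "$($_.User)" -like "*\$g" -and
        (($_.ExtendedRights | ForEach-Object { "$_" }) -match '^(Receive-As|Send-As)$')
    }
    if ($target) {
        Write-Host "Removing Receive-As/Send-As Deny for $g"
        $org | Remove-ADPermission -User $g -ExtendedRights 'Receive-As','Send-As' -Deny -WhatIf:$WhatIf
    }
    else {
        Write-Host "No Receive-As/Send-As Deny found for $g"
    }
}

# 3. Verify on one mailbox: after the parent entries are gone, no Deny should remain
#    for these groups. Anything still listed with IsInherited = True comes from
#    another parent object (for example the OU) and must be traced there.
Get-MailboxPermission -Identity $Mailbox |
    Where-Object { $_.Deny } |
    Format-Table User, AccessRights, IsInherited, InheritanceType -AutoSize
```

Run it once without arguments to see the report with -WhatIf semantics for the removal, and a second time with the -WhatIf switch omitted only after confirming that the listed entries are the ones expected. The trade-off Peter Hutchison named still applies: members of these groups can then open any mailbox, so the groups should be kept small and their use audited.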
Author Closing Comment

by:jet-info
OK, so I removed all bad entries and it works great now.

Thank you very much !