Solved

Exchange: add full access right to a user for a mailbox

Posted on 2014-02-21
Last Modified: 2014-03-14
Hi Experts,

We encounter a strange behavior when adding full access rights to a specific mailbox for a user, while all other mailboxes work fine (we can access them in Outlook without problem with this user's profile). If I remove and re-add this user's full access right to that mailbox, an unknown error appears randomly. Sometimes it works without error, but in Outlook we can't open the mailbox because of an insufficient rights error.

Cannot display the folder. Microsoft Outlook cannot access the specified folder location. The operation failed. An object cannot be found.

Even when I try to add full access rights to that mailbox for a domain admin...

I found this in eventvwr on the Exchange Server with the event ID 6 from MSExchange Cmdletlogs:

Cmdlet failed. Cmdlet Add-ADPermission, parameters {Identity=DMN.local/Company/Users/Clovis Cornillac, User=DMN\user, ExtendedRights={Send-as}}.

Detailed view:

Microsoft.Exchange.Data.Directory.ADOperationException: Active Directory operation failed on SERVER07.DMN.local. This error is not retriable. Additional information: Access is denied. Active directory response: 00000005: SecErr: DSID-031521E1, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 ---> System.DirectoryServices.Protocols.DirectoryOperationException: The user has insufficient access rights. at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut) at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout) at Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation, IAccountingObject budget, Nullable`1 clientSideSearchTimeout) at Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException) --- End of inner exception stack trace --- at Microsoft.Exchange.Data.Directory.ADSession.AnalyzeDirectoryError(PooledLdapConnection connection, DirectoryRequest request, DirectoryException de, Int32 totalRetries, Int32 retriesOnServer) at Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException) at Microsoft.Exchange.Data.Directory.ADSession.SaveSecurityDescriptor(ADObject obj, RawSecurityDescriptor sd, Boolean modifyOwner) at Microsoft.Exchange.Data.Directory.ADSession.SaveSecurityDescriptor(ADObjectId id, RawSecurityDescriptor sd) at Microsoft.Exchange.Management.Tasks.DirectoryCommon.SetAces(TaskVerboseLoggingDelegate verboseLogger, TaskWarningLoggingDelegate warningLogger, ErrorLoggerDelegate errorLogger, ADSession session, ADObjectId id, Boolean remove, ActiveDirectoryAccessRule[] aces) at 
Microsoft.Exchange.Management.Tasks.DirectoryCommon.SetAces(TaskVerboseLoggingDelegate verboseLogger, TaskWarningLoggingDelegate warningLogger, ErrorLoggerDelegate errorLogger, ADSession session, ADObjectId id, ActiveDirectoryAccessRule[] aces) at Microsoft.Exchange.Management.RecipientTasks.AddADPermission.ApplyModification(ADRawEntry modifiedObject, ActiveDirectoryAccessRule[] modifiedAces) at Microsoft.Exchange.Management.RecipientTasks.SetPermissionTaskBase`3.InternalEndProcessing()

An AD problem apparently...

If you have a suggestion to fix it quickly, I would appreciate it a lot!


Thanks in advance for your help, best regards,


Guillaume
Question by:jet-info
LVL 20

Expert Comment

by:Peter Hutchison
ID: 39876793
Please use Add-MailboxPermission instead of the Add-ADPermission cmdlet to give other users rights to mailboxes.

Author Comment

by:jet-info
ID: 39877220
OK I'll try that.
LVL 14

Expert Comment

by:Justin Yeung
ID: 39877598
I would say, instead of just adding the permission, first check the permission:

do Get-MailboxPermission -Identity "mailbox"

and determine what is missing from there

then you can run Add-MailboxPermission -Identity "mailbox" -User "user" -AccessRights ("FullAccess, Send As, etc.")

Author Comment

by:jet-info
ID: 39903591
Dear all,

Sorry for the delay.

I removed all specific user rights on the mailbox with this command:

Remove-MailboxPermission -Identity mailbox -User user1 -AccessRights FullAccess -InheritanceType All


Then I added the FullAccess rights to the needed users with this command:

Add-MailboxPermission -Identity mailbox -User user1 -AccessRights FullAccess -InheritanceType All

The result is the same in Outlook when I try to open the mailbox:

Cannot display the folder. Microsoft Outlook cannot access the specified folder location. The operation failed. An object cannot be found.

Any idea?
LVL 20

Expert Comment

by:Peter Hutchison
ID: 39903625
Is your account a Domain Admin? If so, then you may still have Deny rights applied which may be overriding those permissions.

To remove the Deny rights, try these commands:

Get-OrganizationConfig | Remove-ADPermission -user "Domain Admins" -ExtendedRights "Receive-As","Send-As" -Deny
Get-OrganizationConfig | Remove-ADPermission -user "Enterprise Admins" -ExtendedRights "Receive-As","Send-As" -Deny
Get-OrganizationConfig | Remove-ADPermission -user "Organization Management" -ExtendedRights "Receive-As","Send-As" -Deny

Author Comment

by:jet-info
ID: 39917815
I'll try this on Wednesday, the day I work for this customer.

Thank you for your patience!

Best

Author Comment

by:jet-info
ID: 39928819
My last post disappeared...! Maybe it was too large?

So, I first tried to launch Get-OrganizationConfig | Get-ADPermission and found some deny permissions. See the result in the attachment.

Is there any risk to launch the three commands above?

Thank you for your help.
140314-ADPermission-mod.txt
LVL 20

Expert Comment

by:Peter Hutchison
ID: 39928827
The only risk is that there are users in these groups that may have more rights than needed, but other than that it should be okay.

Author Comment

by:jet-info
ID: 39928853
OK, let's go for it.

Why do we limit this action to "Receive-As","Send-As"?
Could we launch a command for a particular user?

Thanks !

Author Comment

by:jet-info
ID: 39928947
OK, commands launched. I still have deny permissions on some users like this:
User                : DOMAIN\Domain Admins
Identity            : Firm-Mail
Deny                : True
AccessRights        : {ExtendedRight}
IsInherited         : False
Properties          :
ChildObjectTypes    :
InheritedObjectType :
InheritanceType     : All

Which command should I launch to remove them?


I still have FullAccess deny permissions for some groups or users when I launch Get-MailboxPermission for this mailbox. I launched this command to remove them:

Remove-MailboxPermission -Identity user -User "DOMAIN\Domain Admins" -AccessRights FullAccess -Deny -InheritanceType All

I received this message:

WARNING: An inherited access control entry has been specified: [Rights: CreateChild, ControlType: Deny]  and was ignored on object "CN=User Name,OU=Users,OU=Firm,DC=DOMAIN,DC=local".

So I launched these commands:

Remove-MailboxPermission -Identity user -User "DOMAIN\Domain Admins" -AccessRights FullAccess -InheritanceType All

Add-MailboxPermission -Identity user -User "DOMAIN\Domain Admins" -AccessRights FullAccess -InheritanceType All

I received this message:

WARNING: Some delegates added may not show up automatically in Outlook. Outlook is limited to displaying only the first 32 entries (If a delegate user has an archive, the user counts as 2 entries).

The FullAccess deny permissions are still present...

What to do please?


Thank you.
LVL 20

Expert Comment

by:Peter Hutchison
ID: 39929129
Could you look in ADSIEdit in the Configuration section for Exchange and check where your rights are applied? See Configuration, Services, Microsoft Exchange, <org name> and look at the Security permissions at that level.

Author Comment

by:jet-info
ID: 39929395
There are a lot of deny permissions here. Which ones can I remove without risk?
I deleted the deny permission for a particular admin user for send-as.

There is Store transport access, Store read and write access, Store constrained delegation, and Special (nothing is checked under Special) Permissions for Domain admins, Enterprise admins, Org Management and Schema admins.
Could I remove the deny permissions without affecting normal operation?


There is also a Read msExchAvailabilityUserPassword permission for Authenticated Users; I suppose that I have to leave it as is.


Thank you for your time.
LVL 20

Accepted Solution

by:Peter Hutchison
ID: 39929403
The two properties you can remove deny rights for are Send-As and Receive-As; this will give you full mailbox permissions and Send As (another user) permission on mailboxes.
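An added example (not from any of the posts above) that ties together Peter Hutchison's Deny-removal commands and the accepted solution: it lists the Deny entries at the organization level and on the mailbox first, showing which ones are inherited (the thread shows Remove-MailboxPermission ignores inherited Deny ACEs), and only removes the explicit organization-level Receive-As/Send-As denies when asked, under -WhatIf so the change can be reviewed before it is applied. It assumes an Exchange Management Shell session; the mailbox name is a placeholder.

```powershell
# Added example, not code from the thread. Run in the Exchange Management Shell.
# Usage: .\Audit-MailboxDeny.ps1 -Mailbox "Firm-Mail"            (report only)
#        .\Audit-MailboxDeny.ps1 -Mailbox "Firm-Mail" -Remove    (preview removal)
param(
    [Parameter(Mandatory)] [string] $Mailbox,   # placeholder mailbox identity
    [switch] $Remove                            # default is report-only
)

# The two extended rights the accepted solution says are safe to un-deny.
$rights = @("Receive-As", "Send-As")

# 1. Organization-level Deny ACEs. These are inherited by every mailbox,
#    which is why removing them per mailbox was ignored in the thread.
$orgDeny = Get-OrganizationConfig | Get-ADPermission |
    Where-Object {
        $_.Deny -and
        ($_.ExtendedRights | ForEach-Object { "$_" } | Where-Object { $rights -contains $_ })
    }

# 2. Deny ACEs as seen on the mailbox itself, explicit and inherited.
$mbxDeny = Get-MailboxPermission -Identity $Mailbox | Where-Object { $_.Deny }

"Organization-level Deny entries for Receive-As / Send-As:"
$orgDeny | Format-Table User, ExtendedRights, IsInherited -AutoSize
"Deny entries visible on mailbox '$Mailbox' (inherited ones must be fixed at their source):"
$mbxDeny | Format-Table User, AccessRights, IsInherited, InheritanceType -AutoSize

if ($Remove) {
    # Only explicit (non-inherited) org-level entries can be removed here.
    # -WhatIf previews each removal; drop it once the listing above is confirmed.
    $orgDeny | Where-Object { -not $_.IsInherited } | ForEach-Object {
        Get-OrganizationConfig |
            Remove-ADPermission -User $_.User -ExtendedRights $rights -Deny -WhatIf
    }
}
```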

Author Closing Comment

by:jet-info
ID: 39929747
OK, so I removed all bad entries and it works great now.

Thank you very much !
0
