Solved

Exchange: add full access right to a user for a mailbox

Posted on 2014-02-21
10,597 Views
Last Modified: 2014-03-14
Hi Experts,

We encounter a strange behavior when adding full access right to a specific mailbox for a user, while all other mailboxes work fine (we can access them in Outlook without problem with this user's profile). If I remove and re-add this user's full access right to that mailbox, an unknown error appears randomly. Sometimes it works without error, but in Outlook we can't open the mailbox because of an insufficient rights error:

Cannot display the folder. Microsoft Outlook cannot access the specified folder location. The operation failed. An object cannot be found.

Even when I try to add full access right on that mailbox for an admin of the domain...

I found this in eventvwr on the Exchange Server with the event ID 6 from MSExchange Cmdletlogs:

Cmdlet failed. Cmdlet Add-ADPermission, parameters {Identity=DMN.local/Company/Users/Clovis Cornillac, User=DMN\user, ExtendedRights={Send-as}}.

Detailed view:

Microsoft.Exchange.Data.Directory.ADOperationException: Active Directory operation failed on SERVER07.DMN.local. This error is not retriable. Additional information: Access is denied. Active directory response: 00000005: SecErr: DSID-031521E1, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
---> System.DirectoryServices.Protocols.DirectoryOperationException: The user has insufficient access rights.
   at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
   at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
   at Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation, IAccountingObject budget, Nullable`1 clientSideSearchTimeout)
   at Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException)
   --- End of inner exception stack trace ---
   at Microsoft.Exchange.Data.Directory.ADSession.AnalyzeDirectoryError(PooledLdapConnection connection, DirectoryRequest request, DirectoryException de, Int32 totalRetries, Int32 retriesOnServer)
   at Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException)
   at Microsoft.Exchange.Data.Directory.ADSession.SaveSecurityDescriptor(ADObject obj, RawSecurityDescriptor sd, Boolean modifyOwner)
   at Microsoft.Exchange.Data.Directory.ADSession.SaveSecurityDescriptor(ADObjectId id, RawSecurityDescriptor sd)
   at Microsoft.Exchange.Management.Tasks.DirectoryCommon.SetAces(TaskVerboseLoggingDelegate verboseLogger, TaskWarningLoggingDelegate warningLogger, ErrorLoggerDelegate errorLogger, ADSession session, ADObjectId id, Boolean remove, ActiveDirectoryAccessRule[] aces)
   at Microsoft.Exchange.Management.Tasks.DirectoryCommon.SetAces(TaskVerboseLoggingDelegate verboseLogger, TaskWarningLoggingDelegate warningLogger, ErrorLoggerDelegate errorLogger, ADSession session, ADObjectId id, ActiveDirectoryAccessRule[] aces)
   at Microsoft.Exchange.Management.RecipientTasks.AddADPermission.ApplyModification(ADRawEntry modifiedObject, ActiveDirectoryAccessRule[] modifiedAces)
   at Microsoft.Exchange.Management.RecipientTasks.SetPermissionTaskBase`3.InternalEndProcessing()

An AD problem apparently...

If you have a suggestion to fix it quickly, I would appreciate it a lot!


Thanks in advance for your help, best regards,


Guillaume
Question by:jet-info
14 Comments
 
LVL 19

Expert Comment

by:Peter Hutchison
ID: 39876793
Please use the Add-MailboxPermission instead of the Add-ADPermission cmdlet to give rights to mailboxes to other users.
0
 

Author Comment

by:jet-info
ID: 39877220
OK I'll try that.
0
 
LVL 14

Expert Comment

by:Justin Yeung
ID: 39877598
I would say, instead of just adding the permission, first check the permission:

Get-MailboxPermission -Identity "mailbox"

and determine what is missing from there,

then you can run Add-MailboxPermission -Identity "mailbox" -AccessRights ("FullAccess, Send-As, etc.")
0
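The check-then-add sequence recommended above, written out as an added example (this is not code from the thread or from the Exchange product). It runs in the Exchange Management Shell; the mailbox identity `Firm-Mail` and the trustee `DOMAIN\user1` are placeholders, and `Get-MailboxAceReport` / `Test-ExplicitFullAccess` are helper names chosen here:

```powershell
# Added example (not code from the thread): audit a mailbox's permission entries
# before granting FullAccess, then grant it only when it is not already there.
# Run in the Exchange Management Shell. $Mailbox and $User are placeholders.
param(
    [string]$Mailbox = 'Firm-Mail',      # placeholder mailbox identity
    [string]$User    = 'DOMAIN\user1'    # placeholder trustee
)

function Get-MailboxAceReport {
    # Returns the entries worth reading: everything except inherited Allow
    # entries and the mailbox owner's own SELF entry. Deny entries are kept
    # even when inherited, because an inherited Deny still blocks access.
    param([string]$Identity)
    Get-MailboxPermission -Identity $Identity |
        Where-Object {
            "$($_.User)" -ne 'NT AUTHORITY\SELF' -and
            ($_.Deny -or -not $_.IsInherited)
        } |
        Select-Object @{n='User';   e={ "$($_.User)" }},
                      @{n='Rights'; e={ $_.AccessRights -join ',' }},
                      Deny, IsInherited, InheritanceType
}

function Test-ExplicitFullAccess {
    # True when $Trustee already holds an explicit (non-inherited) Allow FullAccess entry.
    param([string]$Identity, [string]$Trustee)
    $hit = Get-MailboxPermission -Identity $Identity -User $Trustee |
        Where-Object {
            -not $_.Deny -and -not $_.IsInherited -and
            ("$($_.AccessRights)" -match 'FullAccess')
        }
    return [bool]$hit
}

Write-Output "=== Permission entries on $Mailbox before the change ==="
Get-MailboxAceReport -Identity $Mailbox | Format-Table -AutoSize

if (Test-ExplicitFullAccess -Identity $Mailbox -Trustee $User) {
    Write-Output "$User already has explicit FullAccess on $Mailbox; nothing added."
} else {
    # Mailbox-level grant: this is the cmdlet for FullAccess, not Add-ADPermission.
    Add-MailboxPermission -Identity $Mailbox -User $User `
        -AccessRights FullAccess -InheritanceType All | Out-Null
    Write-Output "Granted FullAccess on $Mailbox to $User."
}

# A Deny entry wins over the Allow just granted. Report every Deny entry so the
# administrator can check whether $User, or a group it belongs to, is named in it.
$deny = Get-MailboxAceReport -Identity $Mailbox | Where-Object { $_.Deny }
if ($deny) {
    Write-Warning "Deny entries exist on $Mailbox; access fails for members of these principals:"
    $deny | Format-Table -AutoSize
}
```

The report is what makes the difference from a bare `Add-MailboxPermission`: if the same user is a member of a group that carries a Deny entry (explicit or inherited), the grant succeeds but Outlook still fails with the "Cannot display the folder" error, and the Deny is what has to be dealt with.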
 

Author Comment

by:jet-info
ID: 39903591
Dear all,

Sorry for the delay.

I removed all specific users' rights on the mailbox with this command:

Remove-MailboxPermission -Identity mailbox -User user1 -AccessRights FullAccess -InheritanceType All


Then I added the FullAccess rights to the needed users with this command:

Add-MailboxPermission -Identity mailbox -User user1 -AccessRights FullAccess -InheritanceType All

The result is the same in Outlook when I try to open the mailbox:

 Cannot display the folder. Microsoft Outlook cannot access the specified folder location. The operation failed. An object cannot be found.

Any idea?
0
 
LVL 19

Expert Comment

by:Peter Hutchison
ID: 39903625
Is your account a Domain Admin? If so, then you may still have Deny rights applied which may be overriding those permissions.

To remove the Deny rights, try these commands:

Get-OrganizationConfig | Remove-ADPermission -user "Domain Admins" -ExtendedRights "Receive-As","Send-As" -Deny
Get-OrganizationConfig | Remove-ADPermission -user "Enterprise Admins" -ExtendedRights "Receive-As","Send-As" -Deny
Get-OrganizationConfig | Remove-ADPermission -user "Organization Management" -ExtendedRights "Receive-As","Send-As" -Deny
0
 

Author Comment

by:jet-info
ID: 39917815
I will try this on Wednesday, the day I work for this customer.

Thank you for your patience!

Best
0
 

Author Comment

by:jet-info
ID: 39928819
My last post disappeared...! Maybe it was too large?

So, I first tried to launch Get-OrganizationConfig | Get-ADPermission and found some Deny permissions. See the result in the attachment.

Is there any risk in launching the three commands above?

Thank you for your help.
140314-ADPermission-mod.txt
0
 
LVL 19

Expert Comment

by:Peter Hutchison
ID: 39928827
The only risk is that there are users in these groups that may have more rights than needed, but other than that it should be okay.
0
 

Author Comment

by:jet-info
ID: 39928853
OK, let's go for it.

Why do we limit this action to "Receive-As","Send-As"?
Could we launch a command for a particular user?

Thanks!
0
 

Author Comment

by:jet-info
ID: 39928947
OK, commands launched. I still have Deny permissions on some users, like this:
User                : DOMAIN\Domain Admins
Identity            : Firm-Mail
Deny                : True
AccessRights        : {ExtendedRight}
IsInherited         : False
Properties          :
ChildObjectTypes    :
InheritedObjectType :
InheritanceType     : All

Which command should I launch to remove them?


I still have FullAccess Deny permissions for some groups or users when I launch Get-MailboxPermission for this mailbox. I launched this command to remove them:

Remove-MailboxPermission -Identity user -User "DOMAIN\Domain Admins" -AccessRights FullAccess -deny -InheritanceType All

I received this message:

WARNING: An inherited access control entry has been specified: [Rights: CreateChild, ControlType: Deny]  and was ignored on object "CN=User Name,OU=Users,OU=Firm,DC=DOMAIN,DC=local".

So I launched these commands:

Remove-MailboxPermission -Identity user -User "DOMAIN\Domain Admins" -AccessRights FullAccess -InheritanceType All

Add-MailboxPermission -Identity user -User "DOMAIN\Domain Admins" -AccessRights FullAccess -InheritanceType All

I received this message:

WARNING: Some delegates added may not show up automatically in Outlook. Outlook is limited to displaying only the first 32 entries (If a delegate user has an archive, the user counts as 2 entries).

The FullAccess Deny permissions are still present...

What to do please?


Thank you.
0
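The situation in the post above (a Deny entry that `Remove-MailboxPermission` cannot remove because it is inherited) and the three `Get-OrganizationConfig | Remove-ADPermission ... -Deny` commands suggested earlier in the thread, combined into one added example. This is not code from the thread or from Exchange; it runs in the Exchange Management Shell, the mailbox identity `Firm-Mail` is a placeholder, the group list is an assumption matching the earlier commands, and by default it only reports (`-WhatIf`) until run with `-Remove`:

```powershell
# Added example (not code from the thread): locate the Deny entries that block a
# FullAccess grant, show which ones are inherited (and so cannot be removed on
# the mailbox), and remove the organization-level Deny of Receive-As / Send-As
# for the listed admin groups. Dry run unless -Remove is given.
param(
    [string]$Mailbox = 'Firm-Mail',                                   # placeholder
    [string[]]$AdminGroups = @('Domain Admins', 'Enterprise Admins', 'Organization Management'),
    [switch]$Remove                                                   # default: -WhatIf only
)

$interesting = @('Receive-As', 'Send-As')

# 1. Deny entries on the mailbox object itself. An inherited entry cannot be
#    removed with Remove-MailboxPermission on the mailbox; that is what the
#    "inherited access control entry ... was ignored" warning means.
Write-Output "=== Deny entries on $Mailbox ==="
Get-MailboxPermission -Identity $Mailbox |
    Where-Object { $_.Deny } |
    ForEach-Object {
        $source = if ($_.IsInherited) { 'inherited - fix at the parent container' }
                  else                { 'explicit - removable on this mailbox' }
        '{0,-35} {1,-20} {2}' -f "$($_.User)", ($_.AccessRights -join ','), $source
    }

# 2. The organization object is where Exchange places the default Deny of
#    Receive-As / Send-As for the admin groups; every mailbox inherits it.
$org = Get-OrganizationConfig
$orgDeny = $org | Get-ADPermission |
    Where-Object {
        $_.Deny -and ("$($_.AccessRights)" -match 'ExtendedRight') -and
        (@($_.ExtendedRights | ForEach-Object { "$_" } |
            Where-Object { $interesting -contains $_ }).Count -gt 0)
    }

Write-Output "=== Deny of Receive-As / Send-As on $($org.Identity) ==="
foreach ($ace in $orgDeny) {
    $principal = "$($ace.User)"
    $group     = ($principal -split '\\')[-1]          # strip the DOMAIN\ prefix
    $rights    = @($ace.ExtendedRights | ForEach-Object { "$_" } |
                   Where-Object { $interesting -contains $_ })

    if ($AdminGroups -contains $group) {
        # Removes exactly the matching Deny entry; with -WhatIf nothing changes.
        $org | Remove-ADPermission -User $principal -ExtendedRights $rights `
            -Deny -WhatIf:(-not $Remove) -Confirm:$false
        $action = if ($Remove) { 'removed' } else { 'would remove' }
        Write-Output ('{0,-35} {1,-20} {2}' -f $principal, ($rights -join ','), $action)
    } else {
        Write-Output ('{0,-35} {1,-20} left in place (not in -AdminGroups)' -f $principal, ($rights -join ','))
    }
}
```

Run it once without `-Remove` and compare the second table with the attachment from `Get-OrganizationConfig | Get-ADPermission`: only entries whose principal is in `-AdminGroups` and whose extended right is Receive-As or Send-As are touched, so the other Deny entries on the organization object (store access and the like, mentioned later in the thread) stay as they are. The caveat is the one raised earlier: once these Deny entries are gone, every member of those groups can open and send from any mailbox, so where possible grant FullAccess to a dedicated non-admin account instead of widening what the admin groups can do.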
 
LVL 19

Expert Comment

by:Peter Hutchison
ID: 39929129
Could you look in ADSIEdit in the Configuration section for Exchange and check where your rights are applied? See Configuration, Services, Microsoft Exchange, <org name> and look at the Security permissions at that level.
0
 

Author Comment

by:jet-info
ID: 39929395
There are a lot of Deny permissions here. Which ones can I remove without risk?
I deleted the Deny permission for a particular admin user for Send-As.

There are Store transport access, Store read and write access, Store constrained delegation, and Special (nothing is checked under Special) permissions for Domain Admins, Enterprise Admins, Org Management and Schema Admins.
Could I remove the Deny permissions without affecting normal operation?


There is also a Read msExchAvailabilityUserPassword permission for Authenticated Users; I suppose that I have to leave it as is.


Thank you for your time.
0
 
LVL 19

Accepted Solution

by:
Peter Hutchison earned 500 total points
ID: 39929403
The two properties you can remove Deny rights for are Send-As and Receive-As; this will give you full mailbox permissions and Send As (another user) permission on mailboxes.
0
 

Author Closing Comment

by:jet-info
ID: 39929747
OK, so I removed all bad entries and it works great now.

Thank you very much!
0