jet-info (Switzerland) asked:

Exchange: add full access right to a user for a mailbox

Hi Experts,

We encounter a strange behavior adding full access right to a specific mailbox for a user, while all other mailboxes are working fine (we can access them in Outlook without problem with this user's profile). If I turn this user's full access right to that mailbox off and on, an unknown error appears randomly. Sometimes it works without error, but in Outlook we can't open the mailbox because of an insufficient rights error.

Cannot display the folder. Microsoft Outlook cannot access the specified folder location. The operation failed. An object cannot be found.

Even when I try to add full access right to that mailbox to an admin of the domain...

I found this in eventvwr on the Exchange Server with the event ID 6 from MSExchange Cmdletlogs:

Cmdlet failed. Cmdlet Add-ADPermission, parameters {Identity=DMN.local/Company/Users/Clovis Cornillac, User=DMN\user, ExtendedRights={Send-as}}.

Detailed view:

Microsoft.Exchange.Data.Directory.ADOperationException: Active Directory operation failed on SERVER07.DMN.local. This error is not retriable. Additional information: Access is denied. Active directory response: 00000005: SecErr: DSID-031521E1, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 ---> System.DirectoryServices.Protocols.DirectoryOperationException: The user has insufficient access rights. at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut) at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout) at Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation, IAccountingObject budget, Nullable`1 clientSideSearchTimeout) at Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException) --- End of inner exception stack trace --- at Microsoft.Exchange.Data.Directory.ADSession.AnalyzeDirectoryError(PooledLdapConnection connection, DirectoryRequest request, DirectoryException de, Int32 totalRetries, Int32 retriesOnServer) at Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException) at Microsoft.Exchange.Data.Directory.ADSession.SaveSecurityDescriptor(ADObject obj, RawSecurityDescriptor sd, Boolean modifyOwner) at Microsoft.Exchange.Data.Directory.ADSession.SaveSecurityDescriptor(ADObjectId id, RawSecurityDescriptor sd) at Microsoft.Exchange.Management.Tasks.DirectoryCommon.SetAces(TaskVerboseLoggingDelegate verboseLogger, TaskWarningLoggingDelegate warningLogger, ErrorLoggerDelegate errorLogger, ADSession session, ADObjectId id, Boolean remove, ActiveDirectoryAccessRule[] aces) at 
Microsoft.Exchange.Management.Tasks.DirectoryCommon.SetAces(TaskVerboseLoggingDelegate verboseLogger, TaskWarningLoggingDelegate warningLogger, ErrorLoggerDelegate errorLogger, ADSession session, ADObjectId id, ActiveDirectoryAccessRule[] aces) at Microsoft.Exchange.Management.RecipientTasks.AddADPermission.ApplyModification(ADRawEntry modifiedObject, ActiveDirectoryAccessRule[] modifiedAces) at Microsoft.Exchange.Management.RecipientTasks.SetPermissionTaskBase`3.InternalEndProcessing()

An AD problem apparently...

If you have a suggestion to fix it quickly, I would appreciate it a lot!


Thanks in advance for your help, best regards,


Guillaume
Peter Hutchison (United Kingdom):

Please use the Add-MailboxPermission instead of the Add-ADPermission cmdlet to give rights to mailboxes to other users.
jet-info (asker):

OK I'll try that.
I would say, instead of just adding the permission, first check the permission:

do get-MailboxPermission -id "mailbox"

and determine what is missing from there

then you can add-mailboxpermission -id "mailbox" -accessright ("fullaccess, send as, etc")
Dear all,

Sorry for the delay.

I removed all specific user rights on the mailbox with this command:

Remove-MailboxPermission -Identity mailbox -User user1 -AccessRights FullAccess -InheritanceType All


Then I added the FullAccess rights to the needed users with this command:

Add-MailboxPermission -Identity mailbox -User user1 -AccessRights FullAccess -InheritanceType All

The result is the same in Outlook when I try to open the mailbox:

Cannot display the folder. Microsoft Outlook cannot access the specified folder location. The operation failed. An object cannot be found.

Any idea?
Is your account a Domain Admin? If so, then you may still have Deny rights applied which may be overriding those permissions.

To remove the Deny rights, try these commands:

Get-OrganizationConfig | Remove-ADPermission -user "Domain Admins" -ExtendedRights "Receive-As","Send-As" -Deny
Get-OrganizationConfig | Remove-ADPermission -user "Enterprise Admins" -ExtendedRights "Receive-As","Send-As" -Deny
Get-OrganizationConfig | Remove-ADPermission -user "Organization Management" -ExtendedRights "Receive-As","Send-As" -Deny
I will try this on Wednesday; it is the day I work for this customer.

Thank you for your patience!

Best
My last post disappeared...! Maybe it was too large?

So, I tried first to launch Get-OrganizationConfig | Get-ADPermission and found some deny permissions. See result in attachment.

Is there any risk to launch the three commands above?

Thank you for your help.

Attachment: 140314-ADPermission-mod.txt
The only risk is that there are users in these groups that may have more rights than needed, but other than that, it should be okay.
OK, let's go for it.

Why do we limit this action to "Receive-As","Send-As"?
Could we launch a command for a particular user?

Thanks!
OK, commands launched. I still have deny permissions on some users like this:
User                : DOMAIN\Domain Admins
Identity            : Firm-Mail
Deny                : True
AccessRights        : {ExtendedRight}
IsInherited         : False
Properties          :
ChildObjectTypes    :
InheritedObjectType :
InheritanceType     : All

Which command should I launch to remove them?


I still have FullAccess deny permission for some groups or users when I launch Get-MailboxPermission for this mailbox, I launched this command to remove them:

Remove-MailboxPermission -Identity user -User "DOMAIN\Domain Admins" -AccessRights FullAccess -deny -InheritanceType All

I received this message:

WARNING: An inherited access control entry has been specified: [Rights: CreateChild, ControlType: Deny]  and was ignored on object "CN=User Name,OU=Users,OU=Firm,DC=DOMAIN,DC=local".

So I launched these commands:

Remove-MailboxPermission -Identity user -User "DOMAIN\Domain Admins" -AccessRights FullAccess -InheritanceType All

Add-MailboxPermission -Identity user -User "DOMAIN\Domain Admins" -AccessRights FullAccess -InheritanceType All

I received this message:

WARNING: Some delegates added may not show up automatically in Outlook. Outlook is limited to displaying only the first 32 entries (If a delegate user has an archive, the user counts as 2 entries).

FullAccess deny permissions are still present...

What to do please?


Thank you.
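The deny-permission hunt in the posts above runs across three layers (the mailbox-permission ACL, the mailbox's own AD object, and the organization container, whose ACEs inherit downwards and are what Remove-MailboxPermission reports as "inherited ... and was ignored"). The following is an added audit script, not code from the thread; it assumes an Exchange Management Shell session, and the mailbox name and group are placeholders taken from the thread's output.

```powershell
# Added example (not from this thread): list every Deny ACE for one mailbox at the three
# layers the discussion touches, then preview removal of an org-level Deny with -WhatIf.
# Assumes an Exchange Management Shell session; identities below are placeholders.

function Get-DenyAces {
    param([Parameter(Mandatory)][string]$MailboxId)

    # Layer 1: mailbox-permission ACL (what Outlook's FullAccess check relies on).
    Get-MailboxPermission -Identity $MailboxId |
        Where-Object { $_.Deny } |
        Select-Object @{n='Layer';e={'MailboxPermission'}}, User,
                      @{n='Rights';e={$_.AccessRights -join ','}}, IsInherited, InheritanceType

    # Layer 2: the mailbox's own AD object (Send-As / Receive-As extended rights).
    Get-ADPermission -Identity $MailboxId |
        Where-Object { $_.Deny } |
        Select-Object @{n='Layer';e={'AD(mailbox)'}}, User,
                      @{n='Rights';e={$_.ExtendedRights -join ','}}, IsInherited, InheritanceType

    # Layer 3: the organization container. Deny ACEs here inherit to every mailbox, so a
    # Remove-MailboxPermission on the user object reports them as inherited and ignores them;
    # they can only be removed where they are defined.
    Get-OrganizationConfig | Get-ADPermission |
        Where-Object { $_.Deny } |
        Select-Object @{n='Layer';e={'AD(org)'}}, User,
                      @{n='Rights';e={$_.ExtendedRights -join ','}}, IsInherited, InheritanceType
}

# Remove one explicit org-level Deny for Send-As/Receive-As. Prompts by default (ConfirmImpact
# High) because dropping these Denies widens what the group can read; -WhatIf only previews.
function Remove-OrgDenyAce {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact='High')]
    param([Parameter(Mandatory)][string]$Group)

    $org = Get-OrganizationConfig
    if ($PSCmdlet.ShouldProcess($org.Name, "Remove Deny Receive-As/Send-As for $Group")) {
        $org | Remove-ADPermission -User $Group -ExtendedRights 'Receive-As','Send-As' -Deny -Confirm:$false
    }
}

# Usage: inventory every Deny ACE for the mailbox, then dry-run one removal.
Get-DenyAces -MailboxId 'Firm-Mail' | Format-Table -AutoSize
Remove-OrgDenyAce -Group 'DOMAIN\Domain Admins' -WhatIf
```

Compare the Layer column against the IsInherited flag: an entry that is inherited at the mailbox layers but explicit at AD(org) has to be removed at the org level, which is what the three Get-OrganizationConfig | Remove-ADPermission commands earlier in the thread do.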
Could you look in ADSIEdit in the Configuration section for Exchange and check where your rights are applied at. See Configuration, Services, Microsoft Exchange, <org name> and look at the Security permissions at that level.
There is a lot of deny permissions here. Which one can I remove without risk ?
I deleted the deny permission for a particular admin user for send-as.

There is Store transport access, Store read and write access, Store constrained delegation, and Special (nothing is checked under Special) Permissions for Domain admins, Enterprise admins, Org Management and Schema admins.
Could I remove the deny permissions without affecting normal operation?


There is also a Read msExchAvailabilityUserPassword permission for Authenticated Users; I suppose that I have to leave it as is.


Thank you for your time.
ASKER CERTIFIED SOLUTION
Peter Hutchison (United Kingdom)

OK, so I removed all bad entries and it works great now.

Thank you very much!