jet-info
asked on
Exchange : add full access right to an user for a mailbox
Hi Experts,
We encounter a strange behavior when adding the full access right on a specific mailbox for a user, while all other mailboxes work fine (we can access them in Outlook without problems with this user's profile). If I remove and re-add this user's full access right on that mailbox, an unknown error appears randomly. Sometimes it works without error, but in Outlook we can't open the mailbox because of an insufficient rights error:
Cannot display the folder. Microsoft Outlook cannot access the specified folder location. The operation failed. An object cannot be found.
Even when I try to add the full access right on that mailbox for a domain admin...
I found this in Event Viewer on the Exchange server, Event ID 6 from MSExchange CmdletLogs:
Cmdlet failed. Cmdlet Add-ADPermission, parameters {Identity=DMN.local/Company/Users/Clovis Cornillac, User=DMN\user, ExtendedRights={Send-as}}.
Detailed view:
Microsoft.Exchange.Data.Directory.ADOperationException: Active Directory operation failed on SERVER07.DMN.local. This error is not retriable. Additional information: Access is denied. Active directory response: 00000005: SecErr: DSID-031521E1, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 ---> System.DirectoryServices.Protocols.DirectoryOperationException: The user has insufficient access rights.
   at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
   at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
   at Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation, IAccountingObject budget, Nullable`1 clientSideSearchTimeout)
   at Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException)
   --- End of inner exception stack trace ---
   at Microsoft.Exchange.Data.Directory.ADSession.AnalyzeDirectoryError(PooledLdapConnection connection, DirectoryRequest request, DirectoryException de, Int32 totalRetries, Int32 retriesOnServer)
   at Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException)
   at Microsoft.Exchange.Data.Directory.ADSession.SaveSecurityDescriptor(ADObject obj, RawSecurityDescriptor sd, Boolean modifyOwner)
   at Microsoft.Exchange.Data.Directory.ADSession.SaveSecurityDescriptor(ADObjectId id, RawSecurityDescriptor sd)
   at Microsoft.Exchange.Management.Tasks.DirectoryCommon.SetAces(TaskVerboseLoggingDelegate verboseLogger, TaskWarningLoggingDelegate warningLogger, ErrorLoggerDelegate errorLogger, ADSession session, ADObjectId id, Boolean remove, ActiveDirectoryAccessRule[] aces)
   at Microsoft.Exchange.Management.Tasks.DirectoryCommon.SetAces(TaskVerboseLoggingDelegate verboseLogger, TaskWarningLoggingDelegate warningLogger, ErrorLoggerDelegate errorLogger, ADSession session, ADObjectId id, ActiveDirectoryAccessRule[] aces)
   at Microsoft.Exchange.Management.RecipientTasks.AddADPermission.ApplyModification(ADRawEntry modifiedObject, ActiveDirectoryAccessRule[] modifiedAces)
   at Microsoft.Exchange.Management.RecipientTasks.SetPermissionTaskBase`3.InternalEndProcessing()
An AD problem apparently...
If you have a suggestion to fix it quickly, I would appreciate it a lot!
Thanks in advance for your help, best regards,
Guillaume
Please use the Add-MailboxPermission instead of the Add-ADPermission cmdlet to give rights to mailboxes to other users.
ASKER
OK I'll try that.
I would say: instead of just adding the permission, first check the permissions.
Do Get-MailboxPermission -Identity "mailbox"
and determine what is missing from there,
then you can Add-MailboxPermission -Identity "mailbox" -AccessRights ("FullAccess", "Send As", etc.)
ASKER
Dear all,
Sorry for the delay.
I removed all specific users' rights on the mailbox with this command:
Remove-MailboxPermission -Identity mailbox -User user1 -AccessRights FullAccess -InheritanceType All
Then I added the FullAccess right for the needed users with this command:
Add-MailboxPermission -Identity mailbox -User user1 -AccessRights FullAccess -InheritanceType All
The result is the same in Outlook when I try to open the mailbox:
Cannot display the folder. Microsoft Outlook cannot access the specified folder location. The operation failed. An object cannot be found.
Any idea?
Is your account a Domain Admin? If so, then you may still have Deny rights applied which may be overriding those permissions.
To remove the Deny rights, try these commands:
Get-OrganizationConfig | Remove-ADPermission -user "Domain Admins" -ExtendedRights "Receive-As","Send-As" -Deny
Get-OrganizationConfig | Remove-ADPermission -user "Enterprise Admins" -ExtendedRights "Receive-As","Send-As" -Deny
Get-OrganizationConfig | Remove-ADPermission -user "Organization Management" -ExtendedRights "Receive-As","Send-As" -Deny
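Before running the three removal commands above, a practitioner will want to see exactly which Deny entries exist and where they are inherited from. The following is an added audit script, not part of this thread or of any Exchange tooling; it assumes an Exchange Management Shell session and uses a placeholder mailbox identity.

```powershell
# Added example (not from the thread): list the Deny ACEs that can mask a FullAccess
# grant, grouped by where they live, then preview the organization-level removal
# with -WhatIf so nothing is written to Active Directory until reviewed.
# $mailbox is a placeholder; replace it with the affected mailbox identity.
$mailbox = 'mailbox'

# 1. Deny ACEs on the mailbox object itself (what an Outlook logon is checked against).
$mailboxDeny = Get-MailboxPermission -Identity $mailbox |
    Where-Object { $_.Deny -eq $true }

# 2. Deny ACEs for Send-As / Receive-As on the mailbox user's AD object.
$userDeny = Get-ADPermission -Identity $mailbox |
    Where-Object { $_.Deny -eq $true -and
                   ($_.ExtendedRights -match 'Send-As|Receive-As') }

# 3. Deny ACEs on the Exchange organization object. These are inherited by every
#    mailbox below it, so an inherited Deny cannot be removed on the mailbox itself;
#    it has to be removed here, at the parent where it is defined.
$orgDeny = Get-OrganizationConfig | Get-ADPermission |
    Where-Object { $_.Deny -eq $true }

'--- Explicit Deny on the mailbox (removable with Remove-MailboxPermission -Deny) ---'
$mailboxDeny | Where-Object { -not $_.IsInherited } |
    Format-Table User, AccessRights, InheritanceType -AutoSize

'--- Inherited Deny on the mailbox (remove at the parent, not on the mailbox) ---'
$mailboxDeny | Where-Object { $_.IsInherited } |
    Format-Table User, AccessRights, InheritanceType -AutoSize

'--- Deny Send-As / Receive-As on the AD user object ---'
$userDeny | Format-Table User, ExtendedRights, IsInherited -AutoSize

'--- Deny at organization level (source of the inherited entries) ---'
$orgDeny | Format-Table User, AccessRights, ExtendedRights, IsInherited -AutoSize

# Preview the removal the answer proposes. Piping the ACE objects binds them to
# Remove-ADPermission's -Instance parameter; -WhatIf reports the change without
# applying it. Drop -WhatIf only after the listed entries have been reviewed.
$orgDeny |
    Where-Object { $_.ExtendedRights -match 'Send-As|Receive-As' } |
    Remove-ADPermission -WhatIf
```

Entries that show IsInherited as True in the mailbox listing will reappear after any Remove-MailboxPermission on the mailbox; they only go away once the organization-level or OU-level ACE they inherit from is removed.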
ASKER
I'll try this on Wednesday; it is the day I work for this customer.
Thank you for your patience!
Best
ASKER
My last post disappeared! Maybe it was too large?
So, I first tried to launch Get-OrganizationConfig | Get-ADPermission and found some Deny permissions. See the result in the attachment.
Is there any risk in launching the three commands above?
Thank you for your help.
140314-ADPermission-mod.txt
The only risk is that there are users in these groups that may have more rights than needed, but other than that, it should be okay.
ASKER
OK, let's go for it.
Why do we limit this action to "Receive-As","Send-As"?
Could we launch a command for a particular user?
Thanks!
ASKER
OK, commands launched. I still have deny permissions on some users like this:
User : DOMAIN\Domain Admins
Identity : Firm-Mail
Deny : True
AccessRights : {ExtendedRight}
IsInherited : False
Properties :
ChildObjectTypes :
InheritedObjectType :
InheritanceType : All
Which command should I launch to remove them?
I still have FullAccess Deny permissions for some groups or users when I launch Get-MailboxPermission for this mailbox. I launched this command to remove them:
Remove-MailboxPermission -Identity user -User "DOMAIN\Domain Admins" -AccessRights FullAccess -Deny -InheritanceType All
I received this message:
WARNING: An inherited access control entry has been specified: [Rights: CreateChild, ControlType: Deny] and was ignored on object "CN=User Name,OU=Users,OU=Firm,DC=DOMAIN,DC=local".
So I launched these commands:
Remove-MailboxPermission -Identity user -User "DOMAIN\Domain Admins" -AccessRights FullAccess -InheritanceType All
Add-MailboxPermission -Identity user -User "DOMAIN\Domain Admins" -AccessRights FullAccess -InheritanceType All
I received this message:
WARNING: Some delegates added may not show up automatically in Outlook. Outlook is limited to displaying only the first 32 entries (If a delegate user has an archive, the user counts as 2 entries).
The FullAccess Deny permissions are still present...
What should I do, please?
Thank you.
Could you look in ADSIEdit in the Configuration section for Exchange and check where your rights are applied? See Configuration, Services, Microsoft Exchange, <org name> and look at the Security permissions at that level.
ASKER
There are a lot of Deny permissions here. Which ones can I remove without risk?
I deleted the Deny permission for a particular admin user for Send-As.
There are Store transport access, Store read and write access, Store constrained delegation, and Special (nothing is checked under Special) permissions for Domain Admins, Enterprise Admins, Organization Management and Schema Admins.
Could I remove the Deny permissions without affecting normal operation?
There is also a Read msExchAvailabilityUserPassword permission for Authenticated Users; I suppose that I have to leave it as is.
Thank you for your time.
ASKER CERTIFIED SOLUTION
ASKER
OK, so I removed all bad entries and it works great now.
Thank you very much!