Solved

Exchange 2013 Management Console "because the ACE isn't present" error

Posted on 2014-12-18
6
1,313 Views
Last Modified: 2016-01-21
Hi,

I am trying to hide internal hostname from outgoing email through an Exchange Send Connector and have used the following command, as per a few blogs, including this one http://exchangepedia.com/2008/05/removing-internal-host-names-and-ip-addresses-from-message-headers.html.

However, when I run the command from Exchange Management Console I get errors, as shown below.

[PS] C:\Windows\system32>Get-SendConnector "AVG AntiSpam Outbound" | Remove-ADPermission -AccessRight ExtendedRight -Ext
endedRights ms-Exch-Send-Headers-Routing -user "NT AUTHORITY\Anonymous Logon"

Confirm
Are you sure you want to perform this action?
Removing Active Directory permission "AVG AntiSpam Outbound" for user "NT AUTHORITY\Anonymous Logon" with access rights
 "'ExtendedRight'".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): y
WARNING: Can't remove the access control entry on the object "CN=AVG AntiSpam Outbound,CN=Connections,CN=Exchange
Routing Group (DWBGZMFD01QNBJR),CN=Routing Groups,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative
Groups,CN=DPC,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=dpc,DC=local" for attribute "ExtendedRight
(ObjectType: eb8c07ad-b5ad-49c3-831e-bc439cca4c2a)" because the ACE isn't present.
[PS] C:\Windows\system32>

I have used ADSIedit to check the object is present but not sure how to investigate after this and am hoping someone has experience if this? Please help.

The OS of the Exchange server and DC is Windows 2012 R2 and the AD is at the latest Windows 2012 version.

Thanks
0
Comment
Question by:Gavin75
6 Comments
 
LVL 20

Expert Comment

by:Satya Pathak
ID: 40508640
0
 

Author Comment

by:Gavin75
ID: 40510723
Hi, thanks for trying but this is just the same command in slightly different order, so same result.
0
 
LVL 31

Accepted Solution

by:
Gareth Gudger earned 500 total points
ID: 40511101
This error almost implies that the permission has already been removed. Is this the only Send Connector you have in the environment?

After the change did you restart the Transport Queue?

Looks like you are doing outbound filtering with AVG. My guess would be that the AVG hop is applying internal information to the headers and not Exchange. Based on your error. Vendors like AVG can also add X-Header information to messages.

Maybe temporarily remove the outbound filtering through AVG and send directly to the internet. Send some test messages and see if your internal information is still present in the headers with AVG out of the mix. If not, then AVG is the culprit, not Exchange.
0
Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

 

Author Comment

by:Gavin75
ID: 40625019
I'm not in a position to switch off the AVG outbound filtering due to potential business impact and have abandoned looking for answers. Thanks anyway
0
 

Author Closing Comment

by:Gavin75
ID: 40625021
I never had the opportunity to test this theory but could be viable?
0
 

Expert Comment

by:gangatrend
ID: 41426285
When you see this in 2013 - Can't remove the access control entry on the object because the ACE isn't present.

Go to the AD and search for the AD Object for the "Shared/Mailbox" - Right Click and Go to Properties - Go to the Security TAB - There users would be listed in there. Remove the users who you want to revoke their access or permissions from being able to access the "Shared/Mailbox" - Click Apply and OK.

This shall take a while for the AD to replicate the same on the mailbox and the permissions would be removed from it.
0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Scam emails are a huge burden for many businesses. Spotting one is not always easy. Follow our tips to identify if an email you receive is a scam.
Find out what you should include to make the best professional email signature for your organization.
In this Micro Video tutorial you will learn the basics about Database Availability Groups and How to configure one using a live Exchange Server Environment. The video tutorial explains the basics of the Exchange server Database Availability grou…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

803 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question