Solved

Exchange 2013 Management Console "because the ACE isn't present" error

Posted on 2014-12-18
Last Modified: 2016-01-21
Hi,

I am trying to hide internal hostname from outgoing email through an Exchange Send Connector and have used the following command, as per a few blogs, including this one http://exchangepedia.com/2008/05/removing-internal-host-names-and-ip-addresses-from-message-headers.html.

However, when I run the command from Exchange Management Console I get errors, as shown below.

[PS] C:\Windows\system32>Get-SendConnector "AVG AntiSpam Outbound" | Remove-ADPermission -AccessRight ExtendedRight -ExtendedRights ms-Exch-Send-Headers-Routing -user "NT AUTHORITY\Anonymous Logon"

Confirm
Are you sure you want to perform this action?
Removing Active Directory permission "AVG AntiSpam Outbound" for user "NT AUTHORITY\Anonymous Logon" with access rights "'ExtendedRight'".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): y
WARNING: Can't remove the access control entry on the object "CN=AVG AntiSpam Outbound,CN=Connections,CN=Exchange Routing Group (DWBGZMFD01QNBJR),CN=Routing Groups,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=DPC,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=dpc,DC=local" for attribute "ExtendedRight (ObjectType: eb8c07ad-b5ad-49c3-831e-bc439cca4c2a)" because the ACE isn't present.
[PS] C:\Windows\system32>

I have used ADSIedit to check the object is present but not sure how to investigate after this and am hoping someone has experience of this? Please help.

The OS of the Exchange server and DC is Windows 2012 R2 and the AD is at the latest Windows 2012 version.

Thanks
Question by:Gavin75
6 Comments
 
LVL 20

Expert Comment

by:Satya Pathak
ID: 40508640
0
 

Author Comment

by:Gavin75
ID: 40510723
Hi, thanks for trying but this is just the same command in slightly different order, so same result.
0
 
LVL 31

Accepted Solution

by:
Gareth Gudger earned 500 total points
ID: 40511101
This error almost implies that the permission has already been removed. Is this the only Send Connector you have in the environment?

After the change did you restart the Transport Queue?

Looks like you are doing outbound filtering with AVG. My guess would be that the AVG hop is applying internal information to the headers and not Exchange. Based on your error. Vendors like AVG can also add X-Header information to messages.

Maybe temporarily remove the outbound filtering through AVG and send directly to the internet. Send some test messages and see if your internal information is still present in the headers with AVG out of the mix. If not, then AVG is the culprit, not Exchange.
0
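One way to check the accepted answer's reading of the error, as an added example that is not part of the original thread: list the ACEs on the connector and see whether the header-routing right is still granted to Anonymous Logon. The connector name is the one from the question; the variable names and status messages are illustrative.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell.
# Connector name is the one used in the question.
$connectorName = "AVG AntiSpam Outbound"

# Every ACE on the connector object that carries the header-routing extended right.
$aces = Get-SendConnector $connectorName |
    Get-ADPermission |
    Where-Object { $_.ExtendedRights -like "ms-Exch-Send-Headers-Routing" }

# Show who holds the right, whether it is an allow or a deny entry,
# and whether the entry is set on the connector itself or inherited.
$aces | Format-Table User, Deny, IsInherited, ExtendedRights -AutoSize

# Narrow down to the principal named in the Remove-ADPermission command.
$anon = $aces | Where-Object { $_.User -like "NT AUTHORITY\Anonymous Logon" }

if (-not $anon) {
    # Nothing left to remove: consistent with the "ACE isn't present" warning.
    Write-Host "No ms-Exch-Send-Headers-Routing ACE for Anonymous Logon on '$connectorName'."
}
else {
    foreach ($ace in $anon) {
        # An inherited entry originates on a parent object, not on the connector.
        $origin = if ($ace.IsInherited) { "inherited from a parent object" } else { "set on the connector" }
        $kind   = if ($ace.Deny) { "Deny" } else { "Allow" }
        Write-Host "$kind ACE for $($ace.User) is still present ($origin)."
    }
}
```

If no entry for Anonymous Logon is listed, the right is already gone from this connector and any internal host names still appearing in outbound headers are being added elsewhere in the mail path.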

 

Author Comment

by:Gavin75
ID: 40625019
I'm not in a position to switch off the AVG outbound filtering due to potential business impact and have abandoned looking for answers. Thanks anyway
0
 

Author Closing Comment

by:Gavin75
ID: 40625021
I never had the opportunity to test this theory but could be viable?
0
 

Expert Comment

by:gangatrend
ID: 41426285
When you see this in 2013 - Can't remove the access control entry on the object because the ACE isn't present.

Go to the AD and search for the AD Object for the "Shared/Mailbox" - Right Click and Go to Properties - Go to the Security TAB - There users would be listed in there. Remove the users who you want to revoke their access or permissions from being able to access the "Shared/Mailbox" - Click Apply and OK.

This shall take a while for the AD to replicate the same on the mailbox and the permissions would be removed from it.
0
