Solved

Exchange 2013 Management Console "because the ACE isn't present" error

Posted on 2014-12-18
6
1,491 Views
Last Modified: 2016-01-21
Hi,

I am trying to hide internal hostname from outgoing email through an Exchange Send Connector and have used the following command, as per a few blogs, including this one http://exchangepedia.com/2008/05/removing-internal-host-names-and-ip-addresses-from-message-headers.html.

However, when I run the command from Exchange Management Console I get errors, as shown below.

[PS] C:\Windows\system32>Get-SendConnector "AVG AntiSpam Outbound" | Remove-ADPermission -AccessRight ExtendedRight -Ext
endedRights ms-Exch-Send-Headers-Routing -user "NT AUTHORITY\Anonymous Logon"

Confirm
Are you sure you want to perform this action?
Removing Active Directory permission "AVG AntiSpam Outbound" for user "NT AUTHORITY\Anonymous Logon" with access rights
 "'ExtendedRight'".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): y
WARNING: Can't remove the access control entry on the object "CN=AVG AntiSpam Outbound,CN=Connections,CN=Exchange
Routing Group (DWBGZMFD01QNBJR),CN=Routing Groups,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative
Groups,CN=DPC,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=dpc,DC=local" for attribute "ExtendedRight
(ObjectType: eb8c07ad-b5ad-49c3-831e-bc439cca4c2a)" because the ACE isn't present.
[PS] C:\Windows\system32>

I have used ADSIedit to check the object is present but not sure how to investigate after this and am hoping someone has experience if this? Please help.

The OS of the Exchange server and DC is Windows 2012 R2 and the AD is at the latest Windows 2012 version.

Thanks
0
Comment
Question by:Gavin75
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 20

Expert Comment

by:Satya Pathak
ID: 40508640
0
 

Author Comment

by:Gavin75
ID: 40510723
Hi, thanks for trying but this is just the same command in slightly different order, so same result.
0
 
LVL 31

Accepted Solution

by:
Gareth Gudger earned 500 total points
ID: 40511101
This error almost implies that the permission has already been removed. Is this the only Send Connector you have in the environment?

After the change did you restart the Transport Queue?

Looks like you are doing outbound filtering with AVG. My guess would be that the AVG hop is applying internal information to the headers and not Exchange. Based on your error. Vendors like AVG can also add X-Header information to messages.

Maybe temporarily remove the outbound filtering through AVG and send directly to the internet. Send some test messages and see if your internal information is still present in the headers with AVG out of the mix. If not, then AVG is the culprit, not Exchange.
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:Gavin75
ID: 40625019
I'm not in a position to switch off the AVG outbound filtering due to potential business impact and have abandoned looking for answers. Thanks anyway
0
 

Author Closing Comment

by:Gavin75
ID: 40625021
I never had the opportunity to test this theory but could be viable?
0
 

Expert Comment

by:gangatrend
ID: 41426285
When you see this in 2013 - Can't remove the access control entry on the object because the ACE isn't present.

Go to the AD and search for the AD Object for the "Shared/Mailbox" - Right Click and Go to Properties - Go to the Security TAB - There users would be listed in there. Remove the users who you want to revoke their access or permissions from being able to access the "Shared/Mailbox" - Click Apply and OK.

This shall take a while for the AD to replicate the same on the mailbox and the permissions would be removed from it.
0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

This article shows the method of using the Resultant Set of Policy Tool to locate Group Policy that applies a particular setting.
This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question