?
Solved

Exchange 2013 Management Console "because the ACE isn't present" error

Posted on 2014-12-18
6
Medium Priority
?
2,330 Views
Last Modified: 2016-01-21
Hi,

I am trying to hide internal hostname from outgoing email through an Exchange Send Connector and have used the following command, as per a few blogs, including this one http://exchangepedia.com/2008/05/removing-internal-host-names-and-ip-addresses-from-message-headers.html.

However, when I run the command from Exchange Management Console I get errors, as shown below.

[PS] C:\Windows\system32>Get-SendConnector "AVG AntiSpam Outbound" | Remove-ADPermission -AccessRight ExtendedRight -Ext
endedRights ms-Exch-Send-Headers-Routing -user "NT AUTHORITY\Anonymous Logon"

Confirm
Are you sure you want to perform this action?
Removing Active Directory permission "AVG AntiSpam Outbound" for user "NT AUTHORITY\Anonymous Logon" with access rights
 "'ExtendedRight'".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): y
WARNING: Can't remove the access control entry on the object "CN=AVG AntiSpam Outbound,CN=Connections,CN=Exchange
Routing Group (DWBGZMFD01QNBJR),CN=Routing Groups,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative
Groups,CN=DPC,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=dpc,DC=local" for attribute "ExtendedRight
(ObjectType: eb8c07ad-b5ad-49c3-831e-bc439cca4c2a)" because the ACE isn't present.
[PS] C:\Windows\system32>

I have used ADSIedit to check the object is present but not sure how to investigate after this and am hoping someone has experience if this? Please help.

The OS of the Exchange server and DC is Windows 2012 R2 and the AD is at the latest Windows 2012 version.

Thanks
0
Comment
Question by:Gavin75
6 Comments
 
LVL 20

Expert Comment

by:Satya Pathak
ID: 40508640
0
 

Author Comment

by:Gavin75
ID: 40510723
Hi, thanks for trying but this is just the same command in slightly different order, so same result.
0
 
LVL 31

Accepted Solution

by:
Gareth Gudger earned 1500 total points
ID: 40511101
This error almost implies that the permission has already been removed. Is this the only Send Connector you have in the environment?

After the change did you restart the Transport Queue?

Looks like you are doing outbound filtering with AVG. My guess would be that the AVG hop is applying internal information to the headers and not Exchange. Based on your error. Vendors like AVG can also add X-Header information to messages.

Maybe temporarily remove the outbound filtering through AVG and send directly to the internet. Send some test messages and see if your internal information is still present in the headers with AVG out of the mix. If not, then AVG is the culprit, not Exchange.
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

 

Author Comment

by:Gavin75
ID: 40625019
I'm not in a position to switch off the AVG outbound filtering due to potential business impact and have abandoned looking for answers. Thanks anyway
0
 

Author Closing Comment

by:Gavin75
ID: 40625021
I never had the opportunity to test this theory but could be viable?
0
 

Expert Comment

by:gangatrend
ID: 41426285
When you see this in 2013 - Can't remove the access control entry on the object because the ACE isn't present.

Go to the AD and search for the AD Object for the "Shared/Mailbox" - Right Click and Go to Properties - Go to the Security TAB - There users would be listed in there. Remove the users who you want to revoke their access or permissions from being able to access the "Shared/Mailbox" - Click Apply and OK.

This shall take a while for the AD to replicate the same on the mailbox and the permissions would be removed from it.
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

This is a very interesting topic. Ransomware has been around for a while but has increased drastically over the last year or so.
Lotus Notes is the most prominent choice of all users due to its advance email management. It provides email features along with contact management, appointments, task, calendar etc. Many users rely on its service to carry out electronic communicati…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
To export Lotus Notes to Outlook PST or Exchange and Domino Server files to Exchange Server or PST files with ease, go for Kernel for Lotus Notes to Outlook conversion tool. Through the video, you can watch the conversion process. A common user with…

589 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question