We help IT Professionals succeed at work.
Get Started

problem 4003 (insuff_access_rights) when setting send as permission for a mailbox Exch2013

NSI-Tech
NSI-Tech asked
on
5,387 Views
Last Modified: 2017-04-05
Hello

I have an exchange 2013 server where send as permission was working fine in the past.

Since yesterday afternoon it seems the permissions has disappeared for all the users that had the send as permission configured on mailboxes.
The send as permission for distribution groups is working fine.

I am now unable to set the send as permission via ECP on a mailbox as well as using exchange shell:

Powershell gives me the following error:

[PS] C:\Windows\system32>get-user -identity "johan@fischercons.com" | Add-ADPermission -User "johan.fischer@magnabc.co.z
a" -ExtendedRights Send-As
Active Directory operation failed on SRV-MG-AUT-DC02.Magnabc.co.za. This error is not retriable. Additional
information: Access is denied.
Active directory response: 00000005: SecErr: DSID-03152612, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
    + CategoryInfo          : WriteError: (0:Int32) [Add-ADPermission], ADOperationException
    + FullyQualifiedErrorId : [Server=SRV-MG-EXH-MB01,RequestId=bcbeb446-fe44-4bc3-aad4-641b8dc219c3,TimeStamp=2017-03
   -15 02:54:11 PM] [FailureCategory=Cmdlet-ADOperationException] 3C1A4496,Microsoft.Exchange.Management.RecipientTas
  ks.AddADPermission
    + PSComputerName        : srv-mg-exh-mb01.magnabc.co.za

ECP give me the following error:

error:
 
Active Directory operation failed on SRV-MG-AUT-DC02.Magnabc.co.za. This error is not retriable. Additional information: Access is denied. Active directory response: 00000005: SecErr: DSID-03152612, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0  
 
 I have tried the following setting the Exchange trusted subsystem to allow full and enable inheritable permissions. This made no difference.

https://support.microsoft.com/en-za/help/2983209/access-denied-when-you-try-to-give-user-send-as-or-receive-as-permission-for-a-distribution-group-in-exchange-server-2010-or-exchange-server-2013

I also tried granting the user send as rights by opening the users account in AD security tab and granting the rights there. After a few minutes when I go back the setting has disappeared.

 
I discovered a temporary work around to fix the send as permission problem by granting the user a domain admin.

Can someone please help to find an alternate solution as to me granting the users domain admins to fix this permission problem?

Thank you

Regards
Jan
Comment
Watch Question
IT Superintendent
CERTIFIED EXPERT
Distinguished Expert 2017
Commented:
This problem has been solved!
Unlock 2 Answers and 6 Comments.
See Answers
Why Experts Exchange?

Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.

Jim Murphy
Programmer at Smart IT Solutions

When asked, what has been your best career decision?

Deciding to stick with EE.

Mohamed Asif
Technical Department Head

Being involved with EE helped me to grow personally and professionally.

Carl Webster
CTP, Sr Infrastructure Consultant
Ask ANY Question

Connect with Certified Experts to gain insight and support on specific technology challenges including:

  • Troubleshooting
  • Research
  • Professional Opinions
Did You Know?

We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE