Need help resolving error when managing mailbox folder rights for users in different subdomains in Exchange 2016

Blaise Fournier
Hello,
We have trouble adding rights to the calendar folder of one user to another user who is on another subdomain.
We run Exchange 2016 (Version 15.1 (Build 1466.3)) and have a main domain we will call domain.local and 5 subdomains. Exchange server is in domain.local.
User1 is in subdomain A.domain.local and has email address user1@customdomain1.com
User2 is in subdomain B.domain.local and has email address user2@customdomain2.com
We ran the following command to add LimitedDetails rights to B.domain.local\user2 on A.Domain.local user2’s calendar:
Add-MailboxFolderPermission -Identity A.domain.local\user1:\calendar -User user2@customdomain2.com -AccessRights LimitedDetails

We get the following error:
The user "FirstName Lastname user2@customdomain2.com" was found in Active Directory but isn't valid to use for permissions. Try an SMTP address instead.
+ CategoryInfo          : NotSpecified: (:) [Add-MailboxFolderPermission], InvalidInternalUserIdException
    + FullyQualifiedErrorId : [Server=XXXXXX,RequestId=XXXXXXX,TimeStamp=01.02.2019 10:31:07] [FailureCategory=Cmdlet-InvalidInternalUserIdException]XXXXXX,Microsoft.Exchange.Management.StoreTask
   s.AddMailboxFolderPermission
    + PSComputerName        : exc01.domain.com

Can you please help us solve this problem?
Thanks in advance for your help.
Best regards
Roland Lee, Senior Systems Engineer

Commented:
Maybe you can try something like this
Get-Mailbox "WhateverMailbox" | Add-MailboxPermission -AccessRights FullAccess, ExternalAccount -User "remote-domain\user"

Commented:
Is user2@customdomain2.com the person's SMTP address or is it their UPN with a custom suffix?

Can you try using User2's Alias or even their full DN as in:

Add-MailboxFolderPermission -Identity A.domain.local\user1:\calendar -User "CN=User2,OU=xyz,DC=B,DC=domain,DC=local" -AccessRights LimitedDetails
Blaise Fournier, Systems Engineer

Author

Commented:
Thanks for the tip Ibrahim Benna, but the error remains exactly the same.
Blaise Fournier, Systems Engineer

Author

Commented:
Thank you Roland Lee but what I want to achieve is to add a permission to the user's calendar. The command you suggested would try to add permissions to the mailbox. In my case this is not an option.
Blaise Fournier, Systems Engineer

Author

Commented:
user2@customdomain2.com is the person's SMTP address. Sorry I forgot to mention this.
Blaise Fournier, Systems Engineer

Author

Commented:
Hello,

We have investigated and found out that the error appears only with users who were migrated during a cross-forest migration. The command runs normally for users that have been created after the migration. Thank you all for your input. I will post more info as we continue to investigate.
Blaise Fournier, Systems Engineer

Author

Commented:
The command works again without action on our part ... I guess we'll never know what happened here.
Blaise Fournier, Systems Engineer

Author

Commented:
The error appears again. A case has been opened with MS support and I will post a solution if one is found.
Best regards
Blaise
Blaise Fournier, Systems Engineer

Author

Commented:
No news so far, sorry.
Systems Engineer
Commented:
Hello,

Turns out an AD attribute was causing the problem for users who had been migrated from a single-domain forest to a multi-domain forest.
The AD attribute msExchRecipientDisplayType of users with the problem was set to "0" when it should have been "1073741824".

The following PowerShell commands, run on a DC, allowed this issue to be corrected (use at your own risk):

Import-Module activedirectory
Get-ADUser -Filter * -Properties msExchRecipientDisplayType | Where-Object {$_.msExchRecipientDisplayType -eq "0"} | Set-ADObject -Replace @{msExchRecipientDisplayType=-1073741824}

For more on recipient type values:
https://answers.microsoft.com/en-us/msoffice/forum/msoffice_o365admin-mso_exchon-mso_o365b/recipient-type-values/7c2620e5-9870-48ba-b5c2-7772c739c651

NB: the solution was found by one of our engineers, not by MS Support.

Best regards
Blaise Fournier
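
A more cautious way to apply the attribute change described above, as an added example that is not part of the original thread: it limits the search to mailbox owners, covers every domain in the forest, records the previous values for rollback, and supports -WhatIf. The function name, parameters and CSV path are hypothetical; the target value is a parameter because the post's text gives 1073741824 while its command writes -1073741824.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not code from the thread. Names and the CSV path are assumptions.

function Repair-RecipientDisplayType {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Value to write; confirm it against a known-good mailbox user first.
        [Parameter(Mandatory)] [int] $TargetValue,
        # Constructed default path for the rollback record.
        [string] $BackupCsv = '.\msExchRecipientDisplayType-before.csv'
    )

    # Get-ADUser searches a single domain, so walk every domain in the forest.
    $affected = foreach ($domain in (Get-ADForest).Domains) {
        # Server-side filter: objects that own a mailbox (homeMDB set) and hold the value 0.
        Get-ADUser -Server $domain `
            -LDAPFilter '(&(homeMDB=*)(msExchRecipientDisplayType=0))' `
            -Properties msExchRecipientDisplayType, mail |
            Select-Object DistinguishedName, SamAccountName, mail,
                msExchRecipientDisplayType, @{ n = 'Domain'; e = { $domain } }
    }

    if (-not $affected) {
        Write-Verbose 'No mailbox users with msExchRecipientDisplayType = 0.'
        return
    }

    # Always write the rollback record, including during a -WhatIf run.
    $affected | Export-Csv -Path $BackupCsv -NoTypeInformation -Encoding UTF8 -WhatIf:$false

    foreach ($user in $affected) {
        $action = "Set msExchRecipientDisplayType to $TargetValue"
        if ($PSCmdlet.ShouldProcess($user.DistinguishedName, $action)) {
            Set-ADObject -Identity $user.DistinguishedName -Server $user.Domain `
                -Replace @{ msExchRecipientDisplayType = $TargetValue }
        }
    }

    # Return the affected accounts so the caller can review or log them.
    $affected
}

# Dry run: lists what would change and writes the CSV, but modifies nothing.
Repair-RecipientDisplayType -TargetValue 1073741824 -WhatIf |
    Format-Table SamAccountName, Domain, mail
```

Run it without -WhatIf only after reviewing the dry-run list; the CSV holds the original value per distinguished name if a change has to be reverted.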
