Issue With Assigning Exchange 2010 Role-Assignment Policies
Have you ever needed to change your Default Role Assignment Policy in Exchange 2010 through...
Exchange 2010 Public Folders allow your administrators the ability to grant specific users the ability to send mail on behalf of a mail-enabled public folder.
Before we look at the Manage Send As issue, let’s take a look at how an Exchange or Security administrator would adjust the mail-enabled Public Folder Send As Permissions.
How to Manage the Public Folder Send As Permissions
Issue
The following error appears when adding a user to be able to Manage Send As despite the fact that you are the Super Duper Exchange Administrator for your environment. Even your service account will return the same error.
Error:
Active Directory operation failed on domaincontroller.domain.com. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
The user has insufficient access rights.
Click here for help... http://technet.microsoft.com/en-US/library/ms.exch.err.default(EXCHG.141).aspx?v=14.3.158.1&t=exchgf1&e=ms.exch.err.Ex6AE46B
Exchange Management Shell command attempted:
Add-ADPermission -Identity 'CN=PublicFolderName,CN=Microsoft Exchange System Objects,DC=domain,DC=com’ -User 'domain\userid' -ExtendedRights 'Send As'
Under what circumstances will this error occur?
Basically, there are two scenarios that will generate this error. One is that the Owner set on the public folder is not correct. If your environment has been upgraded from previous versions of Exchange you may see an object GUID listed as shown below instead of an Exchange server name.
The second scenario in which you will receive this error is when the owner is set to one of the Exchange servers in your environment, but you attempt to manage the Send As permissions from a different server in your production environment. Both of these situations will generate the above error on a mail-enabled public folder.
How to check the Public Folder Ownership settings
Before we can adjust the Ownership, we need to know how to find out how the ownership is set. We will learn if the owner is incorrectly set with a GUID or an Exchange Server Name that is different than the server you are managing your public folder permissions. For this will need ADSIEDIT downloaded and installed on your workstation and will need access to Active Directory Users and computers.
Note: If you do not have ADSIEDIT installed here is an article that can help you get started installing ADSIEDIT.
Resolution Option 1 – Mail Disable/Mail Enable the public folder
This is only a good option and is best suited for an organization that plans to always manage public folders from the same server all the time. This method will apply the name of the Exchange server that was being used to mail disable/mail enable the public folder you are working with. While this resets the owner of the public folder, it will specifically be set to that individual server. If management will occur across multiple Exchange servers then the permissions error will resurface. Here are the steps to mail-disable and mail-enable your public folder.
Resolution Option 2 – Use ADSIEDIT to set the Folder Ownership to Exchange Servers
Earlier in this article we talked about how to use ADSIEDIT to check what the current folder owner is. You will only use resolution option 2 if your organization manages public folders from multiple exchange servers. Here are the steps to set the current owner to Exchange servers:
Summary
As discussed in the article above, if you have upgraded from previous versions of Exchange you may have issues managing the Send As permissions on your mail-enabled public folders. This article should provide you with the insight to resolve this issue as it applies to your environment.
Get proactive with Exchange Management – Trial the Mailscape Monitoring & Reporting Dashboard.
Theresa is a Sr. Technical Systems Administrator and has been working as a technical expert in IT for over 18 years. Theresa has her MCSE, CCA and EPIC ECSM certifications. Her areas of expertise are in the areas of Exchange, Active Directory, Lync, SharePoint and Citrix XenApp. She has architected, designed, implemented and led complex projects in all of these areas. She also is a public speaker, speaking at events such as Briforum 2013 and upcoming will be at E2E Virtulization conference in May 2014.
Have you ever needed to change your Default Role Assignment Policy in Exchange 2010 through...
Every mailbox object in Exchange has a series of fields called custom attributes. These can be...