Friday, August 15, 2008

Problems occurred trying to use your mailboxes, Exception message: Active Directory operation failed on Dc1.smtp25.org



Scenario:


Exchange 2007 migration after moving mailboxes from exchange 2003 to exchange 2007 users can not log into OWA and receiving errors "problems occurred trying to use your mailboxes". The fix for this error is going to be easy.

Error:

Exception message: Active Directory operation failed on Dc1.smtp25.org. This error is not retriable. Additional information: Insufficient access rights to perform the operation. Active directory response: 00002098: SecErr: DSID-03150E8A, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Fix:

  • Open ADUC,
  • Locate the user having trouble (turn advance futures on, by clicking view if you are not seeing security tab)
  • Put a check mark where it says "Include inheritable permissions from this object parent" or simply click restore
  • Go back to OWA and now you should be able to login


Oz Ozugurlu

MVP (Exchange)

MCITP (EMA), MCITP (SA)

MCSE 2003, M+, S+, MCDST

Security+, Project +, Server +

Blog: http://www.smtp25.blogspot.com

3 comments:

Anonymous said...

This error can also occur when trying to move users from Exchange 2003 to 2010. The fix also works here so you are able to move the users. Thanx

IT_Newb said...

I had the same issue when trying to allow modification of a Distribution list from OWA. I had to apply this security setting to the Distribution List, as the user was already inheriting the permissions correctly. The setting was made on the Distribution List object, and this resolved the issue. Thanks You for this posting, it had been an issue for several days, until I came across this article.

Anonymous said...

For anyone who finds this in the future:

This checkbox in the User object's Security tab will be unchecked for any user who is a member of the Domain Admins group - this is to protect those accounts from inheriting reduced permissions, and losing access.

This checkbox will not be re-checked when users are removed from the Domain Admins group.