Problem
You’re transitioning from Exchange Server 2003 to Exchange Server 2010, and when you attempt to move a mailbox you receive the following error:
Active Directory operation failed on someDC.someDomain.com. This error is not retriable. Additional information: Insufficient access rights to perform the operation. Active directory response: 00002098: SecErr: DSID-03150A45, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
The user has insufficient access rights.
Click here for help... http://technet.microsoft.com/en-US/library/ms.exch.err.default(EXCHG.141).aspx?v=14.1.218.11&t=exchgf1&e=ms.exch.err.Ex6AE46B
Exchange Management Shell command attempted:
'someDomain.com/SomeName School/SomeNameUsers/SomeNameSecondary Students/S11/Eliot Smith' | New-MoveRequest -TargetDatabase 'SomeNameStudents - Light'
Elapsed Time: 00:00:01
Solution
The reason you’re encountering this error is that the Active Directory account of the user whose mailbox you’re trying to move does not have the property Include inheritable permissions from this object’s parent enabled. This is not the default configuration for user objects in the domain, but I find that a lot of applications and administrators deselect this option when trying to apply customized settings to the user accounts in their environment. To correct this, simply open Active Directory Users and Computers and turn on Advanced Features as shown here:
Once Advanced Features is enabled, search for the user account you have this problem with:
… open up the properties of this object:
Navigate to the Security tab of the user object’s property and click on the Advanced button:
Notice in the following screenshot that Include inheritable permissions from this object’s parent is not enabled:
Simply enable this property as such:
Once this property is enabled, you should be able to move the mailbox. This manual process works well if you only have a few accounts to modify, but if you have hundreds or even thousands, a script may be a better option. Unfortunately, I did quite a bit of searching on the internet but was unable to find one that works.
Here’s one that I found and tried, but it errored out on me: http://gallery.technet.microsoft.com/ScriptCenter/b15da21e-2732-4b63-b7b3-c2b862dd5707/
PS C:\> .\setacl.ps1
C:\data\Profiles\Staff\
\ is True
Set-Acl : The security identifier is not allowed to be the owner of this object.
At C:\setacl.ps1:39 char:20
+ Set-Acl <<<< -Path $job -AclObject $acl
+ CategoryInfo : InvalidOperation: (C:\:String) [Set-Acl], InvalidOperationException
+ FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.PowerShell.Commands.SetAclCommand
\ is False
PS C:\data\Profiles\Staff>
I’ll definitely update this post if I figure out a way but if someone who happens to pass by this post has a solution, please feel free to share.
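The GUI steps above as a script, added here as an example that is not the post’s own code or the gallery script: it re-enables inheritance on the DACL of every user object under an OU. It assumes it runs on a domain-joined machine as an account with Modify permissions on the target user objects, and the OU distinguished name is a placeholder built from the path in the error message. It writes only the DACL through DirectoryEntry, so it does not attempt to set an owner, which is what the gallery script tripped over.

```powershell
# Added example: enable "Include inheritable permissions from this object's parent"
# on AD user objects, the fix described in the post. Not the post's own script.
# Runs as an account that has Modify permissions (WRITE_DAC) on the user objects.

function Enable-AdInheritance {
    param(
        [Parameter(Mandatory=$true, ValueFromPipeline=$true)]
        [string]$DistinguishedName
    )
    process {
        $entry = [ADSI]("LDAP://" + $DistinguishedName)
        # .psbase reaches the underlying DirectoryEntry (needed on PowerShell 2.0)
        $sec = $entry.psbase.ObjectSecurity

        if (-not $sec.AreAccessRulesProtected) {
            Write-Host "$DistinguishedName : inheritance already enabled"
            return
        }

        # Members of protected groups (adminCount=1) get inheritance stripped again
        # by the AdminSDHolder process about once an hour, so flag them.
        $adminCount = $entry.psbase.Properties["adminCount"].Value
        if ($adminCount -eq 1) {
            Write-Warning "$DistinguishedName has adminCount=1; AdminSDHolder will re-protect it"
        }

        # $false = stop protecting the DACL (inherit from the parent again)
        # $true  = keep the explicit ACEs already on the object
        $sec.SetAccessRuleProtection($false, $true)
        $entry.psbase.CommitChanges()   # writes only the modified DACL, no owner change
        Write-Host "$DistinguishedName : inheritance enabled"
    }
}

# Placeholder OU DN built from the path in the error message above; change it.
$ouDn = "OU=S11,OU=SomeNameSecondary Students,OU=SomeNameUsers,OU=SomeName School,DC=someDomain,DC=com"

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]("LDAP://" + $ouDn)
$searcher.Filter = "(&(objectCategory=person)(objectClass=user))"
$searcher.PageSize = 1000   # page results so large OUs are not cut off at 1000
$searcher.PropertiesToLoad.Add("distinguishedName") | Out-Null

$searcher.FindAll() |
    ForEach-Object { $_.Properties["distinguishedname"][0] } |
    Enable-AdInheritance
```

Run it once with the function body’s `CommitChanges()` line commented out to see which accounts it would touch, then re-run New-MoveRequest for the affected mailboxes.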