Thursday, December 4, 2014

Exchange 2010 MoveRequest Fails Due to Access Rights

Over the weekend, one of my co-workers was attempting to do a database compression on a series of databases. As part of the process, he wanted to move a large number of these mailboxes off to another, empty DB. Today, when checking the status, I noticed that his mailbox moves had all failed.

Get-MoveRequest "UserMailbox" | Get-MoveRequestStatistics | fl message

Message : Error: Active Directory operation failed on LocalDomainController. This error is not retriable. Additional information: Insufficient access rights to perform the operation.
          Active directory response: 00002098: SecErr: DSID-3150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 --> The user has insufficient access rights.

I found a TON of blogs that stated the AD portion of the mailbox doesn't have the 'include inheritable permissions from this object's parent' checkbox selected. This was NOT the issue in my case. I tested this by taking the very same object and simply resuming the move. It completed normally.

Now, the difference between myself and my co-worker? He has Domain Admin rights in the Exchange domain, and Domain Admins carry an explicit Deny on the database objects:


get-mailboxdatabase New-DB01 | get-adpermission | ?{$_.user -like "*domain admin*" -and $_.deny} | select extendedrights

ExtendedRights
--------------
{Send-As}
{Receive-As}
{ms-Exch-EPI-Impersonation}
{ms-Exch-EPI-Token-Serialization}
{ms-Exch-Store-Constrained-Delegation}
{ms-Exch-Store-Transport-Access}
{ms-Exch-Store-Read-Access}
{ms-Exch-Store-Read-Write-Access}

If I had to guess, that Deny means he can't read from or write to the databases when driving the move himself. Moral: don't have domain admins moving mailboxes.
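As an added pre-flight check (my own script, not something from the original post or from Microsoft), the following runs in the Exchange Management Shell before a batch of moves is submitted. It reports whether the current account is a member of Domain Admins, lists the explicit Deny entries that group holds on each target database, and optionally resumes moves that already failed. The database name `New-DB01` is taken from the post; the `-ResumeFailed` switch and the function names are my own.

```powershell
# Added pre-flight check for mailbox moves (not from the original post).
# Run in the Exchange Management Shell as the account that will submit the moves.
param(
    [string[]]$TargetDatabase = @('New-DB01'),   # database name from the post; adjust as needed
    [switch]$ResumeFailed                         # resume failed moves once the check passes
)

function Test-IsDomainAdmin {
    # Domain Admins always has RID 512, so match the group SID suffix
    # rather than a (possibly localized) group name.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($group in $identity.Groups) {
        if ($group.Value -like 'S-1-5-21-*-512') { return $true }
    }
    return $false
}

function Get-DatabaseDenyAce {
    # Explicit Deny ACEs for Domain Admins on one mailbox database object.
    param([string]$Database)
    Get-MailboxDatabase -Identity $Database |
        Get-ADPermission |
        Where-Object { $_.Deny -and $_.User -like '*Domain Admins*' } |
        Select-Object Identity, User, IsInherited, ExtendedRights, AccessRights
}

$isDA = Test-IsDomainAdmin
$who  = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Write-Host ("Running as {0}; member of Domain Admins: {1}" -f $who, $isDA)

foreach ($db in $TargetDatabase) {
    $denies = @(Get-DatabaseDenyAce -Database $db)
    if ($denies.Count -eq 0) {
        Write-Host "$db : no explicit Deny ACEs for Domain Admins"
        continue
    }
    Write-Host "$db : $($denies.Count) Deny ACE(s) for Domain Admins"
    $denies | Format-Table User, IsInherited, ExtendedRights -AutoSize
    if ($isDA) {
        Write-Warning ("Moves into {0} submitted by {1} will fail with INSUFF_ACCESS_RIGHTS; " +
                       "submit them from a non-DA account that holds the mailbox move role.") -f $db, $who
    }
}

# Moves that failed under a DA account can simply be resumed by a non-DA account,
# which is what worked in the post.
if ($ResumeFailed) {
    if ($isDA) {
        Write-Warning 'Not resuming: this account is a Domain Admin and would hit the same Deny.'
    } else {
        foreach ($db in $TargetDatabase) {
            Get-MoveRequest -MoveStatus Failed -TargetDatabase $db | Resume-MoveRequest
        }
    }
}
```

Run it once as the DA account to see the warning fire, then again from the delegated move account with `-ResumeFailed` to pick the stalled requests back up; the Deny entries themselves are left alone, since removing them would weaken the protection Exchange put on the database objects.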

