After trying to move a mailbox from Exchange 2003 to Exchange 2010, I received the following error:
Error:
Active Directory operation failed on *DomainController*. This error is not retriable. Additional information: Insufficient access rights to perform the operation.
Active directory response: 00002098: SecErr: DSID-03150E8A, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
The user has insufficient access rights.
Exchange Management Shell command attempted:
’*OUStructure*’ | New-MoveRequest -TargetDatabase ‘Mailbox Database 1985885663′ -BadItemLimit ‘-1′
This error can be resolved by editing the Advanced Security Settings for the user.
- Open Active Directory Users and Computers
- Find the user of which the mailbox move caused the error
- Open up the properties of this user and go to the security tab (if this is not available, choose view and then advanced features in the AD users and computers MMC)
- Click on [Advanced]
- Activate the checkbox “Include inheritable permissions from this object’s parent” and then click [OK] twice.
Worked perfectly, thanks!
Worked for me, thanks
perfect! thanks a lot!
cheers, worked a charm
Thank you!
perfect!
WORKED LIKE A CHARM. NEED TO GET THIS MOVED UP TO THE TOP OF THE LIST IN GOOGLE!!!! THANKS A LOT!!!!!
Thanks for posting this, This has really helped me to move the mailboxes from exchange 2003 to exchange 2010.
In general I have around 500 users and doing this manually for each users is not possible, is there any way to get this done for all the users with different organizational unit.
I know it too late posting here, but hoping that you may got the solution and reading the comments.
Thanks,
Hi Raveesh….
Powershell is the tool
1. download the Quest Powershell commands @ http://www.quest.com/powershell/activeroles-server.aspx
2. open them (make sure to execute them as a domain admin or else you can list things but not write things to AD)
3. If you execute the following command you will get a list of all users and you can see if this checkbox is set (verify it for some user), True = set.
Get-QADUser -SizeLimit 0 | Select-Object Name,@{n=’IncludeInheritablePermissions’;e={!$_.DirectoryEntry.PSBase.ObjectSecurity.AreAccessRulesProtected}}
4. You can now set if for every user with the command:
Get-QADUser -SizeLimit 0 | Set-QADObjectSecurity -UnLockInheritance
You can test it by supplying one user, and see if it works: Get-QADUser username -SizeLimit 0 | Set-QADObjectSecurity -LockInheritance
Use it @ your own risk. I advise you to test it first in a test domain or test environment.
More on the set-qadobjectsecurity command: http://wiki.powergui.org/index.php/Set-QADObjectSecurity
Pingback: Unable to move 2003 mailboxes to 2010 Exchange server | xombe
Thanks! Saved me a headache this afternoon.
Awesome worked !!!
It work like a charm!
Thanks.
Thanks for the tip, worked perfectly and I have many mailboxes to move