Insuff Access Rights when Adding ADPermission to BESAdmin Account
Problem:
When running this command on our Exchange 2010 Server:
Add-ADPermission -InheritedObjectType User -InheritanceType Descendents -ExtendedRights Send-As -User "BESAdmin" -Identity "OU=OrganizationalUnit,DC=domain,DC=com"
We received the following error:
Active Directory operation failed on “FQDN.DOMAIN.COM” This error is not retriable. Additional Information: Access is denied.
Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
+ CategoryInfo : WriteError: (0:Int32) [Add-ADPermission], ADOperationException
+ FullyQualifiedErrorID : 30EFD754,Microsoft.Exchange.Management.RecipientTasks.AddADPermission
Resolution:
This is caused by a security setting on the BESAdmin account itself: the account is not set to include inheritable permissions from its parent. Change that setting on the BESAdmin account, then run the command again.
1. Open AD Users and Computers on the DC in the same site as Exchange.
2. Make sure Advanced Features are visible by going to View | Advanced Features.
3. In AD Users and Computers, open the properties of the BESAdmin account and go to Security | Advanced.
4. Check the box for "Include inheritable permissions from this object's parent" and click OK.
5. Re-run the Add-ADPermission command for the BESAdmin account.
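
The same check and change as steps 3 and 4, scripted in PowerShell. This is an added example, not part of the original post; it assumes the RSAT ActiveDirectory module is installed and that the account is named BESAdmin as above. The adminCount check is an extra diagnostic the post does not mention.

```powershell
# Added example: scripted equivalent of steps 3-4 for the BESAdmin account.
Import-Module ActiveDirectory   # also provides the AD: drive used below

$account = Get-ADUser -Identity 'BESAdmin' -Properties adminCount
$path    = "AD:\$($account.DistinguishedName)"
$acl     = Get-Acl -Path $path

# AreAccessRulesProtected = $true corresponds to the "Include inheritable
# permissions from this object's parent" box being unchecked.
if (-not $acl.AreAccessRulesProtected) {
    Write-Output "Inheritance is already enabled on $($account.SamAccountName); look elsewhere for the cause."
}
else {
    # adminCount = 1 marks an account that is (or was) in a protected group
    # such as Domain Admins. While it remains in one, the AdminSDHolder
    # process disables inheritance again, so the fix will not persist.
    if ($account.adminCount -eq 1) {
        Write-Warning "adminCount is 1: review protected-group membership, or inheritance will be switched off again."
    }

    # Same effect as checking the box in step 4. The second argument is
    # ignored when protection is being turned off.
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path $path -AclObject $acl

    # Read the descriptor back to confirm the change was written.
    $after = (Get-Acl -Path $path).AreAccessRulesProtected
    Write-Output "Inheritance disabled after change: $after"
}
```

If the final line still reports True, the account running the script lacks rights to modify the BESAdmin object's security descriptor.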



Hey Scott..
Thank you for this tip, saved me from ripping the rest of my hair out.