Monday, February 24, 2014

Exchange 2010 Distribution Groups INSUFF_ACCESS_RIGHTS

I recently performed an Exchange 2003 to 2010 migration. Everything seemed to go OK, but there were a few glitches here and there, including this one. I got a call from a user who manages certain distribution lists from within Outlook. She could no longer add or remove users from the groups. This wasn't a problem prior to the migration.

I jumped on the EMC and tried to check the permissions of the DL, and it spat a nice error out at me:

Error:
Active Directory operation failed on SERVER.DOMAIN.COM. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
The user has insufficient access rights.
Click here for help... http://technet.microsoft.com/en-US/library/ms.exch.err.default(EXCHG.141).aspx?v=14.1.267.0&t=exchgf1&e=ms.exch.err.Ex6AE46B

Exchange Management Shell command attempted:
new-DistributionGroup -Name 'Test Group' -SamAccountName 'Test Group' -Alias 'NJTest'

Elapsed Time: 00:00:00

Of course, it can be weeks after the migration before stuff like this pops up, so I had to go digging around for an answer. I found a few things on TechNet, but nothing stood out. I changed and checked the following to try to fix the issue:

  • Changed all of the DLs to Universal groups
  • Changed all of the distribution groups to 2010 DLs
    • I did this by renaming the DL from within EMC, clicking Apply, and reverting the change
  • Ensured that I had permissions on the object from ADUC
I was able to check the permissions and change all of the DLs to 2010 DLs, but when I tried to change the problem DLs (rename and revert), I was greeted with the same error.

I then compared the DLs that worked against the DLs that were not allowing admins/owners to change membership from within Outlook. On the two DLs that were not working, the "Include inheritable permissions from this object's parent" box (ADUC, Security tab, Advanced) was unchecked, so the Exchange Trusted Subsystem rights that normally flow down from the domain/OU never reached those objects. I checked the box and the DLs immediately started working. I was able to change them to 2010 DLs, and I confirmed with the users that they could add and remove members from within Outlook again.
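The manual comparison above does not scale past a handful of groups. The following is an added example, not code from the original post, that reports every distribution group whose AD object has permission inheritance disabled (the condition behind the INSUFF_ACCESS_RIGHTS error) and can optionally restore inheritance. It assumes an Exchange 2010 Management Shell with the ActiveDirectory module available (RSAT on Windows Server 2008 R2 or later); the $Repair switch is this example's own name.

```powershell
# Added example: find distribution groups with protected (non-inheriting) ACLs.
# Assumes Exchange Management Shell (Get-DistributionGroup) plus the
# ActiveDirectory module, which provides the AD: drive used by Get-Acl/Set-Acl.
Import-Module ActiveDirectory

# $false = report only; set to $true to re-enable inheritance on affected groups.
$Repair = $false

foreach ($dl in Get-DistributionGroup -ResultSize Unlimited) {
    $path = "AD:\$($dl.DistinguishedName)"
    $acl  = Get-Acl -Path $path

    if (-not $acl.AreAccessRulesProtected) { continue }

    Write-Warning "Inheritance disabled on: $($dl.Name) ($($dl.DistinguishedName))"

    # If adminCount is 1, the object is in the AdminSDHolder protected set and
    # SDProp will clear inheritance again (roughly hourly), so a one-off fix won't hold.
    $ad = Get-ADGroup -Identity $dl.DistinguishedName -Properties adminCount
    if ($ad.adminCount -eq 1) {
        Write-Warning "  adminCount=1: protected by AdminSDHolder; fix group nesting first."
    }

    if ($Repair) {
        # First argument $false = stop protecting, i.e. inherit from the parent again.
        # The second argument is ignored when the first is $false; explicit ACEs are kept.
        $acl.SetAccessRuleProtection($false, $true)
        Set-Acl -Path $path -AclObject $acl
        Write-Host "  Inheritance restored on $($dl.Name)"
    }
}
```

Run it once with $Repair left at $false to see which groups are affected, then flip it to $true. Re-check after an hour: a group that loses inheritance again is being reset by SDProp and needs its (possibly nested) membership in protected groups such as Domain Admins addressed rather than another Set-Acl.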

Hope this helps

Tuesday, February 18, 2014

How to remotely enable/disable the firewall in Windows 7 / 2008 R2, and change RDP listening port

Had an issue about a month ago. I had to change the RDP listening port on a user's computer; it had been changed from the default 3389 to 67890, but I couldn't get to it with COMPUTER:67890 (inside or outside the network). Everything WAS set up with a group policy, but for some reason, when the policy was removed, the settings stayed on the computer. Regardless, the computer was still listening on 67890. So I decided to remotely change it back to 3389 and make sure the service worked afterwards without rebooting the system.

Again, this is a remote operation, so I needed tools. My first step: download PsTools if you don't already have it. It includes one of the best sysadmin tools known: PsExec. PsExec lets an account that holds local administrator rights on the target computer (a domain admin, for example) run commands remotely on that computer. Get PsExec and the rest of PsTools from Microsoft's Sysinternals site.

Be sure to double-click PsExec once after you have extracted it, so you won't get the EULA prompt when running PsExec commands (passing -accepteula on the command line does the same). Also, I find it helpful to extract PsTools to a directory that is already on the system PATH (C:\Windows or C:\Windows\System32), though keep in mind that anything you drop into System32 runs with the same trust as the OS binaries there.

Second, I had to open an administrator command prompt on the target machine. I did this by opening an admin command prompt locally and running psexec \\COMPUTERNAME cmd.exe. This connected me to the target via a command prompt and let me run commands directly on the target computer.

I used this to disable the firewall on the target workstation by typing the following at the target's cmd prompt: netsh advfirewall set allprofiles state off

This command turns the Windows Firewall off for all three profiles (Domain, Private, and Public) on the target computer. If the firewall is already disabled via GPO or locally, skip this. A narrower option is to leave the firewall on and add an inbound allow rule for just the RDP port you are restoring. Either way, re-enable it before you finish: netsh advfirewall set allprofiles state on

Third, I had to start the Remote Registry service on the target machine. I opened Services on my machine, connected it to the target machine, right-clicked Remote Registry, and started it.

I then attached to the registry on the target machine by opening regedit, clicking File > Connect Network Registry, and typing in the target computer name.

Lastly, the RDP port had to be reset to the default 3389. I had to dig into the registry on the target machine to change it from 67890 to 3389. I searched MS and found the following in http://support.microsoft.com/kb/306759:
  1. Locate and then click the following registry subkey:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber
  2. On the Edit menu, click Modify, and then click Decimal.
  3. Type the new port number, and then click OK. (Type 3389.)
  4. Quit Registry Editor.
  5. Restart the computer.

Granted, it does say to restart the computer, but I was able to RDP into the target computer from my workstation right after changing this. Also, I am using NLS, so this wasn't the reason.
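The steps above (start Remote Registry, edit PortNumber remotely, deal with the firewall, test) can be done from one PowerShell prompt on the admin workstation. The following is an added example, not code from the original post, that performs the same procedure. It assumes you hold local administrator rights on the target, that psexec.exe is on the PATH, and that the names $PCName and $NewPort are this example's own; it uses PowerShell 2.0-era cmdlets so it runs from a Windows 7 / 2008 R2 admin box. Instead of turning the firewall off, it adds an inbound rule for just the RDP port.

```powershell
# Added example: reset a remote machine's RDP listener port from the admin workstation.
# Assumptions: local admin rights on the target, psexec.exe on PATH, Remote Registry
# service present on the target. $PCName and $NewPort are placeholders.
$PCName  = 'WKS-01'
$NewPort = 3389

# 1. Remote Registry is usually stopped (and sometimes disabled); make it startable and start it.
Set-Service -ComputerName $PCName -Name RemoteRegistry -StartupType Manual -Status Running

# 2. Open HKLM on the target over the Remote Registry service and read the current port.
$rdpKeyPath = 'SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $PCName)
$key  = $hklm.OpenSubKey($rdpKeyPath, $true)   # $true = writable
$old  = $key.GetValue('PortNumber')
Write-Host "Current RDP PortNumber on $PCName : $old"

# 3. Write the new value as REG_DWORD (what 'Decimal' in regedit produces).
if ($old -ne $NewPort) {
    $key.SetValue('PortNumber', $NewPort, [Microsoft.Win32.RegistryValueKind]::DWord)
    Write-Host "PortNumber set to $NewPort"
}
$key.Close()
$hklm.Close()

# 4. Allow only the RDP port through the firewall instead of disabling all profiles.
#    Add remoteip=<your admin subnet> to the rule to keep exposure to a minimum.
& psexec.exe -accepteula "\\$PCName" netsh advfirewall firewall add rule `
    name=RDP-$NewPort dir=in action=allow protocol=TCP localport=$NewPort

# 5. Check whether the listener answers on the new port. If it doesn't, the Terminal
#    Services listener still has the old port bound; restart TermService or reboot.
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($PCName, $NewPort)
    Write-Host "TCP $NewPort is open on $PCName"
} catch {
    Write-Warning "TCP $NewPort is not listening yet on $PCName; restart TermService or reboot."
} finally {
    $tcp.Close()
}
```

Step 2 is the same operation as File > Connect Network Registry in regedit, so it fails with the same "network path not found" style error if Remote Registry is not running or if the firewall blocks SMB/RPC to the target; in that case fall back to the psexec route described above. Once you are done, remove the temporary firewall rule with netsh advfirewall firewall delete rule name=RDP-3389 if it is not supposed to stay.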

Thanks!

EDIT:

Thanks to JH, a PowerShell script he created accomplishes this much better and faster. Please use it in combination with the above if you get stuck:

 # Enable Remote Desktop on a computer in the Computers OU

 $creds  = Get-Credential
 $PCName = Read-Host "Enter Computer Name"

 # Enter-PSSession only works at an interactive prompt; inside a script the lines after it
 # run on the local machine. Invoke-Command runs the block on the target instead.
 Invoke-Command -ComputerName $PCName -Credential $creds -ScriptBlock {

     # 0 = allow Remote Desktop connections
     Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name 'fDenyTSConnections' -Value 0

     # Enable-NetFirewallRule needs the NetSecurity module (Windows 8 / Server 2012 and later).
     # On Windows 7 / 2008 R2 use: netsh advfirewall firewall set rule group="remote desktop" new enable=yes
     Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
 }