Monday, February 24, 2014

Exchange 2010 Distribution Groups INSUFF_ACCESS_RIGHTS

I recently performed an Exchange 2003 to 2010 migration. Everything seemed to go OK, but there were a few glitches here and there, including this one. I got a call from a user who manages certain distribution lists from within Outlook. She could no longer add/remove users from the groups. This wasn't a problem prior to the migration.

I jumped on EMC and tried to check the permissions of the DL, and it spit a nice error out at me:

Error:
Active Directory operation failed on SERVER.DOMAIN.COM. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
The user has insufficient access rights.
Click here for help... http://technet.microsoft.com/en-US/library/ms.exch.err.default(EXCHG.141).aspx?v=14.1.267.0&t=exchgf1&e=ms.exch.err.Ex6AE46B

Exchange Management Shell command attempted:
new-DistributionGroup -Name 'Test Group' -SamAccountName 'Test Group' -Alias 'NJTest'

Elapsed Time: 00:00:00

Of course, it can be weeks after the migration before stuff like this pops up, so I had to go digging around for an answer. I found a few things on TechNet, but nothing stood out. I changed and checked the following to try to fix the issue:

  • Changed all of the DLs to Universal groups
  • Changed all of the distribution groups to 2010 DLs
    • I did this by renaming the DL from within EMC, clicking Apply, and reverting the change
  • Ensured that I had permissions on the object from ADUC

I was able to check the permissions and change all of the DLs to 2010 DLs, but when I tried to change the problem DLs (rename and revert), I was greeted with the same error.

I then checked the differences between the DLs that worked and the DLs that were not allowing admins/owners to change their DLs from within Outlook. I noticed that the inherit permissions option wasn't checked on the two DLs that were not working. I checked it and it immediately started working. I was able to change the DLs to 2010 DLs, and I checked with the users and they were able to add and remove users from within Outlook.
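To find every distribution group in this state rather than comparing them one by one in ADUC, the following added example (not part of the original post) reports groups whose AD object has permission inheritance disabled and can switch it back on. The function names `Get-DGInheritanceState` and `Enable-DGInheritance` are hypothetical; it assumes the Exchange Management Shell and an account allowed to read and write the ACL on the group objects.

```powershell
# Added example. Run from the Exchange Management Shell.
# Helper: bind to the AD object behind a group ("/" must be escaped in an ADSI path).
function Get-DGEntry([string]$DistinguishedName) {
    [ADSI]("LDAP://" + ($DistinguishedName -replace '/', '\/'))
}

# Report the inheritance flag for every distribution group.
function Get-DGInheritanceState {
    Get-DistributionGroup -ResultSize Unlimited | ForEach-Object {
        $entry = Get-DGEntry $_.DistinguishedName
        New-Object PSObject -Property @{
            Name                = $_.Name
            DistinguishedName   = $_.DistinguishedName
            # True means "inherit permissions from parent" is NOT ticked in ADUC.
            InheritanceDisabled = $entry.psbase.ObjectSecurity.AreAccessRulesProtected
            # adminCount = 1 marks an object protected by AdminSDHolder; SDProp
            # will turn inheritance off again on such objects, so review those
            # by hand instead of re-enabling inheritance.
            AdminCount          = $entry.psbase.Properties["adminCount"].Value
        }
    }
}

# Re-enable inheritance on one group (same effect as ticking the box in ADUC).
function Enable-DGInheritance {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$DistinguishedName)

    $entry = Get-DGEntry $DistinguishedName
    $acl   = $entry.psbase.ObjectSecurity
    if (-not $acl.AreAccessRulesProtected) {
        Write-Verbose "Inheritance already enabled on $DistinguishedName"
        return
    }
    if ($PSCmdlet.ShouldProcess($DistinguishedName, "Enable permission inheritance")) {
        # isProtected = $false turns inheritance back on; existing explicit ACEs are kept.
        $acl.SetAccessRuleProtection($false, $true)
        $entry.psbase.CommitChanges()
    }
}

# List affected groups first, then preview the change with -WhatIf.
$affected = Get-DGInheritanceState | Where-Object { $_.InheritanceDisabled }
$affected | Format-Table Name, AdminCount, DistinguishedName -AutoSize
$affected | Where-Object { $_.AdminCount -ne 1 } |
    ForEach-Object { Enable-DGInheritance -DistinguishedName $_.DistinguishedName -WhatIf }
```

Remove `-WhatIf` on the last line once the listed groups are the ones you expect to change.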

Hope this helps
