Exchange has Insufficient permissions to make changes in CN=Services,CN=Configuration container
Hi,

Running Exchange 2010 SP1, all in a single domain. I seem to be having lots of permissions errors when running cmdlets and trying to do things such as create a mailbox database, etc. I was having permissions errors for adding user mailboxes but resolved this issue by allowing the Exchange Servers group to have the correct permissions on that user OU and having the users inherit permissions from their OU. (As a side note, the permissions I manually enabled for that user OU were: make sure the Exchange Enterprise Servers group has the permissions for the following:
- (Object tab) List Contents [Allow]
- (Properties tab) Read Display Name [Allow]
- (Properties tab) Write Display Name [Allow]
- (Properties tab) Read Exchange Information [Allow]
- (Properties tab) Write Exchange Information [Allow]
- (Properties tab) Read Personal Information [Allow]
- (Properties tab) Write Personal Information [Allow]
- (Properties tab) Read Public Information [Allow]
- (Properties tab) Write Public Information [Allow])

So it seems that the Administrator user I am using in Exchange is not the problem, but rather the permissions that the Exchange Servers group has. Now, it seems that Exchange doesn't have proper permissions to edit things in the CN=Configuration container. Example trying to enable/disable SSL:

[PS] C:\Windows\system32>Set-RpcClientAccess -Server RTP-EXCH -encryptionrequired $false
Active Directory operation failed on RTP-AD.gbrtp.com. This error is not retriable. Additional information: Insufficient access rights to perform the operation.
Active directory response: 00002098: SecErr: DSID-03150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
    + CategoryInfo : NotSpecified: (0:Int32) [Set-RpcClientAccess], ADOperationException
    + FullyQualifiedErrorId : AF230B62,Microsoft.Exchange.Management.SystemConfigurationTasks.SetRpcClientAccess

Using Get-RpcClientAccess I see that what it's likely trying to write to is located here:

DistinguishedName : CN=RpcClientAccess,CN=Protocols,CN=RTP-EXCH,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=GBRTP,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=gbrtp,DC=com

I reran setup /ps, /p, /pad hoping that this might re-establish permissions settings, but that hasn't fixed it. Mailbox Database info is also stored here, which I'm unable to modify due to the same permissions error, so I'm pretty convinced the problem lies in this whole container. Can someone suggest what permissions I can set on the Configuration container, or if there's a proper way to go about making sure my permissions are correctly set everywhere?
July 21st, 2011 10:40am

Possibly inheritance on some of the configuration partition objects isn't inheriting. Fire up adsiedit\configuration\services\microsoft exchange. Look at the properties, security tab. Several Exchange groups are listed. Now go below that tree and keep sampling down to see if inheritance is stopped at some level.

James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
July 21st, 2011 11:09am
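The walk the reply above describes (ADSI Edit, Security tab, sampling down the tree for a level where inheritance stops) can be scripted instead of clicked through. This is an added example, not code from the thread or from Microsoft; it assumes the ActiveDirectory PowerShell module and its AD: drive are available and that the account running it can read the configuration partition's ACLs. It walks everything under CN=Microsoft Exchange,CN=Services in the configuration naming context, flags objects whose ACL has inheritance blocked, and lists any explicit (non-inherited) ACEs held by groups whose name starts with "Exchange" so they can be compared with a healthy organisation.

```powershell
# Added example (not from the thread): find configuration-partition objects under
# CN=Microsoft Exchange where inheritance is blocked, and show explicit Exchange ACEs.
# Assumes the ActiveDirectory module (AD: drive) is loadable from this shell.
Import-Module ActiveDirectory -ErrorAction Stop

$configDN = (Get-ADRootDSE).configurationNamingContext
$base     = "CN=Microsoft Exchange,CN=Services,$configDN"   # the node the reply says to start at

$report = Get-ADObject -SearchBase $base -SearchScope Subtree -Filter * |
    ForEach-Object {
        $dn  = $_.DistinguishedName
        # Get-Acl over the AD: provider returns an ActiveDirectorySecurity object
        $acl = Get-Acl -Path "AD:\$dn"

        # ACEs set directly on this object (not inherited) for Exchange security groups
        $explicit = @($acl.Access | Where-Object {
            (-not $_.IsInherited) -and ($_.IdentityReference.Value -like '*\Exchange*')
        })

        New-Object PSObject -Property @{
            DN                   = $dn
            InheritanceBlocked   = $acl.AreAccessRulesProtected   # true = "Include inheritable permissions" unticked
            ExplicitExchangeACEs = ($explicit | ForEach-Object {
                '{0}:{1}:{2}' -f $_.IdentityReference.Value.Split('\')[-1],
                                 $_.AccessControlType,
                                 $_.ActiveDirectoryRights
            }) -join '; '
        }
    }

# 1. Any object below the Exchange container with inheritance blocked is what to look for.
Write-Host "Objects with inheritance blocked under $base"
$report | Where-Object { $_.InheritanceBlocked } |
    Select-Object DN, ExplicitExchangeACEs | Format-List

# 2. Objects carrying explicit Exchange ACEs. Expect these at the organisation and
#    administrative-group level; explicit entries much deeper are worth a second look.
Write-Host "Objects with explicit (non-inherited) ACEs for Exchange groups"
$report | Where-Object { $_.ExplicitExchangeACEs } |
    Select-Object DN, ExplicitExchangeACEs | Format-Table -Wrap -AutoSize
```

The same ACL can be dumped for a single object with the built-in dsacls.exe (dsacls "<distinguishedName>"), which is handy for pasting one level's output into a comparison with a known-good organisation. Distinguished names containing a forward slash need the slash escaped for the AD: provider path.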

Inheritance is good the whole way down. The problem seems to lie in the permissions defined once we get to CN=GBRTP. There's lots of permissions defined for the "Exchange Servers" group, but a lot of these are completely empty. That doesn't seem right. Most importantly, "Exchange Servers" has no write permissions at all. Is this expected? The Exchange Trusted Subsystem group has full control, but it has no members. Is that also expected? Adding the server computer account to this still didn't fix the problem, maybe because the permissions for "Exchange Servers" cancels it out?
July 21st, 2011 1:26pm

Both those observations seem to be by default when comparing with mine, so you shouldn't have had to explicitly grant the Exchange Servers group those rights on the OU. Can you make sure your account is in the Exchange org admins group?

James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
July 21st, 2011 2:07pm

This user is the domain/enterprise/schema admin and is in the "Organization Management" group which is under "Microsoft Exchange Security Groups". Inheritance is checked. I also tried creating a different user that is exclusively in the Organization Management group but I hit the same permissions errors. Like I was saying though, earlier I hit similar permissions errors with the administrator user when trying to add an enduser mailbox and they were only resolved by changing the permissions that the Exchange Server itself had on the user objects...
July 21st, 2011 2:24pm

Right, just doing a sanity check: the permissions that you explicitly set on the OU should be applied at the root domain in ADUC. For some reason it probably got removed; I would've thought re-running setup /prepareAD would've fixed it as well, but if it didn't then you need to manually fix it. These are my default settings when I look at a mail-enabled user; I can see the following being inherited at the domain level. As you can see you pretty much got the right attributes, but the permissions need to be applied to the Exchange Trusted Subsystem for some and some to the Exchange Servers. The reason it worked for just Exchange Servers is because both these groups have the same members. When I view my user I see that Exchange Servers has the following perms inherited at the domain level.

- Exchange Servers, Object tab: Create msexchactivesyncdevices... and Delete msexchactivesyncdevices... (Descendant User Objects)
- Exchange Servers, Properties tab: Read Exchange personal info (This user object and all Descendant)
- Exchange Servers, Properties tab: Read Exchange information (This user object and all Descendant)
- Exchange Trusted Subsystem, Properties tab: Write Exchange personal info (This user object and all Descendant)
- Exchange Trusted Subsystem, Properties tab: Write Public Info (This user object and all Descendant)
- Exchange Trusted Subsystem, Properties tab: Write Personal Info (This user object and all Descendant)
- Exchange Trusted Subsystem, Properties tab: Write Exchange info (This user object and all Descendant)
- Exchange Trusted Subsystem, Properties tab: List Contents, Read all properties, Read perms, Write Exchange info (This user object and all Descendant)

James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
July 21st, 2011 3:41pm
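The reply above compares, by eye in ADUC, which ACEs the Exchange Servers and Exchange Trusted Subsystem groups hold at the domain root. The following is an added example (not from the thread, not Microsoft's own tooling) that produces the same comparison from PowerShell: it reads the domain-root ACL, keeps only the ACEs for those two groups, and resolves the ObjectType / InheritedObjectType GUIDs to the property-set, attribute, extended-right or class names that ADUC shows (for example "Exchange-Information" or "user"), so the output can be checked line by line against the list in the post. It assumes the ActiveDirectory module and read access to the schema and configuration partitions; it also prints the membership of both groups, since the post's argument rests on them having the same members.

```powershell
# Added example (not from the thread): list the domain-root ACEs held by the two
# Exchange groups named in the post, with GUIDs resolved to readable names.
# Assumes the ActiveDirectory module (AD: drive) is loadable from this shell.
Import-Module ActiveDirectory -ErrorAction Stop

$rootDse  = Get-ADRootDSE
$domainDN = $rootDse.defaultNamingContext
$schemaDN = $rootDse.schemaNamingContext
$configDN = $rootDse.configurationNamingContext

# GUID -> name lookup built from the schema (attributes and classes, schemaIDGUID)
# and from the extended rights / property sets (rightsGuid). An ACE's ObjectType
# is one of these GUIDs; an empty GUID means "all properties / all rights".
$guidMap = @{}
Get-ADObject -SearchBase $schemaDN -LDAPFilter '(schemaIDGUID=*)' -Properties name, schemaIDGUID |
    ForEach-Object {
        $g = New-Object Guid (,[byte[]]$_.schemaIDGUID)      # stored as a byte array
        $guidMap[$g.ToString()] = $_.name
    }
Get-ADObject -SearchBase "CN=Extended-Rights,$configDN" -LDAPFilter '(rightsGuid=*)' -Properties name, rightsGuid |
    ForEach-Object {
        $g = [guid]$_.rightsGuid                             # stored as a string
        $guidMap[$g.ToString()] = $_.name
    }

function Resolve-AceGuid([guid]$g) {
    if ($g -eq [guid]::Empty)                 { return 'All' }
    if ($guidMap.ContainsKey($g.ToString()))  { return $guidMap[$g.ToString()] }
    return $g.ToString()                                     # unknown GUID: show it raw
}

$groups = 'Exchange Servers', 'Exchange Trusted Subsystem'

# ACEs on the domain root for just those two groups
$acl = Get-Acl -Path "AD:\$domainDN"
$acl.Access |
    Where-Object { $groups -contains $_.IdentityReference.Value.Split('\')[-1] } |
    ForEach-Object {
        New-Object PSObject -Property @{
            Identity        = $_.IdentityReference.Value.Split('\')[-1]
            Type            = $_.AccessControlType                    # Allow / Deny
            Rights          = $_.ActiveDirectoryRights                # ReadProperty, WriteProperty, CreateChild ...
            AppliesTo       = Resolve-AceGuid $_.ObjectType           # property set / attribute / extended right
            InheritedObject = Resolve-AceGuid $_.InheritedObjectType  # e.g. "user" = Descendant User objects
            Inheritance     = $_.InheritanceType                      # All = "This object and all descendant"
        }
    } |
    Sort-Object Identity, AppliesTo |
    Select-Object Identity, Type, Rights, AppliesTo, InheritedObject, Inheritance |
    Format-Table -AutoSize

# Direct membership of both groups, for the "same members" point in the post
foreach ($grp in $groups) {
    Write-Host "Members of '$grp':"
    Get-ADGroupMember -Identity $grp | Select-Object objectClass, Name | Format-Table -AutoSize
}
```

ACEs scoped to "This object only" (InheritanceType None) at the domain root never reach user objects, and an ACE whose InheritedObject is "user" does not apply to contacts or groups, so those two columns matter as much as the Rights column when comparing with the list above.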

Hi bsquizzato, please also run the ExBPA to do a permission check. Frank Wang
July 24th, 2011 10:50pm

Does the user account running the task have inheritance enabled?

Mike Crowley | MVP My Blog -- Planet Technologies
July 26th, 2011 11:29pm
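The question above is the one to answer before touching any container ACL, and it has a well-known mechanism behind it: accounts that are (or have been) members of protected groups such as Domain Admins, Enterprise Admins or Schema Admins are stamped adminCount=1 and have inheritance stripped from their object by the AdminSDHolder process, which re-applies the AdminSDHolder ACL to them roughly every hour, so ticking "Include inheritable permissions" on such an account does not stick. This added example (not from the thread) checks those three things for the account running the shell, or for any account name passed in; it assumes the ActiveDirectory module and only reads directory data.

```powershell
# Added example (not from the thread): is the account running the Exchange task
# protected by AdminSDHolder (adminCount=1, inheritance blocked on its own object)?
# Assumes the ActiveDirectory module (AD: drive) is loadable from this shell.
Import-Module ActiveDirectory -ErrorAction Stop

# Default protected groups whose members AdminSDHolder covers (direct membership only
# is shown here; nested membership also counts, so treat an empty list as "not proven").
$protectedGroups = 'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                   'Account Operators', 'Server Operators', 'Print Operators', 'Backup Operators'

function Test-AccountInheritance {
    param([string]$SamAccountName = $env:USERNAME)

    $user = Get-ADUser -Identity $SamAccountName -Properties adminCount, memberOf
    $acl  = Get-Acl -Path "AD:\$($user.DistinguishedName)"

    # Direct memberships in protected groups (first RDN of each group DN)
    $hits = @($user.memberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' } |
              Where-Object { $protectedGroups -contains $_ })

    New-Object PSObject -Property @{
        Account            = $user.SamAccountName
        DN                 = $user.DistinguishedName
        AdminCount         = $user.adminCount               # 1 = stamped by AdminSDHolder
        InheritanceBlocked = $acl.AreAccessRulesProtected   # true = inherited ACEs do not apply
        ProtectedGroups    = ($hits -join ', ')
    }
}

Test-AccountInheritance |
    Select-Object Account, DN, AdminCount, InheritanceBlocked, ProtectedGroups |
    Format-List
```

If InheritanceBlocked is true for the account that runs the cmdlets, the domain-root ACEs discussed earlier in the thread are irrelevant to that account's own object, and the comparison should be repeated with an account that is not in a protected group.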

This topic is archived. No further replies will be accepted.
