Wrong security rights for Exchange Trusted Subsystem
I think the security rights for Exchange Trusted Subsystem is wrong in my domain.
An example:
When I try to disable a user from EMC i get an error: "Insufficient access rights to perform the operation. Active directory response: 00002098: SecErr: DSID-03150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
I can disable the user if I give Exchange Trusted Subsystem full access to the user object in AD.
I have made sure that both the user object and all OU's have inherited permissions. And I have tried to run setup /preparead and setup /preparedomain, but it makes no difference.
Questions are: If the security rights are wrong, how do i fix it? Is it possible to reset security rights to default for the Exchange Trusted Subsystem? If I have to fix it by manually give it security rights, should I give it Full Access from the root of
the domain?
June 17th, 2011 8:08am
Hi
It is blog
of your question. You modify rights by adsiedit machine.
According to the article, you should check inherited setting of all the advanced security group.
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Free Windows Admin Tool Kit Click here and download it now
June 18th, 2011 1:34am
Hi
Thank you for your reply. But I have already read that blog. The security rights are ok on the Configuration part of AD, and inheritance is in place (on all folders).
The problem is on the user objects in AD. I suspect that the security rights for Exchange Trusted Subsystem is not right on the root of the domain in ADUC. And running setup /preparead does not fix it.
Any ideas?
I know I can fix this by giving Exchange Trusted Subsystem full control on everything, but that is not a very elegant (and safe?) way to do it...
June 18th, 2011 9:31am
Hi
I just read other colleague about your issue.
Someone opened this case. My colleague built fresh exchange and compare difference security right of two exchange servers. Then they modify the security right of target server and fix the error.
I also find that someone added Exchange Trusted Subsystem to local admin group and fix the issue.
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Free Windows Admin Tool Kit Click here and download it now
June 19th, 2011 10:00pm
This is still an issue. I have not found a good way to solve this yet. My next move will be to set up a test environment to compare security rights. Will post back here if I find a good solution.
June 24th, 2011 9:32am