Just trying to disable a users mailbox in ESM. Getting error "failed to commit the change on object "sid" because access is denied. mapiexceptionnoaccess: unable to set mailbox securitydescripter

Verify the Status of the AD account - Is it Enbled ?Satheshwaran Manoharan | Exchange 2003/2007/2010 | Blog:http://www.careexchange.in | Please mark it as an answer if it really helps you

Verify the Status of the AD account - Is it Enbled ? Satheshwaran Manoharan | Exchange 2003/2007/2010 | Blog:http://www.careexchange.in | Please mark it as an answer if it really helps you YES

Can you go to the AD account in ADUC, properties, security tab, advanced. Is inheretance checked? If not check it. If that doesnt work, try re-running set-mailbox user1 -applymandatoryproperties James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com

Can you go to the AD account in ADUC, properties, security tab, advanced. Is inheretance checked? If not check it. If that doesnt work, try re-running set-mailbox user1 -applymandatoryproperties James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com Yes inheritance is checked, am looking for the exact command you mentioned above and cannot find it, i do run in powershell right and user1 is the mailbox i need to set specific perms on? i am a recipioent administrator and a domain built in account operator and a local admin on the exchange server i am disabling the user on. Any other ideas?

Make sure you are launching exchange powershell and not just regular powershell than run set-mailbox user1 -applymandatoryproperties [enter] Then try your task again.James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com

Are you using the EMC or ESM to do this?Sukh

@jamestechman did it no difference @sukh828 ESM

Hi Its coming for single user or all users and also check its group of users belong to particular OU. If its fort particular user or particular OU.. Check the permission of that Object in AD.. thanks

i have checked perms on the ou ya know microsoft they dont provide a great way to dump acls on all objects nicely unless you come up with one that can dump exchange recipient administrators, it is all users

I have a feeling the account you're using or the groups that your account is in is missing the "administer information store" right. I would try this for grins, open adsiedit, configuration, services, drill down to databases. Highlight the database this user is in, right click properties, security tab, advanced tab. Double click your user account and check administer information store. Then try disabling the account again.James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com

So we are talking 2003 here. Can you create a new account and test? Or is this issue only with the account you're trying? If only account, then it very likely it's missing permission.Sukh

i have granted my account create \ delete infomation store objects permissions and still get access denied error. With regards to creating new account i get a error as well.

We are talking about Exchange 2003 here?Sukh

Can you check if inheritence is checked via adsiedit not ADUC. start, run type adsiedit expand domain, expand the ou the user is in, find the user, right click properties security tab, advanced.James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com

exchange 2007 sp3 throughout org inheritance is checked on all users

Maybe try running the setup /prepareAD again to try to reset the necessary Exchange perms again. Doesn't harm to re-run. James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com

Can you try EMC rather than ESM.Sukh

if i remember right i need to mount the burned exchange sp3 cd and run that setup /prepareAD from it right? i did this way back when we implimented exchange 2007 but not since. i hope it doesnt break anything. what would i run in the EMC?

I am confused as to if you have Exchange 2003 and/or 2007. Is this a pure Exch 2007 deployment? If yes then I would use the Exchange Management Console (EMC) to perform this task, not Exchange Systems Manager (ESM)Sukh

We are 100% exchange 2007 env. Regardless of what console we use exchange recipient administrators should work. Sounds like there are no clear answers to this issue. I have a case open with Msft engineers holding my breathe.