Zero Hour Sleep
7Dec/0917

Cannot move mailboxes: INSUFF_ACCESS_RIGHTS error

When moving mailboxes from Exchange 2003 to Exchange 2007 or Exchaneg 2010 either from Exchange Management Console or Powershell using the move-mailbox or new-moverequest cmdlets the move operation might fail with the following error.

Active Directory operation failed on server.domain.com. This error is not retriable. Additional information:
Insufficient access rights to perform the operation.
Active directory response: 00002098: SecErr: DSID-03150A45, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
+ CategoryInfo : NotSpecified: (0:Int32) [New-MoveRequest], ADOperationException
+ FullyQualifiedErrorId : 6C39B6E8,Microsoft.Exchange.Management.RecipientTasks.NewMoveRequest

At first sight it looks like the user initiating the move mailbox doesn't have enough rights to perform this operation, however that user can move other mailboxes just fine.

Here is how to solve the issue

  1. Open Active Directory Users and Computers
  2. From the View menu select "Advanced Features"

  3. Find the user causing the problem and right click properties
  4. Go to the Security Tab
  5. Then Click on Advanced
  6. Check the "Include Inheritable permissions from object's parent"

  7. Issue the move mailbox operation again that should solve it
Cannot Move Mailboxes from Exchange 2003 to 2007/2010

Enjoyed the post, what is next?

Grab our FULL RSS feed! or Email Updates then share it

About Antoine Khater

I have been working in IT consultancy and solution integration since 1998 and I consider myself lucky to be, one in a few, making a living out of my passion. I am also member of the famous Experts Exchange (profile here) online community where I try my best to share what I have learned along the road.
Tagged as: , , , , Leave a comment
  • syed

    that was a good post and helped! thanks

  • http://whygoogle.me/ akhater

    Glad to know it was of help

  • Wes

    Fixed my issue as well thanks for the helpful information.

  • http://whygoogle.me/ akhater

    Thank you for taking the time to drop a line

  • cj

    It's also worth checking parent OU's for this setting also if above doesn't work.

  • Jpanos

    Great post .. would have never found that..

  • http://whygoogle.me/ akhater

    Glad I was of help

  • Alex Oosterom

    Thank you very much! It did work

  • http://whygoogle.me/ akhater

    Great to know ! thanks for the feedback

  • A. Friend

    thanks! saved my life!

  • Rhu

    This is OK, if you only have a view Mailboxes, but how can this be applyed, if you have hundreds of Accounts?

  • Trip

    thank you, saved me alot of time =)

  • Chelie

    Thank-You this was driving me insane in the membrane today

  • Thank you

    Cheers, saved me a lot of hassle!

  • Ekhoury2000

    Can you help here?

    10/7/2011
    1:00:55 PM [Server-Name] Fatal error UpdateMovedMailboxPermanentException has
    occurred.
    Error
    details: An error occurred while updating a user object after the move
    operation. –> Active Directory operation failed on “Domain Controller Name”.
    This error is not retriable. Additional information: The attribute value cannot
    be removed because it is not present on the object.
    Active
    directory response: 00002085: AtrErr: DSID-031521B3, #1:
    0:
    00002085: DSID-031521B3, problem 1001 (NO_ATTRIBUTE_OR_VAL), data 0, Att 200d2
    (proxyAddresses):len 100
    –> The
    requested attribute does not exist.
    at
    Microsoft.Exchange.MailboxReplicationService.LocalMailbox.Microsoft.Exchange.MailboxReplicationService.IMailbox.UpdateMovedMailbox(UpdateMovedMailboxOperation
    op, ADUser remoteRecipientData, String domainController, ReportEntry[]&
    entries, Guid newDatabaseGuid, Guid newArchiveDatabaseGuid, String
    archiveDomain, ArchiveStatusFlags archiveStatus)
    at
    Microsoft.Exchange.MailboxReplicationService.MailboxWrapper.c__DisplayClass3c.b__3b()
    at
    Microsoft.Exchange.MailboxReplicationService.ExecutionContext.Execute(GenericCallDelegate
    operation)
    at
    Microsoft.Exchange.MailboxReplicationService.MailboxWrapper.Microsoft.Exchange.MailboxReplicationService.IMailbox.UpdateMovedMailbox(UpdateMovedMailboxOperation
    op, ADUser remoteRecipientData, String domainController, ReportEntry[]&
    entries, Guid newDatabaseGuid, Guid newArchiveDatabaseGuid, String
    archiveDomain, ArchiveStatusFlags archiveStatus)
    at
    Microsoft.Exchange.MailboxReplicationService.LocalMoveJob.UpdateMovedMailbox()
    at
    Microsoft.Exchange.MailboxReplicationService.MoveBaseJob.UpdateAD(Object[]
    wiParams)
    at
    Microsoft.Exchange.MailboxReplicationService.CommonUtils.CatchKnownExceptions(GenericCallDelegate
    del, FailureDelegate failureDelegate)
    Error
    context: ——–
    Operation:
    IMailbox.UpdateMovedMailbox
    OperationSide:
    Target
    Primary
    (a77ad2aa-713b-4439-89bb-7ae4c5210c91)
    10/7/2011
    1:00:56 PM [Server-Name] Relinquishing job.

  • Ekhoury2000

    ——————————————————–

    Microsoft
    Exchange Error

    ——————————————————–

    The
    following error(s) occurred while saving changes:

    Set-Mailbox

    Failed

    Error:

    Active
    Directory operation failed on “Domain Controller”. This error is not
    retriable. Additional information: The attribute value cannot be removed because
    it is not present on the object.

    Active
    directory response: 00002085: AtrErr: DSID-031521B3, #1:

    0:
    00002085: DSID-031521B3, problem 1001 (NO_ATTRIBUTE_OR_VAL), data 0, Att 200d2
    (proxyAddresses):len 94

    The
    requested attribute does not exist.

    ——————————————————–

    OK

    ——————————————————–

  • Thankfull

    hi5! was certainly not looking there for permissions!
    Cheers

« Managing spaces in AddReplicaToPFRecursive.ps1 script Managing certificates in Exchange 2010 »

Latest Tweets

Follow @ZeroHourSleep (115 followers)

Recent Posts

Archives

Categories

Content Twitter

RSS Feed

RSS by email