Finding Active Directory objects with Inheritance Disabled

From time to time, an issue that crops up during Exchange or Office 365 migrations is the dreaded “insufficient access rights:”

It’s commonly manifested like this (though I have seen it displayed other ways as well):

Warning: Unable to update Active Directory information for the source mailbox at the end of the move. Error details: An error occurred while updating a user object after the move operation.
–> Active Directory operation failed on This error is not retriable. Additional information: Insufficient access rights to perform the operation.

Active directory response: 00002098: SecErr: DSID-03150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
–> The user has insufficient access rights.

Ugh. Your migration service account is a member of Org Admins, Recipient Admins, Domain Admins … What can the problem be?

As it turns out, this is *frequently* an error caused by disabled permissions inheritance on the user object.  Permissions inheritance problems have caused more than one migration to fail in my career.  While permissions inheritance can be disabled for a variety of reasons, the two biggest sources I’ve seen are:

In either case, Exchange Server expects a particular inherited permission to be present on the object, and when it isn’t, the move completes but Exchange is unable to update the user object afterwards.

I’ve put together a script to help proactively identify (and re-enable, if desired) permissions inheritance. If an object is protected by adminSDHolder, it will be noted in the output.  Objects protected by adminSDHolder (those stamped with adminCount=1 because they are, or once were, members of a protected group such as Domain Admins or Account Operators) will have their ACL reset and inheritance disabled again the next time SDProp runs (every 60 minutes by default), so re-enabling inheritance on them is pointless.  Be sure to check this column of the log file to see if your object falls into that category, and then check whether the account is still a member of a protected group.  If it isn’t a member of one (any more), SDProp will not clear adminCount for you: clear the adminCount attribute on the user object yourself, then re-run the script or manually reset the permissions inheritance.
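The following is an added example of the check described above; it is not the script linked from this post, and the parameter names (-ObjectClass, -SearchBase, -Fix, -LogPath) are this example’s own. It assumes the RSAT ActiveDirectory module is installed and that the account running it can read nTSecurityDescriptor on the objects it inspects (and write it, when -Fix is used). Following the reader comment below, it also generalizes beyond user objects to groups and computers via -ObjectClass.

```powershell
# Added example (not the script the post links to). Reports objects whose security descriptor
# has inheritance disabled, flags the ones SDProp will keep resetting (adminCount=1), and
# optionally re-enables inheritance on the rest.
# Assumed: RSAT ActiveDirectory module; rights to read (and, with -Fix, write) nTSecurityDescriptor.
param(
    [ValidateSet('user','group','computer')]
    [string]$ObjectClass = 'user',
    [string]$SearchBase,                          # e.g. 'OU=Mailboxes,DC=contoso,DC=com'; default is the whole domain
    [switch]$Fix,                                 # re-enable inheritance where SDProp will not undo it
    [string]$LogPath = '.\InheritanceReport.csv'
)

Import-Module ActiveDirectory -ErrorAction Stop

# objectClass=user alone also matches computer accounts (computer derives from user),
# so the user filter is narrowed with objectCategory=person.
$filters = @{
    user     = '(&(objectClass=user)(objectCategory=person))'
    group    = '(objectClass=group)'
    computer = '(objectClass=computer)'
}

$query = @{
    LDAPFilter = $filters[$ObjectClass]
    Properties = 'nTSecurityDescriptor', 'adminCount'
}
if ($SearchBase) { $query.SearchBase = $SearchBase }

$report = foreach ($obj in Get-ADObject @query) {
    $acl = $obj.nTSecurityDescriptor                    # System.DirectoryServices.ActiveDirectorySecurity
    if (-not $acl.AreAccessRulesProtected) { continue } # inheritance is enabled: nothing to report

    # adminCount=1 means SDProp has stamped this object from adminSDHolder and will re-protect it
    # on its next cycle (hourly by default), so fixing it here would only be undone.
    $sdHolderProtected = ($obj.adminCount -eq 1)
    $action = 'Reported'

    if ($Fix) {
        if ($sdHolderProtected) {
            $action = 'SkippedAdminSDHolder'
        }
        else {
            # First argument $false turns protection off (inheritance on);
            # the second argument only matters when protection is being turned on.
            $acl.SetAccessRuleProtection($false, $false)
            Set-Acl -Path "AD:\$($obj.DistinguishedName)" -AclObject $acl
            $action = 'InheritanceEnabled'
        }
    }

    [pscustomobject]@{
        DistinguishedName      = $obj.DistinguishedName
        ObjectClass            = $obj.ObjectClass
        AdminCount             = $obj.adminCount
        AdminSDHolderProtected = $sdHolderProtected
        Action                 = $action
    }
}

$report | Export-Csv -Path $LogPath -NoTypeInformation
$report | Format-Table -AutoSize
```

Run it once without -Fix to get the report, review the AdminSDHolderProtected column, and only then run with -Fix. For an object flagged as protected that is no longer in any protected group, clear the stamp with `Set-ADObject -Identity <DN> -Clear adminCount` and re-run with -Fix; if it is still a member of a protected group, either take it out of that group or accept that inheritance will stay disabled.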

Skip over to the TN Gallery to download the script.

Reader Comments

    1. The easiest way is to do a find/replace in the script for objectclass=user and objectcategory=user and replace with group.
