Find and Fix Broken AD Object Inheritance

5/5 - (1 vote)

A few years back, I created a script for a customer to help find broken AD object inheritance during an Exchange migration.  I then created a blog post to go through it.

However, time has marched on and the TechNet Gallery fell off the face of the earth, and I needed to update this.  I’ve still got some updates to do in it to finish it off, but it’s at least back to where it was when I originally released it.

This script helps you identify broken permissions inheritance and, optionally attempt to resolve it (permanently, in some cases, while temporarily in others).  Here’s a snippet from the original post:

It’s commonly manifested like this (though I have seen it displayed other ways as well):

Warning: Unable to update Active Directory information for the source mailbox at the end of the move. Error details: An error occurred while updating a user object after the move operation.
–> Active Directory operation failed on This error is not retriable. Additional information: Insufficient access rights to perform the operation.
Active directory response: 00002098: SecErr: DSID-03150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
–> The user has insufficient access rights.

Ugh. Your migration service account is a member of Org Admins, Recipient Admins, Domain Admins … What can the problem be?

As it turns out, this is *frequently* an error regarding permissions inheritance.  Permissions inheritance problems have caused more than one migration to fail in my career.  While permissions inheritance can be disabled due to a variety of things, the two biggest sources I’ve seen are:

In either case, Exchange Sever is expecting a particular permission to be present, and when it’s not, it is unable to update the user object after a migration.

I’ve put together a script to help proactively identify (and re-enable, if desired) permissions inheritance. If an object is protected by adminSDHolder, it will be noted in the output.  Objects protected by adminSDHolder will be reset when SDProp runs again, so be sure to check this column of the log file to see if your object falls into that category.  You’ll want to check to see if the account is a member of a protected group.  If it’s not a member of one (any more), you’ll want to clear the adminCount attribute on the user object and re-run the script or manually reset the permissions inheritance.

You can pick up this script at the PowerShell Gallery ( or by running:

 Install-Script -Name Fix-BrokenInheritance

Published by Aaron Guilmette

Helping companies conquer inferior technology since 1997. I spend my time developing and implementing technology solutions so people can spend less time with technology. Specialties: Active Directory and Exchange consulting and deployment, Virtualization, Disaster Recovery, Office 365, datacenter migration/consolidation, cheese.

Leave a Reply Cancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Exit mobile version