Finding Active Directory objects with Inheritance Disabled

From time to time, an issue that crops up during Exchange or Office 365 migrations is the dreaded "insufficient access rights:"

It's commonly manifested like this (though I have seen it displayed other ways as well):

Warning: Unable to update Active Directory information for the source mailbox at the end of the move. Error details: An error occurred while updating a user object after the move operation.
--> Active Directory operation failed on casserver.domain.com. This error is not retriable. Additional information: Insufficient access rights to perform the operation.
Active directory response: 00002098: SecErr: DSID-03150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
--> The user has insufficient access rights.

Ugh. Your migration service account is a member of Org Admins, Recipient Admins, Domain Admins ... What can the problem be?

As it turns out, this is *frequently* an error regarding permissions inheritance.  Permissions inheritance problems have caused more than one migration to fail in my career.  While permissions inheritance can be disabled due to a variety of things, the two biggest sources I've seen are:

In either case, Exchange Server expects a particular permission (one that is normally granted high in the domain and inherited down to the object) to be present on the user object. When inheritance is disabled, the inherited ACE never reaches the object, and Exchange is unable to update it after the migration.

I've put together a script to help proactively identify objects with permissions inheritance disabled (and re-enable it, if desired). If an object is protected by AdminSDHolder, that will be noted in the output. Objects protected by AdminSDHolder will have their ACL reset, and inheritance disabled again, the next time SDProp runs, so be sure to check this column of the log file to see whether your object falls into that category. If it does, check whether the account is a member of a protected group. If it's no longer a member of one, clear the adminCount attribute on the user object and then re-run the script (or manually re-enable permissions inheritance); until adminCount is cleared, the object still looks like a protected one.
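As an added illustration of the approach (this is an example written for this page, not the TN Gallery script linked below), the PowerShell below reports objects whose security descriptor has inheritance disabled, flags the ones that SDProp will keep resetting because they are in the transitive membership of a protected group, and with -Fix re-enables inheritance on the rest. It goes slightly beyond the post by taking an -ObjectClass parameter so that users, groups or computers can be checked. It assumes the RSAT ActiveDirectory module, a caller with rights to read and write object ACLs, and that groups stamped adminCount=1 are the protected groups (true in a domain SDProp has been running in); the parameter names and the CSV log layout are this example's own choices.

```powershell
<#
  Example script (not the TN Gallery script referenced in the post).
  Finds AD objects with inheritance disabled, marks those protected by
  AdminSDHolder/SDProp, and optionally re-enables inheritance on the others.
  Assumes: RSAT ActiveDirectory module; rights to read/write nTSecurityDescriptor.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [ValidateSet('user', 'group', 'computer')]
    [string[]]$ObjectClass = @('user'),
    [string]$SearchBase,
    [string]$LogPath = "$env:TEMP\BrokenInheritance-$(Get-Date -Format yyyyMMdd-HHmmss).csv",
    [switch]$Fix
)

Import-Module ActiveDirectory -ErrorAction Stop
if (-not $SearchBase) { $SearchBase = (Get-ADDomain).DistinguishedName }

# LDAP filters per class. user objects are matched by objectCategory=person
# (the defaultObjectCategory of the user class) plus objectClass=user.
$classFilter = @{
    user     = '(&(objectCategory=person)(objectClass=user))'
    group    = '(objectCategory=group)'
    computer = '(objectCategory=computer)'
}

# Principals SDProp currently protects: the transitive membership of every
# group stamped adminCount=1 (protected groups and groups nested in them).
# LDAP_MATCHING_RULE_IN_CHAIN resolves nested membership server-side.
$protectedMembers = New-Object 'System.Collections.Generic.HashSet[string]' ([StringComparer]::OrdinalIgnoreCase)
foreach ($g in (Get-ADGroup -LDAPFilter '(adminCount=1)' -SearchBase $SearchBase)) {
    $members = Get-ADObject -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$($g.DistinguishedName))" -SearchBase $SearchBase
    foreach ($m in $members) { [void]$protectedMembers.Add($m.DistinguishedName) }
}

$results = @()
foreach ($class in $ObjectClass) {
    $objects = Get-ADObject -LDAPFilter $classFilter[$class] -SearchBase $SearchBase `
        -Properties nTSecurityDescriptor, adminCount

    foreach ($obj in $objects) {
        # AreAccessRulesProtected is the "disable inheritance" bit on the DACL
        if (-not $obj.nTSecurityDescriptor.AreAccessRulesProtected) { continue }

        $dn = $obj.DistinguishedName
        $inProtectedGroup = $protectedMembers.Contains($dn)
        $record = [pscustomobject]@{
            DistinguishedName = $dn
            ObjectClass       = $class
            AdminCount        = $obj.adminCount
            InProtectedGroup  = $inProtectedGroup
            Action            = 'Reported'
        }

        if ($Fix) {
            if ($inProtectedGroup) {
                # SDProp would re-apply the AdminSDHolder ACL and disable
                # inheritance again on its next pass, so do not touch it.
                $record.Action = 'Skipped (AdminSDHolder protected)'
            }
            elseif ($PSCmdlet.ShouldProcess($dn, 'Enable permissions inheritance')) {
                $acl = Get-Acl -Path "AD:\$dn"
                # isProtected=$false re-enables inheritance;
                # preserveInheritance=$true keeps the ACEs already on the object.
                $acl.SetAccessRuleProtection($false, $true)
                Set-Acl -Path "AD:\$dn" -AclObject $acl
                if ($obj.adminCount -eq 1) {
                    # Stale marker from a former protected-group membership;
                    # clear it so the object no longer looks protected.
                    Set-ADObject -Identity $dn -Clear adminCount
                }
                $record.Action = 'Inheritance enabled'
            }
        }
        $results += $record
    }
}

$results | Export-Csv -Path $LogPath -NoTypeInformation
$results | Format-Table -AutoSize
Write-Host "Log written to $LogPath"
```

Run it without -Fix first and review the InProtectedGroup column of the CSV: anything marked True will be reset by SDProp no matter what you do to its ACL, and is only fixable by removing the principal from the protected group (or accepting that Exchange needs an explicit ACE on it). Use -Fix -WhatIf to see what would be changed before committing.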

Skip over to the TN Gallery to download the script.

https://gallery.technet.microsoft.com/Find-and-Fix-Broken-Object-5ae18ab1

Comments

  • Anonymous
    December 03, 2015
    thanks
    very helpful
  • Anonymous
    September 22, 2016
    Thanks a lot.
  • Anonymous
    November 28, 2017
    Is there a way to only get groups with disabled inheritance and not users?
    • Anonymous
      January 30, 2018
      The easiest way is do a find/replace in the script for objectclass=user and objectcategory=user and replace with group.