This article is a consolidation of the following previously available articles: 261185, 296123, 297124, 317654, 328223, 328675
RESOLUTION
Scenario 1: The name or logon of the Administrator account, or of a member of a built-in Active Directory administrative group, does not resolve
This behavior may occur with the Administrator account and with users or groups that are members of the following Active Directory security groups:
- Schema Admins
- Domain Admins
- Enterprise Admins
The following event may appear in the Event Viewer Application log:
Event Type: Warning
Event Source: MSExchangeAL
Event Category: Replication
Event ID: 8315
Description:
The service could not update the entry 'CN=UserName,CN=Users,DC=domain,DC=com' because inheritable permissions are not propagated to this object. The inheritable permissions may be disabled because the object belongs to a Windows 2000 administrative group or the inheritable permissions were disabled explicitly by an administrator. DC=ServerDC1,DC=domain,DC=com.
Cause
The Administrator account and the accounts that are members of the Active Directory security groups that are listed do not have the Allow inheritable permissions from parent to propagate to this object check box selected. This check box is located on the Security tab for the user or group object. This tab is displayed when Advanced Features is enabled on the Active Directory Users and Computers management console. If you select this check box, a Microsoft Windows system task clears the check box automatically. That task is the AdminSDHolder process: it runs on the domain controller that holds the PDC emulator role, sets the adminCount attribute of each protected account to 1, and replaces the account's security descriptor with the one on the CN=AdminSDHolder,CN=System container of the domain, so inheritance stays disabled.
This behavior is by design. This system task prevents security issues that stem from "elevation of privilege" attacks. For example, Group X is a member of the Domain Admins security group. If the Access Control List (ACL) on Group X indicates that Group Y can modify the Group X object, members of Group Y can make themselves members of Group X. Transitively, they become members of the Domain Admins security group. We recommend that you do not use accounts with administrative permissions to perform mailbox-related tasks.
Resolution
To access mailboxes or perform mailbox-related tasks, use Active Directory accounts that do not have administrative permissions. Do not try to work around the protection by clearing adminCount on the account or by editing the permissions of the AdminSDHolder object: the first is undone the next time the system task runs, and the second extends whatever rights you grant to every protected account in the domain.
Scenario 2: Inheritable permissions from parent are not propagated to object
The Recipient Update Service does not have the necessary permissions to an Active Directory organizational unit that accounts reside in. The following events may appear in the Event Viewer Application log:
Event Type: Warning
Event Source: MSExchangeAL
Event Category: Replication
Event ID: 8315
Description:
The service could not update the entry 'CN=UserNameB,CN=CustomOrgUnit,DC=domain,DC=com' because inheritable permissions are not propagated to this object. The inheritable permissions may be disabled because the object belongs to a Windows 2000 administrative group or the inheritable permissions were disabled explicitly by an administrator. DC=ServerDC1,DC=domain,DC=com.
Event Type: Error
Event Source: MSExchangeAL
Event Category: LDAP Operations
Event ID: 8270
Description:
LDAP returned the error [32] Insufficient Rights when importing the transaction dn: <GUID=1631A14EC051DF4C87260F7AE8212AE6> changetype: Modify
showInAddressBook:add:CN=All Users,CN=All Address Lists,CN=Address Lists Container,CN=<Exchange_Organization_Name> ...
: CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists
mail:User_Name@domain.com
textEncodedORAddress:c=us;a= ;p=Org;o=Site;s=LastName;g=FirstName;
proxyAddresses:SMTP:UserNameB@domain.com : X400:c=us;a= ;p=Org;o=Site;s=LastName;g=FirstName; : smtp:UserNameB@domain.com
msExchPoliciesIncluded:add:{D1D8C0C6-D450-4CD7-8F35-1F5A42C49C1C},{26491CFC-9E50-4857-861B-0CB8DF22B5D7}
msExchUserAccountControl:0
msExchALObjectVersion:52
objectGUID:1631A14EC051DF4C87260F7AE8212AE6
-
DC=domain,DC=com
Event Type: Error
Event Source: MSExchangeAL
Event Category: LDAP Operations
Event ID: 8022
Description:
LDAP Modify on directory .domain.com for entry '<GUID=1631A14EC051DF4C87260F7AE8212AE6>' was unsuccessful with error:[0x32] Insufficient Rights [ 00002098: SecErr: DSID-03150646, problem 4003
(INSUFF_ACCESS_RIGHTS), data 0
].
DC=domain,DC=com
If you enable the MSExchangeAL diagnostic logging, you may see the following event in the Event Viewer Application log:
Event Type: Warning
Event Source: MSExchangeAL
Event Category: Replication
Event ID: 8316
Description:
The service could not update the entry 'CN=UserNameB,CN=CustomOrgUnit,DC=domain,DC=com' because inheritable permissions have been explicitly disabled to all objects in the container 'OU=CustomOrgUnit,DC=domain,DC=com'. For this object to be mail-enabled properly, you will need to enable inheritable permissions on the security tab for this container so that the permissions can be propagated correctly to the entry that the service is trying to process.
Cause
This behavior may occur if you cleared the Allow inheritable permissions from parent to propagate to this object check box on the Active Directory organizational unit that the accounts reside in.
Resolution
Use either the Active Directory Users and Computers management console or Active Directory Service Interfaces (ADSI) Edit to re-establish inheritable permissions on the organizational unit. Note that re-enabling inheritance restores every inherited permission from the parent, not only the Exchange permissions; if inheritance was disabled on purpose to restrict a delegated organizational unit, review the resulting permissions after you make the change.
In Active Directory Users and Computers
- In Active Directory Users and Computers, on the View menu, click Advanced Features.
- Right-click the container or organizational unit that contains the users who are not being stamped by the Recipient Update Service, and then click Properties.
- On the Security tab, verify that the Allow inheritable permissions from parent to propagate to this object check box is selected. This option adds Exchange Enterprise Servers to the list of accounts that have rights to that object, because the group's permissions are granted at the domain level and reach the object only through inheritance.
- Verify that this box is selected at the container level and also in the user properties. To select the properties for individual users, right-click the user, click Properties, and then click the Security tab.
In ADSI Edit
Warning If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP version 3 client and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems that require that you reinstall Microsoft Windows and Microsoft Exchange. Microsoft cannot guarantee that problems resulting from the incorrect modification of Active Directory object attributes can be solved. Modify these attributes at your own risk.
- Click Start, point to Programs, point to Windows 2000 Support Tools, and then click ADSI Edit.
- In ADSI Edit, expand the domain tree, and then expand the organizational unit or container in which the user that is not getting stamped resides.
- Right-click the container or organizational unit, and then click Properties.
- On the Security tab, verify that the Allow inheritable permissions from parent to propagate to this object check box is selected. This option adds Exchange Enterprise Servers to the list of accounts that have rights to that object.
- Verify that this box is selected on all the individual users within that container. If the Exchange Enterprise Servers group does not have the correct rights, the Recipient Update Service will not stamp the mailboxes. To select the properties of the individual users, right-click the user, click Properties, and then click the Security tab.
- Open the Exchange System Manager (ESM), expand Recipients, and then click Recipient Update Service.
- Right-click the Recipient Update Service for the domain where these users are located, and then click Update Now. The Recipient Update Service should now have sufficient rights to stamp these objects.
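The check that the two procedures above perform by hand (and the check behind Scenario 1, where the blocked object is the account itself) can be done for a whole container at once. The following PowerShell script is an added example and is not part of the original article or of Exchange; it uses the .NET System.DirectoryServices classes that ship with Windows, so it does not need the Exchange tools or the Active Directory module. It assumes a domain-joined Windows host, an account that can read the security descriptors of the objects, and the placeholder distinguished name OU=CustomOrgUnit,DC=domain,DC=com taken from the 8316 event; the function names are this example's own.

```powershell
# Added example, not code from the original article: report objects whose
# inheritance is blocked (the cause of MSExchangeAL 8315/8316) and whether the
# Exchange Enterprise Servers group reaches them through inherited ACEs.
Add-Type -AssemblyName System.DirectoryServices

function Get-InheritanceState {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $entry = [ADSI]("LDAP://" + $DistinguishedName)
    $sd    = $entry.ObjectSecurity   # System.DirectoryServices.ActiveDirectorySecurity

    # All ACEs (explicit and inherited) that name the Exchange Enterprise Servers
    # group. On a correctly inheriting object they come from the domain root with
    # IsInherited set to $true.
    $exchangeAces = @($sd.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Where-Object { $_.IdentityReference.Value -like '*\Exchange Enterprise Servers' })

    [pscustomobject]@{
        DistinguishedName     = $DistinguishedName
        # $true means the "Allow inheritable permissions from parent ..." box is cleared
        InheritanceBlocked    = $sd.AreAccessRulesProtected
        # 1 means the AdminSDHolder process protects this object (Scenario 1)
        AdminCount            = $entry.Properties['adminCount'].Value
        ExchangeServersAces   = $exchangeAces.Count
        InheritedExchangeAces = @($exchangeAces | Where-Object { $_.IsInherited }).Count
    }
}

function Get-InheritanceReport {
    param([Parameter(Mandatory)][string]$ContainerDN)

    # The container itself first (Scenario 2), then every user object under it.
    $rows = @(Get-InheritanceState -DistinguishedName $ContainerDN)

    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]("LDAP://" + $ContainerDN))
    $searcher.Filter      = '(&(objectCategory=person)(objectClass=user))'
    $searcher.SearchScope = 'Subtree'
    $searcher.PageSize    = 1000     # paged search so large OUs are not truncated
    $null = $searcher.PropertiesToLoad.Add('distinguishedName')

    foreach ($result in $searcher.FindAll()) {
        $rows += Get-InheritanceState -DistinguishedName $result.Properties['distinguishedname'][0]
    }
    $rows
}

# Usage: the container DN is an assumed placeholder; use the one named in your 8316 event.
Get-InheritanceReport -ContainerDN 'OU=CustomOrgUnit,DC=domain,DC=com' |
    Where-Object { $_.InheritanceBlocked -or $_.InheritedExchangeAces -eq 0 } |
    Format-Table -AutoSize
```

A row with InheritanceBlocked set to $true and AdminCount of 1 is Scenario 1 and should be left alone; a row with InheritanceBlocked set to $true and no adminCount is the explicit block that Scenario 2 describes; a row that inherits but still shows zero Exchange Enterprise Servers ACEs points at the domain-level permissions covered in Scenario 3.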
Scenario 3: Exchange Enterprise Servers group is missing required permissions
The Exchange Enterprise Servers group may not have the required permissions at the domain level. The Event Viewer Application log may show the following events:
Event Type: Warning
Event Source: MSExchangeAL
Event Category: Replication
Event ID: 8317
Description:
The service could not update the entry 'CN=UserName,CN=Users,DC=domain,DC=com' because inheritable permissions may not have propagated completely down to this object yet. The inheritance time may vary depending on the number of Active Directory objects within the domain and also the load of your domain controllers. To correct this problem, verify that the Exchange permissions have been propagated to this object and then force a rebuild for the Recipient Update Service on this domain.
DC=domain,DC=com
Event Type: Error
Event Source: MSExchangeAL
Event Category: LDAP Operations
Event ID: 8270
Description:
LDAP returned the error [10000001] Local Error when importing the transaction dn: <GUID=1631A14EC051DF4C87260F7AE8212AE6> changetype: Modify
showInAddressBook:add:CN=All Users,CN=All Address Lists,CN=Address Lists Container,CN=<Exchange_Organization_Name> ...
: CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists
mail:User_Name@domain.com
textEncodedORAddress:c=us;a= ;p=Org;o=Site;s=LastName;g=FirstName;
msExchPoliciesIncluded:add:{D1D8C0C6-D450-4CD7-8F35-1F5A42C49C1C},{26491CFC-9E50-4857-861B-0CB8DF22B5D7}
msExchUserAccountControl:0
msExchALObjectVersion:52
objectGUID:1631A14EC051DF4C87260F7AE8212AE6
-
DC=domain,DC=com
Cause
The permissions were modified or removed, typically by an administrator who did not realize how the change would affect Microsoft Exchange and the Recipient Update Service.
Resolution
To verify whether the permissions for the Exchange Enterprise Servers group are missing at the domain level, follow these steps:
- Click Start, point to Programs, point to Microsoft Exchange, and then click Active Directory Users and Computers.
- On the View menu, click Advanced Features.
- Right-click the domain, and then click Properties.
- Click the Security tab, and then click Advanced.
There are several permissions for the Exchange Enterprise Servers group at the domain level. These permissions include four write permissions. If some of the write permissions are missing, it is very likely that the MSExchangeAL 8270 and 8317 events that were discussed earlier will be logged in the Event Viewer Application log. If all the write permissions are missing, there may not be any errors logged.
To reset the permissions for the Exchange Enterprise Servers group if they are missing, follow these steps:
- Insert your Exchange 2000 Server or Exchange Server 2003 CD-ROM into the CD drive.
- Click Start, click Run, type <drive>:\I386\Setup.exe /domainprep in the Open box, and then press ENTER. <drive> refers to the drive letter of your CD drive. When you run Setup with the /domainprep switch, you restore the default permissions for the Exchange Enterprise Servers group. Run it with an account that is a member of Domain Admins in the domain that you are preparing; it rewrites the domain-level permissions, so review any custom domain-level permissions afterwards.
- To rebuild the Recipient Update Services, follow these steps:
  - Click Start, point to Programs, point to Microsoft Exchange, and then click Exchange System Manager.
  - Double-click Recipients, and then click Recipient Update Services.
  - Right-click each Recipient Update Service listed in the right pane, and then click Rebuild.
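Rather than reading the Advanced security dialog on the domain object, the explicit ACEs that the Exchange Enterprise Servers group holds on the domain naming context can be listed directly, so you can see whether any write permissions survive before deciding to re-run Setup /domainprep. The script below is an added example, not code from the original article or from Exchange Setup; it assumes a domain-joined Windows host and an account that can read the domain object's security descriptor, and it resolves the domain from RootDSE. The function name and the IsWrite classification (WriteProperty, WriteDacl, WriteOwner or GenericWrite) are this example's own; the article does not say which four write permissions DomainPrep grants, so the output should be compared with a healthy domain rather than with a fixed list.

```powershell
# Added example, not code from the original article: list the explicit ACEs that
# Exchange Enterprise Servers holds on the domain root (what DomainPrep creates).
function Get-ExchangeEnterpriseServersDomainAces {
    param(
        # Defaults to the current domain's naming context, e.g. DC=domain,DC=com
        [string]$DomainDN  = ([ADSI]'LDAP://RootDSE').defaultNamingContext,
        [string]$GroupName = 'Exchange Enterprise Servers'
    )

    $domain = [ADSI]("LDAP://" + $DomainDN)
    $sd     = $domain.ObjectSecurity

    # Explicit ACEs only ($true, $false): DomainPrep sets them on the domain root
    # itself, and the domain root inherits nothing that matters here.
    $writeMask = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
                 [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl -bor
                 [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner -bor
                 [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite

    $sd.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) |
        Where-Object { $_.IdentityReference.Value -like ("*\" + $GroupName) } |
        ForEach-Object {
            [pscustomobject]@{
                Type        = $_.AccessControlType
                Rights      = $_.ActiveDirectoryRights
                # All-zero GUID: ACE covers every attribute/object; otherwise it is
                # scoped to one attribute, property set or object class.
                ObjectType  = $_.ObjectType
                Inheritance = $_.InheritanceType
                IsWrite     = (($_.ActiveDirectoryRights -band $writeMask) -ne 0)
            }
        }
}

# Usage: print the ACEs and warn when the write permissions DomainPrep grants are gone.
$aces = @(Get-ExchangeEnterpriseServersDomainAces)
$aces | Format-Table -AutoSize
if ($aces.Count -eq 0) {
    Write-Warning 'No explicit ACEs for Exchange Enterprise Servers on the domain root: re-run Setup /domainprep.'
} elseif (-not ($aces | Where-Object { $_.IsWrite })) {
    Write-Warning 'Exchange Enterprise Servers has ACEs on the domain root but none grant write rights: re-run Setup /domainprep.'
}
```

Because the Recipient Update Service runs under the Exchange server's computer account and relies on Exchange Enterprise Servers membership for these rights, the same listing run against a domain where the service works gives you the baseline to compare against.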
Scenario 4: Group has the hideDLMembership attribute set to True
In this scenario, you may see the following event in the Event Viewer Application log:
Event Type: Warning
Event Source: MSExchangeAL
Event Category: Replication
Event ID: 8315
Description:
The service could not update the entry 'CN=UserName,CN=Users,DC=domain,DC=com' because inheritable permissions are not propagated to this object. The inheritable permissions may be disabled because the object belongs to a Windows 2000 administrative group or the inheritable permissions were disabled explicitly by an administrator. DC=ServerDC1,DC=domain,DC=com.
For information about this specific scenario, see the following article in the Microsoft Knowledge Base:
253828 How the Recipient Update Service Populates Address Lists