Have you seen this error yet?  If you haven’t, you will.  It is one of the most common errors in Exchange 2010 and can surface while performing a variety of functions.  I keep running into it, so I decided to write a post on it.  Most recently I saw it while trying to connect a disconnected mailbox to an existing AD user account.  I have seen the same error during the following functions (not a full list):

  • Reconnect mailbox
  • Move mailbox to another database    
  • Enable user for Unified Messaging
  • Creating an Outlook profile


Here is the exact message:

“Active Directory operation failed on SERVERNAME.  This error is not retriable.  Additional information: Insufficient access rights to perform the operation…..The user has insufficient access rights.”

(Screenshot: the error as shown during a mailbox reconnect)

And on a database move operation:

(Screenshot: the same error during a database move)

How can this be?  I am a Domain Administrator and an Exchange Organization Administrator.  How is it that I do not have the right access?  Well, it is not that you lack access to the object; it is that Exchange lacks access to the object.  Exchange 2010 makes these directory changes under its own identity (the Exchange Trusted Subsystem group) rather than yours, and that group gets its rights on user objects through permissions inherited from the domain and OU.  If inheritance is blocked on the user object, those rights never arrive, and the operation fails no matter which groups your own account is in.

So how do we solve this issue?  It is actually quite simple.  If we open AD Users and Computers and look at the object’s security, we will find that Exchange does not have the proper access.

After opening AD Users and Computers, make sure that “Advanced Features” is selected in the View menu.  This enables the Security tab on AD objects.

(Screenshot: enabling Advanced Features in AD Users and Computers)

Open the user’s AD object and select the Security tab.  This shows the current security configuration on the object.

(Screenshot: the Security tab and its Advanced button)

If we examine the list and compare it with a user that does work properly, we will notice that certain Exchange permissions (the entries for the Exchange Servers, Exchange Trusted Subsystem and Exchange Windows Permissions groups) are either missing or different.  To fix this, click the Advanced button.  Then select the check box that reads “Include inheritable permissions from this object’s parent”; on the broken object it will be cleared, and on the working one it will be ticked.

(Screenshot: Advanced Security Settings with the “Include inheritable permissions from this object’s parent” check box marked)

That’s it!  Exchange needs specific rights on the AD objects it manages, and if it doesn’t have them all sorts of issues will arise.  This check box needs to be ticked not only on the user object but also on the OU container that holds the object, since inheritance is blocked wherever the chain from the domain down to the user is broken.

One caveat before you close the dialog: the most common reason the box is cleared in the first place is that the user is (or once was) a member of a protected group such as Domain Admins or Account Operators.  For those accounts the SDProp process stamps adminCount=1, copies the ACL from the AdminSDHolder object and blocks inheritance again roughly every hour, so your fix will silently disappear.  If the account shows adminCount=1, remove it from the protected groups it no longer needs and clear the adminCount attribute, otherwise the error will be back by the next mailbox move.
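The same check and fix from PowerShell, as an added example that is not part of the original post.  It assumes the RSAT ActiveDirectory module (which provides the AD: drive), a placeholder account name, and that you run it as someone who can read and write the object’s security descriptor.  It reports whether inheritance is blocked, lists the Exchange permission entries so you can compare a broken user with a working one, walks up the parent OUs to find where the chain is broken, and with -Fix performs the equivalent of ticking the inheritance check box.

```powershell
# Added example, not from the original post.  Requires the ActiveDirectory module.
# Usage:  .\Test-ExchangeInheritance.ps1 -SamAccountName jsmith [-Fix]
param(
    [Parameter(Mandatory)] [string] $SamAccountName,   # placeholder: the broken user
    [switch] $Fix
)

Import-Module ActiveDirectory

$user = Get-ADUser -Identity $SamAccountName -Properties adminCount, distinguishedName
$dn   = $user.DistinguishedName

# Walk from the user object up through every parent container to the domain root.
# Inheritance blocked anywhere on this path keeps the Exchange rights from reaching the user.
$path = @()
$current = $dn
while ($current -match '^(?:CN|OU)=[^,]+,(.+)$') {
    $path += $current
    $current = $Matches[1]
}

foreach ($objectDn in $path) {
    $acl = Get-Acl -Path "AD:\$objectDn"
    $state = if ($acl.AreAccessRulesProtected) { 'BLOCKED' } else { 'inherits' }
    "{0,-9} {1}" -f $state, $objectDn
}

# The entries Exchange relies on, for comparison with a user that works.
$userAcl = Get-Acl -Path "AD:\$dn"
"`nExchange permission entries on $($user.SamAccountName):"
$userAcl.Access |
    Where-Object { $_.IdentityReference -like '*Exchange*' } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, IsInherited |
    Format-Table -AutoSize

"adminCount: $($user.adminCount)"

if ($Fix -and $userAcl.AreAccessRulesProtected) {
    # Same effect as ticking "Include inheritable permissions from this object's parent":
    # first argument $false = stop blocking inheritance, second $true = keep explicit entries.
    $userAcl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path "AD:\$dn" -AclObject $userAcl
    "Inheritance re-enabled on $dn"

    if ($user.adminCount -eq 1) {
        Write-Warning ("adminCount=1: SDProp will block inheritance again within about an hour. " +
                       "Remove the account from protected groups and run " +
                       "Set-ADUser '$SamAccountName' -Clear adminCount once that is done.")
    }
}
```

Run it once without -Fix on the failing user and once on a user the operation succeeds for; the difference in the inheritance column and in the Exchange entries is exactly what the Security tab shows, and the walk up the OU path tells you whether the container itself also needs the box ticked.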