When trying to perform one of these actions
- move a mailbox from Exchange 2007 to Exchange 2010, or
- creating a new mailbox for a user in Exchange 2010,
the following error may occur:
Active Directory operation failed on domain.local. This error is not retriable. Additional information: Insufficient access rights to perform the operation.
Active directory response: 00002098: SecErr: DSID-03150A48, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
The user has insufficient access rights.
This error message often is an indication that the user, for which you try to create the mailbox, is (or has been) a domain administrator.
To resolve this error, do the following:
- Open Active Directory Users and Computers with domain administrative rights.
- Choose View, and check Advanced Features
- Locate the user in Active Directory, right click and choose Properties
- Go to the tab Security and uncheck and recheck the Include
inheritable permissions from this object’s parent option.
This will re-apply the permissions
Above actions should be sufficient to create or move the mailbox.
If you still face the error as described above, feel free to leave a comment.