Logon to OWA results in problem 4003 (INSUFF_ACCESS_RIGHTS)

After a migration from Exchange 2003 to Exchange 2007, some users may experience problems connecting to Outlook Web Access (OWA). When they try to log on, they get the following error:

Inner Exception
Exception type: Microsoft.Exchange.Data.Directory.ADOperationException
Exception message: Active Directory operation failed on domain controller. This error is not retriable. Additional information: Insufficient access rights to perform the operation. Active directory response: 00002098: SecErr: DSID-03150A45, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

This error particularly affects users who held administrative privileges in the past, for example former members of Domain Admins. Their user objects still have permission inheritance blocked, so the Exchange server is not allowed to write to the object when OWA saves the user's settings (the failing call is ExchangePrincipal.Save(), an LDAP modify, as the full stack trace below shows).

Solution

  1. Open Active Directory Users and Computers.
  2. On the View menu, enable Advanced Features (without it the Security tab is not shown).
  3. Locate the user in AD, right-click, Properties, and go to the Security tab.
  4. Click "Advanced".
  5. Select "Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries explicitly defined here." and click Apply.
  6. Click OK and OK again.
    Depending on the size of your domain/forest, replication may take some time.
    If the account is still a member of a protected group (Administrators, Domain Admins, Enterprise Admins, Schema Admins, Account Operators, Backup Operators, Print Operators, Server Operators, directly or through nesting), the system task described under Cause will clear the check box again within about an hour. Remove the account from the group first, or follow the KB article's advice and give the administrator a separate, non-privileged account for the mailbox.
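The steps above fix one account at a time. The following PowerShell script is an added example, not part of the original post, that automates the same change across a domain: it lists user objects that still carry the adminCount=1 stamp left behind by the task mentioned under Cause (the AdminSDHolder/SDProp mechanism), skips those that are still members of a protected group (the task would simply block inheritance on them again), and re-enables inheritance on the rest. It uses only ADSI (System.DirectoryServices), so it needs no ActiveDirectory module and works against a 2003-era domain. Assumptions: the protected-group names are the English defaults (SDProp actually protects them by well-known SID, so adjust the list for a localized domain), the transitive-membership filter requires Windows Server 2003 SP2 or later domain controllers, and the optional -ResetAdminCount switch sets adminCount back to 0 so the account no longer looks administrative. Run it in the domain where the user objects live (for users in a child domain, run it there) and with -WhatIf first.

```powershell
# Added example (not from the original post): re-enable permission inheritance on
# former admin accounts that Exchange can no longer update.
param(
    [switch]$ResetAdminCount,   # also set adminCount back to 0 (assumption: optional cleanup)
    [switch]$WhatIf
)

$rootDse    = [ADSI]'LDAP://RootDSE'
$domainDn   = [string]$rootDse.defaultNamingContext
$domainRoot = [ADSI]"LDAP://$domainDn"

# Default protected groups by English name (assumption; SDProp keys on well-known SIDs).
$protectedGroupNames = 'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Account Operators', 'Backup Operators', 'Print Operators', 'Server Operators', 'Replicator'

function ConvertTo-LdapFilterValue([string]$value) {
    # Escape characters that have meaning in an LDAP filter (RFC 4515); backslash first.
    $value -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
}

function Find-Objects([string]$filter, [string[]]$props) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($domainRoot, $filter, $props)
    $searcher.PageSize = 1000
    $searcher.FindAll()
}

# Build the set of users that SDProp still protects: transitive members of each
# protected group, using LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941).
$protectedMembers = @{}
foreach ($name in $protectedGroupNames) {
    foreach ($g in Find-Objects "(&(objectCategory=group)(sAMAccountName=$(ConvertTo-LdapFilterValue $name)))" @('distinguishedName')) {
        $gDn = ConvertTo-LdapFilterValue $g.Properties['distinguishedname'][0]
        foreach ($m in Find-Objects "(&(objectCategory=person)(memberOf:1.2.840.113556.1.4.1941:=$gDn))" @('distinguishedName')) {
            $protectedMembers[$m.Properties['distinguishedname'][0]] = $true
        }
    }
}

# Every user object that SDProp stamped at some point.
$stamped = Find-Objects '(&(objectCategory=person)(objectClass=user)(adminCount=1))' @('distinguishedName', 'sAMAccountName')

foreach ($r in $stamped) {
    $dn  = $r.Properties['distinguishedname'][0]
    $sam = $r.Properties['samaccountname'][0]

    if ($protectedMembers.ContainsKey($dn)) {
        Write-Host "SKIP  $sam : still in a protected group; SDProp would block inheritance again"
        continue
    }

    $user = [ADSI]"LDAP://$dn"
    $sd   = $user.psbase.ObjectSecurity
    if (-not $sd.AreAccessRulesProtected) {
        Write-Host "OK    $sam : inheritance already enabled"
        continue
    }

    if ($WhatIf) {
        Write-Host "WOULD $sam : enable inheritance$(if ($ResetAdminCount) { ' and reset adminCount' })"
        continue
    }

    # isProtected=$false re-enables inheritance; the explicit ACEs copied from
    # AdminSDHolder stay on the object and are merged with the inherited ones.
    $sd.SetAccessRuleProtection($false, $true)
    $user.psbase.CommitChanges()

    if ($ResetAdminCount) {
        $user.psbase.Properties['adminCount'].Value = 0
        $user.psbase.CommitChanges()
    }
    Write-Host "FIXED $sam"
}
```

The account running the script needs Write DACL (and, with -ResetAdminCount, write access to adminCount) on the affected user objects; in a domain where inheritance is blocked on those objects that normally means Domain Admins. The SKIP line is the check worth keeping even if you fix users by hand: re-enabling inheritance on an account that is still a protected-group member only buys you an hour.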

Cause

Microsoft KB 328753, "XADM: Do Not Assign Mailboxes to Administrative Accounts" (http://support.microsoft.com/kb/328753), which says:

By not assigning mailboxes to accounts with administrative permissions, you avoid security issues related to “elevation of privilege” attacks. For example, in an elevation of privilege attack, a security hole exists in which Group X is made a member of the Domain Administrators group, and access control lists (ACLs) exist on Group X that permit Group Y to modify Group X. In this situation, members of Group Y can make themselves members of Group X and so become a member of the Domain Administrators group.

To help guard against such security issues, the Administrator account and accounts that are members of these security groups are not permitted to inherit permissions. On the Security tab of the group or account’s properties page, you can see that the Allow inheritable permissions from parent to propagate to this object check box is not selected. Moreover, if you click to select this check box, a Microsoft Windows 2000 system task soon clears it automatically. Clearing the check box is a function of Windows 2000 intended to prevent hackers from playing with security and inappropriately increasing their permissions to the level of administrator.

As a side effect of this inheritance setting, if you do try to use a mailbox assigned to an administrative account, you may not be able to log on to or resolve the mailbox. Also, in Exchange System Manager, although the Administrator account can have an Exchange 2000 alias and an Exchange 2000 mailbox, it does not have e-mail addresses. The Recipient Update Service, which updates the e-mail addresses and several other attributes, does not have the authority to update objects if the Allow inheritable permissions from parent to propagate to this object check box is not selected.

Complete error text (server names and addresses replaced with placeholders; the keywords are kept verbatim so you can use them in further searches if you want to know more about the problem):

Url: <url of Exchange 2007 OWA server>
User host address: <ip address>

Exception
Exception type: Microsoft.Exchange.Data.Storage.StoragePermanentException
Exception message: There was a problem accessing Active Directory.

Call stack
Microsoft.Exchange.Data.Storage.ExchangePrincipal.Save()
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.DispatchLanguagePostLocally(OwaContext owaContext, OwaIdentity logonIdentity, CultureInfo culture, String timeZoneKeyName, Boolean isOptimized)
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.DispatchLanguagePostRequest(OwaContext owaContext)
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.PrepareRequestWithoutSession(OwaContext owaContext, UserContextCookie userContextCookie)
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.InternalDispatchRequest(OwaContext owaContext)
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.DispatchRequest(OwaContext owaContext)
System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Inner Exception
Exception type: Microsoft.Exchange.Data.Directory.ADOperationException
Exception message: Active Directory operation failed on <domain controller>. This error is not retriable. Additional information: Insufficient access rights to perform the operation. Active directory response: 00002098: SecErr: DSID-03150A45, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Call stack
Microsoft.Exchange.Data.Directory.ADSession.AnalyzeDirectoryError(PooledLdapConnection connection, DirectoryRequest request, DirectoryException de, Int32 totalRetries, Int32 retriesOnServer)
Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADRawEntry entry, DirectoryRequest request, ADObjectId originalId)
Microsoft.Exchange.Data.Directory.ADSession.Save(ADObject instanceToSave, IEnumerable`1 properties)
Microsoft.Exchange.Data.Storage.ExchangePrincipal.Save()

Inner Exception
Exception type: System.DirectoryServices.Protocols.DirectoryOperationException
Exception message: The user has insufficient access rights.

Call stack
System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation)
Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADRawEntry entry, DirectoryRequest request, ADObjectId originalId)

Charlie Agonoy

The solution was dead on. After making the necessary changes as stated in the solution, the issue was resolved.

Thank You.

ps

Thanks, much appreciated.

robert henriksen

Many thanks!

marcod

And what happens when the users are in different domains (but in the same forest) from the Exchange 2007 server? I checked, and that solution does not apply.

Dave

Fantastic. Problem sorted, thank you.

Ebinesar

Thanks a lot… it's working fine.

Steve

Thanks a bunch!

Max Wyatt

I have the same problem as Marcod. Users in a child domain can't access OWA. This fix doesn't help.

Thierry B

Many Thanks 🙂

Lee Forster

Absolutely perfect, thanks a lot; the user we had a problem with was previously a domain administrator and this worked great.

Marc Winkler

Solved my problem, thank you very much.
