Symptoms
Consider the following scenario:
-
You use Microsoft Identity Lifecycle Manager (ILM) 2007 to migrate mailbox users in Active Directory directory service to mailbox users in a Microsoft Exchange Server 2010 environment.Note To do this, you run the Update-Recipient cmdlet on the Exchange server. This cmdlet adds attributes for the recipient objects that are created by using the global address list (GAL) Synchronization management agent in ILM 2007.
-
The migrated mailbox user clicks Options in Outlook Web Access (OWA).
In this scenario, the migrated mailbox user receives the following error message:
Sorry! Access denied.
Cause
This issue occurs because the Update-Recipient cmdlet does not stamp the msExchRBACPolicyLink attribute for the recipient objects. Therefore, the Default Role Assignment Policy is not assigned to the recipient.
Resolution
To resolve this issue, install the following update rollup:
2582113Description of Update Rollup 5 for Exchange Server 2010 Service Pack 1
Status
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
More Information
For more information about the Update-Recipient cmdlet, visit the following Microsoft website:
General information about the Update-Recipient cmdletFor more information about Identity Lifecycle Manager (ILM) 2007, visit the following Microsoft website:
General information about Identity Lifecycle Manager 2007For more information about permissions in Exchange Server 2010, visit the following Microsoft website:
General information about permissions in Exchange Server 2010For more information about the Set-Mailbox cmdlet, visit the following Microsoft website:
