Symptoms
In a Microsoft Exchange Server 2010 environment, users cannot send email messages to a mail-enabled public folder. Additionally, the users receive non-delivery reports (NDRs) that contain a 5.2.0 status code. The NDRs resemble the following:
Delivery has failed to these recipients or groups:<Display Name of Public Folder> <SMTP Address of Public Folder>There's a problem with the recipient's mailbox. Please try resending the message. If the problem continues, please contact your helpdesk.Diagnostic Information for administrators:Generating Server: <FQDN of the Client Access Server running STOREDRV><SMTP-Address of mail-enabled Public Folder>#554 5.2.0 STOREDRV.Deliver.Exception:AccessDeniedException.MapiExceptionNotAuthorized; Failed to process message due to a permanent exception with message Cannot complete delivery-time processing.
This issue occurs if the following conditions are true:
-
You have more than one domain in your Active Directory forest.
-
You are running Windows Server 2008 or Windows Server 2008 R2 on the domain controllers in your domains.
-
The users who cannot send email messages to mail-enabled public folders are members of one or more of the following built-in security groups:
-
BUILTIN\Event Log Readers
-
BUILTIN\Cryptographic Operators
-
BUILTIN\IIS_IUSERS
-
BUILTIN\Certificate Service DCOM Access
-
Cause
This issue occurs because new domain local security groups are defined in Windows Server 2008 and in Windows Server 2008 R2. In a multiple-domain environment, these groups share the same well-known security identifier (SID). However, these groups are not included in the well-known SIDs list that is maintained by Exchange Server 2010 that is excluded from the check for ambiguity. Therefore, members of these groups that send email messages to a mail-enabled public folder are considered as ambiguous alias.
Resolution
To resolve this issue, install the following update rollup:
2608646 Description of Update Rollup 6 for Exchange Server 2010 Service Pack 1
Workaround
To work around this issue, remove the users from these security groups.
Status
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
More Information
For more information about a similar issue, click the following article number to view the article in the Microsoft Knowledge Base:
873393 A user receives an NDR that contains a 5.2.1 status code when the user tries to send an e-mail message to a public folder in Exchange Server 2003 For more information about well-known SIDs in Windows, click the following article number to view the article in the Microsoft Knowledge Base:
243330 Well-known security identifiers in Windows operating systems For more information about how to mail-enable a public folder, visit the following Microsoft website:
General information about how to mail-enable a public folderFor more information about well-known security identifiers and accounts, visit the following Microsoft website:
General information about well-known security identifiers and accounts
