Symptoms

Consider the following scenario:

  • You have a third-party application that sets an incorrect order for the access control list of a Calendar folder in a mailbox.

  • You move the mailbox that contains the Calendar folder to a Microsoft Exchange Server 2010 mailbox server. The move operation is completed successfully.

  • You try to change the access permission of the Calendar folder by using an Exchange Web Service (EWS) application, or by using a MAPI application, such as Microsoft Outlook.

In this scenario, you cannot change the access permissions of the Calendar folder.

Cause

This issue occurs because of an error when the Exchange store validates canonical access control lists. Therefore, the MAPI or EWS application cannot retrieve the access control list table of the Calendar folder.

Resolution

To resolve this issue, install the following update rollup:

2685289 Description of Update Rollup 3 for Exchange Server 2010 Service Pack 2 After the update is installed, you can enable the validation of canonical ACLs by configuring a registry key. To have us enable the validation of canonical ACLs for you, go to the "Fix it for me" section. If you prefer to enable the validation of canonical ACLs yourself, go to the "Let me fix it myself" section.

Fix it for me

To enable the validation of canonical ACLs automatically, click the Fix it button or link. Then click Run in the File Download dialog box, and follow the steps in the Fix it wizard.

Notes

  • Install update that is described in Microsoft Knowledge Base (KB) article 2685289 before you run this Fix it solution.

  • This wizard may be in English only. However, the automatic fix also works for other language versions of Windows.

  • If you are not on the computer that has the problem, save the Fix it solution to a flash drive or a CD and then run it on the computer that has the problem.

Then, go to the "Did this fix the problem?" section.

Let me fix it myself

To enable the validation of canonical ACLs by configuring a registry key, follow these steps:

  1. Open Registry Editor. To do this, click Start, type regedit in the Start Search box, and then press Enter.

  2. Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem

  3. On the Edit menu, point to New, and then click DWORD (32 bit) Value.

  4. Type CheckCanonicalACLDuringMove, and then press Enter.

  5. On the Edit menu, click Modify.

  6. In the Value data box, type 1, and then click OK.

  7. Exit Registry Editor.

After the validation of canonical access control lists feature is enabled, you cannot move folders in which the access control list is not in a canonical order. Additionally, you receive the following error message when you try to move the folder:

Error: MapiExceptionInvalidParameter: Unable to set properties on object. (hr=0x80070057, ec=-2147024809)Diagnostic context: Lid: 55847 EMSMDBPOOL.EcPoolSessionDoRpc called [length=267] Lid: 43559 EMSMDBPOOL.EcPoolSessionDoRpc returned [ec=0x0][length=232][latency=0] Lid: 23226 --- ROP Parse Start --- Lid: 27962 ROP: ropSetProps [10] Lid: 17082 ROP Error: 0x80070057 Lid: 30561 Lid: 21921 StoreEc: 0x80070057 Lid: 27962 ROP: ropExtendedError [250] Lid: 1494 ---- Remote Context Beg ---- Lid: 26426 ROP: ropSetProps [10] Lid: 21970 StoreEc: 0x8004010F PropTag: 0x668F0040 Lid: 25000 Lid: 24936 Lid: 24952 Lid: 47113 Lid: 7915 StoreEc: 0x80070057 Lid: 5263 StoreEc: 0x80070057 Lid: 19768 Lid: 4559 StoreEc: 0x80070057 Lid: 1750 ---- Remote Context End ---- Lid: 26849 Lid: 21817 ROP Failure: 0x80070057 Lid: 25761 Lid: 1940 StoreEc: 0x80070057 Lid: 25297 Lid: 21201 StoreEc: 0x80070057

Did this fix the problem?

  • Check whether the problem is fixed. If the problem is fixed, you are finished with this section. If the problem is not fixed, you can contact support.

  • We would appreciate your feedback. To provide feedback or to report any issues with this solution, please leave a comment on the "Fix it for me" blog or send us an email.

More Information

For more information about access control lists, go to the following Microsoft website:

General information about access control listsFor more information about access control entries, go to the following Microsoft website:

General information about access control entriesFor more information about how to use Visual Basic and ADsSecurity.dll to suitably order ACEs in an ACL, go to the following Microsoft website:

How to use Visual Basic and ADsSecurity.dll to suitably order ACEs in an ACL

Facebook LinkedIn Email
SUBSCRIBE RSS FEEDS

Need more help?

Want more options?

Discover Community

Explore subscription benefits, browse training courses, learn how to secure your device, and more.

Microsoft 365 subscription benefits

Microsoft 365 training

Microsoft security

Accessibility center

Communities help you ask and answer questions, give feedback, and hear from experts with rich knowledge.

Ask the Microsoft Community

Microsoft Tech Community

Windows Insiders

Microsoft 365 Insiders