

Assume that you create a Distribution Group on one Microsoft Exchange Server. In this situation, you cannot grant users the send-as or receive-as permission to the Distribution Group by using the Add-ADPermission cmdlet from other Exchange Servers. You receive a message such as the following:

Active Directory operation failed on <>. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
+ CategoryInfo : WriteError: (0:Int32) [Add-ADPermission], ADOperationException
+ FullyQualifiedErrorId : 5557AD82,Microsoft.Exchange.Management.RecipientTasks.AddADPermission

In this example, <> represents the fully qualified domain name of the computer.


By default, Exchange Trusted Subsystem is not granted the "modify permissions" permission. This causes the Add-ADPermission cmdlet to fail with an Access Denied error in some circumstances. 

Specifically, this error will occur under either of the following circumstances:

  • If the admin user who makes the change has an associated mailbox, this error occurs if the Owner of the Active Directory group object being modified differs from the computer that hosts that mailbox.

  • If the admin user who makes the change does not have an associated mailbox, this error occurs if the Owner of the Active Directory group object being modified differs from the computer that hosts the arbitration mailbox (the arbitration mailbox has a name that resembles SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}).


To work around this issue, add the "modify permissions" permission for the Exchange Trusted Subsystem to the organizational unit (OU) that contains the Distribution Group. To do this, follow these steps:

  1. Open Active Directory Users and Computers.

  2. Select View > Advanced Features.

  3. Right-click the OU that contains the distribution lists, and then select Properties.

  4. Select Security > Advanced.

  5. Select Permissions > Add.

  6. In the Permissions Entry for <OU NAME> window, select Select a principal.

  7. In the Enter object name to select box, type Exchange Trusted Subsystem, and then select OK.

    Note: If Exchange Server is installed in a domain other than this Organizational Unit's domain, Exchange Trusted Subsystem may not be found in the current domain. It will be necessary to change the From this location setting to the domain in which Exchange is installed.

  8. In the Permissions Entry for <OU NAME> window, change the Applies to value to Descendant Group objects.

  9. To clear all permission selections that have been added by default, scroll to the bottom of the window and select Clear all.

  10. In the Permissions section of the window, select Modify permissions.

  11. To apply the permission and close all windows, select OK three times.
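
The same change can be scripted so that it is repeatable and easy to audit. The following is an added example, not part of the original article or Microsoft's own code; the OU distinguished name and domain name are placeholders, and it assumes the ActiveDirectory PowerShell module (RSAT) is installed.

```powershell
# Added example: scripted equivalent of steps 1-11. Placeholder values are assumptions.
Import-Module ActiveDirectory

$OuDn       = 'OU=Distribution Groups,DC=example,DC=com'  # placeholder: OU that contains the groups
$ExchDomain = 'example.com'                               # placeholder: domain where Exchange is installed

# Step 7 and its note: resolve the principal in the domain where Exchange is installed.
$ets = Get-ADGroup -Identity 'Exchange Trusted Subsystem' -Server $ExchDomain

# Step 8: "Descendant Group objects" means the ACE is inherited only by
# child objects of class "group"; read that class's schemaIDGUID from the schema.
$schemaNc   = (Get-ADRootDSE).schemaNamingContext
$groupClass = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=group)' -Properties schemaIDGUID
$groupGuid  = [guid]$groupClass.schemaIDGUID

# Steps 9-10: one allow ACE that carries only "Modify permissions" (WriteDacl).
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $ets.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $groupGuid)

# Filter that recognizes this exact grant among the explicit ACEs on the OU.
$isMatch = {
    $_.IdentityReference.Value -eq $ets.SID.Value -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl) -and
    $_.InheritedObjectType -eq $groupGuid
}

$path = "AD:\$OuDn"
$acl  = Get-Acl -Path $path
$sidType = [System.Security.Principal.SecurityIdentifier]

# Step 11: apply only if the ACE is not already present, so reruns do not stack duplicates.
if (-not ($acl.GetAccessRules($true, $false, $sidType) | Where-Object $isMatch)) {
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
}

# Verification: show the explicit ACE as it now exists on the OU.
(Get-Acl -Path $path).GetAccessRules($true, $false, $sidType) |
    Where-Object $isMatch |
    Format-List IdentityReference, ActiveDirectoryRights, InheritanceType, InheritedObjectType
```

The final command doubles as an audit query: run on its own against any OU, it reports whether this grant is present and how it is scoped.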
