Sign in with Microsoft
Sign in or create an account.
Select a different account.
You have multiple accounts
Choose the account you want to sign in with.


Consider the following scenario:

  • You have a third-party application that sets an incorrect order for the access control list of a Calendar folder in a mailbox.

  • You move the mailbox that contains the Calendar folder to a Microsoft Exchange Server 2010 mailbox server. The move operation is completed successfully.

  • You try to change the access permission of the Calendar folder by using an Exchange Web Service (EWS) application, or by using a MAPI application, such as Microsoft Outlook.

In this scenario, you cannot change the access permissions of the Calendar folder.


This issue occurs because of an error when the Exchange store validates canonical access control lists. Therefore, the MAPI or EWS application cannot retrieve the access control list table of the Calendar folder.


To resolve this issue, install the following update rollup:

2685289 Description of Update Rollup 3 for Exchange Server 2010 Service Pack 2
After the update is installed, you can enable the validation of canonical ACLs by configuring a registry key. To have us enable the validation of canonical ACLs for you, go to the "Fix it for me" section. If you prefer to enable the validation of canonical ACLs yourself, go to the "Let me fix it myself" section.

Fix it for me

To enable the validation of canonical ACLs automatically, click the Fix it button or link. Then click Run in the File Download dialog box, and follow the steps in the Fix it wizard.


  • Install update that is described in Microsoft Knowledge Base (KB) article 2685289 before you run this Fix it solution.

  • This wizard may be in English only. However, the automatic fix also works for other language versions of Windows.

  • If you are not on the computer that has the problem, save the Fix it solution to a flash drive or a CD and then run it on the computer that has the problem.

Then, go to the "Did this fix the problem?" section.

Let me fix it myself

To enable the validation of canonical ACLs by configuring a registry key, follow these steps:

  1. Open Registry Editor. To do this, click Start, type regedit in the Start Search box, and then press Enter.

  2. Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem

  3. On the Edit menu, point to New, and then click DWORD (32 bit) Value.

  4. Type CheckCanonicalACLDuringMove, and then press Enter.

  5. On the Edit menu, click Modify.

  6. In the Value data box, type 1, and then click OK.

  7. Exit Registry Editor.

After the validation of canonical access control lists feature is enabled, you cannot move folders in which the access control list is not in a canonical order. Additionally, you receive the following error message when you try to move the folder:

Error: MapiExceptionInvalidParameter: Unable to set properties on object. (hr=0x80070057, ec=-2147024809)
Diagnostic context:
Lid: 55847 EMSMDBPOOL.EcPoolSessionDoRpc called [length=267]
Lid: 43559 EMSMDBPOOL.EcPoolSessionDoRpc returned [ec=0x0][length=232][latency=0]
Lid: 23226 --- ROP Parse Start ---
Lid: 27962 ROP: ropSetProps [10]
Lid: 17082 ROP Error: 0x80070057
Lid: 30561
Lid: 21921 StoreEc: 0x80070057
Lid: 27962 ROP: ropExtendedError [250]
Lid: 1494 ---- Remote Context Beg ----
Lid: 26426 ROP: ropSetProps [10]
Lid: 21970 StoreEc: 0x8004010F PropTag: 0x668F0040
Lid: 25000
Lid: 24936
Lid: 24952
Lid: 47113
Lid: 7915 StoreEc: 0x80070057
Lid: 5263 StoreEc: 0x80070057
Lid: 19768
Lid: 4559 StoreEc: 0x80070057
Lid: 1750 ---- Remote Context End ----
Lid: 26849
Lid: 21817 ROP Failure: 0x80070057
Lid: 25761
Lid: 1940 StoreEc: 0x80070057
Lid: 25297
Lid: 21201 StoreEc: 0x80070057

Did this fix the problem?

  • Check whether the problem is fixed. If the problem is fixed, you are finished with this section. If the problem is not fixed, you can contact support.

  • We would appreciate your feedback. To provide feedback or to report any issues with this solution, please leave a comment on the "Fix it for me" blog or send us an email.

More Information

For more information about access control lists, go to the following Microsoft website:

General information about access control listsFor more information about access control entries, go to the following Microsoft website:

General information about access control entriesFor more information about how to use Visual Basic and ADsSecurity.dll to suitably order ACEs in an ACL, go to the following Microsoft website:

How to use Visual Basic and ADsSecurity.dll to suitably order ACEs in an ACL

Need more help?

Want more options?

Explore subscription benefits, browse training courses, learn how to secure your device, and more.

Communities help you ask and answer questions, give feedback, and hear from experts with rich knowledge.

Was this information helpful?

What affected your experience?
By pressing submit, your feedback will be used to improve Microsoft products and services. Your IT admin will be able to collect this data. Privacy Statement.

Thank you for your feedback!