Symptoms

In a Microsoft Exchange Server 2010 environment, users cannot send email messages to a mail-enabled public folder. Additionally, the users receive non-delivery reports (NDRs) that contain a 5.2.0 status code. The NDRs resemble the following:

Delivery has failed to these recipients or groups:
<Display Name of Public Folder> <SMTP Address of Public Folder>
There's a problem with the recipient's mailbox. Please try resending the message. If the problem continues, please contact your helpdesk.
Diagnostic Information for administrators:
Generating Server: <FQDN of the Client Access Server running STOREDRV>
<SMTP-Address of mail-enabled Public Folder>#554 5.2.0 STOREDRV.Deliver.Exception:AccessDeniedException.MapiExceptionNotAuthorized; Failed to process message due to a permanent exception with message Cannot complete delivery-time processing.

This issue occurs if the following conditions are true:

  • You have more than one domain in your Active Directory forest.

  • You are running Windows Server 2008 or Windows Server 2008 R2 on the domain controllers in your domains.

  • The users who cannot send email messages to mail-enabled public folders are members of one or more of the following built-in security groups:

    • BUILTIN\Event Log Readers

    • BUILTIN\Cryptographic Operators

    • BUILTIN\IIS_IUSRS

    • BUILTIN\Certificate Service DCOM Access

Cause

This issue occurs because new domain local security groups are defined in Windows Server 2008 and in Windows Server 2008 R2. In a multiple-domain environment, these groups share the same well-known security identifier (SID). However, these groups are not included in the list of well-known SIDs that Exchange Server 2010 maintains and excludes from the check for ambiguity. Therefore, when members of these groups send email messages to a mail-enabled public folder, they are treated as having an ambiguous alias.

Resolution

To resolve this issue, install the following update rollup:

2608646 Description of Update Rollup 6 for Exchange Server 2010 Service Pack 1

Workaround

To work around this issue, remove the users from these security groups.
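To find the accounts that the workaround applies to, the following added example (not part of the original article or Microsoft's own code) lists the user members of the four built-in groups in every domain of the forest, looking each group up by its well-known SID. It assumes Windows PowerShell 3.0 or later with the ActiveDirectory module installed and read access to each domain.

```powershell
# Added example: audit membership of the built-in groups named in this article.
# Assumes the ActiveDirectory module (RSAT) and PowerShell 3.0 or later.
Import-Module ActiveDirectory

# Well-known SIDs of the four groups. Each domain has its own copy of every
# group, and all copies share the same SID.
$builtinGroups = @{
    'S-1-5-32-573' = 'Event Log Readers'
    'S-1-5-32-569' = 'Cryptographic Operators'
    'S-1-5-32-568' = 'IIS_IUSRS'
    'S-1-5-32-574' = 'Certificate Service DCOM Access'
}

$report = foreach ($domain in (Get-ADForest).Domains) {
    foreach ($sid in $builtinGroups.Keys) {
        try {
            # Resolve the group by SID so that localized or renamed groups are still found.
            $group   = Get-ADGroup -Identity $sid -Server $domain -ErrorAction Stop
            # -Recursive expands nested groups and returns only leaf members.
            $members = Get-ADGroupMember -Identity $group -Server $domain -Recursive -ErrorAction Stop
        }
        catch {
            # A domain that cannot be reached or a member that cannot be resolved
            # is reported and skipped instead of stopping the audit.
            Write-Warning "$domain / $($builtinGroups[$sid]): $($_.Exception.Message)"
            continue
        }

        foreach ($member in ($members | Where-Object { $_.objectClass -eq 'user' })) {
            [pscustomobject]@{
                Domain   = $domain
                Group    = $group.Name
                GroupSid = $sid
                User     = $member.SamAccountName
                UserDN   = $member.distinguishedName
            }
        }
    }
}

# Users listed here meet the group-membership condition described under Symptoms.
$report | Sort-Object Domain, Group, User | Format-Table -AutoSize
```

Because these groups grant access to event logs, cryptographic operations, IIS worker identities, and certificate enrollment, confirm that a listed user no longer needs that access before removing the membership.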

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

More Information

For more information about a similar issue, click the following article number to view the article in the Microsoft Knowledge Base:

873393 A user receives an NDR that contains a 5.2.1 status code when the user tries to send an e-mail message to a public folder in Exchange Server 2003

For more information about well-known SIDs in Windows, click the following article number to view the article in the Microsoft Knowledge Base:

243330 Well-known security identifiers in Windows operating systems

For more information about how to mail-enable a public folder, visit the following Microsoft website:

General information about how to mail-enable a public folder

For more information about well-known security identifiers and accounts, visit the following Microsoft website:

General information about well-known security identifiers and accounts
