Error when you try to perform Exchange Server management tasks: Insufficient access rights to perform the operation
Original KB number: 3096158
Symptoms
When you try to perform Microsoft Exchange Server management tasks such as Set-Mailbox and Move-Mailbox in a multidomain environment, you receive the following error message:
Active Directory operation failed on dc1.contoso.com. This error is not retriable. Additional information: Insufficient access rights to perform the operation.
Active directory response: 00002098: SecErr: DSID-03150889, problem 4003 (INSUF_ACCESS_RIGHTS), data 0
This issue occurs only when you are running cmdlets against mailboxes in a domain where the Exchange universal security groups reside, for example, in Exchange Trusted Subsystem.
Cause
This issue occurs if SID filtering quarantining is enabled between domains in the same forest. When this feature is turned on, the domain where the Exchange universal security groups reside will discard the SIDs of those universal security groups from any tokens for users in other domains. This means that users who are members of Exchange Trusted Subsystem, such as the Exchange servers themselves, will be unable to act as members of Exchange Trusted Subsystem when those members are located in other domains. Because the Exchange management cmdlets use the security context of the computer account to update recipients, any attempts to update the recipients in that domain will fail.
Resolution
To fix this issue, don't enable SID filter quarantining between domains in the same forest. For information about how to disable SID filter quarantining, see Disable SID filter quarantining.
More information
For more information about SID filter quarantining, see Configuring SID Filtering Settings.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for