"Insufficient access rights to perform the operation" error when you try to perform Exchange Server management tasks

Symptoms
When you try to perform Microsoft Exchange Server management tasks such as Set-Mailbox and Move-Mailbox in a multidomain environment, you receive the following error message:

Active Directory operation failed on dc1.contoso.com. This error is not retriable. Additional information: Insufficient access rights to perform the operation. Active directory response: 00002098: SecErr: DSID-03150889, problem 4003 (INSUF_ACCESS_RIGHTS), data 0

This issue occurs only when you are running cmdlets against mailboxes in the domain in which the Exchange universal security groups reside. For example, this issue occurs when you are running cmdlets against mailboxes in Exchange Trusted Subsystem.
Cause
This issue occurs if SID filter quarantining is enabled between domains in the same forest. When this feature is turned on, the domain in which the Exchange universal security groups reside will discard the SIDs of those universal security groups from any tokens for users in other domains. This means that users who are members of Exchange Trusted Subsystem, such as the Exchange servers themselves, will be unable to act as members of Exchange Trusted Subsystem when those members are located in other domains. Because the Exchange management cmdlets use the security context of the computer account to update recipients, this causes any attempts to update recipients in that domain to fail.
Resolution
To fix this issue, don't enable SID filter quarantining between domains in the same forest. For information about how to disable SID filter quarantining, see the following article: 
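
To confirm whether this condition applies before changing anything, the following script lists every trust inside the forest that has SID filter quarantining turned on. It is an added example and not part of the original article; it assumes the ActiveDirectory PowerShell module (RSAT) is installed and that the account running it can read trust objects in each domain. The function name is hypothetical.

```powershell
# Added example: audit intra-forest trusts for SID filter quarantining.
# Assumes the ActiveDirectory module (RSAT) and read access to every domain.
Import-Module ActiveDirectory

function Get-QuarantinedIntraForestTrust {
    # Walk every domain in the current forest and return the trusts that
    # stay inside the forest and have quarantine enabled.
    $forest = Get-ADForest
    foreach ($domain in $forest.Domains) {
        try {
            # Trust objects stored in $domain describe what $domain trusts.
            $trusts = Get-ADTrust -Filter * -Server $domain -ErrorAction Stop
        } catch {
            Write-Warning "Could not query trusts in ${domain}: $($_.Exception.Message)"
            continue
        }
        foreach ($trust in $trusts) {
            if ($trust.IntraForest -and $trust.SIDFilteringQuarantined) {
                [pscustomobject]@{
                    TrustingDomain = $domain       # domain that filters the SIDs
                    TrustedDomain  = $trust.Name   # domain whose tokens are filtered
                    Direction      = $trust.Direction
                    Quarantined    = $trust.SIDFilteringQuarantined
                }
            }
        }
    }
}

$findings = @(Get-QuarantinedIntraForestTrust)
if ($findings.Count -eq 0) {
    Write-Output 'No intra-forest trust has SID filter quarantining enabled.'
} else {
    $findings | Format-Table -AutoSize
    foreach ($f in $findings) {
        # Printed for review only; nothing is changed by this script.
        Write-Output "netdom trust $($f.TrustingDomain) /domain:$($f.TrustedDomain) /quarantine:No"
    }
}
```

A trust reported here in the domain that holds the Exchange universal security groups matches the cause described above. The printed netdom commands are left for an administrator to review and run.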
More information
For more information about SID filter quarantining, see the following article:
Properties

Article ID: 3096158 - Last Review: 12/04/2015 01:28:00 - Revision: 1.0
