Seen On Exchange 2010 (SP1), when trying to add a user to a distribution group.
Add-DistributionGroupMember Failed
Error:
You don’t have sufficient permissions. This operation can only be performed by a manager of the group.
Solution
1. There are a few reasons for this error. I’m assuming that there is no user set as the manager for this group? (Properties > Group Information > Managed By). In my case it’s a known bug in Exchange 2010 with SP1.
This error is seen on some users on both Exchange 2007 and 2010 (post migration from earlier versions of Exchange). When it fails you will also see this error.
Event ID 1053 MSExchange ActiveSync
Exchange ActiveSync doesn’t have sufficient permissions to create the “CN={User Name},OU=<OU Name>,DC={Domain Name},DC=com” container under Active Directory user “Active Directory operation failed on servername.domain-name.com This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
Make sure the user has inherited permission granted to domain\Exchange Servers to allow List, Create child, Delete child of object type “msExchangeActiveSyncDevices” and doesn’t have any deny permissions that block such operations.
Solution
Note: This can happen if the user is a member of any of these groups.
If your user IS a member of any of these groups, then have their ActiveSync device ready to be configured, as this fix will “revert” back every hour. If you get it connected and working before it reverts you will be fine.
Note: Users and mailboxes created post migration are NOT affected.
1. On your Exchange Server > Launch the Exchange Management Console > Server Configuration > Select your CAS Server > Properties > Security Settings > Locate the DC that it is using.
2. Go to that Domain Controller, and press Windows Key+R > dsa.msc {enter} > Active Directory Users and Computers should open.
3. View > Ensure Advanced Features is enabled > Locate the problem user > Properties > Security > Advanced > Ensure Exchange Servers is present > Tick the box to “Allow inheritable permissions from this objects parent” > Apply.
4. Now attempt to connect your ActiveSync client.
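The settings checked by hand in step 3 can also be read from PowerShell, which helps when several migrated users are affected. The read-only function below is an added example, not part of the original article; it assumes the RSAT ActiveDirectory module is available, and the function name Get-ActiveSyncAclStatus, the account jsmith and the server dc01.example.com are placeholders.

```powershell
# Added example: read-only report of the ACL state inspected in step 3.
# Assumes the ActiveDirectory module (RSAT); changes nothing in AD.
Import-Module ActiveDirectory

function Get-ActiveSyncAclStatus {
    param(
        [Parameter(Mandatory=$true)][string]$SamAccountName,
        [string]$Server   # optional: the DC identified in step 1
    )

    $query = @{
        Identity   = $SamAccountName
        Properties = 'adminCount', 'nTSecurityDescriptor'
    }
    if ($Server) { $query.Server = $Server }
    $user = Get-ADUser @query

    $sd   = $user.nTSecurityDescriptor
    $aces = @($sd.Access)

    # ACEs granted to the "Exchange Servers" group named in Event ID 1053
    $exch = @($aces | Where-Object {
        $_.IdentityReference.Value -like '*\Exchange Servers'
    })

    New-Object PSObject -Property @{
        User                  = $user.SamAccountName
        DistinguishedName     = $user.DistinguishedName
        # True = the inheritance box from step 3 is NOT ticked
        InheritanceBlocked    = $sd.AreAccessRulesProtected
        # 1 = object is covered by AdminSDHolder, whose periodic
        # permission reset is the hourly "revert" described above
        AdminCount            = $user.adminCount
        ExchangeServersAces   = $exch.Count
        InheritedExchangeAces = @($exch | Where-Object { $_.IsInherited }).Count
        DenyAces              = @($aces | Where-Object {
            $_.AccessControlType -eq 'Deny'
        }).Count
    }
}

# Placeholder account and DC names:
# Get-ActiveSyncAclStatus -SamAccountName jsmith -Server dc01.example.com
```

A user showing InheritanceBlocked as True with no inherited Exchange Servers entries matches the condition described in the event text.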