Exchange – “This operation can only be performed by a manager of the group” Error

KB ID 0000603 

Problem

Seen on Exchange 2010 (SP1) when trying to add a user to a distribution group.

Add-DistributionGroupMember Failed
Error:
You don’t have sufficient permissions. This operation can only be performed by a manager of the group.

Solution

1. There are a few reasons for this error. I’m assuming that there is no user set as the manager for this group? (Properties > Group Information > Managed By). In my case it’s a known bug in Exchange 2010 with SP1.

Microsoft Exchange Server Build Numbers

2. This was fixed in Rollup 3 for Service Pack 1 (source). Simply run an update and the problem should cease.

Related Articles, References, Credits, or External Links

NA

Exchange ActiveSync Not Working for Some Users “Post Migration”

KB ID 0000695

Problem

Error seen for some users on both Exchange 2007 and 2010 (post migration) from earlier versions of Exchange. When it fails you will also see this error.

Event ID 1053 MSExchange ActiveSync

Exchange ActiveSync doesn’t have sufficient permissions to create the “CN={User Name},OU=<OU Name>,DC={Domain Name},DC=com” container under Active Directory user “Active Directory operation failed on servername.domain-name.com This error is not retriable. Additional information: Access is denied.

Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Make sure the user has inherited permission granted to domain\Exchange Servers to allow List, Create child, Delete child of object type “msExchangeActiveSyncDevices” and doesn’t have any deny permissions that block such operations.

Solution

Note: This can happen if the user is a member of any of these groups.

Account Operators
Administrators
Backup Operators
Domain Admins
Domain Controllers
Enterprise Admins
Print Operators
Read-only Domain Controllers
Replicator
Schema Admins
Server Operators

If your user IS a member of any of these groups, then have their ActiveSync device ready to be configured, as this fix will “revert” back every hour. If you get it connected and working before it reverts you will be fine.

Note: Users and mailboxes created post migration are NOT affected.

1. On your Exchange Server > Launch the Exchange Management Console > Server Configuration > Select your CAS Server > Properties > Security Settings > Locate the DC that it is using.

2. Go to that Domain Controller, and press Windows Key+R > dsa.msc {enter} > Active Directory Users and Computers should open.

3. View > Ensure Advanced Features is enabled > Locate the problem user > Properties > Security > Advanced > Ensure Exchange Servers is present > Tick the box to “Allow inheritable permissions from this object’s parent” > Apply.

4. Now attempt to connect your ActiveSync client.
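To find every affected mailbox rather than checking users one at a time in dsa.msc, the following is an added example (not part of the original article) that reports mailbox-enabled users whose ACL has inheritance switched off. It assumes the RSAT ActiveDirectory PowerShell module is installed; the function name Get-EasInheritanceReport and its output columns are hypothetical names chosen for this example.

```powershell
# Added example: list mailbox-enabled users whose ACL does not inherit from the
# parent object, which is the condition step 3 above corrects by hand.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

function Get-EasInheritanceReport {
    param(
        # Optional OU to limit the search; defaults to the whole domain.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    # homeMDB is populated only on mailbox-enabled users.
    $users = Get-ADUser -LDAPFilter '(homeMDB=*)' -SearchBase $SearchBase `
        -Properties nTSecurityDescriptor, adminCount

    foreach ($u in $users) {
        $sd = $u.nTSecurityDescriptor
        # AreAccessRulesProtected = $true means inheritance is switched off.
        if (-not $sd.AreAccessRulesProtected) { continue }

        # With inheritance off, any ACE naming Exchange Servers must be explicit.
        $exchAce = $sd.Access | Where-Object {
            $_.IdentityReference.Value -like '*\Exchange Servers'
        }

        [pscustomobject]@{
            SamAccountName     = $u.SamAccountName
            # adminCount = 1 is the marker AD sets on accounts it has treated
            # as protected (members of groups such as those listed above).
            AdminCount         = $u.adminCount
            LikelyReverts      = ($u.adminCount -eq 1)
            ExchangeServersAce = [bool]$exchAce
            DistinguishedName  = $u.DistinguishedName
        }
    }
}

Get-EasInheritanceReport | Sort-Object LikelyReverts, SamAccountName |
    Format-Table SamAccountName, AdminCount, LikelyReverts, ExchangeServersAce -AutoSize
```

Rows with LikelyReverts set to True are the accounts where the manual fix is expected to be undone within the hour. adminCount is not cleared when an account leaves a protected group, so confirm current group membership before treating such a row as still protected.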

Related Articles, References, Credits, or External Links

NA