Thanks anyway Michael. I would imagine it isn’t done in production very often. If we sort it out, I’ll post to the list.
Regards, Patrick Patrick Nagle | IT Analyst | IT Services | University College Cork | ☎ +353 21 490 3217 | email [email protected]<mailto:[email protected]> | web www.ucc.ie<http://www.ucc.ie/> From: [email protected] [mailto:[email protected]] On Behalf Of Michael B. Smith Sent: 14 August 2013 00:24 To: [email protected] Subject: RE: [Exchange] RE: Exchange 2010 - AD Split Permissions Removal I’ve only done it in the lab, sorry. From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Nagle, Patrick Sent: Tuesday, August 13, 2013 3:30 AM To: [email protected]<mailto:[email protected]> Subject: RE: [Exchange] RE: Exchange 2010 - AD Split Permissions Removal Thanks Michael. We did that and got all the cmdlets etc. back. We still haven't got them working though. Has anyone gone through this before or should we contact PSS? Not much about on google other than how to do it. Regards, Patrick Patrick Nagle | IT Analyst | IT Services | University College Cork | tel +353 21 490 3217 | email [email protected]<mailto:[email protected]> | web www.ucc.ie<http://www.ucc.ie> ________________________________ From: Michael B. Smith<mailto:[email protected]> Sent: 12/08/2013 16:41 To: [email protected]<mailto:[email protected]> Subject: [Exchange] RE: Exchange 2010 - AD Split Permissions Removal There is a switch on setup.com that lets you switch everything back. Look at setup help From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Nagle, Patrick Sent: Monday, August 12, 2013 11:15 AM To: [email protected]<mailto:[email protected]> Subject: [Exchange] Exchange 2010 - AD Split Permissions Removal Hi, When we migrated from Exchange 2003 a number of years ago, we had to introduce AD split permissions rather than RBAC for political reasons. Now the wind has turned and we are trying to roll this back. Working with our AD team we have made the changes and the “Mail Recipient Creation” role appears under “Organization Management” and the missing cmdlets are back. However we get the following errors when we try and use the cmdlets. [PS] C:\Windows\system32>New-MailContact -Name "Patrick Hotmail" -ExternalEmailAddress "[email protected]<mailto:[email protected]>" -DomainController xxxxxdc1.xxxxx.xxxxx.ucc.ie -OrganizationalUnit "xxxxx.xxxxx.ucc.ie/Users" Active Directory operation failed on xxxxxDC1.xxxxx.xxxxx.ucc.ie. This error is not retriable. Additional information: Access is denied. Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 + CategoryInfo : NotSpecified: (0:Int32) [New-MailContact], ADOperationException + FullyQualifiedErrorId : 7B2AEF25,Microsoft.Exchange.Management.RecipientTasks.NewMailContact If I use the AD cmdlets for setting up a contact and mail enable it after, it works perfectly so the permissions seem to be correct. We also added a domain administrator to “Organization Management” role group for Exchange 2010 and received the same error. Has anyone changed from AD split permissions to RBAC before? Any ideas where to go next? It’s in a virtual test environment so we can restart/make changes as required. Regards, Patrick -- Patrick Nagle | IT Analyst | IT Services | University College Cork | tel +353 21 490 3217 | email [email protected]<mailto:[email protected]> | web www.ucc.ie<http://www.ucc.ie/>
