I recently had a case with a major customer which inspired me to write this blog post.
Consider the following scenario: in Exchange 2010 you have some old mail-enabled public folders migrated from Exchange 2003. You notice that editing AD permissions such as Send As on these folders fails. You are logged in with an account that is a member of Organization Management. You go to Exchange Management Console – Toolbox – Public Folder Management Console, select the public folder whose Send As permissions you would like to adjust, choose Manage Send As Permission and select a user to add. At this point you get an error:
The directory operation failed on "FolderName". This error is not retriable.
Additional Information: Access is denied. The directory response 00000005: SecErr: DSID-031521D0, problem 4003
The user has insufficient access rights.
Add-ADPermission -Identity "DN of the Public Folder AD Object" -ExtendedRights "Send-As"
If you look closely at the Active Directory security settings on these public folders, you will notice that the owner is still the decommissioned Exchange 2003 server. To check this, open ADSIEdit – Default Naming Context – DC=domain,DC=com,CN=Microsoft Exchange System Objects, right-click the mail-enabled public folder and choose Properties – Security – Advanced – Owner tab.
This is a known issue for migrated mail-enabled public folders. The issue is fixed in Exchange 2013, and for Exchange 2010 the workaround is pretty simple: just mail-disable / mail-enable the public folder and the issue is gone.
For those who, for some reason, are not able to mail-disable their public folders, the second workaround is to manually change the owner of those public folders in ADSIEdit (follow the same path as above) – you can simply replace it with Exchange Servers.
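To find every affected folder without opening each one in ADSIEdit, the owner check described above can be scripted. This is an added example, not code from the original post; it is read-only, assumes the ActiveDirectory module (RSAT) is available, and `DOMAIN\OLDEX2003$` is a placeholder for the decommissioned server's computer account.

```powershell
# Added example: read-only audit of public folder AD object owners.
Import-Module ActiveDirectory

function Get-PublicFolderAdOwner {
    param(
        # Defaults to the container named in the post, under the current domain.
        [string]$SearchBase = "CN=Microsoft Exchange System Objects,$((Get-ADDomain).DistinguishedName)"
    )

    # Mail-enabled public folders are stored as objectClass=publicFolder.
    Get-ADObject -SearchBase $SearchBase `
                 -LDAPFilter '(objectClass=publicFolder)' `
                 -Properties nTSecurityDescriptor |
    ForEach-Object {
        # Read the owner as a SID first: if the old server's computer account
        # was deleted, the SID no longer maps to a name and Translate() throws.
        $sid = $_.nTSecurityDescriptor.GetOwner([System.Security.Principal.SecurityIdentifier])
        try {
            $name     = $sid.Translate([System.Security.Principal.NTAccount]).Value
            $resolved = $true
        } catch {
            $name     = $sid.Value   # keep the raw SID for the report
            $resolved = $false
        }
        [pscustomobject]@{
            Folder            = $_.Name
            DistinguishedName = $_.DistinguishedName
            Owner             = $name
            OwnerResolved     = $resolved
        }
    }
}

# Placeholder: replace with the old Exchange 2003 server's account name.
$legacyOwner = 'DOMAIN\OLDEX2003$'

# Flag folders still owned by the old server, or by a SID that no longer resolves.
Get-PublicFolderAdOwner |
    Where-Object { -not $_.OwnerResolved -or $_.Owner -eq $legacyOwner } |
    Sort-Object Owner, Folder |
    Format-Table Folder, Owner, OwnerResolved -AutoSize
```

Folders listed by this report are the ones that need one of the two workarounds; running it again afterwards confirms that the owner has changed.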