Microsoft KB Archive/842033



"Access Denied" error message when you move mailboxes by using the Exchange Task Wizard in Exchange Server 2003

Article ID: 842033

Article Last Modified on 10/25/2007



APPLIES TO

  • Microsoft Exchange Server 2003 Enterprise Edition
  • Microsoft Exchange Server 2003 Standard Edition




SYMPTOMS

When you try to move a mailbox by using the Exchange Task Wizard in Microsoft Exchange Server 2003, an access denied error message that is similar to the following appears in the Task Wizard report file:

    
    <?xml version="1.0" encoding="unicode" ?>
    <taskWizardRun taskName="Move Mailbox" dcName="GC001" buildNumber="6944"
        runningAs="jd_smith@contoso.com">
      <timespan startTime="2004-04-24 09:19:55.019" milliseconds="25250" />
      <moveMailbox mixedMode="false" maxBadItems="0">
        <destination>
          <database>/dc=com/dc=contoso/cn=Configuration/cn=Services/cn=Microsoft Exchange/cn=ContosoOrg/cn=Administrative Groups/cn=Americas01/cn=Servers/cn=EXSERVER501/cn=InformationStore/cn=First Storage Group/cn=Mailbox Store 4 SG1 (EXSERVER501)</database>
        </destination>
      </moveMailbox>
      <taskSummary errorCount="1" completedCount="0" warningCount="0" errorCode="0x00000000" />
      <items>
        <item adsPath="LDAP://contoso.com/cn=remoteuser1,ou=Workers,dc=childdomain,dc=contoso,dc=com" class="user">
          <progress code="100" milliseconds="25235">Saving changes to the directory</progress>
          <summary isWarning="false" errorCode="0x80070005">
            Access denied.
            <details>
              <source>
                <database>/dc=com/dc=contoso/cn=Configuration/cn=Services/cn=Microsoft Exchange/cn=ContosoOrg/cn=Administrative Groups/cn=Americas01/cn=Servers/cn=EXSERVER501/cn=InformationStore/cn=First Storage Group/cn=Mailbox Store 1 SG1 (EXSERVER501)</database>
              </source>
            </details>
          </summary>
        </item>
      </items>
    </taskWizardRun>

Note: The Task Wizard report file appears if you click to select the "View detailed report when this wizard closes" check box after the move-mailbox operation is complete. The Task Wizard report file is stored in the following folder:

%systemdrive%\Documents and Settings\profile_name\My Documents\Exchange Task Wizard Logs


CAUSE

This issue may occur if the account that you are using to run the Exchange Task Wizard does not have the correct permissions for the following attributes on the user object:

Read/write msexchhomeservername
Read/write homemdb
Read/write homeMTA
Read/write msExchOmaAdminWirelessEnable
Read/write msExchOmaAdminExtendedSettings
Read/write targetAddress


This issue typically occurs in a multiple-domain forest where your account and the user's account that you want to move exist in different domains. Although you may be a domain administrator of your domain, you are not a domain administrator of the remote domain where the user's account exists.

Note The Microsoft Exchange 2000 move-mailbox operation does not look for the msExchOmaAdminWirelessEnable attribute or for the msExchOmaAdminExtendedSettings attribute.
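To triage a report like the one in the SYMPTOMS section, the following added example (not part of the original article) lists every item that failed with 0x80070005 and flags whether the object sits in a different domain from the account in runningAs. It assumes the UPN suffix of runningAs equals the account's DNS domain; the function name Get-DeniedMove and the trimmed sample report are constructed for illustration.

```powershell
# Constructed sample, trimmed from the report in SYMPTOMS to the fields used here.
$reportText = @'
<taskWizardRun taskName="Move Mailbox" dcName="GC001" runningAs="jd_smith@contoso.com">
  <items>
    <item adsPath="LDAP://contoso.com/cn=remoteuser1,ou=Workers,dc=childdomain,dc=contoso,dc=com" class="user">
      <summary isWarning="false" errorCode="0x80070005">Access denied.</summary>
    </item>
  </items>
</taskWizardRun>
'@

function Get-DeniedMove {
    param([Parameter(Mandatory)][string]$Xml)

    # Drop the XML declaration: its encoding="unicode" label describes the file
    # on disk, not the in-memory string being parsed.
    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml(($Xml -replace '^\s*<\?xml[^>]*\?>', ''))

    # Assumption: the UPN suffix is the DNS name of the operator's domain.
    $runningAs      = $doc.DocumentElement.GetAttribute('runningAs')
    $operatorDomain = ($runningAs -split '@')[-1].ToLower()

    foreach ($item in $doc.SelectNodes('//item[summary/@errorCode="0x80070005"]')) {
        $adsPath = $item.GetAttribute('adsPath')

        # Rebuild the object's DNS domain from the dc= components of its DN.
        $dn = $adsPath -replace '^LDAP://[^/]*/', ''
        $dc = [regex]::Matches($dn, '(?i)(?:^|,)dc=([^,]+)') |
              ForEach-Object { $_.Groups[1].Value }
        $objectDomain = ($dc -join '.').ToLower()

        [pscustomobject]@{
            AdsPath        = $adsPath
            ObjectDomain   = $objectDomain
            OperatorDomain = $operatorDomain
            CrossDomain    = ($objectDomain -ne $operatorDomain)
        }
    }
}

Get-DeniedMove -Xml $reportText | Format-List
```

For a real report, pass the file content as a single string, for example with Get-Content -Raw on a file in the Exchange Task Wizard Logs folder.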

RESOLUTION

To resolve this issue with the minimum set of permissions, you must grant the following attribute permissions on the organizational unit that contains the user object. Grant the permissions either to your own account or to your Domain Admins group:

Read/write msexchhomeservername
Read/write homemdb
Read/write homeMTA
Read/write msExchOmaAdminWirelessEnable
Read/write msExchOmaAdminExtendedSettings
Read/write targetAddress


To do this, follow these steps:

  1. Start Active Directory Users and Computers.
  2. On the View menu, click Advanced features.
  3. Right-click the organizational unit that contains the user account whose mailbox you want to move, and then click Properties.
  4. Click the Security tab.
  5. Click Add, and then add either your account or the Domain Admins group that contains the domain administrators who will use the Exchange System Manager to move mailboxes that belong to the remote domain.
  6. With the Domain Admins group selected or with your administrative user selected, click Advanced.
  7. With the appropriate permissions entry selected, click Edit. (If you are using Microsoft Windows 2000, click View/Edit.)
  8. Click the Properties tab, and then click User Objects in the Apply onto box.
  9. Click to select the check box in the Allow column for the following permissions:

    Read/write Exchange Home Server
    Read/write Exchange Mailbox Store
    Read/write homeMTA
    Read/write msExchOmaAdminWirelessEnable
    Read/write msExchOmaAdminExtendedSettings
    Read/write targetAddress

  10. Click OK to close the open dialog boxes.
  11. Force Active Directory replication over all connections between domain controllers, or wait for all domain controllers in the domain to replicate. To force Active Directory replication, follow these steps:
    1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.
    2. Expand Sites, expand Default-First-Site-Name, expand Servers, expand ServerName, and then click NTDS Settings.
    3. In the right pane, right-click each connection that is listed, and then click Replicate Now.
    4. Quit the Active Directory Sites and Services snap-in.
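The same minimum-permission grant from steps 1 through 10 can be scripted with dsacls, shown here as an added example that is not part of the original article. The OU is taken from the adsPath in the sample report; the trustee name CONTOSO\Domain Admins is an assumed NetBIOS form, and the example assumes dsacls.exe is available and is run by an account that can modify the ACL on that OU.

```powershell
# Assumed values: replace with the OU in the remote domain and the account or
# group that runs the move-mailbox task.
$ou      = 'OU=Workers,DC=childdomain,DC=contoso,DC=com'
$trustee = 'CONTOSO\Domain Admins'

# LDAP names of the six attributes listed in the RESOLUTION section.
# "Exchange Home Server" is msExchHomeServerName and
# "Exchange Mailbox Store" is homeMDB in the permissions dialog.
$attributes = @(
    'msExchHomeServerName'
    'homeMDB'
    'homeMTA'
    'msExchOmaAdminWirelessEnable'
    'msExchOmaAdminExtendedSettings'
    'targetAddress'
)

foreach ($attr in $attributes) {
    # /I:S  inherit to child objects only (the "Apply onto" setting in step 8)
    # RPWP  read property + write property, limited to $attr
    # user  the ACE applies only to user objects under the OU
    & dsacls.exe $ou /I:S /G "${trustee}:RPWP;$attr;user"
    if ($LASTEXITCODE -ne 0) {
        throw "dsacls failed while granting RPWP on $attr"
    }
}

# Review the resulting entries for the trustee before forcing replication.
& dsacls.exe $ou | Select-String -SimpleMatch $trustee
```

Because each entry names a single attribute and is scoped to user objects, the trustee gains nothing beyond the six properties the move-mailbox task writes.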


MORE INFORMATION

To resolve this issue, you can also add your account to the remote domain's built-in Administrators group; however, we do not recommend this method.

Note: To view the Task Wizard report file, click to select the "View detailed report when this wizard closes" check box after the move-mailbox operation is complete. The Task Wizard report file is stored in the following folder:

%systemdrive%\Documents and Settings\profile_name\My Documents\Exchange Task Wizard Logs


STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

Keywords: kbnofix kberrmsg kbbug KB842033