Active Directory operation failed (INSUFF_ACCESS_RIGHTS) in Exchange 2010

When you try to perform one of these actions:

  • move a mailbox from Exchange 2007 to Exchange 2010, or
  • create a new mailbox for a user in Exchange 2010,

the following error may occur:

Active Directory operation failed on domain.local. This error is not retriable. Additional information: Insufficient access rights to perform the operation.
Active directory response: 00002098: SecErr: DSID-03150A48, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

The user has insufficient access rights.

This error message is often an indication that the user for whom you are trying to create the mailbox is (or has been) a domain administrator.

To resolve this error, do the following:

  1. Open Active Directory Users and Computers with domain administrative rights.
  2. Choose View, and check Advanced Features.
  3. Locate the user in Active Directory, right-click and choose Properties.
  4. Go to the Security tab, then uncheck and recheck "Include inheritable permissions from this object's parent".
    This will re-apply the permissions.

The above actions should be sufficient to create or move the mailbox.
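The same inheritance check and fix can be done from PowerShell with the ActiveDirectory module. This is an added example, not part of the original article; the function name `Enable-AdUserAclInheritance` and the account `jdoe` are hypothetical, and it covers the case where the box is found unchecked on the user object.

```powershell
# Added example: hypothetical helper, not from the original article.
function Enable-AdUserAclInheritance {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Identity   # sAMAccountName or distinguished name of the user
    )

    Import-Module ActiveDirectory   # also provides the AD: drive used below

    $user = Get-ADUser -Identity $Identity -Properties adminCount
    $path = "AD:\$($user.DistinguishedName)"
    $acl  = Get-Acl -Path $path

    # adminCount = 1 marks an account that is, or once was, in a protected
    # group such as Domain Admins; it is not cleared when membership ends.
    $report = [pscustomobject]@{
        User                = $user.SamAccountName
        AdminCount          = $user.adminCount
        InheritanceDisabled = $acl.AreAccessRulesProtected
        Changed             = $false
    }

    if ($acl.AreAccessRulesProtected -and
        $PSCmdlet.ShouldProcess($user.DistinguishedName, 'Enable ACL inheritance')) {
        # isProtected = $false turns inheritance from the parent back on.
        # The second argument is ignored when isProtected is $false.
        $acl.SetAccessRuleProtection($false, $true)
        Set-Acl -Path $path -AclObject $acl
        $report.Changed = $true
    }

    # Note: while the account is still a member of a protected group, AD
    # periodically reapplies the protected ACL and inheritance is disabled again.
    $report
}

# Preview the change first, then apply it ('jdoe' is a placeholder account).
Enable-AdUserAclInheritance -Identity 'jdoe' -WhatIf
Enable-AdUserAclInheritance -Identity 'jdoe'
```

Run it in a session that has the domain administrative rights required in step 1.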

If you still face the error as described above, feel free to leave a comment.


mailbox migrations from 2003 to 2010 fail with “active directory operation failed on “dc”…
I get the exact error that you have posted. I went into properties and sure enough, inherited perms — checked; move request is successful, but fails at (20-29)%. Tried another user = same.
I have moved 5 successfully. I checked and license is not the issue.


Applied permissions to inherit yet still the same issue.
The mailboxes we are having issues with are on another domain in the forest.
On the primary schema server for the forest we ran:
setup /preparead
setup /preparedomain:otherdomain.local
setup /prepareschema

setup /prepareschema was not run on the problematic domain because from what I have read this will apply schema changes to all domains in the forest. Is this correct?


I’m having the same issue, were you able to resolve this?


How can I go about your suggestion using PowerShell?


Thanks, it works.


I still get the same issue after checking the inheritable permissions option. But this option is not stable; sometimes it gets unchecked. What can I do?


Thanks, it's perfect.

Kaka Mama

I found the solution. All you have to do is add the SCCM Server account in the group policy object.
On Domain Controller go to Server Manager > Tools > Group Policy Object. On the left Pane, select your domain object, then on the pane, click the Delegation tab. Once there, at the bottom you see the Add button. Click that and add your SCCM Server Account. Refresh SCCM and you’ll see “Succeeded.” You’ll also see the System Management container in the Active directory populated.
