Unable to add rights after upgrade from Exchange 2007 RTM to Exchange 2007 SP1 - Fixed


Rexif

I'm posting this rather bizarre fix, because this problem has been
bugging me for almost a year, and maybe it might help someone else out
in a similar situation.

I was having the following issues after upgrading to SP1:

I was not able to give administrator rights by using the GUI or the
management shell, and I was getting the following error:

==========
Active Directory operation failed on DC.<root>.com. This error is not
retriable.
Additional information: the specified user does not exist.
Active directory response: 00000525: NameErr: DSID-031A0F80, problem
2001 (NO_OBJECT), data 0, best match of: []"

The object does not exist.

Exchange Management Shell command attempted:
Add-ExchangeAdministrator -Identity '<child>.<root>.com/OU/OU/User' -Role RecipientAdmin
==========

Also, my designated Exchange Recipient Admins were reporting errors
when trying to give access rights to mailboxes. Something that they
were able to do previously in 2007 RTM without any problem.

I originally posted my problem in this group last year in the hopes
someone else was having the same issue, without much luck.
http://groups.google.com/group/microsoft.public.exchange.admin/browse_thread/thread/acff445a1efef54d/14b0dd646940d282?hl=en#14b0dd646940d282

I've been trying to fix this for a while, and have checked all the
things that are referenced on the web in relation to the error above,
including permissions (root domain and child), group memberships, DC
policy rights, Directory replication, etc., but everything looked OK,
and the problem has persisted.

Well, I've stumbled upon a fix. It makes absolutely no sense why this
works, but I have managed to fix my production and lab environment by
doing this. (I had originally tested the upgrade in the lab. After
the problem came up in production, I checked the lab, and it had the
same symptoms.)

Stop the logging of the MSExchange ADAccess Topology

Run this in PowerShell:

set-eventloglevel "MSExchange AdAccess\Topology" -Level 0

Wait approx. 30 minutes. (maybe longer)

After reducing the logging level, I was able to add Admins via the
GUI, and my Exchange Recipient Admins were able to add rights
normally.

As far as I can tell, the event log level for Topology was set to 1
(low) either before, or by the upgrade. I know I did not modify it,

I cannot explain why this works. As far as I know, it should have no
effect on adding/removing permissions. All I know is that this fixed
the problem I was having in both my production and lab environments.
I switched the logging back to level 1 (low) in my lab, and the
problem did not reappear (yet). I know this fix sounds nuts, but it
is relatively easy to try, and could help you out.
 
