My Frustrating Experience with the Exchange Trusted Subsystem USG.

I was doing some quick research recently on a topic totally unrelated to Exchange. Due to some resource constraints, I decided to install and set up an instance of Spiceworks (a helpdesk and asset management tool) on my lab Exchange 2010 SP2 server. Then began my problem. As soon as I was done, it didn't take long for me to realize I could no longer create new mailboxes.

The New-Mailbox cmdlet kept throwing the following exception:
Error:
Active Directory operation failed on FQDN.dc.com. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS)…

The last time I encountered this error, I was in the process of moving mailboxes from one server to another. I quickly resolved it by enabling Inherited Permissions on the affected user mailbox account. Easy.

But this was different. My admin account could not create mailboxes. Again, I checked to make sure that Inherited Permissions were enabled for my Exchange admin account. Still nothing.

I used the ADSIEdit.msc tool to drill into the Active Directory configuration context. I checked as many configuration containers as I could, to confirm that Inherited Permissions were enabled: the Exchange Administrative Group, the Database container, the security properties of the Exchange Trusted Subsystem group, and so on. Still nothing.

Now, I know that all Exchange actions done through the Management Shell must be authorized by RBAC (Role Based Access Control). RBAC in turn carries out these tasks in the security context of the Exchange Trusted Subsystem Universal Security Group (ETS USG). This group basically contains the Exchange server computer accounts and has read/write access to all Exchange-related objects in the Exchange organization.
According to Microsoft, the ETS USG should be a member of the Exchange Windows Permissions USG and of the local Administrators group.

And herein lies the problem. The ETS USG was not a member of the built-in Administrators group. I went ahead and added it to the Administrators group and, boom, problem solved. Just to confirm this, I removed the ETS from the Administrators group again, and a few seconds later the same errors started up and I couldn't create new mailboxes. I added the ETS to the Administrators group again, and the problem disappeared.
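The memberships described above are easy to lose track of, and because the Exchange Trusted Subsystem group has read/write access to every Exchange object in the organization, both a missing membership (the symptom in this post) and an unexpected extra member are worth checking routinely. The script below is an added example, not part of the original post: it verifies, on one Exchange 2010 server, that the ETS group has members, that it is nested in Exchange Windows Permissions, that it sits in the server's local Administrators group, and that a given mailbox account still inherits permissions (the cause of the earlier mailbox-move error). It assumes an elevated PowerShell session on the Exchange server with the ActiveDirectory RSAT module installed; the user name `jdoe` is a placeholder.

```powershell
# Added example (not from the original post): verify the group memberships and
# ACL inheritance that the post describes, on one Exchange 2010 server.
# Assumptions: elevated PowerShell on the Exchange server, ActiveDirectory
# RSAT module available; $MailboxUser is a placeholder sAMAccountName.
Import-Module ActiveDirectory

$Ets         = 'Exchange Trusted Subsystem'
$Ewp         = 'Exchange Windows Permissions'
$MailboxUser = 'jdoe'   # placeholder: the mailbox account that fails with INSUFF_ACCESS_RIGHTS

$problems = @()

# 1. ETS should contain the Exchange server computer accounts (this server included).
$etsMembers = Get-ADGroupMember -Identity $Ets -Recursive |
              Select-Object -ExpandProperty SamAccountName
if (-not $etsMembers) {
    $problems += "$Ets has no members"
} elseif ($etsMembers -notcontains "$env:COMPUTERNAME`$") {
    $problems += "$env:COMPUTERNAME`$ is not a member of $Ets"
}

# 2. ETS should be nested in Exchange Windows Permissions.
$ewpMembers = Get-ADGroupMember -Identity $Ewp | Select-Object -ExpandProperty Name
if ($ewpMembers -notcontains $Ets) {
    $problems += "$Ets is not a member of $Ewp"
}

# 3. ETS should be in this server's local Administrators group (the fix in the post).
#    The WinNT ADSI provider is used because Get-LocalGroupMember does not exist
#    on the Windows Server 2008 R2 hosts that Exchange 2010 typically runs on.
$localAdmins = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$adminNames  = @($localAdmins.psbase.Invoke('Members')) | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
}
if ($adminNames -notcontains $Ets) {
    $problems += "$Ets is not in the local Administrators group on $env:COMPUTERNAME"
}

# 4. The mailbox account's AD object should inherit permissions. When inheritance
#    is blocked, the ETS rights granted higher in the tree never reach the object.
$user = Get-ADUser -Identity $MailboxUser
$acl  = Get-Acl -Path "AD:\$($user.DistinguishedName)"
if ($acl.AreAccessRulesProtected) {
    $problems += "Permission inheritance is disabled on $($user.DistinguishedName)"
}

# Report. Each line maps to one of the fixes described in the post.
if ($problems) {
    Write-Warning "Found $($problems.Count) Exchange Trusted Subsystem problem(s):"
    $problems | ForEach-Object { Write-Warning "  $_" }
} else {
    Write-Host 'All Exchange Trusted Subsystem checks passed.'
}
```

Run it as-is to get a list of the mismatches; an empty list means the configuration matches what the post and the Microsoft guidance call for. If check 3 fails, the remedy is the one the post applied (add the group back to local Administrators); bear in mind that a membership change only reaches a process once its access token is rebuilt, so a service that still has an old token may keep failing until it is restarted. Resist fixing check 1 by adding individual user accounts to the ETS group: anything placed there gets full write access to the whole Exchange organization.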

One problem though: before this situation, the Exchange Trusted Subsystem USG had never been part of the built-in Administrators group, or of any other Administrators group for that matter; its only membership was in the Exchange Windows Permissions USG, and yet everything worked well. So if these changes solved my problem, how come I never had the problem before now?

I hope this helps someone, but I am still in research mode hoping to find the best practice configuration for the ETS USG and related configuration items.


4 Responses to My Frustrating Experience with the Exchange Trusted Subsystem USG.

  1. Lee says:

    My Exchange Trusted Subsystem group is empty, what members should be present?

  2. jbernec says:

    Your Exchange servers would be in that group.

  3. Mac says:

    Perfect fix, thanks very much. Spent two days on this one – doesn’t appear on any of the Microsoft sites I looked at.
