I was doing some quick research recently on a topic totally unrelated to Exchange. Due to some resource constraints, I decided to install and set up an instance of Spiceworks (a helpdesk and asset management tool) on my lab Exchange 2010 SP2 server. Then began my problem. As soon as I was done, it didn’t take long for me to realize I could no longer create new mailboxes.
The New-Mailbox cmdlet kept throwing the following exception:
Error:
Active Directory operation failed on FQDN.dc.com. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS)…
The last time I encountered this error, I was in the process of moving mailboxes from one server to another. I quickly resolved it by enabling inherited permissions on the affected user mailbox account. Easy.
But this was different. My admin account could not create mailboxes. Again, I checked to make sure that inherited permissions were enabled for my Exchange admin account. Still nothing.
I used the ADSIEdit.msc tool to drill into the Active Directory configuration context. I checked as many configuration containers as I could to confirm that inherited permissions were enabled: the Exchange Administrative Group, the Database container, the security properties of the Exchange Trusted Subsystem group, and so on. Still nothing.
Now, I know that all Exchange actions done through the Management Shell must be authorized by RBAC (Role Based Access Control). RBAC in turn carries out these tasks in the security context of the Exchange Trusted Subsystem universal security group. This group basically contains the Exchange server accounts and has read/write access to all Exchange-related objects in the Exchange organization.
According to Microsoft, the ETS USG should be a member of the Exchange Windows Permissions USG and of the local Administrators group.
And herein lies the problem. The ETS USG was not a member of the built-in Administrators group. I went ahead and added it to the Administrators group, and boom, problem solved. Just to confirm this, I removed the ETS from the Administrators group again, and a few seconds later the same errors started up and I couldn’t create new mailboxes. I added the ETS to the Administrators group once more, and the problem disappeared.
One problem, though: before this situation, the Exchange Trusted Subsystem USG was never part of the built-in Administrators group, or any other Administrators group for that matter, except for the Exchange Windows Permissions USG, and yet everything worked well. So if these changes solved my problem, how come I never had the problem before now?
I hope this helps someone, but I am still in research mode hoping to find the best practice configuration for the ETS USG and related configuration items.
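The two things the post checked by hand, inheritance on the admin account and where the Exchange Trusted Subsystem group sits, can be checked in one read-only pass from the Management Shell. This is an added example, not code from the original post; it assumes the ActiveDirectory module (RSAT) is available, and the account name "exchadmin" is a placeholder. It only reports and changes nothing.

```powershell
# Added example (not part of the original post). Read-only diagnostics for the
# New-Mailbox "INSUFF_ACCESS_RIGHTS" symptom described above. Assumes the
# ActiveDirectory module is present and the caller can read the domain.
Import-Module ActiveDirectory

function Test-ExchangeTrustedSubsystemSetup {
    param(
        # The account that fails to run New-Mailbox; 'exchadmin' is a placeholder.
        [string]$AdminSamAccountName = 'exchadmin'
    )

    $ets    = Get-ADGroup -Identity 'Exchange Trusted Subsystem'
    $report = [ordered]@{}

    # 1. Is inheritance blocked on the admin account's ACL? adminCount=1 means
    #    AdminSDHolder protection has stripped inheritance, which is a common
    #    reason "inherited permissions" are found disabled on admin accounts.
    $admin = Get-ADUser -Identity $AdminSamAccountName -Properties adminCount
    $acl   = Get-Acl -Path ("AD:\" + $admin.DistinguishedName)
    $report['AdminInheritanceBlocked'] = $acl.AreAccessRulesProtected
    $report['AdminCount']              = $admin.adminCount

    # 2. Direct members of ETS: expected to be the Exchange server accounts.
    $report['EtsMembers'] = @(Get-ADGroupMember -Identity $ets |
                              Select-Object -ExpandProperty Name)

    # 3. Is ETS nested in Exchange Windows Permissions (as Microsoft documents)
    #    and in the built-in Administrators group (where the post ended up)?
    foreach ($groupName in 'Exchange Windows Permissions', 'Administrators') {
        $members = Get-ADGroupMember -Identity $groupName
        $key = 'EtsIn_' + ($groupName -replace ' ', '')
        $report[$key] = [bool]($members | Where-Object { $_.SID -eq $ets.SID })
    }

    [pscustomobject]$report
}

# Usage: run from an Exchange server or an admin workstation with RSAT.
Test-ExchangeTrustedSubsystemSetup -AdminSamAccountName 'exchadmin' | Format-List
```

If EtsIn_Administrators is False and EtsIn_ExchangeWindowsPermissions is True, the environment matches the state the post started from; the output makes it easy to record the group membership before and after any change so it can be reverted.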
My Exchange Trusted Subsystem group is empty, what members should be present?
Your exchange servers would be in that group.
Perfect fix, thanks very much. Spent two days on this one – doesn’t appear on any of the Microsoft sites I looked at.
You’re welcome dude. Glad the post helped you.
Hi all,
Any known side effects of doing this?
We have two Exchanges (13 and 07), and only 13 is in this group….
The issue comes to me when I try to migrate certain users from 07 to 13 and I can't due to this error: (https://support.microsoft.com/gl-es/help/4131514/error-migrationpermanentexception-active-directory-property-homemdb)
Now I wonder, before doing it, if it may cause any other issues.
Both Exchanges are in production!
Regards