Inheritable Permissions – Failed Mailbox Migration

Occasionally mailbox moves fail. There are many reasons why a move could fail. For this particular article I will concentrate on one failure that can occur when a mailbox is moved to an internal Exchange Server or to a server in Office 365. Simply put, it is inheritable permissions:


When this checkbox is unchecked you could have an issue moving the mailbox to a new server, and the error would look something like this:

Both of these errors occur because permissions are missing which block the mailbox move process from doing its job. The fix is relatively easy to implement:

# Load the Quest ActiveRoles cmdlets (Get-QADUser, Set-QADObjectSecurity)
Add-PSSnapin Quest.ActiveRoles.ADManagement
# One row per user; the DisplayName column holds the name to look up
$users = import-csv c:\new\users.csv
foreach ($line in $users) {
	$user = $line.DisplayName
	# AreAccessRulesProtected is $true when the "Include inheritable permissions" checkbox is unchecked;
	# only those accounts are passed on to have inheritance unlocked
	Get-QADUser $user | where {$_.DirectoryEntry.psbase.ObjectSecurity.AreAccessRulesProtected} |  Set-QADObjectSecurity -UnlockInheritance
}

** Please note you need the Quest ActiveRoles AD Management Plug-ins for the script to work

The script will simply check the Inheritable Permissions checkbox for each user who is missing the setting. You can scope this to certain OUs as well if there is a need to do so.

Here is the format of the CSV file that was used (the header row must be named DisplayName, because the script reads $line.DisplayName from each row):

CSV File

DisplayName
"Smith, Bob"
"Washington, Smith"

A spot check of the accounts that were affected shows that the checkbox for inheritable permissions is now checked and the mailbox can proceed to be moved to Exchange 2013 or Office 365.

Typically this setting is unchecked on Admin accounts because they have special rights assignments, and it won't necessarily cause their mailbox migration to fail. On an ordinary user account (non-admin), if this checkbox is not checked and the permissions have never been copied to the user account, things can go wrong when it comes to mailbox moves. Usually this misconfiguration is not revealed until a new ActiveSync agreement is created (rebuild or new phone) or when their mailbox is moved to a different mail system (Office 365). In order to prevent this from causing issues for your migrations, I suggest you run a PowerShell script like this one to see who is missing the checkbox and correct all those mailboxes that are not Administrator mailboxes with my previous script.
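As an added example that is not the author's script, here is a report-first version of the same check written against the RSAT ActiveDirectory module instead of the Quest snap-in. It lists every mailbox-enabled user in an OU whose ACL has inheritance blocked, skips accounts with adminCount=1 (the AdminSDHolder-protected admin accounts the article says should be left alone), and only re-enables inheritance when you flip $Repair to $true. The OU path, the report path and the mail-attribute filter are placeholders you adjust for your domain.

```powershell
# Added example (not the author's script): report, and optionally repair, user accounts
# whose ACL has inheritance blocked ("Include inheritable permissions" unchecked).
# Assumes the RSAT ActiveDirectory module; $SearchBase and $CsvOut are placeholders.
Import-Module ActiveDirectory

$SearchBase = "OU=Users,DC=example,DC=com"     # placeholder: OU to scope the check to
$CsvOut     = "C:\new\inheritance-report.csv"  # placeholder: where the report is written
$Repair     = $false                           # $true = re-enable inheritance on non-admin accounts

# Mailbox-enabled users (mail attribute populated) with the security descriptor and adminCount loaded.
# adminCount = 1 marks accounts that AdminSDHolder has protected; those are treated as intentional.
$users = Get-ADUser -Filter 'mail -like "*"' -SearchBase $SearchBase `
            -Properties displayName, mail, adminCount, nTSecurityDescriptor

$report = foreach ($u in $users) {
    # AreAccessRulesProtected is $true when inheritance is blocked (checkbox unchecked)
    $blocked = $u.nTSecurityDescriptor.AreAccessRulesProtected
    if (-not $blocked) { continue }

    $isAdmin = ($u.adminCount -eq 1)
    $action  = if ($isAdmin)   { 'Skipped (adminCount=1)' }
               elseif ($Repair) { 'Repaired' }
               else             { 'ReportOnly' }

    if ($Repair -and -not $isAdmin) {
        # Re-enable inheritance through the AD: PSDrive that the ActiveDirectory module provides.
        $path = "AD:\$($u.DistinguishedName)"
        $acl  = Get-Acl -Path $path
        # isProtected=$false turns inheritance back on; preserveInheritance is ignored in that case.
        $acl.SetAccessRuleProtection($false, $true)
        Set-Acl -Path $path -AclObject $acl
    }

    [pscustomobject]@{
        DisplayName        = $u.displayName
        Mail               = $u.mail
        DistinguishedName  = $u.DistinguishedName
        AdminCount         = $u.adminCount
        InheritanceBlocked = $blocked
        Action             = $action
    }
}

$report | Sort-Object Action, DisplayName | Format-Table -AutoSize
$report | Export-Csv -Path $CsvOut -NoTypeInformation
```

Run it once with $Repair left at $false and review the CSV before changing anything. One caveat worth knowing: an account that is still a member of a protected group (Domain Admins and the like) will have inheritance cleared again by the AdminSDHolder process within about an hour, so the repair only sticks on accounts that are no longer in those groups; for a former admin account you also need to clear adminCount so the exclusion above stops skipping it.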

Hope this brief article provides some help for those migrating mailboxes and experiencing a similar issue.

