Users Cannot Log On to Outlook Web Access Because of Insufficient User Rights

Microsoft Exchange Server 2007 will reach end of support on April 11, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.


This topic explains how to use the Active Directory Users and Computers snap-in to correct user rights so that users can log on to Microsoft Office Outlook Web Access.

When you log on to Outlook Web Access, you may be presented with a Web page that includes the following exception:

a.Core.Culture.SetPreferredCulture(ExchangePrincipal exchangePrincipal, CultureInfo culture) 
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.DispatchLanguagePostLocally(OwaContext owaContext, OwaIdentity logonIdentity, CultureInfo culture, Int32 
timeZoneId, Boolean isOptimized) 
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.DispatchLanguagePostRequest(OwaContext owaContext) 
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.PrepareRequestWithoutSession(OwaContext owaContext, UserContextCookie userContextCookie) 
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.InternalDispatchRequest(OwaContext owaContext) 
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.DispatchRequest(OwaContext owaContext) 
System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() 
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Inner Exception
Exception type: Microsoft.Exchange.Data.Directory.ADOperationException
Exception message: Active Directory operation failed on ctssgreen.ctss.contoso.com. This error is not retriable. Additional information: 
Insufficient access rights to perform the operation. Active Directory response: 00002098: SecErr: DSID-03150A45, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 

Call stack

Microsoft.Exchange.Data.Directory.ADSession.AnalyzeDirectoryError(PooledLdapConnection connection, DirectoryRequest request, DirectoryException de, Int32& retries, Int32 maxRetries) 
Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADRawEntry entry, DirectoryRequest request, ADObjectId originalId) 
Microsoft.Exchange.Data.Directory.ADSession.Save(ADObject instanceToSave, IEnumerable`1 properties) 
Microsoft.Exchange.Data.Storage.ExchangePrincipal.Save()

Inner Exception
Exception type: System.DirectoryServices.Protocols.DirectoryOperationException
Exception message: The user has insufficient access rights.

Call stack

System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut) 

System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout) 
Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation) 
Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADRawEntry entry, DirectoryRequest request, ADObjectId originalId)

Cause

This exception may occur if the Allow inheritable permissions check box is not selected on the user object or on the OU container in Active Directory Users and Computers.

You should also verify that the Exchange Servers group appears on the Security tab of the top-level domain container. This security group is required on the top-level container and must be propagated to each organizational unit that includes users before users can successfully log on to Outlook Web Access.

Before You Begin

To perform this procedure, the account you use must be delegated membership in the Domain Administrators group.

For more information about permissions, delegating roles, and the rights that are required to administer Microsoft Exchange Server 2007, see Permission Considerations.

Procedure

To use Active Directory Users and Computers to set permissions for users and organizational units

  1. Open the Active Directory Users and Computers snap-in.

  2. On the View menu, click Advanced Features.

  3. Open the properties of a user who cannot log on to Outlook Web Access.

  4. Click the Security tab, and then click Advanced.

  5. Select the Allow inheritable permissions check box if it has not already been selected.

  6. Repeat steps 3 through 5 for each organizational unit between the user object and the top-level container.

  7. Allow time for replication to occur.

To use Active Directory Users and Computers to set permissions for the top-level container

  1. Open the Active Directory Users and Computers snap-in.

  2. On the View menu, click Advanced Features.

  3. Open the properties of the top-level container in the domain of the users who cannot log on.

  4. Click the Security tab.

  5. Verify that the Exchange Servers group appears in the Group or user names list. Add this group if it does not appear in the list. You do not have to set permissions for the Exchange Servers group.
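The following PowerShell check is an added example, not part of the original article or of Exchange. It mirrors both procedures above in a read-only way: it walks from the user object through each organizational unit to the top-level container and reports where inheritance is blocked, then checks whether the Exchange Servers group is listed on the top-level container. It assumes the ActiveDirectory RSAT module (which provides the AD: drive), that the group is named "Exchange Servers" in the same domain as the user, and that no relative distinguished names contain escaped commas.

```powershell
# Added example (not from the original article): read-only check of the two
# conditions named in the Cause section. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Test-OwaLogonPermissions {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $domain  = Get-ADDomain
    $rootDn  = $domain.DistinguishedName
    # Assumption: the group lives in this domain; adjust the NetBIOS prefix otherwise.
    $exchGrp = "$($domain.NetBIOSName)\Exchange Servers"

    $dn     = (Get-ADUser -Identity $SamAccountName).DistinguishedName
    $report = @()

    # Procedure 1: user object, then every OU up to (not including) the top-level container.
    # Assumption: no escaped commas in RDNs, so the parent DN is everything after the first ','.
    while ($dn -ne $rootDn) {
        $acl = Get-Acl -Path "AD:\$dn"
        $report += [pscustomobject]@{
            Object             = $dn
            # $true means the "Allow inheritable permissions" check box is cleared here.
            InheritanceBlocked = $acl.AreAccessRulesProtected
        }
        $dn = $dn -replace '^[^,]+,', ''
    }

    # Procedure 2: the Exchange Servers group must appear on the top-level container.
    $rootAcl     = Get-Acl -Path "AD:\$rootDn"
    $exchPresent = [bool]($rootAcl.Access |
        Where-Object { $_.IdentityReference.Value -eq $exchGrp })

    $blocked = @($report | Where-Object { $_.InheritanceBlocked } | ForEach-Object { $_.Object })

    [pscustomobject]@{
        User                  = $SamAccountName
        InheritanceBlockedOn  = $blocked          # objects to fix with steps 3 through 5
        ExchangeServersOnRoot = $exchPresent      # $false: add the group per the second procedure
        LikelyOk              = ($exchPresent -and $blocked.Count -eq 0)
    }
}

# Usage ('jdoe' is a placeholder account name):
# Test-OwaLogonPermissions -SamAccountName 'jdoe'
```

Any object listed under InheritanceBlockedOn corresponds to a place where steps 3 through 5 of the first procedure still need to be applied; remember that a change made in the console is not visible on every domain controller until replication has completed.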

For More Information

For more information about permissions settings for Outlook Web Access, see IIS and File System Settings for Outlook Web Access.