Cannot set the security descriptor of mailbox – Exchange PowerShell error when assigning permissions in Exchange 2010 and 2016 co-existence

You may come across this error if you have not yet migrated all user mailboxes to the new Exchange 2016 and are running it in co-existence with Exchange 2010. In that situation you still have to resolve requests and help desk calls from both groups of users, those not yet migrated and those already migrated, sometimes even while the migration is ongoing.


“Cannot set the security descriptor of mailbox…….. in exchange mailbox database ……..”

The following command was executed to grant full access permission:

Add-MailboxPermission -Identity "userA" -User "userB" -AccessRights FullAccess -InheritanceType All

And then it threw the error described above.


PowerShell throws this error because the mailbox you are trying to add permissions to is hosted on a higher version of Exchange than the server you are running the command from. In this case, that means you should run the command in the Exchange 2016 PowerShell, where userA's mailbox is now hosted after it was migrated, rather than in the Exchange 2010 PowerShell.

Simply put: you can't change the properties of a user mailbox in Exchange Server 2013 or 2016 when you are connected to a server that is running Exchange Server 2010. 🙂


1. Check which database the mailbox is currently hosted on and which version of Exchange Server it is on. Use this command to check:

Get-Mailbox -Identity UserA | fl database,exchangeversion

2. Use the Exchange 2016 PowerShell, or the Exchange 2013 PowerShell, depending on your result from step 1.

You can always refer here to know your versions of Exchange 🙂 :-

Another good tip: whenever you have a co-existence, always check first which database and Exchange version the user mailbox is on!
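
The two steps above can be folded into one pre-flight check that refuses to grant FullAccess from a shell older than the server hosting the mailbox. This is an added example, not code from the original post: the function name, its parameters and the helper are hypothetical, and it assumes the Exchange Management Shell was opened on the Exchange server itself, so that `$env:COMPUTERNAME` names the server the shell belongs to.

```powershell
# Added example (not from the original post). Names below are hypothetical.
# Assumption: this runs in an Exchange Management Shell opened on the Exchange
# server itself, so $env:COMPUTERNAME identifies the server the shell belongs to.
function Add-FullAccessChecked {
    param(
        [Parameter(Mandatory = $true)] [string] $Identity,
        [Parameter(Mandatory = $true)] [string] $User,
        [string] $ConnectedServer = $env:COMPUTERNAME
    )

    # Read the major version from AdminDisplayVersion, which renders as
    # "Version 14.x (Build ...)" on Exchange 2010 and "Version 15.x (Build ...)"
    # on Exchange 2013 (15.0) and Exchange 2016 (15.1).
    function Get-ExchangeMajor([string] $Server) {
        $v = (Get-ExchangeServer -Identity $Server -ErrorAction Stop).AdminDisplayVersion
        if ("$v" -match 'Version (\d+)\.') { return [int] $Matches[1] }
        throw "Cannot read the Exchange version of server '$Server'."
    }

    # Step 1: find out where the mailbox is hosted right now.
    $mbx          = Get-Mailbox -Identity $Identity -ErrorAction Stop
    $mailboxMajor = Get-ExchangeMajor $mbx.ServerName
    $shellMajor   = Get-ExchangeMajor $ConnectedServer

    # Step 2: stop before the write if this shell is older than the mailbox host.
    if ($shellMajor -lt $mailboxMajor) {
        throw ("Mailbox '{0}' is on database '{1}' (server {2}, major version {3}), " +
               "but this shell belongs to {4} (major version {5}). Run the command " +
               "from the newer Exchange Management Shell.") -f `
               $Identity, $mbx.Database, $mbx.ServerName, $mailboxMajor,
               $ConnectedServer, $shellMajor
    }

    # Same command as in the post, now issued only from a shell that can apply it.
    Add-MailboxPermission -Identity $Identity -User $User `
        -AccessRights FullAccess -InheritanceType All
}

# Usage:
# Add-FullAccessChecked -Identity 'userA' -User 'userB'
```

The check compares major versions only, which is enough to separate Exchange 2010 (14) from Exchange 2013 and 2016 (15).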