Cannot set the security descriptor of mailbox

You may come across this error in powershell – Cannot set the security descriptor of mailbox…. For me it was occurring in the beginning when we were doing a small number of mailbox migrations from Exchange 2010 to Exchange 2016 and assigning mailbox permissions.

“Cannot set the security descriptor of mailbox…….. in exchange mailbox database ……..”

Error appeared when I used below exchange powershell command to grant full access permission to userB on userA mailbox:-

Add-MailboxPermission -Identity "userA" -User "userB" -AccessRights FullAccess -InheritanceType All

Cause:-

Changes in user attributes in AD after migrating user from Exchange 2010 to Exchange 2016.

Powershell is throwing this error because the mailbox that you are trying to add the full access permission is now hosted in a higher version of exchange than the server you are running the powershell command from.

In my case, it means i should be running the Add-MailboxPermission command above in Exchange 2016 exchange management shell where the mailbox of userA is now hosted after it was migrated from Exchange 2010.

Solution:-

1. Check which database the mailbox is currently on, and which version of Exchange server.

Get-Mailbox -Identity UserA | fl database,exchangeversion

2. Use Exchange powershell on a higher version of  exchange where the mailbox now resides after migration. If mailbox was migrated from Exchange 2010 to Exchange 2016, so you will have to run the command from Exchange 2016 management shell to add the permissions successfully.

Add-MailboxPermission -Identity "userA" -User "userB" -AccessRights FullAccess -InheritanceType All

You can always refer to this Microsoft technet link to know your versions of Exchange from the exchangeversion result you get 🙂 

https://technet.microsoft.com/en-us/library/hh135098(v=exchg.150).aspx

Leave a comment and let me know if it worked for you.