Cannot set the security descriptor of mailbox – Exchange PowerShell error when assigning permissions in Exchange 2010/2013 or 2016 co-existence

I would like to shed some light on an error you may come across if you run Exchange 2010 in co-existence with 2013 or 2016, or are still slowly upgrading from 2010 to 2013/2016. It shows up especially if you have not yet migrated all mailboxes over to Exchange 2013 or 2016, or if the migration is being handled by another team or a 3rd-party vendor while you are still performing your regular daily Exchange administrative tasks on the 2010 server. As part of those tasks you might have to add or remove mailbox permissions for a mailbox user, and if you have a habit of just taking the user information, substituting it into the cmdlets you keep in Notepad and running them on the Exchange server, you may run into this error.


“Cannot set the security descriptor of mailbox…….. in exchange mailbox database ……..”

In this case the following command was executed to grant full access permission on a mailbox:-

Add-MailboxPermission -Identity "userA" -User "userB" -AccessRights FullAccess -InheritanceType All

And then we got the error above.


PowerShell throws this error because the mailbox you are trying to add permissions to is hosted on a higher version of Exchange than the server you are running the command from. That means you should be running the command in the Exchange 2016 PowerShell, where the mailbox of userA is hosted, rather than in the Exchange 2010 PowerShell.

Simply put:- You can’t change the properties of a mailbox in Exchange Server 2013 or 2016 when you connect to a server that is running Exchange Server 2010 🙂


1. Check which database the mailbox is currently hosted on and which version of Exchange Server it is on. Use this command to check:-

Get-Mailbox -Identity UserA | fl database,exchangeversion

2. Use the Exchange 2016 PowerShell, or the 2013 PowerShell, depending on your result from step 1.
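
The two steps above can be folded into a guard that refuses to run the grant from a server older than the mailbox, and reads the permission back afterwards. This is an added example, not part of the original post: the function name `Add-FullAccessChecked`, its parameters, and the assumed text forms of `ExchangeVersion` and `AdminDisplayVersion` are assumptions.

```powershell
# Added example: function name and parameters are hypothetical.
function Add-FullAccessChecked {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$Identity,  # mailbox being opened up, e.g. userA
        [Parameter(Mandatory = $true)][string]$User,      # account receiving access, e.g. userB
        # Assumption: the Exchange Management Shell is running on the Exchange server itself.
        [string]$LocalServer = $env:COMPUTERNAME
    )

    # Step 1 from the post: find the database and version of the mailbox.
    $mbx = Get-Mailbox -Identity $Identity -ErrorAction Stop

    # Assumption: ExchangeVersion renders like "0.10 (14.0.100.0)" for 2010
    # and "0.20 (15.0.0.0)" for 2013/2016; the major build number is compared.
    if ("$($mbx.ExchangeVersion)" -notmatch '\((\d+)\.') {
        throw "Cannot read ExchangeVersion of '$Identity': $($mbx.ExchangeVersion)"
    }
    $mailboxMajor = [int]$Matches[1]

    # Assumption: AdminDisplayVersion renders like "Version 14.3 (Build 123.4)".
    $srv = Get-ExchangeServer -Identity $LocalServer -ErrorAction Stop
    if ("$($srv.AdminDisplayVersion)" -notmatch 'Version (\d+)\.') {
        throw "Cannot read AdminDisplayVersion of '$LocalServer': $($srv.AdminDisplayVersion)"
    }
    $serverMajor = [int]$Matches[1]

    # Step 2 from the post: a 2010 shell must not touch a 2013/2016 mailbox.
    if ($mailboxMajor -gt $serverMajor) {
        throw ("Mailbox '$Identity' is on database '$($mbx.Database)' (version $mailboxMajor.x) " +
               "but '$LocalServer' is version $serverMajor.x. Run this from the newer Exchange PowerShell.")
    }

    Add-MailboxPermission -Identity $Identity -User $User -AccessRights FullAccess `
        -InheritanceType All -ErrorAction Stop | Out-Null

    # Read the grant back so the change is confirmed and can go into the change record.
    Get-MailboxPermission -Identity $Identity -User $User |
        Where-Object { -not $_.IsInherited } |
        Select-Object Identity, User, AccessRights, Deny
}

Add-FullAccessChecked -Identity 'userA' -User 'userB'
```

Because Exchange 2013 and 2016 mailboxes share the same major version, this guard only catches the 2010 case described above; use the database name from step 1 to pick between the 2013 and 2016 shells.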

You can always refer here to know your versions of Exchange 🙂 :-