Cannot set the security descriptor of mailbox – Exchange PowerShell error when assigning permissions in Exchange 2010/2016 co-existence

You may come across this error if you have not fully migrated all user mailboxes to your new Exchange 2016 servers, or you run a 2010/2013 or 2010/2016 co-existence environment, and you still have to resolve help desk calls for users who are not yet migrated or who have just been migrated.


“Cannot set the security descriptor of mailbox…….. in exchange mailbox database ……..”

The command below was executed to grant userB Full Access permission on userA's mailbox:

Add-MailboxPermission -Identity "userA" -User "userB" -AccessRights FullAccess -InheritanceType All

And we got the error described above.


PowerShell throws this error because the mailbox you are trying to add the permission to is hosted on a higher version of Exchange than the server you are running the PowerShell command from.

That means you should be running the command in Exchange 2016 where the mailbox of userA is now hosted after it was migrated from Exchange 2010.


1. Check which database the mailbox is currently on, and which Exchange version it reports.

Get-Mailbox -Identity UserA | fl database,exchangeversion

2. Use PowerShell on the higher version of Exchange where the mailbox resides. In my case that is Exchange 2016 PowerShell; yours depends on the Exchange version returned by the command above.

You can always refer to this Microsoft TechNet link to find out your versions of Exchange 🙂
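
The two steps above as one script, added here as an example and not part of the original post: it looks up the server hosting the mailbox, opens remote PowerShell to that server, applies the permission there and lists the resulting explicit entries. It assumes Kerberos authentication to the server's default /PowerShell/ endpoint and that the current session can read the hosting server's object; the parameter names and the Tgt prefix are illustrative.

```powershell
# Added example, not from the original post. Run from a session where the
# Exchange cmdlets are already loaded (EMS or an imported remote session).
param(
    [Parameter(Mandatory = $true)] [string] $Mailbox,   # mailbox to share, e.g. userA
    [Parameter(Mandatory = $true)] [string] $Delegate   # account gaining access, e.g. userB
)

# Step 1 from the post: where does the mailbox live, and at what version?
$mbx = Get-Mailbox -Identity $Mailbox -ErrorAction Stop
$mbx | Format-List Database, ExchangeVersion, ServerName

# Assumption: the current session can read the hosting server's object.
$server = Get-ExchangeServer -Identity $mbx.ServerName -ErrorAction Stop
Write-Host "Hosting server: $($server.Fqdn) ($($server.AdminDisplayVersion))"

# Step 2: open remote PowerShell on the hosting server so the cmdlet runs
# at the same Exchange version as the mailbox.
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri "http://$($server.Fqdn)/PowerShell/" `
    -Authentication Kerberos -ErrorAction Stop
try {
    # The "Tgt" prefix (arbitrary) keeps the imported cmdlets distinct
    # from the ones already loaded locally.
    Import-PSSession -Session $session -Prefix Tgt -AllowClobber `
        -CommandName Add-MailboxPermission, Get-MailboxPermission | Out-Null

    Add-TgtMailboxPermission -Identity $Mailbox -User $Delegate `
        -AccessRights FullAccess -InheritanceType All -ErrorAction Stop

    # Confirm what was granted: explicit (non-inherited) entries for the delegate.
    Get-TgtMailboxPermission -Identity $Mailbox -User $Delegate |
        Where-Object { -not $_.IsInherited } |
        Format-Table Identity, User, AccessRights, Deny -AutoSize
}
finally {
    # Always close the remote session, even if the grant failed.
    Remove-PSSession -Session $session
}
```

Keeping the verification output with the help desk ticket gives you a record of exactly which Full Access entry was added and for whom.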