Permissions lost after moving mailbox from Exchange 2003 to Exchange Online in hybrid environment
Consider the following scenario:
- Your on-premises Exchange organization includes mailboxes that are hosted in Exchange 2003;
- Your on-premises Exchange organization is set up for a hybrid deployment together with Exchange Online;
- You move users or shared mailboxes from on-premises Exchange to Exchange Online.
After you move these mailboxes, you notice that the original mailbox permissions are not retained.
You might also notice that when you run the Add-MailboxPermission cmdlet in Exchange Online, you receive an error stating:
The ACL for the object "CN=user,CN=Users,DC=letsexchange,DC=com" is not in canonical order (Deny/Allow/Inherited) and will be ignored.
This happens because Exchange 2003 stores mailbox rights in a per-mailbox security descriptor (the msExchMailboxSecurityDescriptor attribute on the user object, which is what CDOEXM exposes as MailboxRights), a mechanism that Exchange Online no longer uses. If the DACL in that descriptor is not in canonical order (explicit Deny entries, then explicit Allow entries, then inherited entries), the move process ignores the whole descriptor rather than applying it, so none of the original mailbox permissions are carried over.
To resolve this issue, run the FixMailboxSD command-line tool against each affected mailbox on the on-premises Exchange 2003-based servers to put its mailbox security descriptor back into canonical order. Do this before the mailbox is moved, because the descriptor is read at move time.
This is a small utility to fix mailbox security descriptors in Microsoft Exchange that have become non-canonical. It must be run on a machine with Exchange System Manager, as it relies on the interfaces exposed by CDOEXM, but it will work against mailboxes on 2003 or 2007 (not 2010 or 2013).
The tool uses CDOEXM from C# to read the MailboxRights object from the IExchangeMailbox interface. It then iterates through the DACL and puts all the ACEs in canonical order, and saves the changes.
The syntax of the tool is very straightforward:
FixMailboxSD "DN of mailbox"
The tool will display a summary view of the current DiscretionaryAcl, and then show a summary view of the DACL after it has reordered it. It will then save the changes and return to a command prompt.
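The reordering the tool performs can be reproduced and checked with the .NET System.Security.AccessControl classes. The script below is an added example and is not FixMailboxSD's own code: it parses a constructed, deliberately non-canonical DACL from SDDL (the well-known SID aliases BA, BG and SY stand in for real mailbox trustees), sorts the ACEs into canonical order (explicit Deny, explicit Allow, inherited) while keeping the relative order inside each group, and then runs the same canonical check Windows applies, via CommonSecurityDescriptor.IsDiscretionaryAclCanonical. Reading the real descriptor from a mailbox (MailboxRights via CDOEXM, as the tool does) is left out; the function names Get-AceRank, ConvertTo-CanonicalDacl and Test-DaclCanonical are this example's own.

```powershell
# Added example, not part of FixMailboxSD. Requires Windows: SDDL parsing
# goes through a Win32 call, so this will not run on PowerShell on Linux.
using namespace System.Security.AccessControl

function Get-AceRank {
    # Canonical rank of an ACE: 0 = explicit Deny, 1 = explicit Allow,
    # 2 = inherited (any qualifier), 3 = custom/compound ACEs, which are
    # never treated as canonical and are pushed to the end.
    param([GenericAce]$Ace)
    if ($Ace -isnot [QualifiedAce]) { return 3 }
    if ($Ace.IsInherited) { return 2 }
    if ($Ace.AceQualifier -eq [AceQualifier]::AccessDenied) { return 0 }
    return 1
}

function ConvertTo-CanonicalDacl {
    # Rebuilds the DACL of $Descriptor in canonical order. The sort is stable:
    # ACEs with the same rank keep the order they had. Modifies and returns
    # the same RawSecurityDescriptor object.
    param([RawSecurityDescriptor]$Descriptor)
    $dacl = $Descriptor.DiscretionaryAcl
    if ($null -eq $dacl) { return $Descriptor }

    $aces = @($dacl)   # enumerate the RawAcl into a plain array
    $entries = New-Object System.Collections.Generic.List[object]
    for ($i = 0; $i -lt $aces.Count; $i++) {
        $entries.Add([pscustomobject]@{
            Rank  = (Get-AceRank $aces[$i])
            Index = $i
            Ace   = $aces[$i]
        })
    }
    $ordered = $entries | Sort-Object Rank, Index

    $newDacl = [RawAcl]::new($dacl.Revision, $dacl.Count)
    $pos = 0
    foreach ($entry in $ordered) { $newDacl.InsertAce($pos++, $entry.Ace) }
    $Descriptor.DiscretionaryAcl = $newDacl
    return $Descriptor
}

function Test-DaclCanonical {
    # CommonSecurityDescriptor performs the canonical check itself; the two
    # $true arguments mean "container" and "directory-service object", which
    # is what a mailbox-enabled user object is.
    param([RawSecurityDescriptor]$Descriptor)
    $common = [CommonSecurityDescriptor]::new($true, $true, $Descriptor)
    return $common.IsDiscretionaryAclCanonical
}

# Constructed sample: an inherited Allow comes first, and an explicit Allow
# precedes an explicit Deny, so the DACL is non-canonical on both counts.
$sddl = 'O:BAG:BAD:(A;ID;GA;;;SY)(A;;GR;;;BA)(D;;GW;;;BG)'
$sd   = [RawSecurityDescriptor]::new($sddl)
$all  = [AccessControlSections]::All

"Before: $($sd.GetSddlForm($all))  canonical=$(Test-DaclCanonical $sd)"
$fixed = ConvertTo-CanonicalDacl $sd
"After:  $($fixed.GetSddlForm($all))  canonical=$(Test-DaclCanonical $fixed)"
```

Run as a script on a Windows machine; the "Before" line reports canonical=False for the sample and the "After" line shows the Deny ACE first, the explicit Allow second and the inherited ACE last, with canonical=True. Checking a descriptor with Test-DaclCanonical before attempting a mailbox move is the quick way to tell whether that mailbox will hit the "not in canonical order" error.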