active-directoryldap
I tried to set an attribute to another user while I was logged with my account, which is member of Domain Admins group of the Active Directory.
Error while executing LDIF- [LDAP: error code 50 - 00002098: SecErr: DSID-03150A45, problem 4003 (INSUFF_ACCESS_RIGHTS), data java.lang.Exception: [LDAP: error code 50 - 00002098: SecErr: DSID-03150A45, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
What I need to do in order to be able to edit data using LDAP?
On your domain object, you need to assign the querying user the "Read MemberOf" right to User objects.
That should set it up so that the specified account can read the group memberships of all User accounts in the domain.
I've finally fixed this.
Interestingly Send-As is an AD permission - not an exchange permission as you might have expected.
Anyway, these are the steps:
Make the target mailbox "shareable" using this command in Powershell on your Exchange Server:
Set-Mailbox user1 -type:shared
If you get this error (same as in my first post):
You will need to find that user in AD and go to the properties >> Security >> Advanced:
You need to ENABLE the option to "Include inheritable permissions from this object's parent":
Once that is done you should be able to complete the folder share script.
Then actually grant the rights using this command:
Add-ADPermission user1 -User Ourdomain\User2 -ExtendedRights "Send As"
Hope that helps others who have the same problem.
Kieran
Best Answer
Right-click on the application and select Run as Administrator.
When you are a member of one of the special restricted groups such as Domain Admins, Enterprise Admins, or Administrators, those group memberships are blocked from your normal process token. To use these group memberships, you need to elevate by using Run as Administrator.
You can verify that the groups are blocked by running SysInternals' Process Explorer, right-click on the application, select Properties, and on the Security tab, the groups will have a Deny in the Flags column.