Set-ADSiteLink error 4003 (INSUFF_ACCESS_RIGHTS) in Exchange Server 2010/2013
I got an error this last week where the user running Exchange Server 2010 wasn’t able to configure MaxMessageSize using Set-ADSiteLink cmdlet.
At the beginning I thought was something on his environment however since I was using Exchange Server 2013 on my Windows 8/Hyper-V 3.0 I tried to run the same cmdlet and I got the same issue ! Well, I tried in a couple of different Exchange Server 2010 and I got the same issue however if you run from an Exchange 2007 Management Shell it works like a charm!
Just to make sure that we are on the same page, here is the error message:
After analyzing the issue I noticed that the attribute delivContentLenght doesn’t allow the Exchange Trusted Subsystem to perform changes (Read and Write), so the solution is to open Active Directory Sites and Services, expand Sites, Inter-Site Transports, right-click on IP and then Properties.
Click on Security Tab, and click on Advanced button. In the new permissions tab, look for the entry that has Exchange Trusted Subsystem in the Name column and also Descendant Site Link Objects in Appy to column. After selecting the entry, click on Edit..
Make sure that you allow both Read delivContLenght and Write delivContLength and click OK on all other dialog boxes.
Time to test it! Let’s go back to the Exchange Management Shell and now we should be okay to define the MaxMessageSize from our Exchange Management Shell session.
Note: I couldn’t find an Official document from Microsoft supporting the Active Directory permission change however as you can see our change is just for that specific attribute.
Cheers, Anderson Patricio http://www.andersonpatricio.ca http://www.andersonpatricio.org