
When this checkbox is unchecked, you could have an issue moving the mailbox to a new server, and the error would look something like this:

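Both of these errors occur because missing permissions block the mailbox move process from doing its job. The fix is relatively easy to implement:
# Load the Quest ActiveRoles cmdlets (Get-QADUser, Set-QADObjectSecurity)
Add-PSSnapin Quest.ActiveRoles.ADManagement
# One user per row, identified by the DisplayName column
$users = Import-Csv c:\new\users.csv
foreach ($line in $users) {
    $user = $line.DisplayName
    # Act only on accounts whose ACL is protected (inheritance checkbox cleared),
    # then turn inheritance back on for them
    Get-QADUser $user |
        where {$_.DirectoryEntry.psbase.ObjectSecurity.AreAccessRulesProtected} |
        Set-QADObjectSecurity -UnlockInheritance
}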
** Please note you need the Quest ActiveRoles AD Management Plug-ins for the script to work
The script will simply check the Inheritable Permissions checkbox for each user who is missing the setting. You can scope this to certain OUs as well if there is a need to do so.
Here is the format of the CSV file that was used:
CSV File
DisplayName
"Smith, Bob"
"Washington, Smith"
A spot check of the accounts that were affected shows that the checkbox for inheritable permissions is now checked and the mailbox can proceed to be moved to Exchange 2013 or Office 365.
Background
Typically this setting is unchecked on admin accounts because they have special rights assignments, and there it won’t necessarily cause the mailbox migration to fail. On an ordinary user account (non-admin), if this checkbox is not checked and the permissions have never been copied to the user account, things can go wrong when it comes to mailbox moves. Usually this misconfiguration is not revealed until a new ActiveSync agreement is created (rebuild or new phone) or when the user's mailbox is moved to a different mail system (Office 365). To prevent this from causing issues for your migrations, I suggest you run a PowerShell script like this one to see who is missing the checkbox, and then correct all those mailboxes that are not Administrator mailboxes with my previous script.
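One way to do the audit-then-correct pass described above without the Quest snap-in, as an added example that is not the author's script: it reports every user whose inheritance checkbox is cleared, then re-enables inheritance only on accounts that are not flagged as admin accounts. It assumes the RSAT ActiveDirectory module is installed; the function names and the OU are placeholders chosen for this example.

```powershell
# Added example, not the author's script. Assumes the RSAT ActiveDirectory module;
# the OU in the usage lines at the bottom is a placeholder.
Import-Module ActiveDirectory

function Get-InheritanceDisabledUser {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$SearchBase)
    # AreAccessRulesProtected is $true when the inheritance checkbox is cleared.
    Get-ADUser -Filter * -SearchBase $SearchBase -Properties nTSecurityDescriptor, adminCount |
        Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected } |
        Select-Object Name, SamAccountName, DistinguishedName,
            @{ Name = 'AdminCount'; Expression = { [int]$_.adminCount } }
}

function Enable-UserAclInheritance {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$DistinguishedName,
        [Parameter(ValueFromPipelineByPropertyName)][int]$AdminCount
    )
    process {
        # adminCount = 1 marks accounts that are, or once were, in a protected admin
        # group; inheritance is blocked on those by design, so leave them for review.
        if ($AdminCount -eq 1) {
            Write-Warning "Skipped (adminCount = 1): $DistinguishedName"
            return
        }
        if ($PSCmdlet.ShouldProcess($DistinguishedName, 'Re-enable ACL inheritance')) {
            # A literal "/" in a DN must be escaped inside an ADSI path.
            $entry = [ADSI]('LDAP://' + $DistinguishedName.Replace('/', '\/'))
            # Read and write only the DACL, not the owner or group.
            $entry.psbase.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Dacl
            # $false = not protected, i.e. inheritance on (second argument is then ignored).
            $entry.psbase.ObjectSecurity.SetAccessRuleProtection($false, $true)
            $entry.psbase.CommitChanges()
        }
    }
}

# 1. Audit and keep the report as a change record.
$report = Get-InheritanceDisabledUser -SearchBase 'OU=Staff,DC=example,DC=com'
$report | Export-Csv -NoTypeInformation -Path .\inheritance-disabled.csv

# 2. Dry run; remove -WhatIf once the list has been reviewed.
$report | Enable-UserAclInheritance -WhatIf
```

Accounts skipped with adminCount = 1 may be former admins whose flag was never cleared, so check their current group membership before changing them by hand.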
Hope this brief article provides some help for those migrating mailboxes and experiencing a similar issue.