Hi all,
I recently was involved in troubleshooting an access issue for a client. We managed to work out what was going on and I thought I'd share.
Symptoms:
Users were unable to access their vaulted items. If they attempted to do so, they would be prompted for credentials.
Troubleshooting:
To try to get to a root cause, I checked the user's Provisining Group membership from "Display Policies Assigned to Mailboxes". This was showing that the user did not have a provisining group assignment. The group membership list for the user was long and his membership list was even longer so I explicitly added him as a user and ran the task again. Still no good!
My next step was to add a new group with a higher rank and then add him in. When I ran the provioning task this time it added him into the new group. I checked the event log and noticed the following error from the provisioning task run:
The Exchange mailbox provisioning task failed to read required information from Active Directory. The task has stopped. Ensure that the Active Directory server is operational and the account the task is using to log on has read access to the required objects. Then run the task again.
Task: Exchange Provisioning Task for foo.bar
Domain: foo.bar
Provisioning group: foo.bar group
Group member: OU=Some OU,DC=foo,DC=bar
AD server: GC://gc.foo.bar
Error: Failed to read required properties from AD 'OU' object [GC://gc.foo.bar/OU=Some OU,DC=foo,DC=bar] - There is no such object on the server.
For more information, see Help and Support Center at http://evevent.symantec.com/rosetta/showevent.asp?EvtID=41129d
Solution:
Aha! My client had recently done some AD renovating and the provisioning task was failing when it encountered OUs in its list that no longer existed. Removing these objects resolved the issue.
I hope this helps somebody!
Cheers
Ben
