Friday, July 20 2018

Exchange Control Panel Error Access Control entry not resolved

Whenever you log in to the Exchange Control Panel, you get an error on the Delegation tab:

The Object user has been corrupted or isn’t compatible with Microsoft Support Requirement and it’s in an inconsistent state. The Following validation errors happened

Warning
The object azure365pro.com/user/test has been corrupted or isn’t compatible with Microsoft support requirements, and it’s in an inconsistent state. The following validation errors happened:
The access control entry defines the ObjectType ‘d819615a-3b9b-4738-b47e-f1bd8e000ea4’ that can’t be resolved..
The access control entry defines the ObjectType ‘e2d6986b-2c7f-4cda-9851-d50003fb6706’ that can’t be resolved..


Get-AdPermission "DC=Azure365pro,DC=com"


Warning
The object azure365pro.com/user/test has been corrupted or isn’t compatible with Microsoft support requirements, and it’s in an inconsistent state. The following validation errors happened

The access control entry defines the ObjectType ‘d819615a-3b9b-4738-b47e-f1bd8e000ea4’ that can’t be resolved..

Take the ObjectType value of the corrupted access control entry from the warning, place it in the command below, and run it.

Import-Module ActiveDirectory   # provides the AD: drive
Get-Acl "AD:\DC=Azure365pro,DC=com" | Select-Object -ExpandProperty Access | Where-Object {$_.ObjectType -eq "e2d6986b-2c7f-4cda-9851-d50003fb6706"}

The result points to a null reference, which is a SID value. If you see a valid object, take action only on that object. In my case it is inherited from the root domain.


Open Active Directory Users and Computers.

Make sure Advanced Features is checked, then right-click the root domain and open Properties.


Checklist –

  • Make sure there are no connectivity problems between domain controllers.
  • Windows will show “Account Unknown” if it can’t connect to an Active Directory server.
  • If you have multiple domains or trust relationships, it might take a few moments to resolve, or connectivity problems between the domains may cause the account to show as unknown.
  • Have a good system state backup. Permission changes cannot be reverted unless you use tools like icacls.exe to back up the permissions first. Even then, they can’t be applied back, as these objects don’t exist.

Most old SIDs show up because the account was removed and Active Directory was not able to remove its permission.

Example –

Account Unknown (S-1-5-21-#########-#########-#########-1835)
Account Unknown (S-1-5-21-#########-#########-#########-1835)

Proceed only once you have confirmed the above 100%. Permissions are the riskiest part of Active Directory. Take extreme care when you touch permissions on the root domain.
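
One read-only way to gather the evidence for this checklist in a single pass, as an added example that is not part of the original post: it saves the domain root's DACL as SDDL, then lists every ACE whose ObjectType GUID matches no schema object or extended right, or whose trustee is an untranslated SID. The backup path is an assumption, and the ActiveDirectory module is required.

```powershell
# Added example: read-only audit of the domain root ACL. Nothing is modified in AD.
Import-Module ActiveDirectory

$domainDn   = 'DC=Azure365pro,DC=com'           # domain used in the article
$backupPath = 'C:\Temp\domain-root-dacl.sddl'   # assumed path; the folder must exist

$acl = Get-Acl -Path "AD:\$domainDn"

# Keep a copy of the current DACL in SDDL form before touching the Security tab.
$acl.GetSecurityDescriptorSddlForm('Access') | Set-Content -Path $backupPath

# Build the set of GUIDs an ACE ObjectType can resolve to:
# schema classes and attributes (schemaIDGUID) and extended rights (rightsGuid).
$rootDse = Get-ADRootDSE
$known   = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
        -Properties schemaIDGUID |
    ForEach-Object { $known[([guid]$_.schemaIDGUID).ToString()] = $_.Name }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter '(rightsGuid=*)' -Properties rightsGuid |
    ForEach-Object { $known[([guid]$_.rightsGuid).ToString()] = $_.Name }

$findings = foreach ($ace in $acl.Access) {
    # An empty GUID means the ACE applies to the whole object, which is normal.
    $guidResolves = ($ace.ObjectType -eq [guid]::Empty) -or
                    $known.ContainsKey($ace.ObjectType.ToString())
    # A trustee that Windows cannot translate to a name stays a SecurityIdentifier.
    $orphanedSid  = $ace.IdentityReference -is [System.Security.Principal.SecurityIdentifier]

    if (-not $guidResolves -or $orphanedSid) {
        [pscustomobject]@{
            Identity     = $ace.IdentityReference.Value
            OrphanedSid  = $orphanedSid
            ObjectType   = $ace.ObjectType
            GuidResolves = $guidResolves
            Rights       = $ace.ActiveDirectoryRights
            Type         = $ace.AccessControlType
            IsInherited  = $ace.IsInherited
        }
    }
}

# Group identical trustee/GUID pairs so repeated entries show up as a count.
$findings | Group-Object Identity, ObjectType |
    Select-Object Count, Name | Sort-Object Count -Descending | Format-Table -AutoSize
$findings | Format-Table -AutoSize
```

A trustee can also appear as an untranslated SID because of the connectivity or trust problems listed in the checklist, so treat the OrphanedSid column as a list of candidates to verify, not as a verdict.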

Security – Advanced –

Removed the objects listed in the identity reference. In my case the first identity reference was listed 5 times and the second reference was listed 3 times.

Removed them safely.

Click on Apply.

A prompt appears about changing 80 to 90 permissions. Clicked Yes.

It resolved the delegation error on the Exchange Control Panel.

About Satheshwaran Manoharan

Satheshwaran Manoharan is a Microsoft Exchange Server MVP and publisher of CareExchange.in.
Supporting/Deploying/Designing Microsoft Exchange for some years.
Extensive experience with Microsoft technologies.
