The Checkbox of Doom

There are many issues that come up in Exchange which are fixed by an undocumented checkbox procedure (see the very bottom of this post for examples of issues). I call this checkbox The Checkbox of Doom, as it is responsible for many failed move-mailbox requests as well as causing mobile devices to stop receiving mail after mailboxes are migrated (iPhone mail shows as connected to server but inbox is empty).

Checking The Checkbox of Doom:
Open AD Users and Computers > View > Advanced Features > open user account in question > Security Tab > Advanced Button > Check “Include inheritable permissions from this object's parent”.
Once the aforementioned checkbox is checked, the permissions which are either missing or misconfigured on a particular user account will be fixed and inherited down.

Note: if the user is a member of “Protected Groups” like Domain Admins/Print Operators/etc., the checkbox will automatically uncheck itself at an interval. This often requires checking it several times to ensure the permissions are inherited and replicated prior to the box automatically unchecking itself due to the user being a member of protected groups. On occasion I have to remove the user from any protected groups, migrate them, get devices working, then add them back to the protected group they were in again.

Enable inheritance on multiple accounts:
In some cases, like an Exchange migration, you may wish to enable inheritance on all AD user accounts or a large group of accounts.
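
One way to do this in bulk, as an added example that is not code from the original post: the function reports every user under an OU whose ACL has inheritance disabled and re-enables it only when confirmed. The function name and the OU are hypothetical, and it assumes the ActiveDirectory RSAT module; accounts stamped `adminCount=1` are skipped by default because, as noted above, protected-group members have the box cleared again automatically.

```powershell
#Requires -Modules ActiveDirectory
# Added example. Enable-UserAclInheritance and the OU at the bottom are hypothetical names.
function Enable-UserAclInheritance {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $SearchBase,  # DN of the OU to process
        [switch] $IncludeProtected                    # also change adminCount=1 accounts
    )

    $users = Get-ADUser -SearchBase $SearchBase -Filter * `
                 -Properties nTSecurityDescriptor, adminCount

    foreach ($user in $users) {
        $sd = $user.nTSecurityDescriptor
        # AreAccessRulesProtected is $true when the inheritance box is unchecked.
        if (-not $sd.AreAccessRulesProtected) { continue }

        $isProtected = ($user.adminCount -eq 1)
        $action = 'Skipped (adminCount=1, protected group member)'

        if (-not $isProtected -or $IncludeProtected) {
            $action = 'Not changed (WhatIf or declined)'
            if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Enable ACL inheritance')) {
                # First argument $false turns inheritance back on;
                # the second argument is ignored in that case.
                $sd.SetAccessRuleProtection($false, $true)
                Set-ADObject -Identity $user.DistinguishedName `
                             -Replace @{ nTSecurityDescriptor = $sd }
                $action = 'Inheritance enabled'
            }
        }

        # One row per account that had inheritance disabled, for the change record.
        [pscustomobject]@{
            SamAccountName = $user.SamAccountName
            AdminCount     = $user.adminCount
            Action         = $action
        }
    }
}

# Dry run against a placeholder OU: lists affected accounts without writing anything.
Enable-UserAclInheritance -SearchBase 'OU=Staff,DC=example,DC=com' -WhatIf
```

Review the dry-run output before running without `-WhatIf`, since re-enabling inheritance applies whatever permissions are delegated on the parent OUs to each account.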

Some of the issues that can occur when a Checkbox of Doom goes unchecked:

 Move Mailbox Failing: Insufficient access rights to perform the operation (INSUFF_ACCESS_RIGHTS)

Update 5-16-14: On a recent project where migrated users could not receive mail on their mobile devices (iPhone, Android) even after checking the ‘checkbox of doom’, we discovered that the ‘inherit’ checkbox was unchecked on the OU hierarchy containing the users' accounts. Once those inherit checkboxes were checked on the OUs, the mobile devices started receiving mail again.

I’ve also found that in some cases clicking ‘restore defaults’ on the advanced tab of the security tab of the user's AD account is necessary in order to get mail working on the mobile device after migration.
